Creating and managing ACL profiles

ACL profiles allow you to specify whether a workload intent's traffic should include or exclude packets that correspond to one or more match groups, as described in ACL profiles.

The Fabric Services System currently allows you to configure ACL profiles as ingress filters only.

The Fabric Services System does not validate the combinations of fields that constitute an ACL entry. You must configure these fields in accordance with the requirements of the target platform (SR Linux). For this reason, you should be aware of the applicable requirements, limitations, and dependencies of the participating nodes when configuring any ACL profile as part of a workload intent.

For example, the Fabric Services System allows you to configure an IPv4 ACL entry with the following attributes:

  • Protocol = icmp
  • Destination port = 80

However, SR Linux rejects this combination because port match fields are valid only for protocols that carry port numbers, such as TCP and UDP; an ICMP entry that specifies a port has no meaning on the node.

If you deploy a workload intent that includes an ACL configuration that is unsupported by the target node, the deployment results in an error. A message from the platform indicates the conflicting configuration.

In the Fabric Services System UI, you can:

  • Create an ACL profile
  • Edit an ACL profile
  • Delete an ACL profile

Creating an ACL profile

Before you create an ACL profile, ensure that you have created match groups that describe the types of packets you want to accept or reject as part of the ACL; see Creating a match group.

When you create an ACL profile, you define a set of packets that should be accepted or rejected by the system.

You define these packet sets by selecting one or more previously created match groups. Each match group already defines one set of possible packet properties; the ACL profile assembles the match groups to create a full profile of the packets deemed acceptable (or unacceptable) for the current profile.

Later, you can assign ACL profiles to workload intents to represent the packets that are acceptable or unacceptable for the workload intent. The workload intent either accepts or rejects, depending on your selection, all packets that conform to the profiles encompassed by its assigned ACLs.

The total number of entries created for a single IPv4/IPv6 ACL is the product of the following numbers:

  • the number of IP addresses in the source match groups
  • the number of IP addresses in the destination match groups

Selecting large match groups on both sides therefore multiplies quickly; check the expected entry count before deploying to a node with limited ACL resources.

To create an ACL profile:
  1. If you are not already on the Profiles page, do the following:
    1. Click to open the main menu.
    2. Select Profiles.
  2. From the Profiles drop-down, select ACL.
  3. Click + CREATE AN ACL PROFILE.
  4. Enter general information about the ACL profile:
    1. Enter a Name for the ACL profile.
    2. Optionally, enter a Description.
  5. Select the IPv4 match groups that represent packets acceptable for this ACL:
    1. In the Match Group Mappings IPv4 panel, click +ADD.
    2. Select a Priority level.
    3. In the Accept/Reject drop-down, select either Accept or Reject.
      This determines whether the Match Group you are selecting is intended to define acceptable, or unacceptable, packet types.
    4. In the Source Match Groups panel, click the box to the left of each pre-existing IPv4 match group you want to associate with the packet source.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packet whose source IP address conforms to the information in the selected match groups.
    5. In the Destination Match Groups panel, click the box to the left of each pre-existing IPv4 match group you want to associate with the packet destination.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packet whose destination IP address conforms to the information in the selected match groups.
    6. Set IPv4 Match Entry values for the packets to be accepted, or rejected, by this ACL:
      • First Fragment
      • Fragment
      • Source Port Operator
      • Source Port Value

        The Port Value can either be a number or a text string associated with a predefined port.

        Type a number or select a value from the drop-down list.

      • Source Port Range Start
      • Source Port Range End
      • Destination Port Operator
      • Destination Port Value
      • Destination Port Range Start
      • Destination Port Range End
      • ICMP Code (can support multiple values)
      • ICMP Type
      • Protocol
      • TCP Flags
    7. Click the ADD button.
  6. Select the IPv6 match groups that represent packets acceptable for this ACL:
    1. In the Match Group Mappings IPv6 panel, click +ADD.
      The Match Group Mapping IPv6 Details overlay displays.
    2. Select a Priority level.
    3. In the Accept/Reject drop-down, select either Accept or Reject.
      This determines whether the Match Group you are selecting is intended to define acceptable or unacceptable packet types.
    4. In the Source Match Groups panel, click the box to the left of each pre-existing IPv6 match group that you want to associate with the packet source.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packets whose source IP address conforms to the information in the selected match groups.
    5. In the Destination Match Groups panel, click the box to the left of each pre-existing IPv6 match group you want to associate with the packet destination.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packets whose destination IP address conforms to the information in the selected match groups.
    6. Set IPv6 Match Entry values for the packets to be accepted, or rejected, by this ACL:
      • Source Port Operator
      • Source Port Value

        The Port Value can either be a number or a text string associated with a predefined port.

        Type a number or select a value from the drop-down list.

      • Source Port Range Start
      • Source Port Range End
      • Destination Port Operator
      • Destination Port Value
      • Destination Port Range Start
      • Destination Port Range End
      • ICMP Code (can support multiple values)
      • ICMP Type
      • Next Header
      • TCP Flags
    7. Click the ADD button. The system adds the Match Group to the Match Group Mappings IPv6 list.
    Note that the Workload Reference List is empty. This list shows all of the workload intents that are currently using this ACL profile; because this is a new ACL profile, no workload intents are using it yet.
  7. Click the CREATE button.
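Because the Fabric Services System does not validate the field combinations of an ACL entry (the ICMP-plus-port case above is only reported when the node rejects the deployment) and because the entry count grows as the product of source and destination addresses, it is useful to check a profile before deploying it. The following is an added example, not FSS or SR Linux code: it models a profile as a list of match-group mappings in the shape the procedure above builds (priority, Accept/Reject, source and destination match groups, match-entry fields) and (1) flags field combinations the node will refuse, (2) estimates the expanded entry count. The only rule the page states is that port fields require TCP/UDP; the additional rules encoded here (TCP flags require protocol tcp, ICMP type/code require icmp or icmp6, an empty match-group selection counts as one "any" address) are assumptions to confirm against the target SR Linux release. All match groups and addresses are constructed for the example.

```python
"""Pre-deployment sanity check for an FSS ACL profile (added example).

The Fabric Services System does not validate ACL entry field combinations;
SR Linux rejects invalid ones at deploy time. This script performs that
check up front and reports the expanded entry count (#source addresses x
#destination addresses per mapping). Rules beyond "ports need TCP/UDP" are
assumptions, not taken from the page.
"""
from dataclasses import dataclass, field
from typing import Optional

PORT_PROTOCOLS = {"tcp", "udp"}      # stated on the page: ports only for TCP/UDP
ICMP_PROTOCOLS = {"icmp", "icmp6"}   # assumption: icmp6 is the IPv6 next-header name


@dataclass
class MatchEntry:
    """Subset of the IPv4/IPv6 Match Entry fields from the UI (simplified)."""
    protocol: Optional[str] = None            # IPv4 "Protocol" or IPv6 "Next Header"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    src_port_range: Optional[tuple] = None    # (start, end)
    dst_port_range: Optional[tuple] = None
    icmp_type: Optional[int] = None
    icmp_codes: list = field(default_factory=list)  # UI allows multiple codes
    tcp_flags: Optional[str] = None


@dataclass
class MatchGroup:
    name: str
    addresses: list   # prefixes, e.g. "10.0.1.0/24"


@dataclass
class Mapping:
    priority: int
    action: str       # "accept" or "reject"
    sources: list     # selected source MatchGroups
    destinations: list
    entry: MatchEntry


def validate_entry(e: MatchEntry) -> list:
    """Return a list of problems the target node would reject (empty = ok)."""
    problems = []
    proto = (e.protocol or "").lower()
    port_fields = (e.src_port, e.dst_port, e.src_port_range, e.dst_port_range)
    if any(v is not None for v in port_fields) and proto not in PORT_PROTOCOLS:
        problems.append(f"port fields require protocol tcp/udp, got {proto or 'unset'}")
    for label, rng in (("source", e.src_port_range), ("destination", e.dst_port_range)):
        if rng is not None and not (0 <= rng[0] <= rng[1] <= 65535):
            problems.append(f"{label} port range {rng} is not an ascending range within 0-65535")
    if e.tcp_flags and proto != "tcp":                       # assumption
        problems.append(f"TCP flags require protocol tcp, got {proto or 'unset'}")
    if (e.icmp_type is not None or e.icmp_codes) and proto not in ICMP_PROTOCOLS:  # assumption
        problems.append(f"ICMP type/code require protocol icmp/icmp6, got {proto or 'unset'}")
    return problems


def entry_count(m: Mapping) -> int:
    """Entries one mapping expands to: source addresses x destination addresses.
    Assumption: no match group selected means 'any', which counts as one."""
    src = sum(len(g.addresses) for g in m.sources) or 1
    dst = sum(len(g.addresses) for g in m.destinations) or 1
    return src * dst


def check_profile(mappings: list) -> dict:
    """Validate every mapping and total the expanded entry count."""
    errors, total = [], 0
    for m in mappings:
        if m.action not in ("accept", "reject"):
            errors.append(f"priority {m.priority}: action must be accept or reject")
        for p in validate_entry(m.entry):
            errors.append(f"priority {m.priority}: {p}")
        total += entry_count(m)
    return {"errors": errors, "total_entries": total}


# Constructed sample data (not from any real fabric).
WEB_CLIENTS = MatchGroup("web-clients", ["10.0.1.0/24", "10.0.2.0/24", "192.0.2.10/32"])
WEB_SERVERS = MatchGroup("web-servers", ["10.10.0.5/32", "10.10.0.6/32"])
MONITOR = MatchGroup("monitor", ["10.200.0.1/32"])

EXAMPLE_PROFILE = [
    # valid: TCP to port 443, 3 sources x 2 destinations = 6 entries
    Mapping(10, "accept", [WEB_CLIENTS], [WEB_SERVERS], MatchEntry(protocol="tcp", dst_port=443)),
    # the page's rejected case: ICMP with a destination port, 1 x 2 = 2 entries
    Mapping(20, "accept", [MONITOR], [WEB_SERVERS], MatchEntry(protocol="icmp", dst_port=80)),
]

if __name__ == "__main__":
    result = check_profile(EXAMPLE_PROFILE)
    print(f"expanded entries: {result['total_entries']}")
    for err in result["errors"]:
        print(f"REJECT: {err}")
```

Run it before clicking CREATE: any line prefixed REJECT is a mapping the node will refuse at deployment, and the entry count tells you how much ACL space the profile consumes once the match groups are expanded.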

Editing an ACL profile

You can edit an ACL profile at any time.

If the ACL profile that you edit is already being used by a workload intent, and that workload intent has already been generated or deployed, then the changes you make do not propagate to the workload intent until you regenerate that workload intent.

  • If the workload intent has been generated but is not yet deployed, you can re-save and regenerate the workload intent without creating a new version. Regenerating the workload intent incorporates the new ACL settings into its configuration.
  • If the workload intent has already been deployed, you must create a new candidate version of the workload intent before you can regenerate and redeploy it with the new ACL settings.
  1. If you are not already on the Profiles page, do the following:
    1. Click to open the main menu.
    2. Select Profiles. The Profiles page displays.
  2. From the Profiles drop-down list, select ACL. The system displays the ACL page, showing a list of previously created ACL profiles.
  3. Select an ACL profile from the list, click the More actions icon at the right edge of the row, and select Open from the drop-down list. The ACL Creation overlay displays.
  4. Update parameters for the ACL profile as described in Creating an ACL profile.
  5. At the lower right of the ACL overlay, click SAVE.
    The system saves your changes and closes the ACL Creation overlay.

Deleting an ACL profile

There are some restrictions in place when deleting an ACL profile to ensure that you do not invalidate any workload intents that rely on it:
  • If an ACL profile has been assigned to a bridged subnet or sub-interface, or to a routed sub-interface, the system prevents you from deleting the ACL profile.
  • You cannot delete an ACL profile associated with a previous version of a deployed workload intent, even if you are designing a subsequent, undeployed version of that same intent that no longer relies on that ACL profile.
  • However, after you deploy a workload intent that no longer relies on an ACL profile, the system allows the deletion of the unassociated ACL profile (provided no other workload intent still relies on it).

To delete an ACL profile:

  1. If you are not already on the Profiles page, do the following:
    1. Click to open the main menu.
    2. Select Profiles.
  2. From the Profiles drop-down, select ACL.
  3. Select an ACL profile from the list, click the More actions icon at the right edge of the row, and select Delete... from the drop-down list.
  4. In the confirmation dialog, click OK.
    The system deletes the selected ACL profile and closes the confirmation dialog, returning you to the Profiles page with the ACL view selected. The ACL profile you just deleted no longer appears in the list.