ACL profile management

ACL profiles allow you to create IP filters that can be applied on a node when you associate the profile with a workload intent subnet or sub-interface.

ACL profile deployment

An ACL profile is global, which means that the IP filters that are created can be reused across workload intents. If two workload intents reference the same ACL profile on the same node, only a single resultant IP filter is created.

The high-level steps for deploying an ACL profile are as follows:
  1. Assigning ACL profiles to the sub-interfaces and subnets in a workload intent.
  2. Generating the configuration of the workload intent.
  3. Adding the workload intent to the pipeline.
  4. Auto-deploying the workload intent.

    At this point, the ACL profile is automatically deployed. The workload intent still has to be deployed.

  5. Deploying the workload intent in the pipeline.

If a node no longer has any sub-interfaces in a subnet that references an ACL profile, the IP filter configuration is removed from the device.

The configuration of an IP filter is dynamically added to the devices when sub-interfaces are created on subnets that reference ACL profiles. That is, the node list for an ACL profile is dynamically updated and the configuration of the IP filter is automatically deployed on the nodes as soon as the node is added to the list for a specific ACL profile.

You can generate the configuration of an ACL profile even if there are no nodes that require the configuration, which means that you can view the resulting ACL policies before they are associated with subnets or sub-interfaces in the ACL profile.

When you remove an ACL profile from a subnet, the ACL policy configuration is automatically removed from the node when the workload intent is deployed.

Validation of an ACL entry

The Fabric Services System does not validate the combinations of fields that constitute an ACL entry. You must configure these fields in accordance with the requirements of the target platform. For this reason, be aware of the applicable requirements, limitations, and dependencies of the participating nodes when configuring any ACL profile as part of a workload VPN intent.

For example, the Fabric Services System allows you to configure an IPv4 ACL entry with the following attributes:

  • Protocol = icmp
  • Destination port = 80

However, this configuration is not permitted by SR Linux because port numbers can only be configured for protocols such as UDP and TCP.

If you deploy a workload VPN intent that includes an ACL configuration that is unsupported by the target node, the deployment results in an error. A message from the platform indicates the conflicting configuration.

Creating an ACL profile

Before you create an ACL profile, ensure that you have created match groups that describe the types of packets you want to accept or reject as part of the ACL.

When you create an ACL profile, you define a set of packets that should be accepted or rejected by the system. You can create an IPv4 ACL profile or an IPv6 ACL profile.

You define these packet sets by selecting one or more previously created match groups. Each match group already defines one set of possible packets properties; the ACL profile assembles the match groups to create a full profile of the packets deemed acceptable for the current profile.

Later, you can assign ACL profiles to workload VPN intents to represent the packets that are acceptable or unacceptable for the workload VPN intent. The workload VPN intent either accepts or rejects (depending on your selection) all packets that conform to the profiles encompassed by its assigned ACLs.

The total number of entries created for a single IPv4 or IPv6 ACL is the product of the following numbers:

  • the number of IP addresses in the source match groups
  • the number of IP addresses in the destination match groups
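The two points above are easy to check before deployment: the Fabric Services System does not validate field combinations such as protocol icmp with destination port 80, and the resultant filter size is the product of source and destination addresses. This added Python example (not part of the product or this documentation) pre-checks a match entry and expands a match-group mapping into its resultant entries; the set of port-capable protocols, the class and function names, and the sample prefixes are all assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Assumption drawn from the page's caveat: SR Linux accepts port fields only
# for protocols such as TCP and UDP. Adjust for the target platform.
PORT_PROTOCOLS = {"tcp", "udp"}


@dataclass(frozen=True)
class MatchEntry:
    """Subset of the IPv4 Match Entry fields from the ACL profile form."""
    protocol: Optional[str] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None


def validate_entry(entry: MatchEntry) -> list:
    """Return the field-combination problems the FSS would not catch itself."""
    problems = []
    if entry.protocol not in PORT_PROTOCOLS:
        for name, value in (("source", entry.source_port),
                            ("destination", entry.destination_port)):
            if value is not None:
                problems.append(
                    f"{name} port {value} requires protocol tcp or udp, "
                    f"got {entry.protocol}")
    return problems


def expand_mapping(action: str, source_groups: dict, destination_groups: dict,
                   entry: MatchEntry) -> list:
    """Expand one match-group mapping into the resultant IP filter entries.

    Match groups are given as {group name: [prefix, ...]}. The result holds one
    entry per (source prefix, destination prefix) pair, so its length is the
    product described above.
    """
    sources = [p for prefixes in source_groups.values() for p in prefixes]
    destinations = [p for prefixes in destination_groups.values() for p in prefixes]
    return [(action, src, dst, entry) for src, dst in product(sources, destinations)]


# Constructed sample data: two source groups (3 prefixes), one destination group (2 prefixes).
SOURCE_GROUPS = {"web-tier": ["10.1.0.0/24", "10.1.1.0/24"], "mgmt": ["192.168.10.5/32"]}
DESTINATION_GROUPS = {"db-tier": ["10.2.0.0/24", "10.2.1.0/24"]}

if __name__ == "__main__":
    print(validate_entry(MatchEntry(protocol="icmp", destination_port=80)))
    ok = MatchEntry(protocol="tcp", destination_port=80)
    print(len(expand_mapping("accept", SOURCE_GROUPS, DESTINATION_GROUPS, ok)))
```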
  1. Click to open the main menu and click Profiles.
  2. Use the Region Selector at the top of the page to select the region in which to create the ACL profile.
  3. From the Profiles drop-down list, select ACL.
  4. If the Profile Manager is in the deployed state, create a candidate first.
    On the upper right of the ACL view, click and select Create Candidate Version.
    The Detailed Status field shows Created.
  5. Click +ADD ACL PROFILE, then specify the type of profile you are creating.
    • To create an IPv4 ACL profile, click CREATE IPV4 ACL, then go to Step 6.
    • To create an IPv6 ACL profile, click CREATE IPV6 ACL, then go to Step 7.
  6. Configure the IPv4 ACL profile.
    1. In the Match Group Mappings IPv4 section, click +ADD.
    2. In the Match Group Mapping IPv4 Details form, set the following parameters in the General section:
      • Priority
      • Accept/Reject drop-down list: select Accept or Reject. This setting determines whether the match group you are selecting is intended to define acceptable or unacceptable packet types.
    3. In the Source Match Groups panel, click the box to the left of each pre-existing IPv4 match group you want to associate with the packet source.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packet whose source IP address conforms to the information in the selected match groups.
    4. In the Destination Match Groups panel, click the box to the left of each pre-existing IPv4 match group you want to associate with the packet destination.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packet whose destination IP address conforms to the information in the selected match groups.
    5. In the IPv4 Match Entry section, set the following parameters for the packets to be accepted or rejected by this ACL:
      • First Fragment
      • Fragment
      • Source Port Operator
      • Source Port Value

        The setting for the Source Port Value parameter can either be a number or a text string associated with a predefined port. Enter a number or select a value from the drop-down list.

      • Source Port Range Start
      • Source Port Range End
      • Destination Port Operator
      • Destination Port Value
      • Destination Port Range Start
      • Destination Port Range End
      • ICMP Code: can support multiple values
      • ICMP Type
      • Protocol
      • TCP Flags
    6. Click ADD.
    7. Go to Step 8.
  7. Configure the IPv6 ACL profile.
    1. In the Match Group Mappings IPv6 panel, click +ADD.
    2. In the Match Group Mapping IPv6 Details overlay, set the following parameters in the General section:
      • Priority
      • Accept/Reject drop-down list: select Accept or Reject. This setting determines whether the match group you are selecting is intended to define acceptable or unacceptable packet types.
    3. In the Source Match Groups panel, click the box to the left of each pre-existing IPv6 match group that you want to associate with the packet source.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packets whose source IP address conforms to the information in the selected match groups.
    4. In the Destination Match Groups panel, click the box to the left of each pre-existing IPv6 match group you want to associate with the packet destination.
      The ACL now represents an instruction to either accept or reject (based on your selection above) any packet whose destination IP address conforms to the information in the selected match groups.
    5. Set the IPv6 Match Entry values for the packets to be accepted or rejected by this ACL:
      • Source Port Operator
      • Source Port Value

        The setting for Source Port Value can either be a number or a text string associated with a predefined port. Type a number or select a value from the drop-down list.

      • Source Port Range Start
      • Source Port Range End
      • Destination Port Operator
      • Destination Port Value
      • Destination Port Range Start
      • Destination Port Range End
      • ICMP Code: can support multiple values
      • ICMP Type
      • Next Header
      • TCP Flags
    6. Click ADD. The system adds the match group to the Match Group Mappings IPv6 list.
  8. Click CREATE.
    Note: The Workload Reference List field shows all of the workloads that are currently using this ACL profile. Because this is a new ACL profile, the list is empty: no workloads are using it yet.

Editing and deploying an ACL profile

If the Profile Manager is already deployed, to edit an ACL profile, create a candidate version of the Profile Manager first, then edit the ACL profile. Then, to push the changes to the nodes, add the Profile Manager to the deployment pipeline and deploy it.
  1. Click the main menu and select Profiles.
  2. Use the Region Selector at the top of the page to select the region containing the ACL profile.
  3. If the Profile Manager is in the deployed state (that is, the Detailed Status field shows Deployed), create a candidate version first.
    On the upper right of the Profile Manager view, click and select Create Candidate Version.
    The Detailed Status field shows Created.
  4. From the Profiles drop-down list, select ACL.
  5. Update the ACL profile.
    1. Double-click the profile that you want to edit.
    2. Update parameters as needed.
    3. On the lower right of the ACL overlay, click SAVE.
  6. Deploy the Profile Manager manually.

Deleting an ACL profile

There are some restrictions in place when deleting an ACL profile to ensure that you do not invalidate any fabric intents that rely on it:
  • If an ACL profile has been assigned to a bridged subnet or sub-interface, or to a routed sub-interface, the system prevents you from deleting the ACL profile.
  • You cannot delete an ACL profile associated with a previous version of a deployed workload intent, even if you are designing a subsequent, undeployed version of that same intent that no longer relies on that ACL profile.
  • After you deploy a workload VPN intent that no longer relies on an ACL profile, the system allows the deletion of the unassociated ACL profile (provided no other workload VPN intent still relies on it).
  1. Click the main menu and select Profiles.
  2. Use the Region Selector at the top of the page to select the region containing the ACL profile.
  3. If the Profile Manager is in the deployed state (that is, the Detailed Status field shows Deployed), create a candidate version first.
    On the upper right of the Profile Manager view, click and select Create Candidate Version.
    The Detailed Status field shows Created.
  4. From the Profiles drop-down list, click ACL.
  5. Select an ACL profile from the list and click at the end of its row.
  6. Select Delete from the drop-down list, then click OK.
  7. Deploy the Profile Manager.
    The system deletes the selected ACL profile and closes the confirmation form, returning you to the Profiles page with the ACL view selected. The ACL profile you just deleted no longer appears in the list.