Access control lists

An Access Control List, or ACL, is an ordered set of rules that are evaluated on a packet-by-packet basis to determine whether access should be provided to a specific resource. ACLs can be used to drop unauthorized or suspicious packets from entering or leaving a routing device via specified interfaces.

SR Linux supports the following types of ACLs:

  • Interface filters

    An interface filter is an IPv4 or IPv6 ACL that is applied to a routed or bridged subinterface to restrict traffic allowed to enter or exit the subinterface. An interface ACL can be applied to input or output traffic for one or more subinterfaces.

    See Interface filters for more information.

  • Packet capture filters

    A packet capture filter is an IPv4 or IPv6 ACL used to extract packets to the control plane for inspection by packet capture tools. When an ingress IP packet on any line card transits through the router, and it matches a rule in a packet capture filter policy, it is copied and extracted toward the CPM and delivered to a Linux virtual Ethernet interface so that it can be displayed by a packet capture utility, or encapsulated and forwarded to a remote monitoring system.

    See Packet capture filters for more information.

  • CPM filters

    A CPM filter is an IPv4 or IPv6 ACL used for control plane protection. There is one CPM filter for IPv4 traffic and another CPM filter for IPv6 traffic. When an ingress IP packet is matched by a CPM filter rule, and it is a terminating packet (that is, it must be extracted to the CPM), then it is processed according to the matching CPM filter rule.

    See Control plane module (CPM) filters for more information.

  • System filters (7220 IXR-D1, D2, and D3 systems only)

    A system filter ACL is an IPv4 or IPv6 ACL that is evaluated early in the ingress pipeline, at a stage before tunnel termination occurs and before interface filters are run. For VXLAN traffic, system filters can match and drop unauthorized VXLAN tunnel packets before they are decapsulated, based on information in the outer header.

    See System filters for more information.

An ACL is applied to a selected set of traffic contexts. A traffic context could be all the IPv4 or IPv6 packets arriving or leaving on a specific subinterface, or the out-of-band IP traffic arriving on a management interface, or all the in-band IPv4 or IPv6 packets that are locally terminating on the CPM of the router.

Each ACL rule, or entry, has a sequence ID. The ACL evaluates packets starting with the entry with the lowest sequence ID, progressing to the entry with the highest sequence ID. Evaluation stops at the first matching entry (that is, when the packet matches all of the conditions specified by the ACL entry).

ACL actions

When a packet matches an ACL entry, an action specified by the ACL entry is applied to the packet. An ACL entry has a primary action and an optional secondary action. The secondary action extends the primary action with additional packet handling operations.

For traffic transiting through the router, ACL entries support the following primary actions:

  • accept – Allow the packet through to the next processing function.

  • accept and log – Allow the packet through to the next processing function and send information about the accepted packet to the log application.

  • drop – Discard the packet without ICMP generation.

  • drop and log – Discard the packet without ICMP generation and send information about the dropped packet to the log application.

For traffic transiting through the router, the following secondary action is supported:

  • log – Send information about the packet to the log application.

For traffic terminating on the CPM of the router, the preceding primary and secondary actions are supported, as well as the following secondary actions for ACL entries where accept is the primary action:

  • distributed-policer – If the packet is extracted to the CPM, feed the packet to a hardware-based policer, which determines if the packet should be queued by the line card toward the CPM or dropped because a bit-per-second rate is exceeded.

  • system-cpu-policer – If the packet has been extracted to the CPM, feed the packet to a software-based policer, which determines if the packet should be delivered to the CPM application or dropped because a packet-per-second rate is exceeded.

If a packet matches an ACL entry, no further evaluation is done for the packet. If the packet does not match any ACL entry, the default action is accept. To drop traffic that does not match any ACL entry, you can optionally configure an entry with the highest sequence ID in the ACL to drop all traffic. This causes traffic that does not match any of the lower-sequence ACL entries to be dropped.

The supported actions for each type of ACL differ based on the hardware platform where the ACL is configured. The following tables indicate which actions are supported for each ACL filter type for each hardware platform.

Supported ACL actions for 7250 IXR systems

The following table lists the supported actions for each ACL filter type on 7250 IXR systems.

Table 1. Supported actions for each ACL filter type (7250 IXR)

ACL filter type

Action

Supported?

Interface filter (input)

accept

Yes

accept and log

Yes

drop

Yes

drop and log

Yes

Interface filter (output)

accept

Yes

accept and log

Yes

drop

Yes

drop and log

Yes

CPM filter

accept

Yes

accept and log

Yes

drop

Yes

drop and log

Yes

accept and distributed-policer

Yes

accept and distributed-policer and log

No log generated

accept and system-cpu-policer

Yes

accept and system-cpu-policer and log

No log generated

Packet capture filter

accept

Yes

copy

Yes

System filter

accept

No

drop

No

drop and log

No

Supported ACL actions for 7220 IXR-D systems

The following table lists the supported actions for each ACL filter type on 7220 IXR-D1, D2, D3, and D5 systems.

Table 2. Supported actions for each ACL filter type (7220 IXR-D1, D2, D3, and D5)

ACL filter type

Action

Supported?

Interface filter (input)

accept

Yes

accept and log

No log generated

drop

Yes

drop and log

Yes, using separate CPU queue

Interface filter (output)

accept

Yes

accept and log

No log generated

drop

Yes

drop and log

No log generated

CPM filter

accept

Yes

accept and log

No log generated

drop

Yes

drop and log

Yes, using shared CPU queue

accept and distributed-policer

Yes1

accept and distributed-policer and log

No log generated1, 2

accept and system-cpu-policer

Yes

accept and system-cpu-policer and log

No log generated

Packet capture filter

accept

Yes

copy

Yes

System filter3

accept

Yes

drop

Yes

drop and log

Yes

Note:
  • 1 Distributed-policer not supported on 7220 IXR-D5
  • 2 Log not supported on 7220 IXR-D2, D3, and D5
  • 3 System filter not supported on 7220 IXR-D5

Supported ACL actions for 7220 IXR-H systems

The following table lists the supported actions for each ACL filter type on 7220 IXR-H2 and H3 systems.

Table 3. Supported actions for each ACL filter type (7220 IXR-H2 and H3)

ACL filter type

Action

Supported?

Interface filter (input)

accept

Yes

accept and log

No log generated

drop

Yes

drop and log

Yes, but logged packet is also processed by CPM filter

Interface filter (output)

accept

Yes

accept and log

No log generated

drop

Yes

drop and log

No log generated

CPM filter

accept

Yes

accept and log

No log generated

drop

Yes

drop and log

Yes

accept and distributed-policer

No policing

accept and distributed-policer and log

No policing and no log generated

accept and system-cpu-policer

Yes

accept and system-cpu-policer and log

No log generated

Packet capture filter

accept

Yes

copy

Yes

System filter

accept

No

drop

No

drop and log

No

ACL match conditions

IPv4 ACLs analyze IPv4 packets. The following match criteria are supported by IPv4 ACLs:

  • IPv4 destination prefix and prefix-length

  • IPv4 destination address and address-mask

  • TCP/UDP destination port (range)

  • ICMP type/code

  • IP protocol number

  • IPv4 source prefix and prefix-length

  • IPv4 source address and address-mask

  • TCP/UDP source port (range)

  • TCP flags: RST, SYN, and ACK

  • Packet fragmentation: whether the packet is a fragment

  • Packet fragmentation: whether the packet is a first-fragment (fragment-offset=0 and more-fragments=1)

  • IP DSCP

IPv6 ACLs analyze IPv6 packets. The following match criteria are supported by IPv6 ACLs:

  • IPv6 destination prefix and prefix-length

  • IPv6 destination address and address-mask

  • TCP/UDP destination port (range)

  • ICMPv6 type/code

  • IPv6 next-header value. This is the value in the very first next-header field, in the fixed header.

  • IPv6 source prefix and prefix-length

  • IPv6 source address and address-mask

  • TCP/UDP source port (range)

  • TCP flags: RST, SYN, and ACK

  • IP DSCP

Interface filters

An interface filter is an IPv4 or IPv6 ACL that restricts traffic allowed to enter or exit a subinterface.

IPv4 and IPv6 ACLs can be applied to a subinterface to restrict traffic entering or exiting that subinterface, as follows:

  • Input IPv4 ACLs – When an IPv4 filter is used as an input ACL on a subinterface that carries IPv4 traffic, the rules apply to native IPv4 packets (ethertype 0x0800) that enter the subinterface and would normally terminate locally (control/management plane packets) or transit through the router.

    The rules also apply to MPLS-encapsulated IPv4 packets (ethertype 0x8847) that are terminating or transit.

  • Input IPv6 ACLs – When an IPv6 filter is used as an input ACL on a subinterface that carries IPv6 traffic, the rules apply to native IPv6 packets (ethertype 0x86DD) that enter the subinterface and would normally terminate locally (control/management plane packets) or transit through the router.

    The rules also apply to MPLS-encapsulated IPv6 packets (ethertype 0x8847) that are terminating or transit.

  • Output IPv4 ACLs – When an IPv4 filter is used as an output ACL on a subinterface that carries IPv4 traffic, the rules apply to native IPv4 packets (ethertype 0x0800) that exit the subinterface, including packets that originated locally (control/management plane packets) and packets that transited through the router.

    The rules do not apply to MPLS-encapsulated IPv4 packets (ethertype 0x8847) exiting the subinterface.

  • Output IPv6 ACLs – When an IPv6 filter is used as an output ACL on a subinterface that carries IPv6 traffic, the rules apply to native IPv6 packets (ethertype 0x86DD) that exit the subinterface, including packets that originated locally (control/management plane packets) and packets that transited through the router.

    The rules do not apply to MPLS-encapsulated IPv6 packets (ethertype 0x8847) exiting the subinterface.

Creating an IPv4 ACL

The following is an example IPv4 ACL that has one entry.

This example creates an IPv4 ACL named ip_tcp. Within the ip_tcp ACL, an entry with sequence ID 1000 is configured. The action is specified as accept, with logging set to true.

The filter matches packets with IP destination address 100.1.3.1/32; for TCP traffic, if the source address 100.1.5.1/32, destination port 6789, and source port 6722 matches the filter, the traffic stream is accepted.

--{ * candidate shared default }--[  ]--
# info acl 
 ipv4-filter ip_tcp {
        entry 1000 {
            description Match_IP_Address_TCP_Protocol_Ports
            action {
                accept {
                    log true
                }
            }
            match {
                destination-address 100.1.3.1/32
                protocol tcp
                source-address 100.1.5.1/32
                destination-port {
                    value 6789
                }
                source-port {
                    value 6722
                }
            }
        }
    }

The following is an example of an entry added to the ip_tcp ACL that causes all traffic to be dropped. Because it has the highest sequence ID, traffic that matches any of the lower-sequenced ACL entries would have been accepted before being evaluated by this entry. Only traffic that did not match any of the other ACL entries would be dropped by this entry.

--{ * candidate shared default }--[  ]--
# info acl
       ipv4-filter ip_tcp {
           entry 65535 {
               action {
                   drop {
                     log true
                   }
               }
           }
        }

Note that the drop action with logging set to true is not supported on 7220 IXR-D1, D2, D3, and D5 systems when it is attached as an egress filter.

Creating an IPv6 ACL

The following is an example IPv6 ACL that has one entry.

This example creates an IPv6 ACL named ipv6_tcp. Within the ipv6_tcp ACL, an entry with sequence ID 100 is configured. The action is specified as accept, with logging set to true.

The filter matches packets with IPv6 destination address 2001:10:1:3::1/120; for TCP traffic, if the source address 2001:10:1:5::1/120, destination port 6789, and source port 6722 matches the filter, the traffic stream is accepted.

--{ * candidate shared default }--[  ]--
# info acl
ipv6-filter ipv6_tcp {
        entry 100 {
            description Match_Dest_Address_TCP_Src_Address_DP_SP
            action {
                accept {
                    log true
                }
            }
            match {
                destination-address 2001:10:1:3::1/120
                next-header tcp
                source-address 2001:10:1:5::1/120
                destination-port {
                    value 6789
                }
                source-port {
                    value 6722
                }
            }
        }
    }

Attaching an ACL to a subinterface

After an ACL is configured, you can attach it to a subinterface so that traffic entering or exiting the subinterface is subject to the rules defined in the ACL.

The following commands apply IPv4 and IPv6 ACLs to inbound traffic on a subinterface:

--{ * candidate shared default }--[  ]--
# interface ethernet-1/16
--{ * candidate shared default }--[ interface ethernet-1/16 ]--
# subinterface 1
--{ * candidate shared default }--[ interface ethernet-1/16  subinterface 1 ]--
# acl 
--{ * candidate shared default }--[ interface ethernet-1/16 subinterface 1 acl ]-- 
# input ipv4-filter ip_tcp
--{ * candidate shared default }--[ interface ethernet-1/16 subinterface 1 acl ]--
# input ipv6-filter ipv6_tcp 

You can check the configuration of the interface to verify that the ACL is successfully attached. For example:

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/16
interface ethernet-1/16 {
    description dut1-dut-2
    subinterface 1 {
        ipv4 {
            address 100.1.5.2/24 {
            }
            arp {
                neighbor 100.1.5.1 {
                    link-layer-address 00:00:64:01:05:05
                }
            }
        }
        ipv6 {
            address 2001:10:1:5::2/120 {
            }
            neighbor-discovery {
                neighbor 2001:10:1:5::1 {
                    link-layer-address 00:00:64:01:05:05
                }
            }
        }
        acl {
            input {
                ipv4-filter ip_tcp
                ipv6-filter ipv6_tcp
            }
        }
    }
}

Attaching an ACL to the management interface

To modulate traffic for the management interface, navigate to the subinterface of interface mgmt0. Under the acl context, attach the IPv4 or IPv6 ACL for input/output traffic.

--{ * candidate shared default }--[  ]--
# interface mgmt0
--{ * candidate shared default }--[ interface mgmt0 ]—
# subinterface 0
--{ * candidate shared default }--[ interface mgmt0 subinterface 0 ]--
# acl
--{ * candidate shared default }--[ interface mgmt0 subinterface 0 acl ]—
# input ipv4-filter ip_tcp
--{ * candidate shared default }--[ interface mgmt0 subinterface 0 acl ]—
# input ipv6-filter ipv6_tcp

To verify the configuration for the management interface ACL:

--{ * candidate shared default }--[  ]--
# info interface mgmt0
   interface mgmt0     {
     admin-state enable
        subinterface 0 {
            admin-state enable
            ipv4 {
               dhcp-client true
            }
            ipv6 {
               dhcp-client true
            }
            acl {
               input {
                   ipv4-filter ip_tcp
                   ipv6-filter ipv6_tcp
               }
            }
        }
   }

Detaching an ACL from an interface

To detach an ACL from an interface, enter the subinterface context and delete the ACL from the configuration.

The following commands detach an ACL from a subinterface:

--{ * candidate shared default }--[  ]--
# interface ethernet-1/16
--{ * candidate shared default }--[ interface ethernet-1/16 ]—
# subinterface 1
--{ * candidate shared default }--[ interface ethernet-1/16 subinterface 1 ]—
# delete acl input ipv4-filter
--{ * candidate shared default }--[ interface ethernet-1/16 subinterface 1 ]--

Use the info interface command to verify that the ACL is no longer part of the subinterface configuration. For example:

--{ * candidate shared default }--[  ]--
# info interface ethernet-1/16
interface ethernet-1/16 {
    description dut1-dut-2
    subinterface 1 {
        ipv4 {
            address 100.1.5.2/24 {
            }
            arp {
                neighbor 100.1.5.1 {
                    link-layer-address 00:00:64:01:05:05
                }
            }
        }
        ipv6 {
            address 2001:10:1:5::2/120 {
            }
            neighbor-discovery {
                neighbor 2001:10:1:5::1 {
                    link-layer-address 00:00:64:01:05:05
                }
            }
        }
        acl {
            input {
                ipv6-filter ipv6_tcp
            }
        }
    }
}

Detaching an ACL from the management interface

The following example detaches an ACL from the management interface:

--{ * candidate shared default }--[  ]--
# interface mgmt0
--{ * candidate shared default }--[ interface mgmt0 ]—
# subinterface 0
--{ * candidate shared default }--[ interface mgmt0 subinterface 0 ]--
# delete acl input ipv4-filter

To verify that the ACL was detached from the management interface:

--{ * candidate shared default }--[  ]--
# info interface mgmt0
   interface mgmt0     {
     admin-state enable
        subinterface 0 {
            admin-state enable
            ipv4 {
               dhcp-client true
            }
            ipv6 {
               dhcp-client true
            }
            acl {
               input {
                  ipv6-filter ipv6_tcp
               }
            }
        }
   }

Modifying ACLs

You can add entries to an ACL, delete entries from an ACL, and delete the entire ACL from the configuration.

To add an entry to an ACL, enter the context for the ACL, then add the entry. For example, the following commands add an entry to IPv4 ACL ip_tcp:

--{ * candidate shared default }--[  ]--
# acl ipv4-filter ip_tcp
--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# entry 65535
--{ candidate shared default }--[ acl ipv4-filter ip_tcp entry 65535 ]--
# action drop
--{ candidate shared default }--[ acl ipv4-filter ip_tcp entry 65535 action drop ]--
# log true
--{ candidate shared default }--[ acl ipv4-filter ip_tcp entry 65535 action drop ]--

To delete an entry in an ACL, use the delete command under the context for the ACL and specify the sequence ID of the entry to be deleted. For example, the following commands delete the entry in IPv4 ACL ip_tcp with sequence ID 65535:

--{ candidate shared default }--[  ]--
# acl ipv4-filter ip_tcp
--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# delete entry 65535

To delete the entire ACL, use the delete command under the acl context. For example, the following commands delete the ip_tcp ACL:

--{ * candidate shared default }--[  ]--
# acl
--{ candidate shared default }--[ acl ]--
# delete ipv4-filter ip_tcp

Resequencing ACL entries

To aid in managing complex ACLs that have many entries, you can resequence the ACL entries to set a sequence ID number for the first entry and a constant increment for the sequence ID for subsequent entries.

For example, if you have an ACL with three entries, sequence IDs 123, 124, and 301, you can resequence the entries so that the initial entry has sequence ID 100, and the other two entries have sequence ID 110 and 120.

The following is an example of an ACL with three entries:

--{ candidate shared default }--[ acl ]—
# info ipv4-filter ip_tcp
 ipv4-filter ip_tcp {
        entry 123 {
            action {
                drop {
                    log true
                }
            }
            match {
                destination-address 1.1.2.1/24
            }
        }
        entry 124 {
            action {
                accept {
                    log true
                }
            }
            match {
                destination-address 1.1.3.1/24
            }
        }
        entry 301 {
            action {
                drop {
                }
            }
            match {
                destination-address 1.1.4.1/24
            }
        }

To resequence the entries in the ACL so that the first entry has sequence ID 100, and the next two entries are incremented by 10, enter the context for the ACL, issue the tools resequence command, then specify the initial sequence ID and the increment for the subsequent entries. For example:

--{ candidate shared default }--[  ]--
# acl ipv4-filter ip_tcp
--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# tools resequence start 100 increment 10

After you enter the command, the ACL entries are renumbered. For example:

--{ candidate shared default }--[ acl ]—
# info ipv4-filter ip_tcp
 ipv4-filter ip_tcp {
        entry 100 {
            action {
                drop {
                    log true
                }
            }
            match {
                destination-address 1.1.2.1/24
            }
        }
        entry 110 {
            action {
                accept {
                    log true
                }
            }
            match {
                destination-address 1.1.3.1/24
            }
        }
        entry 120 {
            action {
                drop {
                }
            }
            match {
                destination-address 1.1.4.1/24
            }
        }

The resequence command is only available inside an ACL configuration context, and it only applies to the entries of the ACL associated with that context.

Packet capture filters

For troubleshooting purposes, the SR Linux supports ACL policies called packet capture filters. When an ingress IP packet on any line card transits through the router, and it matches a rule in a capture-filter policy, it is copied and extracted toward the CPM (using the capture-filter extraction queue) and delivered to a Linux virtual Ethernet interface, so that it can be displayed by tcpdump (or similar packet capture utility), or encapsulated and forwarded to a remote monitoring system.

Similarly, when an ingress IP packet on any line card terminates locally, and it matches a rule of a capture-filter policy, it is extracted toward the CPM (using the normal protocol-based extraction queue), and a header field indicates to the CPM to replicate it (after running the CPM-filter rules) toward the Linux virtual Ethernet interface.

There is one capture-filter for IPv4 traffic and another capture-filter for IPv6 traffic. The default IPv4 capture-filter policy copies no IPv4 packets and the default IPv6 capture-filter copies no IPv6 packets.

The entries for each capture-filter are installed on every line card. On the line card, the entries are evaluated after the input subinterface ACLs and before the CPM-filter ACLs. On the CPM, the entries in the capture-filter policy are evaluated after the CPM-filter entries.

When a capture-filter ACL is created, its rules are evaluated against all transit and terminating IPv4 or IPv6 traffic that is arriving on any subinterface of the router, regardless of where that traffic entered in terms of network-instance, subinterface, linecard, pipeline, and so on. Note that capture-filter ACL rules cannot override interface filter or system-filter ACL drop outcomes; packets dropped by interface filter ACLs or a system filter ACL cannot be mirrored to the control plane.

Each capture-filter entry has a set of zero or more match conditions, and one of two possible actions: accept and copy. The match conditions are the same as the other filter types. The accept action passes the matching packet to the next stage of processing, without creating a copy. The copy action creates a copy of the matching packet, extracts it toward the CPM and delivers it to the designated virtual Ethernet interface.

Control plane module (CPM) filters

For control plane protection, SR Linux supports ACL policies called CPM filters. There is one CPM filter for IPv4 traffic and another CPM filter for IPv6 traffic. When an ingress IP packet is matched by a CPM filter rule, and it is a terminating packet (that is, it must be extracted to the CPM), then it is processed according to the matching CPM filter rule.

The entries for each CPM filter are installed on every line card. They are evaluated after the input subinterface ACLs and after the capture-filter ACLs. CPM filter rules have no effect on locally originating traffic or transit traffic, and they have no interaction with output subinterface ACLs.

When a CPM filter ACL is created, its rules are evaluated against all IPv4 or IPv6 traffic that is locally terminating on the router, regardless of where that traffic entered in terms of network-instance, subinterface, linecard, pipeline, and so on.

On 7250 IXR systems, for traffic terminating on the CPM of the router, the following secondary actions are supported for ACL entries where accept is the primary action:

  • distributed-policer – If the packet is extracted to the CPM, feed the packet to a hardware-based policer, which determines if the packet should be queued by the line card toward the CPM or dropped because a bit-per-second rate is exceeded.

  • system-cpu-policer – If the packet has been extracted to the CPM, feed the packet to a software-based policer, which determines if the packet should be delivered to the CPM application or dropped because a packet-per-second rate is exceeded.

On 7220 IXR-D1, D2, D3, and D5 systems, CPM filter ACLs support the following actions:

  • accept – Allow the packet through to the next processing function.

  • accept and distributed-policer – The packet is allowed through to the next processing function and rate limited by a policer instance implemented by the 7220 IXR-D2 and D3.

  • accept and system-cpu-policer – The packet is allowed through to the next processing function and rate limited by a policer instance implemented by XDP-CPM.

  • drop – Discard the packet without ICMP generation.

  • drop and log – Discard the packet without ICMP generation and send information about the dropped packet to the log application.

The system-cpu-policer and distributed-policer actions police terminating traffic to ensure that the rate does not exceed a safe limit.

The system-cpu-policer action applies an aggregate rate limit, regardless of ingress line card, while the distributed-policer action applies a rate limit to the extracted traffic from each core (7250 IXR) or complex (7220 IXR) associated with the ingress port. You can have both types of policer actions in the same CPM filter entry, or only one of them.

CPM filter rules that apply a system-cpu-policer or distributed-policer action do not directly specify the policer parameters; they refer to a generically defined policer. This allows different CPM filter entries, even across multiple ACLs, to use the same policer. Optionally, each policer can be configured as entry-specific, which means a different policer instance is used by each referring filter entry, even if they are part of the same ACL.

System filters

A system filter ACL is an IPv4 or IPv6 ACL that evaluates ingress traffic before all other ACL rules. If an IP packet is dropped by a system filter rule, it is the final disposition of the packet; neither a capture-filter copy/accept action, nor an ingress interface ACL accept action, nor a CPM-filter accept action can override the drop action of a system filter.

At most one system filter can be defined for IPv4 traffic, and at most one system filter can be defined for IPv6 traffic. System filter ACLs are supported on 7220 IXR-D1, D2, and D3 systems only. They can be applied only at ingress, not egress.

When a system-filter ACL is created, its rules are automatically installed everywhere, meaning they are evaluated against all transit and terminating IPv4 or IPv6 traffic arriving on any subinterface of the router, regardless of where that traffic entered in terms of network-instance, subinterface, pipeline, and so on.

A system filter is the only type of filter that can match the outer header of tunneled packets. For VXLAN traffic, this allows you to configure a system filter that matches and drops unauthorized VXLAN tunnel packets before they are decapsulated. The system filter matches the outer header of tunneled packets; they do not filter the payload of VXLAN tunnels.

Creating a system filter

The following is an example of a system filter ACL that filters IPv4 traffic. When the system filter is applied, it evaluates all transit and terminating IPv4 arriving on any subinterface of the router. The system filter ACL evaluates the traffic before any other ACL filters. System filter ACLs can be configured on 7220 IXR-D1, D2, and D3 systems only.

--{ * candidate shared default }--[  ]--
# info acl system-filter
 acl
    system-filter {
        ipv4-filter {
            entry 44 {
                action {
                    drop {
                        log true
                    }
                }
                match {
                    source-ip {
                        address 100.1.5.1
                        mask 0.0.0.255
                    }
                }
            }
        }
    }

Configuring logging for ACLs

You can configure the SR Linux to log information about packets that match an ACL entry in the system log.

You can set thresholds for ACL or TCAM resource usage. When utilization of a specified resource reaches the threshold in either the rising or falling direction, it can trigger a log message.

Enabling syslog for the ACL subsystem

If you set the log parameter to true for the accept or drop action in an ACL entry, information about packets that match the ACL entry is recorded in the system log. You can specify settings for the log file for the ACL subsystem, including the location of the log file, maximum log file size, and the number of log files to keep.

For example, the following configuration specifies that the log file for the ACL subsystem be stored in the file dut1_file, located in the /opt/srlinux/bin/logs/srbase directory. The log file can be a maximum of 1 Mb. When the log file reaches this size, it is renamed using dut1_file as its base name. The five most recent log files are kept.

--{ candidate shared default }--[  ]--
# system
--{ candidate shared default }--[ system ]--
# info logging file dut1_file
logging {
        file dut1_file {
            directory /opt/srlinux/bin/logs/srbase/
            rotate 5
            size 1M
            subsystem acl {
            }
        }
}

Ensure that write permission is set for the specified directory path.

Syslog entry examples

The following are examples of syslog entries for ACLs.

IPv4 Accept:

acl||I Type: Ingress IPv4 Filter: testing Sequence Id: 100 Action: Accept Interface: ethernet-1/16:1 Packet length: 56 IP Source: 100.1.5.1 Destination: 100.1.3.1 Protocol: 6 TCP Source port: 6722 Destination Port: 6789 Flags: SYN

IPv4 Drop:

acl||I Type: Ingress IPv4 Filter: test Sequence Id: 65535 Action: Drop Interface: ethernet-1/16:1 Packet length: 44 IP Source: 100.3.2.3 Destination: 100.1.3.1 Protocol: 17 UDP Source port: 6722 Destination Port: 6789

IPv6 Accept:

acl||I Type: Ingress IPv6 Filter: tests Sequence Id: 1000 Action: Accept Interface: ethernet-1/16:1 Packet length: 76 IP Source: 2001:10:1:5::1 Destination: 2001:10:1:3::1 Protocol: 6 TCP Source port: 6722 Destination Port: 6789 Flags: SYN

Logging ACL resource usage

You can set thresholds for ACL resource usage. When utilization of a specified ACL resource, such as input IPv4 filter instances, reaches the threshold in either the rising or falling direction, it can trigger a log message.

The following example sets thresholds for resource usage by input IPv4 filter instances. If the resource usage percentage falls below the falling-threshold-log value, a log message of priority notice is generated. If the resource usage percentage falls below the rising-threshold-log value, a log message of priority warning is generated.

--{ * candidate shared default }--[  ]--
# info platform resource-monitoring
    platform {
        resource-monitoring {
            acl {
                resource input-ipv4-filter-instances {
                    rising-threshold-log 90
                    falling-threshold-log 90
                }
            }
        }
    }

Logging TCAM resource usage

You can set thresholds for Ternary Content Addressable Memory (TCAM) resource usage. When utilization of a specified TCAM resource, such as TCAM used by IPv4 CPM filters, reaches the threshold in either the rising or falling direction, it can trigger a log message.

The following example sets thresholds for TCAM resource usage by IPv4 CPM filters. If the resource usage percentage falls below the falling-threshold-log value, a log message of priority notice is generated. If the resource usage percentage falls below the rising-threshold-log value, a log message of priority warning is generated.

--{ * candidate shared default }--[  ]--
# info platform resource-monitoring
    platform {
        resource-monitoring {
            tcam {
                resource cpm-capture-ipv4 {
                    rising-threshold-log 90
                    falling-threshold-log 90
                }
            }
        }
    }

Collecting and displaying ACL statistics

The SR Linux can collect statistics for packets matching an ACL and display statistics for the matched packets. You can display the amount of system resources (TCAM) used by each type of ACL on each line card. ACL statistics can also be displayed using show commands.

Collecting ACL statistics

You can configure an ACL to collect statistics for packets matching the ACL. Statistics can be collected for packets that match each ACL entry, as well as for matching input/output traffic per subinterface.

The following example configures the ACL to record the number of matching packets for each entry:

--{ candidate shared default }--[ acl ]-- 
# ipv4-filter ip_tcp
--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# statistics-per-entry true

By default, if two or more subinterfaces on the same line card reference the same ACL for filtering the same direction of traffic, they use a shared instance of the same ACL in hardware. This means that per-entry statistics (including the number of matched packets and the time stamp of the last matching packet), if enabled, reflect the aggregate of the data gathered for the multiple subinterfaces.

To collect per-entry, per-subinterface statistics, instead of the aggregate of the subinterfaces where the ACL is applied, you can configure an ACL to operate in subinterface-specific mode.

If you change an ACL from subinterface-specific mode to shared mode, or the other way around, during the transition from one mode to the next, traffic continues to be subject to the previous mode until the system resources (TCAM) entries are programmed for the new mode.

The following example configures the ACL to collect statistics for matching packets inbound and outbound on each subinterface:

--{ candidate shared default }--[ acl ]-- 
# ipv4-filter ip_tcp
--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# subinterface-specific input-and-output

You can configure the following values for the subinterface-specific parameter:

  • disabled (the default) – All subinterfaces on a single line card that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single line card that reference the ACL as an output ACL use a shared filter instance.

  • input-only – All subinterfaces on a single line card that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter.

  • output-only – All subinterfaces on a single line card that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter.

  • input-and-output – Each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter.

Displaying ACL statistics

Use the info from state command to display the matched packet statistics and the time of the last match for the interfaces to which the ACL is attached.

In the following example, the ACL is attached to two interfaces, and statistics are collected for each subinterface:

--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# info from state
    subinterface-specific input-and-output
    statistics-per-entry true
    entry 1000 {
        description Match_IP_Address_TCP_Protocol_Ports
        action {
            accept {
                log true
            }
        }
        match {
            destination-address 100.1.3.1/32
            protocol tcp
            source-address 100.1.5.1/32
            destination-port {
                value 6789
            }
            source-port {
                value 6722
            }
        }
        statistics {
            aggregate {
                in-matched-packets 3000
                in-last-match 2019-07-16T10:53:00.1563Z
                out-matched-packets 0
            }
            per-interface {
                subinterface ethernet-1/16.1 {
                    in-matched-packets 3000
                    in-last-match 2019-07-16T10:53:00.1563Z
                }
            }
        }
    }
    entry 65535 {
        action {
            drop {
                log true
            }
        }
        statistics {
            aggregate {
                in-matched-packets 1000
                in-last-match 2019-07-16T10:53:30.1563Z
            }
            per-interface {
                subinterface ethernet-1/16.1 {
                    in-matched-packets 1000
                    in-last-match 2019-07-16T10:53:30.1563Z
                }
            }
        }
    }

If the match criteria changes for an ACL entry, the statistics counter does not reset to zero. To reset the statistics counter for an ACL entry to zero, use the tools acl clear command, as described in Clearing ACL statistics.

Displaying ACL resource usage

Use the info from state platform command to display the amount of system resources (TCAM) used by each type of ACL on each line card.

The following example shows two different numbers for the remaining (free) TCAM entry resources that are available for input IPv4 ACLs on the line card. The free-static value refers to the available number of resources assuming no additional TCAM banks are dynamically assigned to the ACL type. The free-dynamic value refers to the available number of resources assuming all unallocated TCAM banks are dedicated to the specified ACL type.

--{ candidate shared default }--[  ]--
# info from state platform linecard 1 forwarding-complex 0 tcam resource if-input-ipv4
    platform {
        linecard 1 {
            forwarding-complex 0 {
                tcam {
                    resource if-input-ipv4 {
                        free-static 2046
                        free-dynamic 18430
                        reserved 2
                        programmed 2
                    }
                }
            }
        }
    }

The following example shows the amount of system resources allocated to input IPv4 ACLs on the line card and how much is used and free:

--{ candidate shared default }--[  ]--
# info from state platform linecard 1 forwarding-complex 0 acl resource input-ipv4-filter-instances
    platform {
        linecard 1 {
            forwarding-complex 0 {
                acl {
                    resource input-ipv4-filter-instances {
                        used 1
                        free 254
                    }
                }
            }
        }
    }

Clearing ACL statistics

To reset ACL statistics counters to zero, use the tools acl clear command. This command can clear statistics at the IPv4 / IPv6 / CPM filter level, ACL entry level, or for an interface or subinterface to which the ACL is attached.

The following example clears statistics for an IPv4 filter:

--{ candidate shared default }--[ acl ]-- 
# tools acl ipv4-filter tcp_ip clear

After this command is executed, the info from state output for the IPv4 filter includes a timestamp indicating when the statistics were cleared. For example:

--{ candidate shared default }--[ acl ipv4-filter tcp_ip ]-- 
# info from state 
    subinterface-specific output-only
    statistics-per-entry true
    entry 1000 {
        description Match_IP_Address_TCP_Protocol_Ports
        action {
            accept {
                log true
            }
        }
        match {
            destination-address 100.1.3.1/32
            protocol tcp
            source-address 100.1.5.1/32
            destination-port {
                value 6789
            }
            source-port {
                value 6722
            }
        }
        statistics {
            last-clear 2019-10-03T13:53:51.000Z
        }
    }

The following example clears statistics for a specific entry in the IPv4 filter:

--{ candidate shared default }--[ acl ]-- 
# tools acl ipv4-filter tcp_ip entry 1000 statistics clear

The following example clears statistics for a specified subinterface for a specified entry in the IPv4 filter:

--{ candidate shared default }--[ acl ]-- 
# tools acl ipv4-filter tcp_ip entry 1000 statistics per-interface subinterface 1 clear

Displaying ACL statistics using show commands

You can display ACL statistics using relevant show commands.

To display information about all active ACLs, use the show acl summary command. For example:

# show acl summary
--------------------------------------------------------------------------------
IPv4 Filter ACLs
--------------------------------------------------------------------------------
Filter : ip_tcp
Active on : 1 subinterfaces (input) and 0 subinterfaces (output)
Entries : 2
--------------------------------------------------------------------------------
IPv6 Filter ACLs
--------------------------------------------------------------------------------
Filter : ipv6_tcp
Active on : 1 subinterfaces (input) and 0 subinterfaces (output)
Entries : 1
--------------------------------------------------------------------------------

You can display statistics for a specific ACL, including how many times each ACL entry was matched on all subinterfaces to which the ACL was applied. For example:

--{ candidate shared default }--[  ]--
# show acl ipv4-filter ip_tcp
====================================================================================
Filter        : ip_tcp
SubIf-Specific: input-and-output
Entry-stats   : yes
Entries       : 2
------------------------------------------------------------------------------------
 Subinterface     Input   Output
ethernet-1/16.1   yes     no    
------------------------------------------------------------------------------------
Entry 1000
  Match               : protocol=tcp, 100.1.5.1/32(6722-6722)->100.1.3.1/32(6789-
6789)
  Action              : accept
  Input Match Packets : 3000
  Input Last Match    : 18 seconds ago
  Output Match Packets: 0
  Output Last Match   : never
Entry 65535
  Match               : protocol=<undefined>, any(*)->any(*)
  Action              : drop
  Input Match Packets : 1000
  Input Last Match    : 6 minutes ago
  Output Match Packets: 0
  Output Last Match   : never

To display per-interface statistics for packets matching each ACL entry, specify the interface name in addition to the ACL name. For example:

--{ candidate shared default }--[  ]--
# show acl ipv4-filter ip_tcp interface ethernet-1/16
====================================================================================
Filter        : ip_tcp
SubIf-Specific: input-and-output
Entry-stats   : yes
Entries       : 2
------------------------------------------------------------------------------------
 Subinterface     Input   Output
ethernet-1/16.1   yes     no    
------------------------------------------------------------------------------------
Entry 1000
  Match               : protocol=tcp, 100.1.5.1/32(6722-6722)->100.1.3.1/32(6789-
6789)
  Action              : accept
  Input Match Packets : 3000
  Input Last Match    : 5 minutes ago
  Output Match Packets: 0
  Output Last Match   : never
Entry 65535
  Match               : protocol=<undefined>, any(*)->any(*)
  Action              : drop
  Input Match Packets : 1000
  Input Last Match    : 10 minutes ago
  Output Match Packets: 0
  Output Last Match   : never

To display statistics for packets matching a CPM filter, specify the CPM filter type (IPv4 or IPv6). For example:

--{ candidate shared default }--[  ]--
# show acl cpm-filter ipv4-filter
================================================================================
Filter     : CPM IPv4-filter
Entry-stats: no
Entries    : 1
--------------------------------------------------------------------------------
Entry 1001
  Match          : protocol=<undefined>, any(*)->1.1.2.1/24(*)
  Action         : none
  Matched Packets: 0
--------------------------------------------------------------------------------