Access control lists
An Access Control List, or ACL, is an ordered set of rules that are evaluated on a packet-by-packet basis to determine whether access should be provided to a specific resource. ACLs can be used to drop unauthorized or suspicious packets from entering or leaving a routing device via specified interfaces.
An ACL filter is applied to a selected set of traffic contexts. A traffic context could be all the IPv4 or IPv6 packets arriving or leaving on a specific subinterface, or the out-of-band IP traffic arriving on a management interface, or all the in-band IPv4 or IPv6 packets that are locally terminating on the CPM of the router.
Each ACL filter rule, or entry, has a sequence ID. The ACL evaluates packets starting with the entry with the lowest sequence ID, progressing to the entry with the highest sequence ID. Evaluation stops at the first matching entry (that is, when the packet matches all of the conditions specified by the ACL entry).
SR Linux uses a common
acl-filter object model to define
ACLs by name and type for MAC, IPv4, and IPv6
traffic.
IPv4/IPv6 ACLs
SR Linux supports acl-filter
objects of type ipv4 and
ipv6 for the following
applications:
-
Interface filters
An interface filter is an IPv4 or IPv6 ACL that is applied to a routed or bridged subinterface to restrict traffic allowed to enter or exit the subinterface. An interface ACL can be applied to input or output traffic for one or more subinterfaces.
See Interface filters for more information.
-
CPM filters
A CPM filter is an IPv4 or IPv6 ACL used for control plane protection. There is one CPM filter for IPv4 traffic and another CPM filter for IPv6 traffic. When an ingress IP packet is matched by a CPM filter rule, and it is a terminating packet (that is, it must be extracted to the CPM), then it is processed according to the matching CPM filter rule.
See Control plane module (CPM) filters for more information.
-
Packet capture filters
A packet capture filter is an IPv4 or IPv6 ACL used to extract packets to the control plane for inspection by packet capture tools. When an ingress IP packet on any line card transits through the router, and it matches a rule in a packet capture filter policy, it is copied and extracted toward the CPM and delivered to a Linux virtual Ethernet interface so that it can be displayed by a packet capture utility, or encapsulated and forwarded to a remote monitoring system.
The
acl-filternamecaptureis reserved for packet capture filters.See Packet capture filters for more information.
-
System filters (7220 IXR-D1/D2/D3/D4/D5 systems only)
A system filter ACL is an IPv4 or IPv6 ACL that is evaluated early in the ingress pipeline, at a stage before tunnel termination occurs and before interface filters are run. For VXLAN traffic, system filters can match and drop unauthorized VXLAN tunnel packets before they are decapsulated, based on information in the outer header.
The
acl-filternamesystemis reserved for system filters.See System filters for more information.
MAC ACLs
SR Linux supports a Layer 2 traffic
acl-filter object of type
mac for the following
applications:
-
Interface MAC filters
An interface MAC filter is a Layer 2 ACL that is applied to a routed or bridged subinterface to restrict the Ethernet frames allowed to enter or exit from that subinterface. An interface MAC filter can match Ethernet frames carrying an IP or non-IP payload and can be applied to the input or output traffic of one or more subinterfaces.
See Interface filters for more information.
-
CPM filter MAC ACLs
A CPM filter MAC ACL is used for control plane protection. When a CPM filter MAC ACL is created, its rules are automatically evaluated against all non-IP traffic that is extracted to the CPM as a result of a match with an extraction rule (for example, a match of a specific well-known MAC DA value). This is regardless of whether the traffic entered from of network instance, subinterface, TD3 pipeline, and so on.
See Control plane module (CPM) filters for more information.
MAC ACLs are not supported on 7730 SXR systems.
ACL actions
When a packet matches an ACL entry, an action specified by the ACL entry is applied to the packet.
For traffic transiting through the router, ACL entries support the following actions:
accept – Allow the packet through to the next processing function.
drop – Discard the packet without ICMP generation.
-
log – Send information about the packet to the log application.
-
rate-limit policer – The packet is allowed through to the next processing function and rate-limited by a policer instance.
For traffic terminating on the CPM of the router, the following additional action is supported:
rate-limit system-cpu-policer – If the packet has been extracted to the CPM, feed the packet to a software-based policer, which determines if the packet should be delivered to the CPM application or dropped because a packet-per-second rate is exceeded.
On 7730 SXR systems, the following additional actions are supported:
-
forward next-hop – Forward the packet to a specified next-hop address.
-
forwarding-class – Assign the packet to a QoS forwarding class
-
profile – Assign a QoS profile to the packet
-
collect-stats – Record statistics for matching packets at the filter-entry level. Statistics are aggregated for all subinterfaces using the same filter entry. Statistics for matching input and output packets are recorded separately .
If a packet matches an ACL entry, no further evaluation is done for the packet. If the packet does not match any ACL entry, the default action is accept. To drop traffic that does not match any ACL entry, you can optionally configure an entry with the highest sequence ID in the ACL to drop all traffic. This causes traffic that does not match any of the lower-sequence ACL entries to be dropped.
The supported actions for each type of ACL differ based on the hardware platform where the ACL is configured. The following tables indicate which actions are supported for each ACL filter type for each hardware platform.
Supported ACL actions for 7730 SXR systems
The following table lists the supported actions for each ACL filter type on 7730 SXR systems.
|
ACL filter type |
Action |
Supported? |
|---|---|---|
|
IPv4/IPv6 Interface filter (input) |
accept |
Yes |
|
log |
No |
|
| rate-limit policer |
Yes |
|
|
forward next-hop |
Yes |
|
|
forwarding-class |
Yes |
|
|
profile |
Yes |
|
|
drop |
Yes |
|
|
collect-stats |
Yes |
|
|
IPv4/IPv6 Interface filter (output) |
accept |
Yes |
|
log |
No |
|
|
rate-limit policer |
Yes |
|
|
forward next-hop |
No |
|
|
forwarding-class |
Yes |
|
|
profile |
Yes |
|
|
drop |
Yes |
|
|
collect-stats |
Yes |
|
|
IPv4/IPv6 CPM filter |
accept |
Yes |
|
log |
No |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
collect-stats |
Yes |
|
|
Packet capture filter |
accept |
No |
|
copy |
No |
|
|
System filter |
accept |
No |
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (input) |
accept |
No |
| accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (output) |
accept |
No |
|
accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
CPM filter MAC ACL |
accept |
No |
|
accept + log |
No |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
No |
|
|
drop |
No |
|
|
drop + log |
No |
Supported ACL actions for 7250 IXR systems
The following table lists the supported actions for each ACL filter type on 7250 IXR systems.
|
ACL filter type |
Action |
Supported? |
|---|---|---|
|
IPv4/IPv6 Interface filter (input) |
accept |
Yes |
|
accept + log |
Yes | |
|
drop |
Yes |
|
|
drop + log |
Yes | |
|
IPv4/IPv6 Interface filter (output) |
accept |
Yes |
|
accept + log |
Yes | |
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
IPv4/IPv6 CPM filter |
accept |
Yes |
|
accept + log |
Yes |
|
| accept + rate-limit policer |
Yes |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Packet capture filter |
accept |
Yes |
|
copy |
Yes |
|
|
System filter |
accept |
No |
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (input) |
accept |
No |
| accept + log | No | |
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (output) |
accept |
No |
|
accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
CPM filter MAC ACL |
accept |
No |
|
accept + log |
No |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
No |
|
|
drop |
No |
|
|
drop + log |
No |
Supported ACL actions for 7220 IXR-D1/D2/D3 systems
The following table lists the supported actions for each ACL filter type on 7220 IXR-D1, D2, and D3 systems.
|
ACL filter type |
Action |
Supported? |
|---|---|---|
|
IPv4/IPv6 Interface filter (input) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
accept + rate-limit policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes | |
|
IPv4/IPv6 Interface filter (output) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
accept + rate-limit policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
IPv4/IPv6 CPM filter |
accept |
Yes |
|
accept + log |
No log generated |
|
| accept + rate-limit policer |
Yes |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Packet capture filter |
accept |
Yes |
|
copy |
Yes |
|
|
System filter |
accept |
Yes |
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Interface MAC filter (input) |
accept |
Yes |
| accept + log |
No log generated |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Interface MAC filter (output) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
CPM filter MAC ACL |
accept |
Yes |
|
accept + log |
No log generated |
|
| accept + rate-limit policer |
Yes |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
Supported ACL actions for 7220 IXR-D4/D5 systems
The following table lists the supported actions for each ACL filter type on 7220 IXR-D4 and D5 systems.
|
ACL filter type |
Action |
Supported? |
|---|---|---|
|
IPv4/IPv6 Interface filter (input) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
accept + rate-limit policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes | |
|
IPv4/IPv6 Interface filter (output) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
accept + rate-limit policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
IPv4/IPv6 CPM filter |
accept |
Yes |
|
accept + log |
No log generated |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
Packet capture filter |
accept |
Yes |
|
copy |
Yes |
|
|
System filter |
accept |
Yes |
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Interface MAC filter (input) |
accept |
Yes |
| accept + log |
No log generated |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Interface MAC filter (output) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
CPM filter MAC ACL |
accept |
Yes |
|
accept + log |
No log generated |
|
| accept + rate-limit policer |
Yes |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
Supported ACL actions for 7220 IXR-H systems
The following table lists the supported actions for each ACL filter type on 7220 IXR-H2, H3, and H4 systems.
|
ACL filter type |
Action |
Supported? |
|---|---|---|
|
IPv4/IPv6 Interface filter (input) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
accept + rate-limit policer |
Yes (7220 IXR-H4 only) | |
|
drop |
Yes |
|
|
drop + log |
Yes | |
|
IPv4/IPv6 Interface filter (output) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
IPv4/IPv6 CPM filter |
accept |
Yes |
|
accept + log |
No log generated |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
No log generated |
|
|
Packet capture filter |
accept |
Yes |
|
copy |
Yes |
|
|
System filter |
accept |
No |
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (input) |
accept |
No |
| accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (output) |
accept |
No |
|
accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
CPM filter MAC ACL |
accept |
No |
|
accept + log |
No |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
No |
|
|
drop |
No |
|
|
drop + log |
No |
Supported ACL actions for 7215 IXS systems
The following table lists the supported actions for each ACL filter type on 7215 IXS systems.
|
ACL filter type |
Action |
Supported? |
|---|---|---|
|
IPv4/IPv6 Interface filter (input) |
accept |
Yes |
|
accept + log |
No log generated |
|
|
drop |
Yes |
|
|
drop + log |
Yes | |
|
IPv4/IPv6 Interface filter (output) |
accept |
No |
|
accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
IPv4/IPv6 CPM filter |
accept |
Yes |
|
accept + log |
No log generated |
|
| accept + rate-limit policer |
Yes |
|
| accept + rate-limit system-cpu-policer |
Yes |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Packet capture filter |
accept |
Yes |
|
copy |
Yes |
|
|
System filter |
accept |
No |
|
drop |
No |
|
|
drop + log |
No |
|
|
Interface MAC filter (input) |
accept |
Yes |
| accept + log |
No |
|
|
drop |
Yes |
|
|
drop + log |
Yes |
|
|
Interface MAC filter (output) |
accept |
No |
|
accept + log |
No |
|
|
drop |
No |
|
|
drop + log |
No |
|
|
CPM filter MAC ACL |
accept |
No |
|
accept + log |
No |
|
| accept + rate-limit policer |
No |
|
| accept + rate-limit system-cpu-policer |
No |
|
|
drop |
No |
|
|
drop + log |
No |
ACL match conditions
You can specify the following match conditions in IPv4, IPv6, and MAC ACLs.
Match conditions for IPv4 ACLs
IPv4 ACLs analyze IPv4 packets. The following match criteria are supported by IPv4 ACLs:
-
IPv4 destination prefix and prefix-length
-
IPv4 destination address and address-mask
-
TCP/UDP destination port (range)
-
ICMP type/code
-
IP protocol number
-
IPv4 source prefix and prefix-length
-
IPv4 source address and address-mask
-
TCP/UDP source port (range)
-
TCP flags: RST, SYN, and ACK
-
Packet fragmentation: whether the packet is a fragment
-
Packet fragmentation: whether the packet is a first-fragment (fragment-offset=0 and more-fragments=1)
-
IP DSCP
-
IPv4 source prefix list
-
IPv4 destination prefix list
-
Network-instance for CPM filters (7730 SXR systems)
Match conditions for IPv6 ACLs
IPv6 ACLs analyze IPv6 packets. The following match criteria are supported by IPv6 ACLs:
-
IPv6 destination prefix and prefix-length
-
IPv6 destination address and address-mask
-
TCP/UDP destination port (range)
-
ICMPv6 type/code
-
IPv6 next-header value. This is the value in the very first next-header field, in the fixed header.
-
IPv6 source prefix and prefix-length
-
IPv6 source address and address-mask
-
TCP/UDP source port (range)
-
TCP flags: RST, SYN, and ACK
-
IP DSCP
-
IPv6 source prefix list
-
IPv6 destination prefix list
-
Network-instance for CPM filters (7730 SXR systems)
Match conditions for MAC ACLs
-
MAC destination address with configurable address mask
-
MAC source address match with configurable address mask
-
outermost VLAN ID (single VLAN ID value or one contiguous VLAN ID range)
-
Ethertype number after the last 802.1Q VLAN tag (if any), specified as a number (0x0600-0xFFFF) or a well-known name
Interface filters
An interface filter is an IPv4/IPv6 or MAC ACL that restricts traffic allowed to enter or exit a subinterface.
IPv4/IPv6 interface filters
IPv4 and IPv6 ACLs can be applied to a subinterface to restrict IP traffic entering or exiting that subinterface, as follows:
-
Input IPv4 ACLs – When an IPv4 filter is used as an input ACL on a subinterface that carries IPv4 traffic, the rules apply to native IPv4 packets (ethertype 0x0800) that enter the subinterface and would normally terminate locally (control/management plane packets) or transit through the router.
The rules also apply to MPLS-encapsulated IPv4 packets (ethertype 0x8847) that are terminating or transit.
-
Input IPv6 ACLs – When an IPv6 filter is used as an input ACL on a subinterface that carries IPv6 traffic, the rules apply to native IPv6 packets (ethertype 0x86DD) that enter the subinterface and would normally terminate locally (control/management plane packets) or transit through the router.
The rules also apply to MPLS-encapsulated IPv6 packets (ethertype 0x8847) that are terminating or transit.
-
Output IPv4 ACLs – When an IPv4 filter is used as an output ACL on a subinterface that carries IPv4 traffic, the rules apply to native IPv4 packets (ethertype 0x0800) that exit the subinterface, including packets that originated locally (control/management plane packets) and packets that transited through the router.
The rules do not apply to MPLS-encapsulated IPv4 packets (ethertype 0x8847) exiting the subinterface.
-
Output IPv6 ACLs – When an IPv6 filter is used as an output ACL on a subinterface that carries IPv6 traffic, the rules apply to native IPv6 packets (ethertype 0x86DD) that exit the subinterface, including packets that originated locally (control/management plane packets) and packets that transited through the router.
The rules do not apply to MPLS-encapsulated IPv6 packets (ethertype 0x8847) exiting the subinterface.
MAC interface filters
A MAC interface filter is a Layer 2 ACL that can be applied to a routed or bridged subinterface to restrict the Ethernet frames allowed to enter or exit that subinterface. An interface MAC ACL can match Ethernet frames carrying an IP or non-IP payload.
For a specific direction of traffic (input or output), a routed or
bridged subinterface of an Ethernet port or LAG can have
either a MAC interface ACL or an IPv4/IPv6 interface ACL
applied, but not both at the same time. This restriction
also applies to subinterfaces of the mgmt0
management interface.
| Subinterface type | MAC ACL traffic type | Rules |
|---|---|---|
| Routed | Input | Rules apply to all Ethernet frames matched by the subinterface encapsulation, even if they contain an IP or MPLS-IP payload. |
| Output | Rules apply to all Ethernet frames egressing the subinterface except VXLAN-encapsulated packets and MPLS-encapsulated packets. | |
| Bridged | Input | Rules apply to all Ethernet frames matched by the subinterface encapsulation, even if they contain an IP or MPLS-IP payload, and regardless of whether they are switched or forwarded to the IRB. However, if the IRB also has an input IPv4/IPv6 ACL applied to it, the IRB action takes priority over the bridged subinterface MAC ACL action. |
| Output | Rules apply to all Ethernet frames egressing the subinterface except frames routed from the IRB subinterface. |
MAC ACLs are not supported on IRB subinterfaces or loopback or
system0 subinterfaces.
MAC ACLs are not supported on 7730 SXR systems.
Creating an IPv4 ACL
To configure an IPv4 ACL filter, you create an acl-filter of type
ipv4 and specify one or more entries consisting of match
conditions and the action to take for IPv4 traffic that matches the conditions.
Accept IPv4 traffic matching specified IP address and source/destination port
The following is an example IPv4 ACL that has one entry. This example creates an IPv4 ACL named
ip_tcp. Within the ip_tcp ACL, an entry with
sequence ID 1000 is configured. The action is specified as accept,
with logging set to true.
The filter matches packets with IP destination address 10.1.3.1/32; for TCP traffic, if the source address 10.1.5.1/32, destination port 6789, and source port 6722 matches the filter, the traffic stream is accepted.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter ip_tcp type ipv4 {
entry 1000 {
description "Match IP Address TCP Protocol Ports"
match {
ipv4 {
protocol tcp
destination-ip {
prefix 10.1.3.1/32
}
source-ip {
prefix 10.1.5.1/32
}
}
transport {
destination-port {
value 6789
}
source-port {
value 6722
}
}
}
action {
log true
accept {
}
}
}
}
}Drop all matching traffic
The following is an example of an entry added to the ip_tcp ACL that
causes all traffic to be dropped. Because it has the highest sequence ID, traffic
that matches any of the lower-sequenced ACL entries would have been accepted before
being evaluated by this entry. Only traffic that did not match any of the other ACL
entries would be dropped by this entry.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter ip_tcp type ipv4 {
entry 65535 {
action {
log true
drop {
}
}
}
}
}Note that the drop action with logging set to true is not
supported on 7220 IXR-Dx, 7220 IXR-Hx, and 7215 IXS-A1 systems when it is attached
as an egress filter.
Match based on IPv4 address and mask
The following example uses an address mask to specify the source IPv4 address. The address mask, entered in IPv4 address format such as 0.0.0.255, indicates the bit values that must be matched exactly (0 in the mask) and the bit values that act as a wildcard (255 in the mask).
In the example, the match condition is address 10.10.10.0 and
mask 0.0.0.255. This is the equivalent of configuring the match
condition prefix 10.10.10.0/24.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter ip_tcp type ipv4 {
entry 1 {
match {
ipv4 {
destination-ip {
address 10.10.10.0
mask 0.0.0.255
}
}
}
action {
log true
drop {
}
}
}
}
}Match based on IPv4 prefix list
The following example matches based on the IPv4 prefixes configured in a prefix list.
In this example, an IPv4 prefix list p1 is configured under
match-list. This IPv4 prefix list is specified as the source IP
match condition in an ACL filter entry. If the source address of a packet matches
one of the prefixes in the list, the packet is dropped.
--{ * candidate shared default }--[ ]--
# info acl match-list ipv4-prefix-list pl1
acl {
match-list {
ipv4-prefix-list pl1 {
description "IPv4 prefix match list"
prefix 10.10.0.0/16 {
}
prefix 10.20.0.0/16 {
}
prefix 10.30.0.0/16 {
}
}
}
}--{ +* candidate shared default }--[ ]--
# info acl acl-filter pfilter type ipv4
acl {
acl-filter pfilter type ipv4 {
entry 100 {
match {
ipv4 {
source-ip {
prefix-list pl1 {
}
}
}
}
action {
drop {
}
}
}
}
}Creating an IPv6 ACL
To configure an IPv6 ACL filter, you create an acl-filter of type
ipv6 and specify one or more entries consisting of match
conditions and the action to take for IPv6 traffic that matches the conditions.
Accept IPv6 traffic matching specified conditions
The following is an example IPv6 ACL that has one entry. This example creates an IPv6 ACL named
ipv6_tcp. Within the ipv6_tcp ACL, an entry
with sequence ID 100 is configured. The action is specified as
accept, with logging set to true.
The filter matches packets with IPv6 destination address 2001:db8:1:3::1/120; for TCP traffic, if the source address 2001:db8:1:5::1/120, destination port 6789, and source port 6722 matches the filter, the traffic stream is accepted.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter ipv6_tcp type ipv6 {
entry 100 {
description "Match Dest Address TCP Src Address DP SP"
match {
ipv6 {
next-header tcp
destination-ip {
prefix 2001:db8:1:3::/120
}
source-ip {
prefix 2001:db8:1:5::/120
}
}
transport {
destination-port {
value 6789
}
source-port {
value 6722
}
}
}
action {
log true
accept {
}
}
}
}
}Match based on IPv6 prefix list
The following example matches based on the IPv6 prefixes configured in a prefix list.
In this example, an IPv6 prefix list p2 is configured under
match-list. This IPv6 prefix list is specified as the
destination IP match condition in an ACL filter entry. If the destination address of
a packet matches one of the prefixes in the list, the packet is dropped.
--{ * candidate shared default }--[ ]--
# info acl match-list ipv6-prefix-list p2
acl {
match-list {
ipv6-prefix-list p2 {
prefix 2001:db8:1:3::/120 {
}
prefix 2001:db8:1:5::/120 {
}
prefix 2001:db8:1:7::/120 {
}
}
}
}--{ * candidate shared default }--[ ]--
# info acl acl-filter pfilter2 type ipv6
acl {
acl-filter pfilter2 type ipv6 {
entry 100 {
match {
ipv6 {
destination-ip {
prefix-list p2 {
}
}
}
}
action {
drop {
}
}
}
}
}Creating a MAC ACL
To create a MAC ACL specify statements consisting of match criteria (see Match conditions for MAC ACLs) and actions (see Supported ACL actions for 7220 IXR-D1/D2/D3 systems).
Drop traffic from a source MAC
This example creates a MAC ACL named mac01. Within the mac01
ACL, an entry with sequence ID 100 is configured. The filter matches Ethernet frames
with a source MAC address of 00:00:5E:00:53:01. The action is specified as
drop, with logging set to true.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter mac01 type mac {
entry 100 {
match {
l2 {
source-mac {
address 00:00:5E:00:53:01
}
}
}
action {
log true
drop {
}
}
}
}
}Accept traffic using MAC address mask
The following example uses an address mask to specify the source MAC address. The
address mask, entered in MAC address format such as ff:ff:ff:ff:00:00, indicates the
bit values that must be matched exactly (FF value in the mask) and
the bit values that can be 0 or 1 (00 value in the mask).
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter mac01 type mac {
entry 200 {
match {
l2 {
source-mac {
address 00:00:5E:00:53:01
mask FF:FF:FF:FF:00:00
}
}
}
action {
accept {
}
}
}
}
}Drop traffic of specific Ethertype
The following example drops Ethernet frames with ARP Ethertype (0x0806).
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter mac01 type mac {
entry 300 {
match {
l2 {
ethertype arp
}
}
action {
log true
drop {
}
}
}
}
}Drop traffic with specific outermost VLAN ID
You can configure a specific VLAN ID or range of VLAN IDs as match criteria. The match is based on the outermost VLAN ID of the Ethernet frame. The VLAN ID can be specified as an integer from 0 to 4095 or none. Specifying 0 as the VLAN ID matches priority-tagged frames; specifying none matches untagged frames.
The following example drops Ethernet frames with VLAN ID 4095.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter mac01 type mac {
entry 400 {
match {
l2 {
vlan {
outermost-vlan-id {
value 4095
}
}
}
}
action {
log true
drop {
}
}
}
}
}The following example configures a range of VLAN IDs, 100 to 999 inclusive, as match criteria.
--{ * candidate shared default }--[ ]--
# info acl
acl {
acl-filter mac01 type mac {
entry 500 {
match {
l2 {
vlan {
outermost-vlan-id {
range {
start 100
end 999
}
}
}
}
}
action {
log true
drop {
}
}
}
}
}-
When used in an ingress ACL applied to a routed or bridged subinterface, the VLAN ID is matched before the subinterface-defining VLAN tag (of a single-tagged subinterface) has been removed.
-
When used in an egress ACL applied to a routed subinterface, the VLAN ID is matched after the subinterface-defining VLAN tag (of a single-tagged subinterface) has been added.
-
When used in an egress ACL applied to a bridged subinterface the VLAN ID is matched before the subinterface defining VLAN tag (of a single-tagged subinterface) has been added.
Attaching an ACL to a subinterface
After an ACL is configured, you can attach it to a subinterface so that traffic entering or exiting the subinterface is subject to the rules defined in the ACL. For an interface ACL to have an effect on the system, it must be explicitly applied to the input and, or output traffic of at least one subinterface.
The interface reference (interface-ref) binding to the subinterface
is created as part of the ACL configuration context, along with the
input and output acl-filter attachment.
Attach IPv4/IPv6 ACLs to a subinterface
The following example applies IPv4 and IPv6 ACLs to inbound traffic on a subinterface.
--{ * candidate shared default }--[ ]--
# info acl interface ethernet-1/16.1
acl {
interface ethernet-1/16.1 {
interface-ref {
interface ethernet-1/16
subinterface 1
}
input {
acl-filter ipv4-filter type ipv4 {
}
acl-filter ipv6-filter type ipv6 {
}
}
}
}Attach a MAC ACL to a subinterface
The following example applies a MAC ACL to outbound traffic on a subinterface. To apply a MAC ACL to traffic in the outbound direction on any subinterface, you must set the acl egress-mac-filtering command to true.
--{ * candidate shared default }--[ ]--
# info acl interface ethernet-1/16.1
acl {
interface ethernet-1/16.1 {
interface-ref {
interface ethernet-1/16
subinterface 1
}
output {
acl-filter mac01 type mac {
}
}
}
}--{ * candidate shared default }--[ ]--
# info acl
acl {
egress-mac-filtering true
}Attaching an ACL to a subinterface (7730 SXR systems)
7730 SXR systems allow the following number of interface ACLs to be applied to input or output traffic on a subinterface:
Input traffic:
- up to two IPv4 ACLs
- up to two IPv6 ACLs
Output traffic:
- one IPv4 ACL
- one IPv6 ACL
The system uses two independent ACL lookup functions at ingress for IPv4 and IPv6 traffic that can be used for security and, or, QoS-related functions.
When two input ACL filters are applied to a subinterface, the order in which the filters are configured determines the filter processing order. For example, if two input filters F1 and F2 are applied to a subinterface, F1 and F2 are processed sequentially in terms of actions and statistics.
--{ +* candidate shared default }--[ ]--
# info acl interface ethernet-1/1.1
acl {
interface ethernet-1/1.1 {
input {
acl-filter F1 type ipv4 {
}
acl-filter F2 type ipv4 {
}
}
}
}F1 and F2 process matching packets as follows:
-
If a packet is accepted by F1, it is then processed by F2, which may accept or drop the packet.
-
If a packet is dropped by F1, it is discarded and not processed by F2.
-
If the matching entry for F1 and the matching entry for F2 both use the same log, rate-limit, forward, forwarding-class or profile action, then only the action from F1 is used. For the rate-limit policer action, both conforming and discarded packets in F1 are not processed in F2.
Attaching an ACL to the management interface
To control traffic filtering for the management interface, attach the IPv4 or IPv6 ACL for
input/output traffic to the subinterface of interface mgmt0.
ACLs with actions rate-limit, forward, forwarding-class, or profile cannot be applied to the management interface.
Attach an ACL to the mgmt0 interface
--{ * candidate shared default }--[ ]--
# acl interface mgmt0.0
--{ * candidate shared default }--[ acl interface mgmt0.0 ]--
# interface-ref interface mgmt0 subinterface 0
--{ * candidate shared default }--[ acl interface mgmt0.0 ]--
# input acl-filter ip_tcp type ipv4
--{ * candidate shared default }--[ acl interface mgmt0.0 input acl-filter ip_tcp type ipv4 ]--
# exit
--{ * candidate shared default }--[ acl interface mgmt0.0 input]--
# input acl-filter ipv6_tcp type ipv6Verify the configuration
To verify the configuration for the management interface ACL:
--{ * candidate shared default }--[ ]--
# info interface mgmt0 acl
interface mgmt0 {
acl {
input {
ipv4-filter [
ip_tcp
]
ipv6-filter [
ipv6_tcp
]
}
}
}
}Detaching an ACL from an interface
To detach an ACL from an interface, enter the acl interface context and delete
the ACL from the configuration.
Detach an ACL from a subinterface
--{ * candidate shared default }--[ ]--
# acl interface ethernet-1/16.1
--{ * candidate shared default }--[ acl interface ethernet-1/16.1 ]--
# delete input acl-filter ipv4-filter type ipv4
Verify the configuration
Use the info acl interface command to verify that the ACL is no longer part of the subinterface configuration. For example:
--{ * candidate shared default }--[ ]--
# info acl interface ethernet-1/16.1
acl {
interface ethernet-1/16.1 {
interface-ref {
interface ethernet-1/16
subinterface 1
}
}
}Detaching an ACL from the management interface
To detach an ACL from the management interface, enter the acl mgmt0.0
context and delete the ACL from the configuration.
Detach an ACL from the management interface
--{ * candidate shared default }--[ ]--
# acl interface mgmt0.0
--{ * candidate shared default }--[ acl interface mgmt0.0 ]--
# delete input acl-filter ip_tcp type ipv4Verify the configuration
To verify that the ACL was detached from the management interface:
--{ * candidate shared default }--[ ]--
# info interface mgmt0 acl
interface mgmt0 {
acl {
input {
ipv6-filter [
ipv6_tcp
]
}
}
}
}Modifying ACLs
You can add entries to an ACL, delete entries from an ACL, and delete the entire ACL from the configuration.
Add an entry to an ACL
To add an entry to an ACL, enter the context for the ACL, then add the entry. For
example, the following commands add an entry to IPv4 ACL
ip_tcp:
--{ * candidate shared default }--[ ]--
# acl acl-filter ip_tcp type ipv4
--{ candidate shared default }--[ acl acl-filter ip_tcp type ipv4 ]--
# entry 65535
--{ candidate shared default }--[ acl acl-filter ip_tcp type ipv4 entry 65535 ]--
# log true
--{ candidate shared default }--[ acl acl-filter ip_tcp type ipv4 entry 65535 ]--
# action dropDelete an entry in an ACL
To delete an entry in an ACL, use the delete command under the
context for the ACL and specify the sequence ID of the entry to be deleted. For
example, the following commands delete the entry in IPv4 ACL ip_tcp
with sequence ID 65535:
--{ candidate shared default }--[ ]--
# acl acl-filter ip_tcp type ipv4
--{ candidate shared default }--[ acl acl-filter ip_tcp type ipv4 ]--
# delete entry 65535
Delete an entire ACL
To delete the entire ACL, use the delete command under the
acl context. For example, the following commands delete the
ip_tcp ACL:
--{ * candidate shared default }--[ ]--
# acl
--{ candidate shared default }--[ acl ]--
# delete acl-filter ip_tcp type ipv4
Resequencing ACL entries
To aid in managing complex ACLs that have many entries, you can resequence the ACL entries to set a sequence ID number for the first entry and a constant increment for the sequence ID for subsequent entries.
For example, if you have an ACL with three entries, sequence IDs 123, 124, and 301, you can resequence the entries so that the initial entry has sequence ID 100, and the other two entries have sequence ID 110 and 120.
The following is an example of an ACL with three entries:
--{ candidate shared default }--[ acl ]
# info acl acl-filter ip_tcp type ipv4
acl {
acl-filter ip_tcp type ipv4 {
entry 123 {
match {
ipv4 {
destination-ip {
prefix 10.1.2.0/24
}
}
}
action {
log true
drop {
}
}
}
entry 124 {
match {
ipv4 {
destination-ip {
prefix 10.1.3.0/24
}
}
}
action {
log true
accept {
}
}
}
entry 301 {
match {
ipv4 {
destination-ip {
prefix 10.1.4.0/24
}
}
}
action {
drop {
}
}
}
}
}To resequence the entries in the ACL so that the first entry has sequence ID 100, and the next two entries are incremented by 10, enter the context for the ACL, issue the tools resequence command, then specify the initial sequence ID and the increment for the subsequent entries. For example:
--{ candidate shared default }--[ ]--
# acl acl-filter ip_tcp type ipv4
--{ candidate shared default }--[ acl acl-filter ip_tcp type ipv4 ]--
# tools resequence start 100 increment 10
After you enter the command, the ACL entries are renumbered. For example:
--{ candidate shared default }--[ acl ]
# info acl acl-filter ip_tcp type ipv4
acl {
acl-filter ip_tcp type ipv4 {
entry 100 {
match {
ipv4 {
destination-ip {
prefix 10.1.2.0/24
}
}
}
action {
log true
drop {
}
}
}
entry 110 {
match {
ipv4 {
destination-ip {
prefix 10.1.3.0/24
}
}
}
action {
log true
accept {
}
}
}
entry 120 {
match {
ipv4 {
destination-ip {
prefix 10.1.4.0/24
}
}
}
action {
drop {
}
}
}
}
}Control plane module (CPM) filters
For control plane protection, SR Linux supports ACL policies called CPM filters. You can configure one CPM filter that applies to IPv4 traffic, one that applies to IPv6 traffic, and one that applies to non-IP traffic. When ingress traffic is matched by a CPM filter rule, and it is a terminating packet (that is, it must be extracted to the CPM), then it is processed according to the matching CPM filter rule.
The entries for each CPM filter are installed on every line card. They are evaluated after the input subinterface ACLs and after the packet capture ACLs. CPM filter rules have no effect on locally originating traffic or transit traffic, and they have no interaction with output subinterface ACLs.
When a CPM filter ACL is created, its rules are evaluated against all IPv4 or IPv6 traffic that is locally terminating on the router, regardless of where that traffic entered in terms of network instance, subinterface, linecard, pipeline, and so on. Traffic dropped by CPM filter actions is discarded without ICMP generation.
The default name for the CPM filter acl-filter object is
cpm. SR Linux supports acl-filter objects of type
ipv4, ipv6, and mac for CPM filtering.
CPM filter ACLs support the following actions:
accept – Allow the packet through to the next processing function.
rate-limit policer – Feed the packet to a hardware-based policer, which determines if the packet should be queued by the line card toward the CPM or dropped because a bit-per-second rate is exceeded
rate-limit system-cpu-policer – If the packet has been extracted to the CPM, feed the packet to a software-based policer, which determines if the packet should be delivered to the CPM application or dropped because a packet-per-second rate is exceeded.
drop – Discard the packet without ICMP generation.
log – Send information about the dropped packet to the log application.
-
collect-stats – Collect statistics for individual CPM filter entries (7730 SXR systems only)
The system-cpu-policer and policer actions police terminating traffic to ensure that the rate does not exceed a safe limit.
The system-cpu-policer action applies an aggregate rate limit, regardless of ingress line card, while the policer action applies a rate limit to the extracted traffic from each core (7250 IXR) or complex (7220 IXR) associated with the ingress port. You can have both types of policer actions in the same CPM filter entry, or only one of them.
CPM filter rules that apply a system-cpu-policer or policer action do not directly specify the policer parameters; they refer to a generically defined policer. This allows different CPM filter entries, even across multiple ACLs, to use the same policer. Optionally, each policer can be configured as entry-specific, which means a different policer instance is used by each referring filter entry, even if they are part of the same ACL.
Creating CPM filters
To create CPM filters for IPv4 traffic, IPv6 traffic, or non-IP traffic, you create
an acl-filter of type ipv4, ipv6
or mac consisting of entries with match criteria and actions, then
assign this acl-filter to
.system.control-plane-traffic.input.acl.
CPM-bound traffic that matches the match criteria is processed according to the
specified action. Note that the system includes a default
acl-filter named cpm for CPM filtering.
Create an IPv4 CPM filter
The following example creates a CPM filter for IPv4 traffic. IPv4 traffic extracted
to the CPM that matches the rule in the filter is processed according to the action
configured in the rule. In this example, the matching CPM-bound IPv4 traffic is
accepted and rate-limited according to the limit specified by the
sp1 system-cpu-policer.
--{ * candidate shared default }--[ ]--
# info acl acl-filter cpm type ipv4
acl {
acl-filter cpm type ipv4 {
entry 1000 {
match {
ipv4 {
protocol tcp
destination-ip {
prefix 10.1.3.1/32
}
source-ip {
prefix 10.1.5.1/32
}
}
transport {
destination-port {
value 6789
}
source-port {
value 6722
}
}
}
action {
accept {
rate-limit {
system-cpu-policer sp1
}
}
}
}
}
}--{ * candidate shared default }--[ ]--
# info acl policers system-cpu-policer sp1
acl {
policers {
system-cpu-policer sp1 {
peak-packet-rate 1000000
max-packet-burst 16
}
}
}--{ * candidate shared default }--[ ]--
# info system control-plane-traffic input
system {
control-plane-traffic {
input {
acl {
acl-filter cpm type ipv4 {
}
}
}
}
}Create a MAC CPM filter
The following example creates a MAC CPM filter. Non-IP traffic extracted to the CPM that matches
the filter rule is processed according to the configured action. In this example,
the matching CPM-bound Ethernet frames are accepted and rate-limited according to
the limit specified by the dp1 policer setting.
--{ * candidate shared default }--[ ]--
# info acl acl-filter mac01 type mac
acl {
acl-filter mac01 type mac {
entry 100 {
match {
l2 {
source-mac {
address 00:00:5E:00:53:FF
mask 00:00:5E:00:53:00
}
}
}
action {
accept {
rate-limit {
policer dp1
}
}
}
}
}
}--{ * candidate shared default }--[ ]--
# info acl policers policer dp1
acl {
policers {
policer dp1 {
peak-rate 500000
max-burst 100000
}
}
}
--{ * candidate shared default }--[ ]--
# info system control-plane-traffic input
system {
control-plane-traffic {
input {
acl {
acl-filter mac01 type mac {
}
}
}
}
}Filter CPM traffic using an IPv4 prefix list
The following example matches based on the IPv4 prefixes configured in a prefix list. In this example, if the source address of a packet matches one of the prefixes in the list, the packet is dropped.
--{ * candidate shared default }--[ ]--
# info acl match-list ipv4-prefix-list pl1
acl {
match-list {
ipv4-prefix-list pl1 {
description "IPv4 prefix match list"
prefix 10.10.0.0/16 {
}
prefix 10.20.0.0/16 {
}
prefix 10.30.0.0/16 {
}
}
}
}--{ +* candidate shared default }--[ ]--
# info acl acl-filter pfilter type ipv4
acl {
acl-filter pfilter type ipv4 {
entry 100 {
match {
ipv4 {
source-ip {
prefix-list pl1 {
}
}
}
}
action {
drop {
}
}
}
}
}--{ +* candidate shared default }--[ ]--
# info system control-plane-traffic input
system {
control-plane-traffic {
input {
acl {
acl-filter pfilter type ipv4 {
}
}
}
}
}Match traffic extracted to the CPM from a specific network-instance
On 7730 SXR systems, a CPM filter can use a network-instance as a match condition. The following example creates a CPM filter that matches IGMP protocol traffic in network-instance VRF 100.
--{ +* candidate shared default }--[ ]--
# info acl acl-filter cpm-igmp type ipv4
acl {
acl-filter cpm-igmp type ipv4 {
entry 100 {
match {
network-instance "VRF 100"
ipv4 {
protocol igmp
}
}
action {
accept {
}
}
}
}
}--{ +* candidate shared default }--[ ]--
# info system control-plane-traffic input
system {
control-plane-traffic {
input {
acl {
acl-filter cpm-igmp type ipv4 {
}
}
}
}
}Packet capture filters
For troubleshooting purposes, SR Linux supports ACLs called packet capture filters. When an ingress IP packet on any line card transits through the router, and it matches a rule in a packet capture filter, it is copied and extracted toward the CPM (using the capture-filter extraction queue) and delivered to a Linux virtual Ethernet interface, so that it can be displayed by tcpdump (or similar packet capture utility), or encapsulated and forwarded to a remote monitoring system.
Similarly, when an ingress IP packet on any line card terminates locally, and it matches a rule of a packet capture filter, it is extracted toward the CPM (using the normal protocol-based extraction queue), and a header field indicates to the CPM to replicate it (after running the CPM-filter rules) toward the Linux virtual Ethernet interface.
The entries for each packet capture filter are installed on every line card. On the line card, the entries are evaluated after the input subinterface ACLs and before the CPM-filter ACLs. On the CPM, the entries in the packet capture filter ACL are evaluated after the CPM-filter entries.
When a packet capture filter ACL is created, its rules are evaluated against all transit and terminating IPv4 or IPv6 traffic that is arriving on any subinterface of the router, regardless of where that traffic entered in terms of network instance, subinterface, linecard, pipeline, and so on. Note that packet capture filter ACL rules cannot override interface filter or system filter ACL drop outcomes; packets dropped by interface filter ACLs or a system filter ACL cannot be mirrored to the control plane.
Each packet capture filter entry has a set of zero or more match conditions, and one of two possible actions: accept and copy. The match conditions are the same as the other filter types. The accept action passes the matching packet to the next stage of processing, without creating a copy. The copy action creates a copy of the matching packet, extracts it toward the CPM and delivers it to the designated virtual Ethernet interface.
There is one packet capture filter for IPv4 traffic and another packet capture filter for IPv6 traffic. The default IPv4 packet capture filter copies no IPv4 packets, and the default IPv6 packet capture filter copies no IPv6 packets.
To configure a packet capture filter, you create an
acl-filter of type
ipv4 or ipv6 named
capture and specify match
conditions and actions. See the "Interactive traffic-monitoring
tool" chapter in the SR Linux Troubleshooting
Toolkit for examples of configuring packet
capture filters.
Packet capture filters are not supported on 7730 SXR systems.
System filters
A system filter ACL is an IPv4 or IPv6 ACL that evaluates ingress traffic before all other ACL rules. If an IP packet is dropped by a system filter rule, it is the final disposition of the packet; neither a packet capture ACL copy/accept action, nor an ingress interface ACL accept action, nor a CPM-filter accept action can override the drop action of a system filter.
At most one system filter can be defined for IPv4 traffic, and at most one system filter can be defined for IPv6 traffic. System filter ACLs are supported on 7220 IXR-D1/D2/D2L/D3/D3L and 7220 IXR-D4/D5 systems only. They can be applied only at ingress, not egress. System filters are not supported on 7730 SXR systems.
Creating a system filter enables the filter. When a system filter is created, its rules are automatically installed everywhere, meaning they are evaluated against all transit and terminating IPv4 or IPv6 traffic arriving on any subinterface of the router, regardless of where that traffic entered in terms of network instance, subinterface, pipeline, and so on.
A system filter is the only type of filter that can match the outer header of tunneled packets. For VXLAN traffic, this allows you to configure a system filter that matches and drops unauthorized VXLAN tunnel packets before they are decapsulated. The system filter matches the outer header of tunneled packets; they do not filter the payload of VXLAN tunnels.
Creating a system filter
When you apply a system filter, it evaluates all transit and terminating IPv4 arriving on any subinterface of the router. The system filter ACL evaluates the traffic before any other ACL filters.
The following is an example of a system filter ACL that filters IPv4 traffic.
--{ * candidate shared default }--[ ]--
# info acl acl-filter system type ipv4
acl {
acl-filter system type ipv4 {
entry 44 {
match {
ipv4 {
source-ip {
prefix 10.0.0.0/24
}
}
}
action {
log true
drop {
}
}
}
}
}Rate-limiting action for ACL filters
SR Linux supports a rate-limit action in CPM and interface ACL filters to limit the traffic to a specified rate.
- CPM MAC/IPv4/IPv6 filters support the rate-limit action using both policer and system-cpu-policer templates as described in Control plane module (CPM) filters.
- Interface IPv4/IPv6 filters support the rate-limit action in the input and output directions using policer templates on 7220 IXR D1/D2/D2L/D3/D3L/D4/D5 platforms.
- Interface IPv4/IPv6 filters support the rate-limit action in the input direction only using policer templates on the 7220 IXR-H4 and 7730 SXR platforms.
- The rate-limit action is not supported for ACL filters assigned to the mgmt0 interface.
Policer templates
Within an ACL policer template, you can specify the following settings:
-
name
User-defined name of the ACL policer template.
-
max-burst
The maximum burst size in bytes.
-
peak-rate
The peak information rate in kbps.
-
entry-specific
If set to
true, a policer instance is created per ACL entry. If set tofalse, the policer instance can be shared between entries of an ACL. On 7730 SXR systems, the entry-specific parameter is set tofalseand cannot be configured. -
scope
Can be
globalorsubinterface:-
global: This setting is supported using CPM and interface ACL filters:CPM filters: A single instance of the policer is created per forwarding complex.
Interface ACL filters: A single instance of the policer is created per forwarding complex, and per direction, in case the same policer is used in both input and output ACLs.-
Using 7220 IXR D1/D2/D2L/D3/D3L and 7220 IXR-H4: the global policer cannot be shared between IPv4 and IPv6 ACLs.
- Using 7220 IXR D4/D5: the global policer can be shared between IPv4 and IPv6 ACLs.
- Policer of scope global requires the ACL setting
subinterface-specificdisabled.
-
subinterface: This setting is supported using interface ACL filters only. One instance of the policer is created per subinterface and direction the policer is used for, in case the same policer is used in both input and output ACLs.- Using 7220 IXR D1/D2/D2L/D3/D3L and 7220 IXR-H4: the policer cannot be shared between ACLs of the same subinterface.
- Using 7220 IXR D4/D5: the policer can be shared between ACLs of the same subinterface.
-
An ACL policer template cannot be configured as an action for an ACL assigned to a mgmt0 subinterface.
An individual ACL policer template can be assigned to interface ACL filters or CPM filters, but not to both filter types.
System CPU policer templates
Within a system CPU policer template, you can specify the following settings:
-
name
User-defined name of the policer.
-
entry-specific
Whether a policer instance is instantiated for each entry or shared between entries.
-
peak-packet-rate
The maximum number of packets per second.
-
max-packet-burst
The maximum depth of the policer bucket in number of packets.
Configuring the ACL rate-limiting action
To configure a rate limiting action for an ACL, you configure an ACL policer template and apply it as an action in an ACL entry.
Configure a rate-limit action for an interface ACL
The following example configures an ACL policer template and specifies it as an action in an IPv4 ACL entry. Traffic that matches this entry on the interface where this ACL is applied is subject to the rate-limiting settings configured in the ACL policer template.
--{ * candidate shared default }--[ ]--
# info acl policers policer po1
acl {
policers {
policer po1 {
peak-rate 1000000
max-burst 500000
}
}
}--{ * candidate shared default }--[ ]--
# info acl acl-filter a2 type ipv4
acl {
acl-filter a2 type ipv4 {
entry 101 {
action {
accept {
rate-limit {
policer po1
}
}
}
}
}
}CPU generated traffic is not subject to the egress subinterface rate-limit action; packets still match the entry, but are not subject to the rate-limit.
Configure a rate-limit action for a CPM filter
The following example configures an ACL policer template and specifies it as an action in a CPM filter entry. The entry-specific parameter is set to true, which creates a policer instance for each ACL entry that specifies this policer template as an action.
--{ * candidate shared default }--[ ]--
# info acl policers policer po2
acl {
policers {
policer po2 {
entry-specific true
peak-rate 1000000
max-burst 500000
}
}
}--{ * candidate shared default }--[ ]--
# info system control-plane-traffic input acl acl-filter cpm type ipv4
acl {
acl-filter cpm type ipv4 {
entry 101 {
action {
accept {
rate-limit {
policer po2
}
}
}
}
}
}Display ACL policer statistics
To display statistics for traffic subject to the ACL policer template, use the info from state command.
--{ * candidate shared default }--[ ]--
# info from state acl policers policer po2
acl {
policers {
policer po2 {
peak-rate 500000
max-burst 100000
statistics {
aggregate {
conforming-packets 6
conforming-octets 516
exceeding-packets 0
exceeding-octets 0
}
}
}
}
}Configuring logging for ACLs
You can configure SR Linux to log information about packets that match an ACL entry in the system log.
You can set thresholds for ACL or TCAM resource usage. When utilization of a specified resource reaches the threshold in either the rising or falling direction, it can trigger a log message.
Enabling syslog for the ACL subsystem
If you set the log parameter to true for the accept or drop action in an ACL entry, information about packets that match the ACL entry is recorded in the system log. You can specify settings for the log file for the ACL subsystem, including the location of the log file, maximum log file size, and the number of log files to keep.
The following configuration specifies that the log file for the ACL subsystem be stored in the file dut1_file, located in the /opt/srlinux/bin/logs/srbase directory. The log file can be a maximum of 1 Mb. When the log file reaches this size, it is renamed using dut1_file as its base name. The five most recent log files are kept.
--{ candidate shared default }--[ ]--
# system
--{ candidate shared default }--[ system ]--
# info logging file dut1_file
logging {
file dut1_file {
directory /opt/srlinux/bin/logs/srbase/
rotate 5
size 1M
subsystem acl {
}
}
}
Ensure that write permission is set for the specified directory path.
Syslog entry examples
The following are examples of syslog entries for ACLs.
IPv4 Accept:
acl||I Type: Ingress IPv4 Filter: testing Sequence Id: 100 Action: Accept Interface: ethernet-1/16:1 Packet length: 56 IP Source: 10.1.5.1 Destination: 100.1.3.1 Protocol: 6 TCP Source port: 6722 Destination Port: 6789 Flags: SYNIPv4 Drop:
acl||I Type: Ingress IPv4 Filter: test Sequence Id: 65535 Action: Drop Interface: ethernet-1/16:1 Packet length: 44 IP Source: 10.3.2.3 Destination: 100.1.3.1 Protocol: 17 UDP Source port: 6722 Destination Port: 6789IPv6 Accept:
acl||I Type: Ingress IPv6 Filter: tests Sequence Id: 1000 Action: Accept Interface: ethernet-1/16:1 Packet length: 76 IP Source: 2001:db8:1:5::1 Destination: 2001:10:1:3::1 Protocol: 6 TCP Source port: 6722 Destination Port: 6789 Flags: SYNLogging ACL resource usage
You can set thresholds for ACL resource usage. When utilization of a specified ACL resource, such as input IPv4 filter instances, reaches the threshold in either the rising or falling direction, it can trigger a log message.
The following example sets thresholds for resource usage by input IPv4 filter
instances. If the resource usage percentage falls below the
falling-threshold-log value, a log message of priority
notice is generated. If the resource usage percentage falls
below the rising-threshold-log value, a log message of priority
warning is generated.
--{ * candidate shared default }--[ ]--
# info platform resource-monitoring
platform {
resource-monitoring {
acl {
resource input-ipv4-filter-instances {
rising-threshold-log 90
falling-threshold-log 90
}
}
}
}
Logging TCAM resource usage
You can set thresholds for Ternary Content Addressable Memory (TCAM) resource usage. When utilization of a specified TCAM resource, such as TCAM used by IPv4 CPM filters, reaches the threshold in either the rising or falling direction, it can trigger a log message.
The following example sets thresholds for TCAM resource usage by IPv4 CPM filters. If
the resource usage percentage falls below the falling-threshold-log
value, a log message of priority notice is generated. If the
resource usage percentage falls below the rising-threshold-log
value, a log message of priority warning is generated.
--{ * candidate shared default }--[ ]--
# info platform resource-monitoring
platform {
resource-monitoring {
tcam {
resource cpm-capture-ipv4 {
rising-threshold-log 90
falling-threshold-log 90
}
}
}
}
Collecting and displaying ACL statistics
SR Linux can collect statistics for packets matching an ACL and display statistics for the matched packets. You can display the amount of system resources (TCAM) used by each type of ACL on each line card. ACL statistics can also be displayed using show commands.
Collecting ACL statistics
You can configure an ACL to collect statistics for packets matching the ACL. Statistics can be collected for packets that match each ACL entry, as well as for matching input/output traffic per subinterface.
The following example configures the ACL to record the number of matching packets for each entry:
--{ candidate shared default }--[ acl ]--
# ipv4-filter ip_tcp
--{ candidate shared default }--[ acl ipv4-filter ip_tcp ]--
# statistics-per-entry true
By default, if two or more subinterfaces on the same line card reference the same ACL for filtering the same direction of traffic, they use a shared instance of the same ACL in hardware. This means that per-entry statistics (including the number of matched packets and the time stamp of the last matching packet), if enabled, reflect the aggregate of the data gathered for the multiple subinterfaces.
To collect per-entry, per-subinterface statistics, instead of the aggregate of the subinterfaces where the ACL is applied, you can configure an ACL to operate in subinterface-specific mode.
If you change an ACL from subinterface-specific mode to shared mode, or the other way around, during the transition from one mode to the next, traffic continues to be subject to the previous mode until the system resources (TCAM) entries are programmed for the new mode.
On 7730 SXR systems, configure the collect-stats action instead of
statistics-per-entry true.
The following example configures the ACL to collect statistics for matching packets inbound and outbound on each subinterface:
--{ * candidate shared default }--[ ]--
# info acl acl-filter ip_tcp type ipv4
acl {
acl-filter ip_tcp type ipv4 {
subinterface-specific input-and-output
}
}You can configure the following values for the subinterface-specific parameter:
-
disabled (the default) – All subinterfaces on a single line card that reference the ACL as an input ACL use a shared filter instance, and all subinterfaces on a single line card that reference the ACL as an output ACL use a shared filter instance.
-
input-only – All subinterfaces on a single line card that reference the ACL as an output ACL use a shared filter instance, but each subinterface that references the ACL as an input ACL uses its own separate instance of the filter.
-
output-only – All subinterfaces on a single line card that reference the ACL as an input ACL use a shared filter instance, but each subinterface that references the ACL as an output ACL uses its own separate instance of the filter.
-
input-and-output – Each subinterface that references the ACL as either an input ACL or an output ACL uses its own separate instance of the filter.
Collect-stats action
On 7730 SXR systems, you can enable statistics collection for individual ACL filter entries by configuring the collect-stats action. The collect-stats action is supported for input and output IPv4/IPv6 interface filters, and records packet and byte match counters for input and output separately. The collect-stats action is also supported for CPM filters.
On 7730 SXR systems, you enable the collect-stats action instead of configuring
statistics-per-entry true setting.
If the same ACL filter is attached to multiple subinterfaces, the statistics collected by the collect-stats action are aggregated for all subinterfaces using the ACL filter.
The following example configures an ACL entry to record statistics for matching packets:
--{ candidate shared default }--[ acl ]--
# info acl acl-filter F1 type ipv4
acl {
acl-filter F1 type ipv4 {
entry 100 {
match {
ipv4 {
destination-ip {
prefix 10.10.0.0/16
}
}
}
action {
collect-stats true
accept {
}
}
}
}
}Displaying ACL statistics
Use the info from state command to display the matched packet statistics and the time of the last match for the interfaces to which the ACL is attached.
In the following example, the ACL is attached to two interfaces, and statistics are collected for each subinterface:
--{ candidate shared default }--[ ]--
# info from state acl acl-filter ip_tcp type ipv4
subinterface-specific input-and-output
statistics-per-entry true
entry 1000 {
description "Match IP Address TCP Protocol Ports"
action {
accept {
log true
}
}
match {
destination-address 10.1.3.1/32
protocol tcp
source-address 10.1.5.1/32
destination-port {
value 6789
}
source-port {
value 6722
}
}
statistics {
aggregate {
in-matched-packets 3000
in-last-match 2019-07-16T10:53:00.1563Z
out-matched-packets 0
}
per-interface {
subinterface ethernet-1/16.1 {
in-matched-packets 3000
in-last-match 2019-07-16T10:53:00.1563Z
}
}
}
}
entry 65535 {
action {
drop {
log true
}
}
statistics {
aggregate {
in-matched-packets 1000
in-last-match 2019-07-16T10:53:30.1563Z
}
per-interface {
subinterface ethernet-1/16.1 {
in-matched-packets 1000
in-last-match 2019-07-16T10:53:30.1563Z
}
}
}
}
If the match criteria changes for an ACL entry, the statistics counter does not reset to zero. To reset the statistics counter for an ACL entry to zero, use the tools acl clear command, as described in Clearing ACL statistics.
Displaying ACL resource usage
Use the info from state platform command to display the amount of system resources (TCAM) used by each type of ACL on each line card.
Display free-static and free-dynamic resources
The following example shows two different numbers for the remaining (free) TCAM entry resources that are available for input IPv4 ACLs on the line card. The free-static value refers to the available number of resources assuming no additional TCAM banks are dynamically assigned to the ACL type. The free-dynamic value refers to the available number of resources assuming all unallocated TCAM banks are dedicated to the specified ACL type.
--{ candidate shared default }--[ ]--
# info from state platform linecard 1 forwarding-complex 0 tcam resource if-input-ipv4
platform {
linecard 1 {
forwarding-complex 0 {
tcam {
resource if-input-ipv4 {
free-static 2046
free-dynamic 18430
reserved 2
programmed 2
}
}
}
}
}
Display system resources allocated to input IPv4 ACLs
The following example shows the amount of system resources allocated to input IPv4 ACLs on the line card and how much is used and free:
--{ candidate shared default }--[ ]--
# info from state platform linecard 1 forwarding-complex 0 acl resource input-ipv4-filter-instances
platform {
linecard 1 {
forwarding-complex 0 {
acl {
resource input-ipv4-filter-instances {
used 1
free 254
}
}
}
}
}
Clearing ACL statistics
To reset ACL statistics counters to zero, use the tools acl clear command. This command can clear statistics at the IPv4 / IPv6 / CPM filter level, ACL entry level, or for an interface or subinterface to which the ACL is attached.
Clear statistics for an IPv4 filter
--{ candidate shared default }--[ ]--
# tools acl acl-filter tcp_ip type ipv4 statistics clearAfter this command is executed, the info from state output for the IPv4 filter includes a timestamp indicating when the statistics were cleared. For example:
--{ candidate shared default }--[ ]--
# info from state acl acl-filter ip_tcp type ipv4
subinterface-specific output-only
statistics-per-entry true
entry 1000 {
description "Match IP Address TCP Protocol Ports"
action {
accept {
log true
}
}
match {
destination-address 100.1.3.1/32
protocol tcp
source-address 10.1.5.1/32
destination-port {
value 6789
}
source-port {
value 6722
}
}
statistics {
last-clear 2024-03-22T13:53:51.000Z
}
}
Clear statistics for a specific IPv4 filter entry
The following example clears statistics for a specific entry in the IPv4 filter:
--{ candidate shared default }--[ ]--
# tools acl acl-filter ip_tcp type ipv4 entry 10 statistics clear
Clear statistics for a subinterface for a IPv4 filter entry
The following example clears statistics for a specified subinterface for a specified entry in the IPv4 filter:
--{ candidate shared default }--[ ]--
# tools acl acl-filter ip_tcp type ipv4 entry 10 statistics per-interface subinterface 1 clear
Displaying ACL statistics using show commands
You can display ACL statistics using relevant show commands.
Display all active ACLs
To display information about all active ACLs, use the show acl summary command. For example:
--{ candidate shared default }--[ ]--
# show acl summary
--------------------------------------------------------------------------------
CPM Filter ACLs
--------------------------------------------------------------------------------
ipv4-entries: 1
ipv6-entries: 0
mac-entries : 1
--------------------------------------------------------------------------------
Capture Filter ACLs
--------------------------------------------------------------------------------
ipv4-entries: 0
ipv6-entries: 0
--------------------------------------------------------------------------------
IPv4 Filter ACLs
--------------------------------------------------------------------------------
Filter : ip_tcp
Active on : 1 subinterfaces (input) and 0 subinterfaces (output)
Entries : 2
--------------------------------------------------------------------------------
IPv6 Filter ACLs
--------------------------------------------------------------------------------
Filter : ipv6_tcp
Active on : 1 subinterfaces (input) and 0 subinterfaces (output)
Entries : 1
--------------------------------------------------------------------------------
MAC Filter ACLs
--------------------------------------------------------------------------------
Filter : mac01
Active On: 1 subinterfaces (input) and 0 subinterfaces (output)
Entries : 5
--------------------------------------------------------------------------------
Display statistics for a specific ACL
You can display statistics for a specific ACL, including how many times each ACL entry was matched on all subinterfaces to which the ACL was applied. For example:
--{ candidate shared default }--[ ]--
# show acl ipv4-filter ip_tcp
====================================================================================
Filter : ip_tcp
SubIf-Specific: input-and-output
Entry-stats : yes
Entries : 2
------------------------------------------------------------------------------------
Subinterface Input Output
ethernet-1/16.1 yes no
------------------------------------------------------------------------------------
Entry 1000
Match : protocol=tcp, 10.1.5.1/32(6722-6722)->10.1.3.1/32(6789-
6789)
Action : accept
Input Match Packets : 3000
Input Last Match : 18 seconds ago
Output Match Packets: 0
Output Last Match : never
Entry 65535
Match : protocol=<undefined>, any(*)->any(*)
Action : drop
Input Match Packets : 1000
Input Last Match : 6 minutes ago
Output Match Packets: 0
Output Last Match : never
Display per-interface statistics for each ACL entry
To display per-interface statistics for packets matching each ACL entry, specify the interface name in addition to the ACL name. For example:
--{ candidate shared default }--[ ]--
# show acl ipv4-filter ip_tcp interface ethernet-1/16
====================================================================================
Filter : ip_tcp
SubIf-Specific: input-and-output
Entry-stats : yes
Entries : 2
------------------------------------------------------------------------------------
Subinterface Input Output
ethernet-1/16.1 yes no
------------------------------------------------------------------------------------
Entry 1000
Match : protocol=tcp, 10.1.5.1/32(6722-6722)->10.1.3.1/32(6789-
6789)
Action : accept
Input Match Packets : 3000
Input Last Match : 5 minutes ago
Output Match Packets: 0
Output Last Match : never
Entry 65535
Match : protocol=<undefined>, any(*)->any(*)
Action : drop
Input Match Packets : 1000
Input Last Match : 10 minutes ago
Output Match Packets: 0
Output Last Match : never
Display statistics for a CPM filter
To display statistics for packets matching a CPM filter, specify the CPM filter type (IPv4 or IPv6). For example:
--{ candidate shared default }--[ ]--
# show acl cpm-filter ipv4-filter
================================================================================
Filter : CPM IPv4-filter
Entry-stats: no
Entries : 1
--------------------------------------------------------------------------------
Entry 1001
Match : protocol=<undefined>, any(*)->10.1.2.1/24(*)
Action : none
Matched Packets: 0
--------------------------------------------------------------------------------