Group-based policy ACLs
Micro-segmentation is a security capability for data centers and enterprises intended to prevent lateral movement of security threats within the network. It divides networks into smaller, isolated zones (known as micro-segments) and establishes rules to restrict traffic between them. A group-based policy (GBP) is a way to control access between network segments using micro-segmentation.
Group-based policies use a type of ACL called a GBP ACL. A GBP ACL is similar to an interface ACL, with the exception that IP addresses are replaced with micro-segmentation group names to enforce security policies within the network-instance.
For information about micro-segmentation and configuring GBPs, see the SR Linux VPN Services Guide.
Within the group-based-policy context for a network-instance, you can configure a GBP ACL. A GBP ACL contains match criteria specific to GBP filtering, including source and destination group names. The GBP ACL is common for both IPv4 and IPv6 traffic in the network-instance.
The following match conditions are supported concurrently in a GBP ACL:
- source group
- destination group
- TCP/UDP source port (range)
- TCP/UDP destination port (range)
- IP version (IPv4 or IPv6)
- IP protocol type (IPv4 protocol type field or IPv6 next-header field)
- TCP flags, specified as an expression using the &, |, and ! logical operators and the TCP flag names rst, syn, and ack.
The following actions are supported in a GBP ACL:
- accept
- drop
- log
- collect-stats
A GBP ACL filter is not assigned to subinterfaces manually; instead it is configured within the network-instance group-based policy and applies automatically to all ingress packets on all subinterfaces within the network-instance.
Assigning a subinterface IPv4 ACL, IPv6 ACL, or MAC ACL to subinterfaces in a network-instance where a GBP ACL is also configured results in the system executing both ACLs as follows:
- A packet drop by either ACL resulting from a drop or rate-limit action takes priority over the action in the other ACL.
- A packet subject to log action in both the GBP ACL entry and subinterface ACL entry is only logged once; in this case, the subinterface ACL takes priority.
Creating a GBP ACL
To configure a GBP ACL filter within a network-instance, you specify one or more entries consisting of match conditions and the action to take for traffic that matches the conditions.
The following is an example of a GBP ACL filter with one entry. In this example, traffic with source group grp1 and destination group grp2 is accepted. The GBP ACL filter applies to both IPv4 and IPv6 traffic.
--{ +* candidate shared default }--[ ]--
# info with-context network-instance gbpex group-based-policy acl
    network-instance gbpex {
        group-based-policy {
            acl {
                entry 100 {
                    match {
                        source-group [
                            grp1
                        ]
                        destination-group [
                            grp2
                        ]
                    }
                    action {
                        accept {
                        }
                    }
                }
            }
        }
    }
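The following Python model is added here as an illustration; it is not SR Linux code and not part of this guide. It evaluates constructed GBP ACL entries covering the match conditions listed above (groups, port ranges, IP version, protocol, and the &, |, ! TCP flag expression syntax) against a summarised packet, then merges the result with a subinterface ACL result under the two precedence rules described earlier. The packet dictionary, the GbpEntry field names, and the default-accept when no entry matches are assumptions of the model, not documented SR Linux behaviour.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class GbpEntry:
    """One GBP ACL entry; every configured criterion must match (None = any)."""
    action: str                          # "accept" or "drop"
    source_group: Optional[set] = None
    destination_group: Optional[set] = None
    src_port: Optional[tuple] = None     # inclusive (low, high) TCP/UDP range
    dst_port: Optional[tuple] = None
    ip_version: Optional[int] = None     # 4 or 6
    protocol: Optional[int] = None       # IPv4 protocol / IPv6 next-header (6 = TCP)
    tcp_flags: Optional[str] = None      # e.g. "syn&!ack"
    log: bool = False

def tcp_flags_match(expr: str, flags) -> bool:
    """Evaluate an expression of rst/syn/ack joined by &, | and ! against the flags set on a packet."""
    tokens = re.findall(r"rst|syn|ack|[&|!()]", expr)
    if not tokens or "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError(f"unsupported TCP flag expression: {expr!r}")
    ops = {"&": " and ", "|": " or ", "!": " not ", "(": "(", ")": ")"}
    # Only validated tokens reach eval: the literals True/False, and/or/not, and parentheses.
    return bool(eval("".join(ops.get(t, str(t in flags)) for t in tokens), {"__builtins__": {}}))

def entry_matches(e: GbpEntry, p: dict) -> bool:
    """p is a constructed packet summary: src_group, dst_group, ip_version, protocol, ports, tcp_flags."""
    return all([
        e.source_group is None or p["src_group"] in e.source_group,
        e.destination_group is None or p["dst_group"] in e.destination_group,
        e.src_port is None or e.src_port[0] <= p.get("src_port", 0) <= e.src_port[1],
        e.dst_port is None or e.dst_port[0] <= p.get("dst_port", 0) <= e.dst_port[1],
        e.ip_version in (None, p["ip_version"]),
        e.protocol in (None, p["protocol"]),
        e.tcp_flags is None or (p["protocol"] == 6 and tcp_flags_match(e.tcp_flags, p.get("tcp_flags", ()))),
    ])

def gbp_verdict(entries, p):
    """First matching entry (in entry-number order) decides -> (action, log); None if nothing matches."""
    return next(((e.action, e.log) for e in entries if entry_matches(e, p)), None)

def combine(gbp, subif):
    """Merge GBP and subinterface ACL results: a drop or rate-limit on either side wins, and a packet
    logged by both is logged once, attributed to the subinterface ACL. Assumed: no match means accept."""
    results = [r for r in (gbp, subif) if r is not None]
    action = "drop" if any(r[0] in ("drop", "rate-limit") for r in results) else "accept"
    log_by = "subinterface" if subif and subif[1] else ("gbp" if gbp and gbp[1] else None)
    return action, log_by
```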
Displaying GBP ACL information
You can display information about specific GBP ACL entries. For example:
--{ running }--[ ]--
# show acl gbp-filter test entry 10
============================================================================
Network Instance: test
Entries : 1
----------------------------------------------------------------------------
Entry 10
Match : protocol=<undefined>, [RED:1](*)->[BLUE:2](*)
Action : accept
Collect Stats : false
Match Packets : 0
Last Match : never
----------------------------------------------------------------------------
Clearing GBP ACL statistics
To reset GBP ACL statistics counters to zero, use the tools network-instance group-based-policy acl statistics clear command. For example:
--{ running }--[ ]--
# tools network-instance gbpex group-based-policy acl statistics clear
The following example clears statistics for a specific entry in the GBP ACL:
--{ running }--[ ]--
# tools network-instance gbpex group-based-policy acl entry 10 statistics clear