Switch ACL
1. Introduction
This document describes frame filtering configuration and retrieval of status information.
2. ACL rule filtering
Access Control List
Advanced frame processing can be set up using the Access Control List (ACL) of the switch. Each rule in the list is called an Access Control Entry (ACE). For each frame received on an ingress port, the ACL is searched until an ACE matching the ingress port and frame properties is found. The action of the first matching ACE determines the forwarding of the frame. If no matching ACE is found, the default action (section 'Port ACL default actions') of the ingress port is used.
By default, the ACL is empty and the default port actions allow forwarding of frames.
An ACE is divided into two parts - the matching key and the action.
The matching key has some common parameters and some parameters that are related to the frame type selected.
The action parameters are common, independent of the selected frame type.
Some parameters xxx have a related xxx-mask parameter. In this xxx-mask, any bit position with a '0' is matched as a 'don’t-care', meaning both '0' and '1' in this position generate a match.
All ACE parameters are described in the mchp-velocitysp-acl.yang file.
2.1. Check initial ACL rule list is empty
First, let’s see that the ACL rule list is empty:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : []
2.2. Add an ACE matching any frame
Let’s make a simple ACE that matches any frame received on a set of ports. The frame will have one egress port as a possible forwarding port.
The ingress ports are '1' and '2'.
The possible egress port is '3'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 1
    ingress-port-list:
    - '1'
    - '2'
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '3'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='1']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 1
    ingress-port-list:
    - '1'
    - '2'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.3. Add an ACE matching a specific MAC
Let’s make an ACE that matches any frame type received on a specific port with a specific SMAC. The frame will have two egress ports as possible forwarding ports.
The ingress port is '1'.
The SMAC is 00-00-00-00-00-01. It is an exact match because the smac-mask is all '1' bits.
The possible egress ports are '2' and '3'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 2
    ingress-port-list:
    - '1'
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '2'
    - '3'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='2']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 2
    ingress-port-list:
    - '1'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '2'
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.4. Add an ACE matching a specific frame type
The ingress port is '2'.
The SMAC is 00-00-00-00-00-01.
The frame type is C-Tagged, EtherType 0x8100 (33024 decimal).
The possible egress ports are '1' and '3'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 3
    ingress-port-list:
    - '2'
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    frame-etype:
      etype: 33024
      etype-mask: 65535
    forwarding: filter
    egress-port-list:
    - '1'
    - '3'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='3']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 3
    ingress-port-list:
    - '2'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-etype:
      etype: 33024
      etype-mask: 65535
      data: 0
      data-mask: 0
    forwarding: filter
    egress-port-list:
    - '1'
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.5. Add an ACE matching an IPv4 frame
The ingress port is '3'.
The IPv4 SIP is 1.2.3.4/16.
The possible egress ports are '1' and '2'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 4
    ingress-port-list:
    - '3'
    frame-ipv4:
      sip: 1.2.3.4/16
    forwarding: filter
    egress-port-list:
    - '1'
    - '2'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='4']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 4
    ingress-port-list:
    - '3'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-ipv4:
      fragment: any
      options: any
      sip: 1.2.3.4/16
      dip: 0.0.0.0/0
      ttl: any
      proto: 0
      proto-mask: 0
      ds: 0
      ds-mask: 0
      data: 0
      data-mask: 0
      sport-min: 0
      sport-max: 0
      dport-min: 0
      dport-max: 0
      tcp-fin: any
      tcp-syn: any
      tcp-rst: any
      tcp-psh: any
      tcp-ack: any
      tcp-urg: any
    forwarding: filter
    egress-port-list:
    - '1'
    - '2'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.6. Add an ACE matching an IPv4 UDP frame
The ingress port is '1'.
The IPv4 SIP is 1.2.3.4/16.
The UDP SPORT range is 10-20.
The possible egress ports are '2' and '3'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 5
    ingress-port-list:
    - '1'
    frame-ipv4:
      proto: 17
      proto-mask: 255
      sip: 1.2.3.4/16
      sport-min: 10
      sport-max: 20
    forwarding: filter
    egress-port-list:
    - '2'
    - '3'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='5']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 5
    ingress-port-list:
    - '1'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-ipv4:
      fragment: any
      options: any
      sip: 1.2.3.4/16
      dip: 0.0.0.0/0
      ttl: any
      proto: 17
      proto-mask: 255
      ds: 0
      ds-mask: 0
      data: 0
      data-mask: 0
      sport-min: 10
      sport-max: 20
      dport-min: 0
      dport-max: 0
      tcp-fin: any
      tcp-syn: any
      tcp-rst: any
      tcp-psh: any
      tcp-ack: any
      tcp-urg: any
    forwarding: filter
    egress-port-list:
    - '2'
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.7. Add an ACE matching an IPv4 TCP frame
The ingress port is '2'.
The IPv4 SIP is 1.2.3.4/16.
The possible egress ports are '1' and '3'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 6
    ingress-port-list:
    - '2'
    frame-ipv4:
      proto: 6
      proto-mask: 255
      sip: 1.2.3.4/16
    forwarding: filter
    egress-port-list:
    - '1'
    - '3'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='6']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 6
    ingress-port-list:
    - '2'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-ipv4:
      fragment: any
      options: any
      sip: 1.2.3.4/16
      dip: 0.0.0.0/0
      ttl: any
      proto: 6
      proto-mask: 255
      ds: 0
      ds-mask: 0
      data: 0
      data-mask: 0
      sport-min: 0
      sport-max: 0
      dport-min: 0
      dport-max: 0
      tcp-fin: any
      tcp-syn: any
      tcp-rst: any
      tcp-psh: any
      tcp-ack: any
      tcp-urg: any
    forwarding: filter
    egress-port-list:
    - '1'
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.8. Add an ACE matching a specific VID/PCP in a Tagged frame
The ingress port is '3'.
The TAG VID is 200.
The TAG PCP is 4.
The possible egress ports are '1' and '2'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 7
    ingress-port-list:
    - '3'
    tagged: zero
    vid: 200
    vid-mask: 4095
    pcp: 4
    pcp-mask: 7
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '1'
    - '2'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='7']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 7
    ingress-port-list:
    - '3'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: zero
    vid: 200
    vid-mask: 4095
    pcp: 4
    pcp-mask: 7
    dei: any
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '1'
    - '2'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.9. Add an ACE matching an Un-Tagged frame
The ingress port is '3'.
The possible egress ports are '1' and '2'.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 8
    ingress-port-list:
    - '3'
    tagged: one
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '1'
    - '2'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='8']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 8
    ingress-port-list:
    - '3'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: one
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '1'
    - '2'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.10. Add an ACE matching a specific MAC and dropping it
If the forwarding type is filter and the egress-port-list is empty, the frame is dropped.
The ingress port is '1'.
The SMAC is 00-00-00-00-00-01.
There are no possible egress ports.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 9
    ingress-port-list:
    - '1'
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list: []
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='9']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 9
    ingress-port-list:
    - '1'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list: []
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.11. Add an ACE matching a specific MAC and policing it
An ACE can point to an ACL policer as an action. So first, the ACL policer instance must be created.
The policer index is 0.
The Frame Rate is 1000 frames/s.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-policers/policer-list[index='0']/frame-rate"
  : 1000
Let’s see that the ACL policer is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-policers/policer-list[index='0']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-policers/policer-list"
  : index: 0
    frame-rate: 1000
Now we create the ACE that points to the ACL policer.
The ingress port is '1'.
The SMAC is 00-00-00-00-00-01.
No forwarding filtering is applied (forwarding is none).
The ACL policer index is 0.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 10
    ingress-port-list:
    - '1'
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    frame-any:
      any:
      -
    forwarding: none
    policer-enable: true
    policer-index: 0
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='10']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 10
    ingress-port-list:
    - '1'
    dmac: 00-00-00-00-00-00
    dmac-mask: 00-00-00-00-00-00
    smac: 00-00-00-00-00-01
    smac-mask: FF-FF-FF-FF-FF-FF
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-any:
      any:
      -
    forwarding: none
    egress-port-list: []
    policer-enable: true
    policer-index: 0
    rx-count: 0
2.12. Add an ACE matching a range of destination MACs
Let’s make an ACE that matches any frame type received on a specific port with a range of DMACs. The frame will have two egress ports as possible forwarding ports.
The ingress port is '1'.
The DMAC range is 00-00-00-00-00-01 to 00-00-00-00-00-FF.
The possible egress ports are '2' and '3'.
NOTE that the dmac-mask has the value '01' in the least significant byte. A mask bit of '0' means don’t-care, so within that byte only the least significant bit is compared and must be '1'; the other seven bits are don’t-care. The DMAC 00-00-00-00-00-00 therefore does not match.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 11
    ingress-port-list:
    - '1'
    dmac: 00-00-00-00-00-01
    dmac-mask: FF-FF-FF-FF-FF-01
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '2'
    - '3'
Let’s see that the ACL rule list is created:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='11']"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list"
  : id: 11
    ingress-port-list:
    - '1'
    dmac: 00-00-00-00-00-01
    dmac-mask: FF-FF-FF-FF-FF-01
    smac: 00-00-00-00-00-00
    smac-mask: 00-00-00-00-00-00
    tagged: any
    vid: 0
    vid-mask: 0
    pcp: 0
    pcp-mask: 0
    dei: any
    frame-any:
      any:
      -
    forwarding: filter
    egress-port-list:
    - '2'
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
2.13. Read the ACE RX counter
When there is a match on an ACE, the related RX counter is incremented.
Let’s read the RX counter of ACE id 1:
FETCH request message:
- "/mchp-velocitysp-acl:acl/acl-rules/rule-list[id='1']/rx-count"
FETCH response message:
- ? "/mchp-velocitysp-acl:acl/acl-rules/rule-list/rx-count"
  : 0
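As an added example (not code from this document, the mchp-velocitysp-acl.yang model or the VelocitySP software), the following Python models the lookup described in the introduction and exercised in sections 2.2 to 2.12: a '0' bit in an xxx-mask is don’t-care, the first matching ACE wins, forwarding filter with an empty egress-port-list drops the frame, the rx-count of the entry that decided the frame is incremented (2.13), and when no ACE matches the ingress port’s default action (section 3) applies. ACEs are written in the form of the page’s iPATCH requests (an omitted field is don’t-care, as the FETCH responses confirm); the sample frames are constructed input; the 'frame-any: any: -' key is represented as an empty mapping; and treating an unspecified source-port range as unrestricted is an assumption, because the page does not say what the default 0..0 means. The model also makes an ordering effect visible: ACE 1 matches any frame on ports 1 and 2, so the drop in ACE 9 for port 1 is only reached if it is placed before ACE 1.

```python
import ipaddress

ZERO_MAC = "00-00-00-00-00-00"


def mac_to_int(mac):
    """'00-00-00-00-00-01' -> 1 (the page's dashed-hex MAC notation)."""
    return int(mac.replace("-", ""), 16)


def masked_match(value, key, mask):
    """A '0' bit in xxx-mask is don't-care: only '1' bit positions are compared."""
    return (value & mask) == (key & mask)


def ace_matches(ace, ingress_port, frame):
    """Evaluate one ACE's matching key (common part, then frame-type part).
    The ACE is in the page's iPATCH request form: an omitted mask is 0."""
    if ingress_port not in ace["ingress-port-list"]:
        return False
    for fld in ("dmac", "smac"):
        if not masked_match(frame[fld], mac_to_int(ace.get(fld, ZERO_MAC)),
                            mac_to_int(ace.get(fld + "-mask", ZERO_MAC))):
            return False
    for fld in ("vid", "pcp"):
        if not masked_match(frame[fld], ace.get(fld, 0), ace.get(fld + "-mask", 0)):
            return False
    for fld in ("tagged", "dei"):  # tri-state: 'any' or the frame's own state
        if ace.get(fld, "any") not in ("any", frame[fld]):
            return False
    if "frame-any" in ace:
        return True
    if "frame-etype" in ace:
        e = ace["frame-etype"]
        return masked_match(frame["etype"], e["etype"], e["etype-mask"])
    if "frame-ipv4" in ace:
        if "ipv4" not in frame:
            return False
        v4, ip = ace["frame-ipv4"], frame["ipv4"]
        net = ipaddress.ip_network(v4.get("sip", "0.0.0.0/0"), strict=False)
        if ipaddress.ip_address(ip["sip"]) not in net:
            return False
        if not masked_match(ip["proto"], v4.get("proto", 0), v4.get("proto-mask", 0)):
            return False
        # Assumption: a source-port range restricts the match only when the ACE
        # states one; the page does not say what the default range 0..0 means.
        if "sport-min" in v4 and not v4["sport-min"] <= ip["sport"] <= v4["sport-max"]:
            return False
        return True
    return False


def acl_lookup(acl, port_defaults, ingress_port, frame):
    """Search the ACL in order; the first matching ACE decides, otherwise the
    ingress port's default action does.  The deciding entry's rx-count is bumped.
    Returns (ACE id or None, forwarding, egress-port-list, policer index or None)."""
    for action in acl:
        if ace_matches(action, ingress_port, frame):
            break
    else:
        action = port_defaults[ingress_port]
    action["rx-count"] = action.get("rx-count", 0) + 1
    return (action.get("id"), action["forwarding"], action.get("egress-port-list", []),
            action["policer-index"] if action.get("policer-enable") else None)


def frame(dmac, smac, tagged="one", vid=0, pcp=0, dei="zero", etype=0x0800, ipv4=None):
    """Constructed sample frame; tag state uses the same enum as the page's ACEs."""
    f = {"dmac": mac_to_int(dmac), "smac": mac_to_int(smac), "tagged": tagged,
         "vid": vid, "pcp": pcp, "dei": dei, "etype": etype}
    if ipv4:
        f["ipv4"] = ipv4
    return f


# ACEs 1, 5, 7, 9 and 11 as configured on this page ('frame-any: any: -' is
# written as an empty mapping).  Port defaults are the initial state of 3.1.
ACE1 = {"id": 1, "ingress-port-list": ["1", "2"], "frame-any": {},
        "forwarding": "filter", "egress-port-list": ["3"]}
ACE5 = {"id": 5, "ingress-port-list": ["1"], "forwarding": "filter",
        "frame-ipv4": {"proto": 17, "proto-mask": 255, "sip": "1.2.3.4/16",
                       "sport-min": 10, "sport-max": 20},
        "egress-port-list": ["2", "3"]}
ACE7 = {"id": 7, "ingress-port-list": ["3"], "tagged": "zero", "vid": 200,
        "vid-mask": 4095, "pcp": 4, "pcp-mask": 7, "frame-any": {},
        "forwarding": "filter", "egress-port-list": ["1", "2"]}
ACE9 = {"id": 9, "ingress-port-list": ["1"], "smac": "00-00-00-00-00-01",
        "smac-mask": "FF-FF-FF-FF-FF-FF", "frame-any": {},
        "forwarding": "filter", "egress-port-list": []}
ACE11 = {"id": 11, "ingress-port-list": ["1"], "dmac": "00-00-00-00-00-01",
         "dmac-mask": "FF-FF-FF-FF-FF-01", "frame-any": {},
         "forwarding": "filter", "egress-port-list": ["2", "3"]}
PORT_DEFAULTS = {p: {"forwarding": "none"} for p in ("1", "2", "3")}

if __name__ == "__main__":
    f = frame("00-00-00-00-00-AA", "00-00-00-00-00-01")
    print(acl_lookup([ACE1, ACE9], PORT_DEFAULTS, "1", f))  # ACE 1 shadows ACE 9's drop
    print(acl_lookup([ACE9, ACE1], PORT_DEFAULTS, "1", f))  # reordered: ACE 9 drops it
```

When auditing an ACL built this way, check list order against intent: a broad entry early in the list (ACE 1 here) silently shadows every narrower entry behind it for the same ingress ports, and the rx-count of the shadowed entry staying at 0 is the observable symptom.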
3. Port ACL default actions
Port based Access Control
Each port has a default action that is used if no ACE in the ACL matches. The possible actions are an egress port list and a policer pointer.
3.1. Check initial default actions
Verify that by default, no actions are active. When forwarding is none, it means "No frame forwarding change."
The interface (port) name is '1'.
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
  mchp-velocitysp-acl:acl-port"
FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/mchp-velocitysp-acl:acl-port"
  : forwarding: none
    egress-port-list: []
    policer-enable: false
    policer-index: 0
    rx-count: 0
3.2. Enable forwarding to a port list
Configure the default action to forward to a list of ports.
The interface (port) name is '1'.
The possible egress ports are '2' and '3'.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
    mchp-velocitysp-acl:acl-port"
  : forwarding: filter
    egress-port-list:
    - '2'
    - '3'
Let’s see that the Port ACL is changed:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
  mchp-velocitysp-acl:acl-port"
FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/mchp-velocitysp-acl:acl-port"
  : forwarding: filter
    egress-port-list:
    - '2'
    - '3'
    policer-enable: false
    policer-index: 0
    rx-count: 0
3.3. Disable forwarding
Configure the default action to disable forwarding from the port.
The interface (port) name is '1'.
The egress port list is empty.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
    mchp-velocitysp-acl:acl-port"
  : forwarding: filter
    egress-port-list: []
Let’s see that the Port ACL is changed:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
  mchp-velocitysp-acl:acl-port"
FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/mchp-velocitysp-acl:acl-port"
  : forwarding: filter
    egress-port-list: []
    policer-enable: false
    policer-index: 0
    rx-count: 0
3.4. Enable policing
Configure the default action to point to a policer.
First, the ACL policer instance must be created.
The policer index is 1.
The Frame Rate is 1000 frames/s.
iPATCH request message:
- ? "/mchp-velocitysp-acl:acl/acl-policers/policer-list[index='1']/frame-rate"
  : 1000
Now we configure the default action to point to the ACL policer.
The interface (port) name is '1'.
The possible egress ports are '2' and '3'.
The policer index is 1.
iPATCH request message:
- ? "/ietf-interfaces:interfaces/interface[name='1']/\
    mchp-velocitysp-acl:acl-port"
  : forwarding: filter
    egress-port-list:
    - '2'
    - '3'
    policer-enable: true
    policer-index: 1
Let’s see that the Port ACL is changed:
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
  mchp-velocitysp-acl:acl-port"
FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/mchp-velocitysp-acl:acl-port"
  : forwarding: filter
    egress-port-list:
    - '2'
    - '3'
    policer-enable: true
    policer-index: 1
    rx-count: 0
3.5. Read the RX counter
When the default action is used, the related RX counter is incremented.
FETCH request message:
- "/ietf-interfaces:interfaces/interface[name='1']/\
  mchp-velocitysp-acl:acl-port/rx-count"
FETCH response message:
- ? "/ietf-interfaces:interfaces/interface/mchp-velocitysp-acl:acl-port/\
    rx-count"
  : 0