Aruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS- CX 10.00


Aruba 8320 Configuring ACLs and Classifier Policies Guide for ArubaOS-CX 10.00
Part Number: a
Published: April 2018
Edition: 2

Copyright 2018 Hewlett Packard Enterprise Development LP

Notices

The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.

Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise website.

Acknowledgments

Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks of Intel Corporation in the United States and other countries. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group.

Contents

Chapter 1 About this document  5
    Applicable products  5
    Latest version available online  5
    About the examples  5
    Switch prompts in examples  5

Chapter 2 Access Control Lists (ACLs)  7
    Access Control Lists (ACLs) overview  7
    Types of ACLs  7
    The application of ACLs  8
    How ACL matching works  8
    Configuring and applying ACLs  9
    Creating an ACL  10
    Setting the ACL log timer frequency  11
    Applying, replacing, or removing ACLs in the interface configuration context  12
    Viewing ACL information  13
    Active ACL configuration versus user-specified configuration  14
    Clearing the hit counts for access control entries  15
    Viewing the hit counts for access control entries  16
    Capacities shown on a switch  17
    ACL commands  17
        access-list {ip | ipv6 | mac} <ACL-NAME> copy  17
        access-list {ip | ipv6 | mac} <ACL-NAME> resequence  20
        access-list ip  22
        access-list ipv6  29
        access-list log-timer  37
        access-list mac  39
        access-list reset  44
        apply access-list  46
        clear access-list hitcounts  48
        show access-list  48
        show access-list hitcounts

Chapter 3 ACL configuration examples
    IPv4 ACL application configuration example
        Intent of the IPv4 ACL application configuration example  53
        Configuring an ACL for IPv4
        Verifying the IPv4 ACL application configuration example  54
    IPv6 ACL application configuration example
        Intent of the IPv6 ACL application configuration example  54
        Configuring an ACL for IPv6
        Verifying the IPv6 ACL application configuration example  55

Chapter 4 Classifier policies
    Classifier policies overview
    Traffic policing
    Types of policy actions  58
    How policy matching works  59
    Active class configuration versus user-specified configuration  60
    Active policy configuration versus user-specified configuration  60
    Classifier Policy commands
        apply policy
        class {ip | ipv6 | mac} <CLASS-NAME> copy
        class {ip | ipv6 | mac} <CLASS-NAME> resequence
        class ip  65
        class ipv6
        class mac  77
        class reset  81
        clear policy hitcounts  82
        policy
        policy <POLICY-NAME> copy
        policy <POLICY-NAME> resequence
        policy reset
        show class  89
        show policy  90

Chapter 5 Classifier policies configuration example  92
    Intent of the classifier policies configuration example  92
    Configuring the classifier policies example

Chapter 6 Websites

Chapter 7 Support and other resources
    Accessing Hewlett Packard Enterprise Support
    Accessing updates  96
    Customer self repair  97
    Remote support
    Warranty information  97
    Regulatory information  98
    Documentation feedback

Chapter 1 About this document

This document contains information about Access Control Lists (ACLs) and classifier policies for the ArubaOS-CX network operating system. It is intended for network administrators responsible for configuring and managing the network.

Applicable products

This document applies to the following products:
- Aruba 8320 Switch Series (JL479A, JL579A, JL581A)

Latest version available online

Updates to this document can occur after initial publication. For the latest versions of product documentation, see the links provided in the Websites chapter of this document.

About the examples

Examples in this document are representative and might not match your particular switch or environment. The port numbers in this document are for illustration only and might be unavailable on your device. The software notation for describing module, slot, port, and interface information depends on the switch hardware. Unless otherwise noted, examples in this document are based on the Aruba 8400 Switch Series, which identifies line module interfaces using member/slot/port notation, such as 1/1/1.

Switch prompts in examples

The switch prompts used in this document are examples and might not match your particular switch or environment. In examples:
- The switch prompt starts with the word switch.
- The switch prompt also indicates the command context. For example:
      switch>           Indicates the operator command context.
      switch#           Indicates the manager command context.
      switch(config)#   Indicates the global configuration context.

In your environment, the switch prompt can vary because the prompt is user-configurable. Typically, the switch prompt begins with the host name of the switch.

The switch prompt contains specifiers in certain configuration command contexts, such as interface name or VLAN ID. For example: switch(config-vlan-100)#. In these cases, examples in this document might contain placeholders such as n or if.

Chapter 2 Access Control Lists (ACLs)

Access Control Lists (ACLs) overview

Access Control Lists (ACLs) let a network administrator define sets of rules based on network traffic addressing or other header content. These rules are used to restrict, alter, or log the passage of traffic through the switch. Choosing the rule criteria is called classification, and one such rule set, or list, is called an Access Control List. ACLs can be configured to match on almost any frame or packet header field and then take an appropriate action.

An ACL contains one or more Access Control Entries (ACEs) which are listed according to priority by sequence number. A single ACE matches on one or more characteristics of the particular traffic type. It has a configured action to either discard or allow the packet to continue through the switch.

You can block, permit, count, or reprioritize network traffic that passes through a switch based on many different frame/packet characteristics. Some of these characteristics are:
- Frame ingress VLAN ID
- Source and/or destination Ethernet MAC, IPv4, or IPv6 address
- Layer 2 (EtherType) and Layer 3 (IP) protocol
- Layer 4 application ports

An administrator might want to limit traffic flowing through the switch in different ways. The limitations an administrator implements depend on the role of the switch in the network. Examples of such limits include:
- Restrict traffic arriving on a routed port, destined to a particular address or subnet. The restriction would be implemented by applying an ACL that matches on a destination IP address, or on an IP address and a mask.
- Prevent certain protocols from using a particular multicast MAC address. This configuration would prevent them from advertising through a port, by applying an ACL that matches on the destination MAC address.
- Prevent an entire subnet from routing through a port by applying an ACL that matches on the IP source address and a mask.
- Prevent any IP host from accessing a particular IP port/application on a specific server by applying an ACL that matches on the destination IP address and Layer 4 port.

Types of ACLs

This product supports three types of ACLs: MAC, IPv4, and IPv6. Each ACL type is focused on the relevant frame/packet characteristics.

You can apply an ACL to an interface to affect or control traffic arriving on that interface (inbound) or leaving the interface (outbound), or both. A given interface supports a single ACL application per type, per direction, to a total of four interface-applied ACLs. A single interface supports the following ACL applications:
- One MAC ACL inbound
- One IPv4 ACL inbound
- One IPv4 ACL outbound
- One IPv6 ACL inbound

Different ACLs of the same type can be used in opposite directions for IPv4, the only type that supports outbound application. If you apply an ACL of a particular type in a direction that is already in use, the switch replaces the current ACL with the new ACL.

The application of ACLs

A packet travels the following route through the router:
1. The packet arrives at the entrance of the router.
2. The router makes a forwarding decision regarding the packet.
3. The packet exits the router.

ACLs are applied at the entrance and exit of the router, not in the middle where the forwarding decision is made. ACLs applied as the packet arrives at the router are called inbound filters, and ACLs applied as the packet leaves the router are called outbound filters. You can configure an ACL to do one of the following:
- Allow only certain types of traffic to pass through the router, and deny all other traffic.
- Deny certain types of traffic from passing through the router, and allow all other types of traffic.

How ACL matching works

An ACL contains one or more Access Control Entries (ACEs) which are listed according to priority by sequence number. A single ACE matches on one or more characteristics of the particular traffic type, and has a configured action to either deny or permit the packet to continue through the switch.

The matching process begins with the ACE that has the lowest sequence number. The incoming or outgoing packet is compared against the match characteristics of that entry. If a match occurs, the action of the ACE, either permit or deny, is taken and no further entries are evaluated. If no match occurs, the match characteristics of the next ACE in sequence are compared to the relevant frame/packet details. This process continues until a match is found or the end of the list is reached. If no ACE in a given applied ACL matches, the frame/packet is discarded.

This discarding of the frame/packet occurs because of the presence of an invisible implicit deny rule at the end of *all* applied ACLs, whether populated or empty. This mechanism is a security feature to ensure that an access-controlled interface will only pass explicitly permitted traffic.

Because of this implicit deny, an ACE permitting ICMPv6 traffic must be added to the end of an IPv6 ACL. IPv6 neighbor discovery runs over ICMPv6, so without that entry the implicit deny drops neighbor discovery on the interface. For example:

    switch(config)# do show run
    ...
    access-list ipv6 TEST1
        10 deny ::0
        20 permit 100.2::0
        30 permit icmpv6
    interface 1/1/3
        no shutdown

        no routing
        apply access-list ipv6 TEST1 in

Traffic matching an explicit deny or permit rule can be counted and recorded in the system log. Logging permitted traffic is not currently supported.

An ACL must be applied using the apply access-list command (in the interface context) before it affects traffic. If an ACL with no user-created entries is applied, the ACL denies all traffic of the ACL type on the applied interface, because only the implicit default-deny ACE is present. The implicit deny covers only the ACL's own traffic type: applying an empty IPv4 ACL does not deny ARP, ICMPv6, or the many other non-IPv4 types of traffic.

ACLs can only be applied to port and LAG interfaces, not to VLAN interfaces.

If you enter an existing ACL-NAME value, the existing ACL is modified as follows:
- A new sequence-number value creates an additional ACE.
- An existing sequence-number value replaces the existing ACE with the same sequence number.

If you modify an ACL already applied to a port, it is possible that packets blocked by the previous ACL will briefly pass through the switch during the ACL reconfiguration. In a highly secured environment, bring down the port prior to modifying the ACL, and then bring the port back up once the configuration is complete.

Sequence numbering

If no sequence number is specified, the software appends the ACE to the end of the ACL with a sequence number equal to the highest sequence number currently in the list plus 10. The sequence numbers can be reordered with the access-list {ip | ipv6 | mac} <ACL-NAME> resequence command.

Deny ACLs

If multiple ACLs of different types are applied in the same direction, a deny ACE, whether explicit or implicit, in one ACL overrides a permit ACE in another. A deny ACE is an ACE within an ACL that uses the deny action keyword. Comment-only ACEs are also supported.

Denied ping requests

A ping request sourced from the switch fails when it is blocked by an ACL applied on egress:

    switch# ping
    PING ( ) 100(128) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted

More information: access-list {ip | ipv6 | mac} <ACL-NAME> resequence on page 20

Configuring and applying ACLs

Create an ACL comprised of one or more access control entries (ACEs) ordered and prioritized by sequence number. Then, apply the ACL on an interface.
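The matching rules in this chapter, as an added Python model: first match by sequence number, the implicit deny at the end of every applied ACL, an empty ACL denying only its own traffic type, a deny in one applied ACL overriding a permit in another, auto-sequencing (highest plus 10) and replacement of an existing sequence number, resequencing, hit counts, the egress application limits, and the per-port hardware cost of Layer 4 port operators described under the access-list ip command reference. This is example code written for this page, not ArubaOS-CX software. The packet dictionaries, the class and function names, and the treatment of lt as ports 0 through port-1 are this example's own assumptions; the 256-ACE egress figure is the one the guide states for the 8320.

```python
"""Model of the ACL rules stated in this chapter (added example, not switch
code). Packet dicts, class names and the 'lt' port count are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

ANY = "any"
EGRESS_ACE_LIMIT_8320 = 256   # per egress ACL, as stated in the guide


def port_matches(spec: Optional[Tuple], port: Optional[int]) -> bool:
    """spec: None, ("eq"|"gt"|"lt", port) or ("range", lo, hi)."""
    if spec is None:
        return True
    if port is None:
        return False
    op, p = spec[0], spec[1]
    return {"eq": port == p, "gt": port > p, "lt": port < p}.get(op, spec[1] <= port <= spec[-1])


def hw_entries(spec: Optional[Tuple]) -> int:
    """Hardware entries one port operator consumes: one per matched port.
    (Counting lt as ports 0..port-1 is this example's assumption; the guide shows gt.)"""
    if spec is None or spec[0] == "eq":
        return 1
    return {"gt": 65535 - spec[1], "lt": spec[1]}.get(spec[0], spec[-1] - spec[1] + 1)


def fits_egress_8320(spec: Optional[Tuple]) -> bool:
    return hw_entries(spec) <= EGRESS_ACE_LIMIT_8320


@dataclass
class Ace:
    action: str                        # "permit" or "deny"
    proto: str = ANY                   # "tcp", "udp", "icmpv6", ... or ANY
    src: str = ANY                     # CIDR prefix or ANY
    dst: str = ANY
    dst_port: Optional[Tuple] = None   # see port_matches
    count: bool = False
    hits: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.proto != ANY and pkt.get("proto") != self.proto:
            return False
        for want, have in ((self.src, pkt.get("src")), (self.dst, pkt.get("dst"))):
            if want != ANY and (have is None or
                                ip_address(have) not in ip_network(want, strict=False)):
                return False
        return port_matches(self.dst_port, pkt.get("dport"))


class Acl:
    def __init__(self, acl_type: str, name: str):
        self.type, self.name = acl_type, name    # "ip", "ipv6" or "mac"
        self.aces: Dict[int, Ace] = {}

    def add(self, ace: Ace, seq: Optional[int] = None) -> int:
        # No sequence number: append at highest + 10. An existing number replaces.
        if seq is None:
            seq = (max(self.aces) if self.aces else 0) + 10
        self.aces[seq] = ace
        return seq

    def resequence(self, start: int, increment: int) -> None:
        ordered = [self.aces[s] for s in sorted(self.aces)]
        self.aces = {start + i * increment: a for i, a in enumerate(ordered)}

    def applies_to(self, pkt: dict) -> bool:
        # A MAC ACL sees every frame; an IP ACL only its own family, so an
        # empty IPv4 ACL leaves ARP and IPv6 traffic alone.
        return {"ip": "ipv4", "ipv6": "ipv6"}.get(self.type, pkt["family"]) == pkt["family"]

    def evaluate(self, pkt: dict) -> str:
        for seq in sorted(self.aces):          # lowest sequence number first
            ace = self.aces[seq]
            if ace.matches(pkt):
                if ace.count:
                    ace.hits += 1
                return ace.action              # first match wins
        return "deny"                          # implicit deny, even when empty


class Interface:
    def __init__(self, routed: bool):
        self.routed = routed
        self.applied: Dict[Tuple[str, str], Acl] = {}   # (type, direction) -> ACL

    def apply(self, acl: Acl, direction: str) -> None:
        # Egress: IPv4 only, and only on Layer 3 (route-only) interfaces.
        if direction == "out" and (acl.type != "ip" or not self.routed):
            raise ValueError("egress ACLs are IPv4-only and Layer 3-only")
        self.applied[(acl.type, direction)] = acl   # same type+direction: replaced

    def decide(self, pkt: dict, direction: str) -> str:
        # One ACL per type per direction; a deny in any applicable ACL wins.
        for (_, d), acl in self.applied.items():
            if d == direction and acl.applies_to(pkt) and acl.evaluate(pkt) == "deny":
                return "deny"
        return "permit"
```

Two things the model makes visible that the CLI output does not: an IPv6 ACL without a trailing permit icmpv6 silently drops neighbor discovery (evaluate returns the implicit deny for an ICMPv6 packet), and a gt 10 port operator costs 65,525 hardware entries, which fits_egress_8320 rejects against the 256-ACE egress figure.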

Prerequisites

You must be in the global configuration context: switch(config)#

Procedure

1. Determine the following for each ACL:
   - Do you want to specify filtering on inbound or outbound packets? No ACLs (including ACLs for IPv4, IPv6, and MAC) are supported in egress on a Layer 2 interface. Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.
   - Do you want to deny or permit the packet flows?
   - What matching criteria do you want to include in the access control entries?
   - Which interfaces do you want to apply the ACL to?
2. Create an ACL using one of the following commands:
       access-list ip
       access-list ipv6
       access-list mac
3. These access-list commands enter you into the named ACL context. Within the named ACL context, create the access control entries:
       switch(config-acl-ip)# 10 permit udp /24
4. To apply the ACL to an interface, enter:
       apply access-list {ip | ipv6 | mac} <ACL-NAME> {in | out}
   In the command, specify the type of ACL, the ACL name, and whether to apply it to inbound or outbound packets. The type given to apply access-list is the type the ACL was created with: an ACL created with access-list ip is applied with apply access-list ip.

Configuring and applying an ACL:

    switch(config)# access-list ip MY_IP_ACL
    switch(config-acl-ip)# 10 permit udp /24
    switch(config-acl-ip)# 20 permit tcp /16 lt 1023
    switch(config-acl-ip)# 30 permit tcp /24 syn ack dscp 10
    switch(config-acl-ip)# 40 deny count
    switch(config-acl-ip)# exit
    switch(config)# interface 1/1/2
    switch(config-if)# apply access-list ip MY_IP_ACL in

More information: access-list ip on page 22; access-list ipv6 on page 29; access-list mac on page 39; apply access-list on page 46

Creating an ACL

Create an IPv4, IPv6, or MAC ACL comprised of one or more access control entries (ACEs) ordered and prioritized by sequence number.

Prerequisites

You must be in the global configuration context: switch(config)#

Procedure

1. Determine the following for each ACL:
   - Do you want to specify filtering on inbound or outbound packets?
   - Do you want to deny or permit the packet flows?
   - What matching criteria do you want to include in the access control entries?
2. Create an ACL using one of the following commands:
       access-list ip
       access-list ipv6
       access-list mac
   These access-list commands enter you into the named ACL context.
3. Within the named ACL context, create the access control entries.

Creating an ACL:

    switch(config)# access-list ip MY_IP_ACL
    switch(config-acl-ip)# 10 permit udp /24
    switch(config-acl-ip)# 20 permit tcp /16 lt 1023
    switch(config-acl-ip)# 30 permit tcp /24 syn ack dscp 10
    switch(config-acl-ip)# 40 deny count
    switch(config-acl-ip)# exit

More information: access-list ip on page 22; access-list ipv6 on page 29; access-list mac on page 39

Setting the ACL log timer frequency

You can set the log timer frequency for ACEs that have the log parameter configured. This capability allows throttling of logging ACL hits.

Prerequisites

You must be in the global configuration context: switch(config)#

Procedure

To set the ACL log timer frequency, enter:

    access-list log-timer {default | <VALUE>}

Where default sets the log timer back to the default value (300 seconds),

and <VALUE> sets the log timer to the specified number of seconds.

Setting the ACL log timer to 120 seconds:

    switch(config)# access-list log-timer 120

Resetting the ACL log timer to the default value:

    switch(config)# no access-list log-timer

The first packet that matches an entry with the log parameter within an ACL log timer window (configured with the access-list log-timer command) has its header contents extracted and sent to the configured logging destination, such as the console and a syslog server. Each time the ACL log timer expires, a summary of the ACEs with log configured is sent to the logging destination. Later matches within the same window do not produce a per-packet message, which is what bounds the log volume a flood of denied traffic can generate.

More information: access-list log-timer on page 37

Applying, replacing, or removing ACLs in the interface configuration context

Apply an ACL to the current interface context. Individual front plane ports or Link Aggregation Groups (LAGs) are valid interfaces for applying ACLs. Only one ACL of a given type (for example, IPv4) and direction (for example, inbound) can be applied to an interface at a time. IPv6 and MAC ACLs can only be applied to inbound traffic. Also use this command to replace or remove an ACL from a specific interface.

Prerequisites

You must be in the interface configuration context (config-if) or the interface LAG configuration context (config-lag-if).

Procedure

In the interface configuration context or the interface LAG configuration context, enter the following command:

    apply access-list {ip | ipv6 | mac} <ACL-NAME> {in | out}

Specify the type of ACL, the name of the applicable ACL, and whether to apply to inbound (ingress) or outbound (egress) traffic. Applying an ACL of a type and direction already in use on the interface replaces the existing ACL. Use the no form of the command to remove an ACL.

Applying MY_MAC_ACL to ingress traffic on interface 1/1/1 and ingress traffic on interface 1/1/2:

    switch(config)# interface 1/1/1
    switch(config-if)# apply access-list mac MY_MAC_ACL in
    switch(config-if)# exit
    switch(config)# interface 1/1/2
    switch(config-if)# apply access-list mac MY_MAC_ACL in
    switch(config-if)# exit
    switch(config)#
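The log-timer throttling described above, as an added Python model (example code for this page, not switch software). It assumes the window opens at the first logged match and that the expired window's summary is emitted when the next logged match arrives; the class name, the event dictionaries and the constructed header are this example's own.

```python
"""ACL log-timer throttling as described in the guide (added example).
Assumption: a window opens on the first logged match; the summary for an
expired window is produced when the next logged match arrives."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DEFAULT_LOG_TIMER = 300   # seconds, the default the guide states


class LogThrottle:
    def __init__(self, log_timer: int = DEFAULT_LOG_TIMER):
        self.log_timer = log_timer
        self.window_start: Optional[float] = None
        self.counts: Dict[Tuple[str, int], int] = defaultdict(int)  # (acl, seq) -> hits

    def packet(self, acl: str, seq: int, header: dict, now: float) -> List[dict]:
        """Record a packet matching an ACE that has 'log' set; return the
        log messages emitted for it (zero, one or two)."""
        out: List[dict] = []
        if self.window_start is not None and now - self.window_start >= self.log_timer:
            out.append(self.expire())
        if self.window_start is None:
            # First logged match of a new window: the header itself goes out.
            self.window_start = now
            out.append({"type": "header", "acl": acl, "seq": seq, "header": header})
        self.counts[(acl, seq)] += 1   # every match is counted for the summary
        return out

    def expire(self) -> dict:
        """Timer expiry: emit the per-ACE summary and close the window."""
        summary = {"type": "summary", "hits": dict(self.counts)}
        self.counts.clear()
        self.window_start = None
        return summary


def simulate(log_timer: int, events) -> List[dict]:
    """Run a constructed sequence of (acl, seq, header, time) matches."""
    throttle = LogThrottle(log_timer)
    emitted: List[dict] = []
    for acl, seq, header, t in events:
        emitted.extend(throttle.packet(acl, seq, header, t))
    return emitted


if __name__ == "__main__":
    # Constructed sample: a scan hitting the deny ACE 500 times in two minutes.
    hdr = {"src": "10.0.0.5", "dst": "10.0.1.9", "proto": "tcp", "dport": 22}
    flood = [("MY_ACL", 40, hdr, t * 0.25) for t in range(500)]
    for msg in simulate(120, flood):
        print(msg["type"], msg.get("hits", msg.get("header")))
```

With a 120-second timer the 500-packet flood above yields two header messages and one summary rather than 500 log lines; shortening the timer trades log volume for timeliness of the summary counts.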

Viewing ACL information

Prerequisites

You must be in the manager (#) command context: switch#

Procedure

To view various aspects of ACLs and their current use, enter:

    show access-list [interface <ID>] [{in | out}] [{ip | ipv6 | mac}] [<ACL-NAME>] [commands] [configuration]

- Use the [interface <ID>] parameters to show ACL information for a specific interface.
- Use the [{in | out}] parameters to limit the display to inbound (ingress) or outbound (egress) ACLs.
- Use the [{ip | ipv6 | mac}] parameters to limit the display to IPv4, IPv6, or MAC ACLs.
- Use the [<ACL-NAME>] parameter to limit the display to a specific named ACL.
- Use the [commands] parameter to display the output as CLI commands.
- Use the [configuration] parameter to display the user-specified ACL configuration instead of the active programmed configuration.

Viewing IPv4 ACL information:

    switch# show access-list ip
    L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
    IPv4 MY_ACL
      10 permit udp /24
      20 Permit all TCP ephemeral ports
         permit tcp /16 <
         permit tcp /24 syn ack dscp
         deny
      Hit-counts: enabled

Displaying IPv6 ACLs as commands:

    switch# show access-list ipv6 commands
    10 permit udp 2001::1/64
    20 permit tcp 2001:2001::2:1/128 gt
    permit tcp 2001:2011:::1/64 tos 4 vlan
    deny count

More information: show access-list on page 48; Active ACL configuration versus user-specified configuration on page 14

Active ACL configuration versus user-specified configuration

The output of the show access-list command displays the active configuration of the product. The active configuration is the set of ACLs that have been configured and accepted by the system, and the interfaces on which those ACLs have successfully been programmed in the hardware.

The output of the show access-list command with the configuration parameter displays the ACLs as the user configured them. This output may not be the same as what was programmed in the hardware or what is active on the product. The discrepancy can occur because of one or more of the following:
- Unsupported command parameters might have been configured.
- Unsupported applications might have been specified.
- Applying an ACL might have been unsuccessful due to lack of hardware resources.

The filtering actually enforced is the active configuration, so a discrepancy means the running configuration overstates what is being blocked. To determine if a discrepancy exists between what was configured and what is active, run the show access-list command with the configuration parameter. If the active ACLs and configured ACLs are not the same, the switch displays a warning message in the output of the show command:

    ! access-list ip MY_IP_ACL user configuration does not match active configuration.
    ! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.

If the configured ACL is still being processed, the switch displays an in-progress warning:

    ! access-list ip MY_IP_ACL user configuration currently being processed
    ! run 'access-list TYPE NAME reset' to reset access-list to match active configuration.

If the switch displays a warning message or an in-progress message, additional changes can be made until the message is no longer displayed in the show command, or you can run the access-list {all | ip <ACL-NAME> | ipv6 <ACL-NAME> | mac <ACL-NAME>} reset command. The access-list reset command changes the user-specified configuration to match the active configuration. For details, see access-list reset on page 44.

Examples

Applying an ACL with TCP acknowledgements (ACKs) on egress, which is unsupported by the hardware:

    switch(config-acl)# 10 permit tcp /16 ack

Displaying the user-specified configuration:

    switch(config)# do show run
    access-list ip TEST_ACL
        10 permit tcp /16 ack
    interface 1/1/1
    ! access-list ip TEST_ACL user configuration does not match active configuration.
    ! run 'show access-list [commands]' to display active access-list configuration.

        apply access-list ip TEST_ACL out

    switch(config)# do show access-list commands
    access-list ip TEST_ACL
        10 permit tcp /16 ack
    ! access-list ip TEST_ACL user configuration does not match active configuration.
    ! run 'access-list all reset' to reset all access-lists to match active configuration.

    switch(config)# do show access-list commands configuration
    access-list ip TEST_ACL
        10 permit tcp /16 ack
    ! access-list ip TEST_ACL user configuration does not match active configuration.
    ! run 'access-list all reset' to reset all access-lists to match active configuration.
    interface 1/1/1
        apply access-list ip TEST_ACL out

    switch(config)# do show access-list commands
    access-list ip TEST_ACL
        10 permit tcp /16 ack

    switch(config)# do show access-list
    L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
    IPv4 test
      10 permit tcp ack

Resetting the user-specified configuration to match the active configuration:

    switch(config)# access-list all reset

Displaying the updated user-specified configuration:

    switch(config)# do show access-list commands configuration
    access-list ip TEST_ACL
        10 permit tcp /16 ack

More information: access-list reset on page 44

Clearing the hit counts for access control entries

Prerequisites

You must be in the manager (#) command context: switch#

Procedure

To clear the hit counts, enter:

    clear access-list hitcounts {all | {ip | ipv6 | mac} <ACL-NAME> interface <ID> [{in | out}]}

- Use the {ip | ipv6 | mac} parameters to clear the hit counts from IPv4, IPv6, or MAC ACLs.
- Use the <ACL-NAME> parameter to clear the hit counts from a specific named ACL.
- Use the interface <ID> parameters to clear the hit counts for a specific interface.
- Use the [{in | out}] parameters to clear the hit counts from inbound (ingress) or outbound (egress) ACLs.

Clearing the hit counts for a specified ACL:

    switch# clear access-list hitcounts ip MY_ACL interface 1/1/1 in

Clearing the hit counts for all configured ACLs:

    switch# clear access-list hitcounts all

More information: clear access-list hitcounts on page 48

Viewing the hit counts for access control entries

Prerequisites

You must be in the manager (#) command context: switch#

Procedure

To view the hit counts, enter:

    show access-list hitcounts {ip | ipv6 | mac} <ACL-NAME> [interface <ID> [{in | out}]]

- Use the {ip | ipv6 | mac} parameters to limit the display to IPv4, IPv6, or MAC ACLs.
- Use the <ACL-NAME> parameter to limit the display to a specific named ACL.
- Use the [interface <ID>] parameters to display the hit counts for a specific interface.
- Use the [{in | out}] parameters to limit the display to inbound (ingress) or outbound (egress) ACLs.

Displaying the hit counts for an ACL:

    switch# show access-list hitcounts ip MY_ACL interface 1/1/1
    Statistics for ACL MY_ACL (ipv4):
    Interface 1/1/1 (in):
    Hit Count  Configuration
    -          10 permit udp /24
    -          20 permit tcp /16 lt
               permit tcp /24 tcp-syn tcp-ack dscp
               deny count

More information: show access-list hitcounts

Capacities shown on a switch

Capacities are a representation of the quantity of specific resources the switch can make available. For the capacities declared, the switch software reports the capacity status to indicate how much of a specific capacity is in use at a given time. Use the show capacities and show capacities-status commands to view capacity information.

ACL commands

access-list {ip | ipv6 | mac} <ACL-NAME> copy

Syntax

    access-list {ip | ipv6 | mac} <ACL-NAME> copy <DESTINATION-ACL>

Description

Copies an IPv4, IPv6, or MAC ACL to a new destination ACL.

Command context: config

Parameters
- {ip | ipv6 | mac}: Specifies the type of ACL.
- <ACL-NAME>: Specifies the name of the ACL to be copied.
- <DESTINATION-ACL>: Specifies the name of the destination ACL.

Authority: Administrators

Examples

Copying MY_IP_ACL to MY_IP_ACL2:

    switch(config)# access-list ip MY_IP_ACL copy MY_IP_ACL2
    switch(config-acl-ip)# exit
    switch(config)# do show access-list
    L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
    IPv4 MY_IP_ACL
      1 permit udp /
      2 permit tcp / > 1023
      3 permit tcp / dscp: AF11 ack syn
      4 deny
      Hit-counts: enabled
    IPv4 MY_IP_ACL2
      1 permit udp /
      2 permit tcp / >
      3 permit tcp / dscp: AF11 ack syn
      4 deny
      Hit-counts: enabled

Copying MY_IPV6_ACL to MY_IPV6_ACL2:

    switch(config)# access-list ipv6 MY_IPV6_ACL copy MY_IPV6_ACL2
    switch(config-acl-ip)# exit
    switch(config)# do show access-list
    L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
    IPv6 MY_IPV6_ACL
      1 permit udp 2001::1/64
      2 Permit all TCP ephemeral ports
        permit tcp 2001:2001::2:1 >
      3 permit tcp 2001:2011::1/64
      4 deny
      Hit-counts: enabled
    IPv6 MY_IPV6_ACL2
      1 permit udp 2001::1/64
      2 Permit all TCP ephemeral ports
        permit tcp 2001:2001::2:1 >
      3 permit tcp 2001:2011::1/64
      4 deny
      Hit-counts: enabled

Copying MY_MAC_ACL to MY_MAC_ACL2:

    switch(config)# access-list mac MY_MAC_ACL copy MY_MAC_ACL2
    switch(config-acl-mac)# exit
    switch(config)# do show access-list
    EtherType  Source MAC Address  Destination MAC Address
    MAC MY_MAC_ACL
      1 permit ipv /ffff.ffff
      2 permit aaaa.bbbb.cccc  QoS Priority Code Point: 4
      3 Permit all vlan-40 tagged Appletalk traffic
        permit appletalk  VLAN: 1
      4 deny
      Hit-counts: enabled
    MAC MY_MAC_ACL2
      1 permit ipv /ffff.ffff
      2 permit aaaa.bbbb.cccc  QoS Priority Code Point: 4
      3 Permit all vlan-40 tagged Appletalk traffic
        permit appletalk  VLAN: 1
      4 deny
      Hit-counts: enabled

access-list {ip | ipv6 | mac} <ACL-NAME> resequence

Syntax

    access-list {ip | ipv6 | mac} <ACL-NAME> resequence <STARTING-SEQUENCE-NUMBER> <INCREMENT>

Description

Reorders the sequence numbers in an ACL. The entries keep their relative order: the first ACE receives <STARTING-SEQUENCE-NUMBER> and each following ACE receives the previous number plus <INCREMENT>.

Command context: config

Parameters
- {ip | ipv6 | mac}: Specifies the type of ACL.
- <ACL-NAME>: Specifies the name of the ACL to be resequenced.
- <STARTING-SEQUENCE-NUMBER>: Specifies the starting sequence number.
- <INCREMENT>: Specifies the amount by which each subsequent sequence number is incremented.

Authority: Administrators

Examples

Resequencing an IPv4 ACL:

    switch(config)# access-list ip MY_IP_ACL resequence 1 1
    switch(config-acl-ip)# exit
    switch(config)# do show access-list
    L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
    IPv4 MY_IP_ACL
      1 permit udp /
      2 permit tcp / >
      3 permit tcp / dscp: AF11 ack syn
      4 deny
      Hit-counts: enabled

Resequencing an IPv6 ACL:

    switch(config)# access-list ipv6 MY_IPV6_ACL resequence 1 1
    switch(config-acl-ip)# exit
    switch(config)# do show access-list
    L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
    IPv6 MY_IPV6_ACL
      1 permit udp 2001::1/64
      2 Permit all TCP ephemeral ports
        permit tcp 2001:2001::2:1 >
      3 permit tcp 2001:2011::1/64
      4 deny
      Hit-counts: enabled

Resequencing a MAC ACL:

    switch(config)# access-list mac MY_MAC_ACL resequence 1 1
    switch(config-acl-mac)# exit
    switch(config)# do show access-list
    EtherType  Source MAC Address  Destination MAC Address
    MAC MY_MAC_ACL
      1 permit ipv /ffff.ffff
      2 permit aaaa.bbbb.cccc  QoS Priority Code Point: 4
      3 Permit all vlan-40 tagged Appletalk traffic
        permit appletalk  VLAN: 1
      4 deny
      Hit-counts: enabled

access-list ip

Syntax

    access-list ip <ACL-NAME>

        [<SEQUENCE-NUMBER>] {permit | deny} {any | ah | gre | esp | icmp | igmp | ospf | pim | <IP-PROTOCOL-NUM>}
            {any | <SRC-IP-ADDRESS>[/{<PREFIX-LENGTH> | <SUBNET-MASK>}]}
            {any | <DST-IP-ADDRESS>[/{<PREFIX-LENGTH> | <SUBNET-MASK>}]}
            [dscp {AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF | <DSCP-VALUE>}]
            [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment]
            [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]

        [<SEQUENCE-NUMBER>] {permit | deny} {sctp | tcp | udp}
            {any | <SRC-IP-ADDRESS>[/{<PREFIX-LENGTH> | <SUBNET-MASK>}]} [{eq | gt | lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
            {any | <DST-IP-ADDRESS>[/{<PREFIX-LENGTH> | <SUBNET-MASK>}]} [{eq | gt | lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
            [urg] [ack] [psh] [rst] [syn] [fin] [established]
            [dscp {AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF | <DSCP-VALUE>}]
            [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment]
            [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]

        [<SEQUENCE-NUMBER>] comment <TEXT-STRING>

Description

Creates an IPv4 access control list (ACL) comprised of one or more access control entries (ACEs) ordered and prioritized by sequence number. The lowest sequence number is the highest-priority ACE. The no form of the access-list ip command deletes the whole ACL; within the named ACL context, the no form with a sequence number deletes that individual ACE.

Command context: config

The access-list ip <ACL-NAME> command takes you into the named ACL context, where you enter the access control entries.

Parameters

<ACL-NAME>
    Specifies the name of this ACL.

<SEQUENCE-NUMBER>
    Specifies a sequence number for the ACE. Optional.

{permit | deny}
    Specifies whether to permit or deny traffic matching this ACE.
comment
    Specifies storing the remaining entered text as an ACE comment.
protocols
    Select a protocol from the following (enter one only):
    any - Any IP protocol
    <IP-PROTOCOL-NUM> - Enter an IP protocol number. Range:
    Enter an IP protocol name from the following list: ah, gre, esp, icmp, igmp, ospf (version 2), pim, sctp, tcp, udp
{any | <SRC-IP-ADDRESS>[/{<PREFIX-LENGTH> | <SUBNET-MASK>}]}
    Specifies the source IP host, network address, or the keyword any. You can optionally include one of the following:
    <PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range
    <SUBNET-MASK> - The address bits to mask (dotted decimal notation).
{any | <DST-IP-ADDRESS>[/{<PREFIX-LENGTH> | <SUBNET-MASK>}]}
    Specifies the destination IP host, network address, or the keyword any. You can optionally include one of the following:
    <PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range
    <SUBNET-MASK> - The address bits to mask (dotted decimal notation).
[{eq | gt | lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
    Each port to be matched requires a separate hardware entry, so the switch can run out of hardware resources before the ACE limit is reached when many Layer 4 ports are to be matched. For example, the 8320 switch supports a maximum of 256 ACEs per egress ACL. One ACE containing a source or destination Layer 4 port qualifier of gt 10 results in 65,525 (65,535 minus 10) hardware entries. This ACE exceeds the hardware capacity of the 8320 switch and cannot be applied. Match specific ports with eq, or keep ranges narrow, wherever the policy allows.

NOTE: Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

    Specifies matching using one of the following keywords:
    eq - Layer 4 port is equal to the specified port.
    gt - Layer 4 port is greater than the specified port.
    lt - Layer 4 port is less than the specified port.
    Relative to either:
    <PORT> - A single Layer 4 port (range ).
    range <MIN-PORT> <MAX-PORT> - A Layer 4 port from the minimum to the maximum port, inclusive.
urg
    Specifies matching on the TCP flag: Urgent.
ack
    Specifies matching on the TCP flag: Acknowledgment.
psh
    Specifies matching on the TCP flag: Push buffered data to the receiving application.
rst
    Specifies matching on the TCP flag: Reset the connection.
syn
    Specifies matching on the TCP flag: Synchronize sequence numbers.
fin
    Specifies matching on the TCP flag: Finish connection.
established
    Specifies matching on an established TCP connection. This is not a flag bit of its own: it matches segments that belong to a connection already under way (conventionally, those with ACK or RST set). An ACE that permits established traffic therefore does not admit the initial SYN that opens a new connection; that segment falls through to later ACEs.
dscp
    Specifies a Differentiated Services Code Point (DSCP) value. Enter either a numeric <DSCP-VALUE> (0-63) or a keyword as follows:
    AF11 - DSCP 10 (Assured Forwarding Class 1, low drop probability)
    AF12 - DSCP 12 (Assured Forwarding Class 1, medium drop probability)
    AF13 - DSCP 14 (Assured Forwarding Class 1, high drop probability)
    AF21 - DSCP 18 (Assured Forwarding Class 2, low drop probability)
    AF22 - DSCP 20 (Assured Forwarding Class 2, medium drop probability)
    AF23 - DSCP 22 (Assured Forwarding Class 2, high drop probability)
    AF31 - DSCP 26 (Assured Forwarding Class 3, low drop probability)
    AF32 - DSCP 28 (Assured Forwarding Class 3, medium drop probability)

    AF33 - DSCP 30 (Assured Forwarding Class 3, high drop probability)
    AF41 - DSCP 34 (Assured Forwarding Class 4, low drop probability)
    AF42 - DSCP 36 (Assured Forwarding Class 4, medium drop probability)
    AF43 - DSCP 38 (Assured Forwarding Class 4, high drop probability)
    CS0 - DSCP 0 (Class Selector 0: Default)
    CS1 - DSCP 8 (Class Selector 1: Scavenger)
    CS2 - DSCP 16 (Class Selector 2: OAM)
    CS3 - DSCP 24 (Class Selector 3: Signaling)
    CS4 - DSCP 32 (Class Selector 4: Realtime)
    CS5 - DSCP 40 (Class Selector 5: Broadcast video)
    CS6 - DSCP 48 (Class Selector 6: Network control)
    CS7 - DSCP 56 (Class Selector 7)
    EF - DSCP 46 (Expedited Forwarding)
ecn <ECN-VALUE>
    Specifies an Explicit Congestion Notification value. Range: 0-3.
fragment
    Specifies a fragment packet. Non-initial fragments carry no Layer 4 header, so an ACE that qualifies Layer 4 ports cannot match them on those ports; use fragment to handle fragmented traffic explicitly.
ip-precedence <IP-PRECEDENCE-VALUE>
    Specifies an IP precedence value. Range: 0-7.
tos <TOS-VALUE>
    Specifies a Type of Service value. Range: 0-7.
ttl <TTL-VALUE>
    Specifies a time-to-live value.
vlan <VLAN-ID>
    Specifies the 802.1Q VLAN ID to match in the VLAN tag.
count
    Keeps the hit counts of the number of packets matching this ACE (displayed with show access-list hitcounts).
log
    Keeps a log of the packets matching this ACE. The log action can only be combined with deny, not permit. The 8320 switch does not support logging for ACLs applied on the egress.

Authority

Administrators

Usage

Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait period is over, packets matching other ACL types do not create a log. At the end of the wait period, the switch creates a summary log of all the ACLs that were matched, regardless of type. Because of this rate limiting the log is a sample, not a count; use the hit counts to measure how much traffic an ACE matched.

Egress ACL logging is not supported.

Egress filtering based on the VLAN tag on a routed port is not supported.

Examples

Creating an IPv4 ACL with four entries:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 10 permit udp /24
switch(config-acl-ip)# 20 permit tcp /16 gt 1023
switch(config-acl-ip)# 30 permit tcp /24 syn ack dscp 10
switch(config-acl-ip)# 40 deny count
switch(config-acl-ip)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL
    10 permit udp /
    20 permit tcp / >
    30 permit tcp /
       dscp: AF11 ack syn
    40 deny
Hit-counts: enabled

Adding a comment to an existing IPv4 ACE:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 20 comment Permit all TCP ephemeral ports
switch(config-acl-ip)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL
    10 permit udp /
    20 Permit all TCP ephemeral ports
       permit tcp

       / >
    30 permit tcp /
       dscp: AF11 ack syn
    40 deny
Hit-counts: enabled

Removing a comment from an existing IPv4 ACE:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# no 20 comment
switch(config-acl-ip)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL
    10 permit udp /
    20 permit tcp / >
    30 permit tcp /
       dscp: AF11 ack syn
    40 deny
Hit-counts: enabled

Adding an ACE (insert line 25) to an existing IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 25 permit icmp /16
switch(config-acl-ip)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL
    10 permit udp /
    20 permit tcp

       / >
    25 permit icmp /
    30 permit tcp /
       dscp: AF11 ack syn
    40 deny
Hit-counts: enabled

Replacing an ACE in an existing IPv4 ACL (re-entering an existing sequence number overwrites that ACE):

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# 25 permit icmp /16
switch(config-acl-ip)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL
    10 permit udp /
    20 permit tcp / >
    25 permit icmp /
    30 permit tcp /
       dscp: AF11 ack syn
    40 deny
Hit-counts: enabled

Removing an ACE from an IPv4 ACL:

switch(config)# access-list ip MY_IP_ACL
switch(config-acl-ip)# no 25
switch(config-acl-ip)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL

    10 permit udp /
    20 permit tcp / >
    30 permit tcp /
       dscp: AF11 ack syn
    40 deny
Hit-counts: enabled

Removing an IPv4 ACL (only the other configured ACL, MY_IP_ACL2, remains):

switch(config)# no access-list ip MY_IP_ACL
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv4 MY_IP_ACL2
    1 permit udp /
    2 permit tcp / >
    3 permit tcp /
      dscp: AF11 ack syn
    4 deny
Hit-counts: enabled

access-list ipv6

Syntax

access-list ipv6 <ACL-NAME>
    [<SEQUENCE-NUMBER>] {permit | deny} {any | ah | gre | esp | icmpv6 | ospf | pim | <IP-PROTOCOL-NUM>}
        {any | <SRC-IP-ADDRESS>[/<PREFIX-LENGTH>]}
        {any | <DST-IP-ADDRESS>[/<PREFIX-LENGTH>]}
        [dscp {AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF | <DSCP-VALUE>}]
        [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>]

        [fragment] [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]
    [<SEQUENCE-NUMBER>] {permit | deny} {sctp | tcp | udp}
        {any | <SRC-IP-ADDRESS>[/<PREFIX-LENGTH>]} [{eq | gt | lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
        {any | <DST-IP-ADDRESS>[/<PREFIX-LENGTH>]} [{eq | gt | lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
        [cwr] [ece] [urg] [ack] [psh] [rst] [syn] [fin] [established]
        [dscp {AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43 | CS0 | CS1 | CS2 | CS3 | CS4 | CS5 | CS6 | CS7 | EF | <DSCP-VALUE>}]
        [ecn <ECN-VALUE>] [ip-precedence <IP-PRECEDENCE-VALUE>] [tos <TOS-VALUE>] [fragment]
        [vlan <VLAN-ID>] [ttl <TTL-VALUE>] [count] [log]
    [<SEQUENCE-NUMBER>] comment <TEXT-STRING>

Description

Creates an IPv6 access control list (ACL) made up of one or more access control entries (ACEs), ordered and prioritized by sequence number. The ACE with the lowest sequence number has the highest priority: the first ACE that matches a packet decides whether it is permitted or denied, and a packet that matches no ACE of an applied ACL is dropped (implicit deny).

The no form of the command deletes the whole ACL (no access-list ipv6 <ACL-NAME>). Inside the ACL context, no <SEQUENCE-NUMBER> deletes a single ACE.

Command context

config

The access-list ipv6 <ACL-NAME> command takes you into the named ACL context (config-acl-ipv6), where you enter the access control entries.

Parameters

<ACL-NAME>
    Specifies the name of this ACL.
<SEQUENCE-NUMBER>
    Specifies a sequence number for the ACE. Optional, in the range of
{permit | deny}
    Specifies whether to permit or deny traffic matching this ACE.
comment
    Specifies storing the remaining entered text as an ACE comment.
protocols
    Select a protocol from the following (enter one only):
    any - Any IP protocol
    <IP-PROTOCOL-NUM> - Enter an IP protocol number, range
    Enter an IP protocol name from the following list:

    ah, gre, esp, icmpv6, ospf (version 3), pim, sctp, tcp, udp
{any | <SRC-IP-ADDRESS>[/<PREFIX-LENGTH>]}
    Specifies the source IPv6 host, network address, or the keyword any. You can optionally include the following:
    <PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range
{any | <DST-IP-ADDRESS>[/<PREFIX-LENGTH>]}
    Specifies the destination IPv6 host, network address, or the keyword any. You can optionally include the following:
    <PREFIX-LENGTH> - The address bits to mask (CIDR subnet mask notation), range
[{eq | gt | lt} <PORT> | range <MIN-PORT> <MAX-PORT>]
    Each port to be matched requires a separate hardware entry, so the switch can run out of hardware resources before the ACE limit is reached when many Layer 4 ports are to be matched. For example, the 8320 switch supports a maximum of 256 ACEs per egress ACL. One ACE containing a source or destination Layer 4 port qualifier of gt 10 results in 65,525 (65,535 minus 10) hardware entries. This ACE exceeds the hardware capacity of the 8320 switch and cannot be applied.

    NOTE: Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

    Specifies matching using one of the following keywords:
    eq - Layer 4 port is equal to the specified port.
    gt - Layer 4 port is greater than the specified port.
    lt - Layer 4 port is less than the specified port.
    Relative to either a single port or a port range:
    <PORT> - A single Layer 4 port (range ).
    range <MIN-PORT> <MAX-PORT> - A Layer 4 port from the minimum to the maximum port, inclusive.

cwr
    Specifies matching on the TCP flag: Congestion Window Reduced (RFC 3168).
ece
    Specifies matching on the TCP flag: ECN-Echo (RFC 3168).
urg
    Specifies matching on the TCP flag: Urgent.
ack
    Specifies matching on the TCP flag: Acknowledgment.
psh
    Specifies matching on the TCP flag: Push buffered data to the receiving application.
rst
    Specifies matching on the TCP flag: Reset the connection.
syn
    Specifies matching on the TCP flag: Synchronize sequence numbers.
fin
    Specifies matching on the TCP flag: Finish connection.
established
    Specifies matching on an established TCP connection. This is not a flag bit of its own: it matches segments that belong to a connection already under way (conventionally, those with ACK or RST set), so it does not admit the initial SYN that opens a new connection.
dscp
    Specifies a Differentiated Services Code Point (DSCP) value. Enter either a numeric <DSCP-VALUE> (0-63) or a keyword as follows:
    AF11 - DSCP 10 (Assured Forwarding Class 1, low drop probability)
    AF12 - DSCP 12 (Assured Forwarding Class 1, medium drop probability)
    AF13 - DSCP 14 (Assured Forwarding Class 1, high drop probability)
    AF21 - DSCP 18 (Assured Forwarding Class 2, low drop probability)
    AF22 - DSCP 20 (Assured Forwarding Class 2, medium drop probability)
    AF23 - DSCP 22 (Assured Forwarding Class 2, high drop probability)
    AF31 - DSCP 26 (Assured Forwarding Class 3, low drop probability)
    AF32 - DSCP 28 (Assured Forwarding Class 3, medium drop probability)
    AF33 - DSCP 30 (Assured Forwarding Class 3, high drop probability)
    AF41 - DSCP 34 (Assured Forwarding Class 4, low drop probability)
    AF42 - DSCP 36 (Assured Forwarding Class 4, medium drop probability)
    AF43 - DSCP 38 (Assured Forwarding Class 4, high drop probability)
    CS0 - DSCP 0 (Class Selector 0: Default)
    CS1 - DSCP 8 (Class Selector 1: Scavenger)

    CS2 - DSCP 16 (Class Selector 2: OAM)
    CS3 - DSCP 24 (Class Selector 3: Signaling)
    CS4 - DSCP 32 (Class Selector 4: Realtime)
    CS5 - DSCP 40 (Class Selector 5: Broadcast video)
    CS6 - DSCP 48 (Class Selector 6: Network control)
    CS7 - DSCP 56 (Class Selector 7)
    EF - DSCP 46 (Expedited Forwarding)
ecn <ECN-VALUE>
    Specifies an Explicit Congestion Notification value. Range: 0-3.
ip-precedence <IP-PRECEDENCE-VALUE>
    Specifies an IP precedence value. Range: 0-7.
tos <TOS-VALUE>
    Specifies the traffic class. Range: 0-7.
fragment
    Specifies a fragment packet. (IPv4 only.)
vlan <VLAN-ID>
    Specifies the 802.1Q VLAN ID to match in the VLAN tag. This option is not supported on the 8320 and 8400 switches.
ttl <TTL-VALUE>
    Specifies the hop limit. This option is not supported on the 8320 and 8400 switches.
count
    Keeps the hit counts of the number of packets matching this ACE (displayed with show access-list hitcounts).
log
    Keeps a log of the packets matching this ACE. The log action can only be combined with deny, not permit. The 8320 switch does not support logging for ACLs applied on the egress.

Authority

Administrators

Usage

Egress ACLs can only be applied to Layer 3 (route-only) interfaces. Applying an egress ACL to a Layer 2 interface results in an error.

When using multiple ACL types (IPv4, IPv6, or MAC) with logging on the same interface, the first packet that matches an ACE with the log option is logged. Until the log-timer wait period is over, packets matching other ACL types do not create a log. At the end of the wait period, the switch creates a summary log of all the ACLs that were matched, regardless of type. Because of this rate limiting the log is a sample, not a count; use the hit counts to measure how much traffic an ACE matched.

Egress ACL logging is not supported.

Egress filtering based on the VLAN tag on a routed port is not supported.

Examples

Creating an IPv6 ACL with four entries:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 10 permit udp 2001::1/64
switch(config-acl-ipv6)# 20 permit tcp 2001:2001::2:1/128 gt 1023
switch(config-acl-ipv6)# 30 permit tcp 2001:2011::1/64
switch(config-acl-ipv6)# 40 deny count
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv6 MY_IPV6_ACL
    10 permit udp 2001::1/64
    20 permit tcp 2001:2001::2:1 >
    30 permit tcp 2001:2011::1/64
    40 deny
Hit-counts: enabled

Adding a comment to an existing IPv6 ACE:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# 20 comment Permit all TCP ephemeral ports
switch(config-acl-ipv6)# exit
switch(config)# do show access-list
                  L3 Protocol  Source IP Address  Source L4 Port(s)  Destination IP Address  Destination L4 Port(s)
IPv6 MY_IPV6_ACL
    10 permit udp 2001::1/64
    20 Permit all TCP ephemeral ports
       permit tcp 2001:2001::2:1 >
    30 permit tcp 2001:2011::1/64
    40 deny
Hit-counts: enabled

Removing a comment from an existing IPv6 ACE:

switch(config)# access-list ipv6 MY_IPV6_ACL
switch(config-acl-ipv6)# no 20 comment
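The rules the access-list ip and access-list ipv6 references above state in prose (lowest sequence number wins, first match decides, implicit deny when nothing matches, resequence renumbering, one hardware entry per matched Layer 4 port against the 256-entry egress budget, and log only with deny and never on egress) as a small runnable model. This is an added example, not Aruba/HPE code and not how the switch implements its TCAM: the function and field names are my own, the sample ACL mirrors the page's MY_IP_ACL but its addresses are constructed because the transcription lost them, and the multiplicative cost for an ACE that qualifies both source and destination ports is an assumption, since the page only states the single-ended case.

```python
"""Model of the ACE semantics and limits in this reference (added example, not
HPE/Aruba code). The first-match-by-lowest-sequence rule, the implicit deny,
the 256-entry egress limit, the one-hardware-entry-per-matched-port cost model
and the log-only-with-deny rule come from the page; names and the sample ACL
are my own."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EGRESS_ENTRY_LIMIT = 256         # page: at most 256 ACEs per egress ACL on the 8320
MAX_PORT = 65535
PortSpec = Tuple[str, int, int]  # ("eq" | "gt" | "lt" | "range", port_or_min, max)


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str = "any"           # "any", "tcp", "udp", "icmp", ...
    src: str = "any"             # "any" or a CIDR prefix
    src_port: Optional[PortSpec] = None
    dst: str = "any"
    dst_port: Optional[PortSpec] = None
    count: bool = False
    log: bool = False


def port_span(spec: Optional[PortSpec]) -> Tuple[int, int]:
    """Inclusive port interval a Layer 4 qualifier covers (None means any port)."""
    if spec is None:
        return 0, MAX_PORT
    op, a, b = spec
    return {"eq": (a, a), "gt": (a + 1, MAX_PORT), "lt": (0, a - 1), "range": (a, b)}[op]


def hardware_entries(ace: Ace) -> int:
    """Entries the ACE consumes under the page's model: one per matched port.
    Assumption: counts multiply when both ends carry a qualifier; the page
    only states the single-end case (gt 10 -> 65,525 entries)."""
    n = 1
    for spec in (ace.src_port, ace.dst_port):
        if spec is not None:
            lo, hi = port_span(spec)
            n *= max(0, hi - lo + 1)
    return n


def _addr_ok(field: str, addr: str) -> bool:
    return field == "any" or ip_address(addr) in ip_network(field, strict=False)


def _port_ok(spec: Optional[PortSpec], port: Optional[int]) -> bool:
    if spec is None:
        return True
    if port is None:             # e.g. ICMP: no Layer 4 port to compare against
        return False
    lo, hi = port_span(spec)
    return lo <= port <= hi


def matches(ace: Ace, pkt: dict) -> bool:
    """pkt keys: proto, src, dst and, for TCP/UDP/SCTP, sport and dport."""
    return ((ace.proto == "any" or ace.proto == pkt["proto"])
            and _addr_ok(ace.src, pkt["src"]) and _addr_ok(ace.dst, pkt["dst"])
            and _port_ok(ace.src_port, pkt.get("sport"))
            and _port_ok(ace.dst_port, pkt.get("dport")))


def evaluate(acl: List[Ace], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching ACE wins, lowest sequence first; no match is an implicit deny."""
    for ace in sorted(acl, key=lambda a: a.seq):
        if matches(ace, pkt):
            return ace.action, ace.seq
    return "deny", None


def resequence(acl: List[Ace], start: int, step: int) -> List[Ace]:
    """Renumber ACEs in priority order, like `access-list ip NAME resequence start step`."""
    ordered = sorted(acl, key=lambda a: a.seq)
    return [replace(a, seq=start + i * step) for i, a in enumerate(ordered)]


def validate(acl: List[Ace], egress: bool = False) -> List[str]:
    """Problems the page says the switch rejects: log on permit, log on egress, entry budget."""
    problems = []
    for ace in acl:
        if ace.log and ace.action != "deny":
            problems.append(f"{ace.seq}: log can only be combined with deny")
        if ace.log and egress:
            problems.append(f"{ace.seq}: logging is not supported on egress ACLs")
    total = sum(hardware_entries(a) for a in acl)
    if egress and total > EGRESS_ENTRY_LIMIT:
        problems.append(f"egress ACL needs {total} hardware entries, limit is {EGRESS_ENTRY_LIMIT}")
    return problems


# Constructed ACL in the shape of the page's MY_IP_ACL. The addresses are made up
# (the transcription lost them) and ACE 30's syn/ack/dscp qualifiers are omitted.
MY_IP_ACL = [
    Ace(10, "permit", "udp", dst="10.0.0.0/24"),
    Ace(20, "permit", "tcp", dst="10.1.0.0/16", dst_port=("gt", 1023, 0)),
    Ace(30, "permit", "tcp", dst="10.2.0.0/24"),
    Ace(40, "deny", count=True),
]
```

Evaluating a TCP segment to 10.1.4.4 port 443 against MY_IP_ACL returns ("deny", 40): ACE 20 only covers ports above 1023, so the segment falls through to the final deny, which is exactly the ACE whose hit count you would inspect when a connection unexpectedly fails. validate(MY_IP_ACL, egress=True) reports that ACE 20 alone needs 64,512 hardware entries, the situation the port-range caveat in the parameter description warns about, while the same ACL passes as an ingress ACL.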


More information

H3C S9800 Switch Series

H3C S9800 Switch Series H3C S9800 Switch Series ACL and QoS Configuration Guide New H3C Technologies Co., Ltd. http://www.h3c.com.hk Software version: Release 2150 and later Document version: 6W101-20170608 Copyright 2016-2017,

More information

HPE FlexFabric 7900 Switch Series

HPE FlexFabric 7900 Switch Series HPE FlexFabric 7900 Switch Series Layer 3 IP Services Command Reference Part number: 5200-0982a Software version: Release 2150 and later Document version: 6W101-20170622 Copyright 2016, 2017 Hewlett Packard

More information

VLAN Access Control Lists

VLAN Access Control Lists VLAN access control lists (ACLs) or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide

More information

Configuring Control Plane Policing

Configuring Control Plane Policing 21 CHAPTER This chapter describes how to configure control plane policing (CoPP) on the NX-OS device. This chapter includes the following sections: Information About CoPP, page 21-1 Guidelines and Limitations,

More information

Chapter 3 Configuring Enhanced Quality of Service

Chapter 3 Configuring Enhanced Quality of Service Chapter 3 Configuring Enhanced Quality of Service This chapter applies to the following devices: 10 Gigabit Ethernet modules EP devices T-Flow modules 9408sl HP devices can read Layer 2 and Layer 3 Quality

More information

IP Access List Overview

IP Access List Overview Access control lists (ACLs) perform packet filtering to control which packets move through a network and to where. The packet filtering provides security by helping to limit the network traffic, restrict

More information

ArubaOS-Switch IPv6 Configuration Guide for WC.16.03

ArubaOS-Switch IPv6 Configuration Guide for WC.16.03 ArubaOS-Switch IPv6 Configuration Guide for WC.16.03 Part Number: 5200-2918b Published: August 2017 Edition: 3 Copyright 2017 Hewlett Packard Enterprise Development LP Notices The information contained

More information

HP 6125G & 6125G/XG Blade Switches

HP 6125G & 6125G/XG Blade Switches HP 6125G & 6125G/XG Blade Switches Network Management and Monitoring Configuration Guide Part number: 5998-3162b Software version: Release 2103 and later Document version: 6W103-20151020 Legal and notice

More information

L2 / L3 Switches. Access Control Lists (ACL) Configuration Guide

L2 / L3 Switches. Access Control Lists (ACL) Configuration Guide L2 / L3 Switches Access Control Lists (ACL) Configuration Guide Revision 1.1 The information in this USER S MANUAL has been carefully reviewed and is believed to be accurate. The vendor assumes no responsibility

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series Network Management and Monitoring Configuration Guide Part number: 5998-3162 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright

More information

HP Routing Switch Series

HP Routing Switch Series HP 12500 Routing Switch Series MPLS Configuration Guide Part number: 5998-3414 Software version: 12500-CMW710-R7128 Document version: 6W710-20121130 Legal and notice information Copyright 2012 Hewlett-Packard

More information

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports

Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports Creating an IP Access List to Filter IP Options, TCP Flags, or Noncontiguous Ports First Published: August 18, 2006 Last Updated: July 31, 2009 This module describes how to use an IP access list to filter

More information

Access Rules. Controlling Network Access

Access Rules. Controlling Network Access This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent

More information

Configuring Dynamic ARP Inspection

Configuring Dynamic ARP Inspection 21 CHAPTER This chapter describes how to configure dynamic Address Resolution Protocol inspection (dynamic ARP inspection) on the Catalyst 3560 switch. This feature helps prevent malicious attacks on the

More information

ArubaOS-Switch Multicast and Routing Guide for YC.16.04

ArubaOS-Switch Multicast and Routing Guide for YC.16.04 ArubaOS-Switch Multicast and Routing Guide for YC.16.04 Part Number: 5200-3134 Published: July 2017 Edition: 1 Copyright 2017 Hewlett Packard Enterprise Development LP Notices The information contained

More information

HP 3600 v2 Switch Series

HP 3600 v2 Switch Series HP 3600 v2 Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-2351 Software version: Release 2108P01 Document version: 6W100-20131130 Legal and notice information Copyright 2013

More information

Configuring QoS. Understanding QoS CHAPTER

Configuring QoS. Understanding QoS CHAPTER 29 CHAPTER This chapter describes how to configure quality of service (QoS) by using automatic QoS (auto-qos) commands or by using standard QoS commands on the Catalyst 3750 switch. With QoS, you can provide

More information

HPE Knowledge Article

HPE Knowledge Article HPE Knowledge Article HPE 5500 EI Switch Series - How to use the Packet Capture Utility Article Number mmr_sf-en_us000005595 Environment HP 5500-24G EI Switch HPE A-Series Switches Issue How can one use

More information

VLAN Access Control Lists

VLAN Access Control Lists VLAN access control lists (ACLs) or VLAN maps access-control all packets (bridged and routed). You can use VLAN maps to filter traffic between devices in the same VLAN. VLAN maps are configured to provide

More information

HPE FlexNetwork MSR Router Series

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Configuration Part number: 5998-8821 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise

More information

Implementing Layer 2 Access Lists

Implementing Layer 2 Access Lists Implementing Layer 2 Access Lists An Ethernet services access control list (ACL) consists of one me access control entries (ACE) that collectively define the Layer 2 netwk traffic profile. This profile

More information

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports

Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports This module describes how to use an IP access list to filter IP packets that contain certain IP Options, TCP flags, noncontiguous

More information

QoS Configuration. Page 1 of 13

QoS Configuration. Page 1 of 13 QoS Configuration Page 1 of 13 Contents Chapter 1 QoS Configuration...3 1.1 Brief Introduction to QoS...3 1.1.1 Traffic...3 1.1.2 Traffic Classification... 3 1.1.3 Priority...4 1.1.4 Access Control List...

More information

Configuration Commands Generic Commands Syntax description no description Context Description Default Parameters

Configuration Commands Generic Commands Syntax description no description Context Description Default Parameters Configuration Commands Generic Commands description Syntax description description-string no description Context config>qos>sap-egress config>qos>sap-egress>ip-criteria>entry config>qos>sap-ingress config>qos>sap-ingress>ip-criteria>entry

More information

Configuring QoS. Finding Feature Information. Prerequisites for QoS

Configuring QoS. Finding Feature Information. Prerequisites for QoS Finding Feature Information, page 1 Prerequisites for QoS, page 1 Restrictions for QoS, page 3 Information About QoS, page 4 How to Configure QoS, page 28 Monitoring Standard QoS, page 80 Configuration

More information

HP 6125 Blade Switch Series

HP 6125 Blade Switch Series HP 6125 Blade Switch Series Layer 3 - IP Services Configuration Guide Part number: 5998-3156 Software version: Release 2103 Document version: 6W100-20120907 Legal and notice information Copyright 2012

More information

Understanding Access Lists

Understanding Access Lists Access lists perform packet filtering to control which packets move through the network and where. Such controls help to limit network traffic and restrict the access of users and devices to the network.

More information

HP FlexFabric 5930 Switch Series

HP FlexFabric 5930 Switch Series HP FlexFabric 5930 Switch Series Layer 3 IP Services Command Reference Part number: 5998-4568 Software version: Release 2406 & Release 2407P01 Document version: 6W101-20140404 Legal and notice information

More information

HPE FlexNetwork MSR Router Series

HPE FlexNetwork MSR Router Series HPE FlexNetwork MSR Router Series About the HPE MSR Router Series Command s Part number: 5998-8799 Software version: CMW710-R0305 Document version: 6PW106-20160308 Copyright 2016 Hewlett Packard Enterprise

More information

ArubaOS-Switch Multicast and Routing Guide for RA.16.04

ArubaOS-Switch Multicast and Routing Guide for RA.16.04 ArubaOS-Switch Multicast and Routing Guide for RA.16.04 Part Number: 5200-3130 Published: July 2017 Edition: 1 Copyright 2017 Hewlett Packard Enterprise Development LP Notices The information contained

More information

ACL Rule Configuration on the WAP371

ACL Rule Configuration on the WAP371 Article ID: 5089 ACL Rule Configuration on the WAP371 Objective A network access control list (ACL) is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet.

More information

ACL & QoS Configuration Commands

ACL & QoS Configuration Commands ACL & QoS s 1. ACL s 2. QoS s Reference ACL s 1 ACL s 1.1 ID table For IDs used in the following commands, refer to the command ID table below: ID ID name sn start-sn inc-sn deny permit port interface

More information

Object Groups for ACLs

Object Groups for ACLs The feature lets you classify users, devices, or protocols into groups and apply those groups to access control lists (ACLs) to create access control policies for those groups. This feature lets you use

More information

IP Access List Entry Sequence Numbering

IP Access List Entry Sequence Numbering The feature allows you to apply sequence numbers to permit or deny statements as well as reorder, add, or remove such statements from a named IP access list. The IP Access List Entry Sequence Numbering

More information

Configuring Commonly Used IP ACLs

Configuring Commonly Used IP ACLs Configuring Commonly Used IP ACLs Document ID: 26448 Contents Introduction Prerequisites Requirements Components Used Conventions Configuration Examples Allow a Select Host to Access the Network Deny a

More information

Configuring IP Version 6

Configuring IP Version 6 CHAPTER 24 Configuring IP Version 6 Internet Protocol version 6 (IPv6), formerly called IPng (next generation), is the latest version of IP. IPv6 offers many advantages over the previous version of IP,

More information

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports

Prerequisites for Creating an IP Access List to Filter IP Options TCP Flags Noncontiguous Ports Creating an IP Access List to Filter IP Options, TCP Flags, Noncontiguous Ports This module describes how to use an IP access list to filter IP packets that contain certain IP Options, TCP flags, noncontiguous

More information

Cisco IOS XR IP Addresses and Services Configuration Guide for the Cisco XR Series Router, Release 4.1

Cisco IOS XR IP Addresses and Services Configuration Guide for the Cisco XR Series Router, Release 4.1 Cisco IOS XR IP Addresses and Services Configuration Guide for the Cisco XR 12000 Series Router, Release 4.1 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

More information

K2289: Using advanced tcpdump filters

K2289: Using advanced tcpdump filters K2289: Using advanced tcpdump filters Non-Diagnostic Original Publication Date: May 17, 2007 Update Date: Sep 21, 2017 Topic Introduction Filtering for packets using specific TCP flags headers Filtering

More information

QoS Configuration FSOS

QoS Configuration FSOS FSOS QoS Configuration Contents 1. QoS Configuration...1 1.1 Brief Introduction to QoS... 1 1.1.1 Traffic... 1 1.1.2 Traffic Classification... 1 1.1.3 Priority... 2 1.1.4 Access Control List... 4 1.1.5

More information

Port ACLs (PACLs) Prerequisites for PACls CHAPTER

Port ACLs (PACLs) Prerequisites for PACls CHAPTER 71 CHAPTER Prerequisites for PACls, page 71-1 Restrictions for PACLs, page 71-2 Information About PACLs, page 71-2 How to Configure PACLs, page 71-7 Note For complete syntax and usage information for the

More information

Configuring Local SPAN and ERSPAN

Configuring Local SPAN and ERSPAN This chapter contains the following sections: Information About ERSPAN, page 1 Licensing Requirements for ERSPAN, page 5 Prerequisites for ERSPAN, page 5 Guidelines and Limitations for ERSPAN, page 5 Guidelines

More information

Configuration Commands. Generic Commands. description XRS Quality of Service Guide Page 151

Configuration Commands. Generic Commands. description XRS Quality of Service Guide Page 151 Configuration Commands Generic Commands description Syntax description description-string no description Context config>qos>network policy-id Description This command creates a text description stored

More information

GRE Tunnel Interface Configuration Mode Commands

GRE Tunnel Interface Configuration Mode Commands GRE Tunnel Interface Configuration Mode Commands The Generic Routing Encapsulation (GRE) Tunnel Interface Configuration Mode is used to create and manage the GRE tunneling interfaces for addresses, address

More information