This tutorial shows how a onePK application can create an Access Control List (ACL) in a network element. It also shows how to create and add an Access Control Element (ACE) to the list. The ACL is added to an Interface on the network element. The onePK application can retrieve the match counts for each ACE.
The code used in this tutorial is available in the ACLTutorial.py file located under <SDK Location>/python/tutorials/Policy.
This tutorial assumes the application has already connected to a network element (networkElement in the code below) and selected the interface (tutorial.network_interface) to which the ACL will be applied.
Create the ACL on the network element. The ACL is created on the network element as soon as the constructor is invoked. onePK supports several ACL types: L3 IPv4 ACL, L3 IPv6 ACL and L2 MAC ACL.

    # Create a L3 IPv4 Access Control List
    l3_acl = L3Acl(networkElement, OnepConstants.OnepAddressFamilyType.ONEP_AF_INET, 0)
Create an L3 IPv4 ACE. The example below sets the protocol to TCP, permits any source and destination prefix, sets the DSCP value and the TCP flag matching criteria, and enables logging. Instead of "any" you can specify source and destination prefixes with prefix lengths, and you can add a source port and a destination port range; port matches are only valid when the protocol is TCP, UDP or SCTP. Note that the TCP flag match examines only the flags listed in mask: URG is present in value but absent from mask, so it is not part of the match. Verify the rendered ACE on the device if that is not what you intend.

    # Creates a new Access Control Element w/ Sequence Number 10 and this will "permit" the following conditions.
    l3_ace = L3Ace(tutorial.SEQUENCE_NUMBER, True)
    # Protocol value must be a number between 0 and 256 inclusive.
    # 256 = All protocols, 6 = TCP
    l3_ace.protocol = 6
    # value: required state of the examined flags; mask: which flags are examined.
    # Only SYN must be set; FIN, PSH and ACK must be clear. URG is not examined (not in mask).
    value = [l3_ace.TcpFlags.ONEP_TCP_URG, l3_ace.TcpFlags.ONEP_TCP_SYN]
    mask = [l3_ace.TcpFlags.ONEP_TCP_FIN, l3_ace.TcpFlags.ONEP_TCP_SYN,
            l3_ace.TcpFlags.ONEP_TCP_PSH, l3_ace.TcpFlags.ONEP_TCP_ACK]
    match = l3_ace.TcpFlagMatch.ONEP_MATCH_ALL
    l3_ace.set_tcp_flags(value, mask, match)
    # Permit any source prefix
    l3_ace.set_src_prefix_any()
    # Permit any destination prefix
    l3_ace.set_dst_prefix_any()
    # Set the value of the DSCP field (only packets marked CS1 will match this ACE)
    l3_ace.set_dscp(OnepConstants.OnepDscp.ONEP_DSCP_CS1)
    # Log the Access Control Element
    l3_ace.set_log_flag(l3_ace.log_flag.ONEP_ACL_LOG_NORMAL)
Now add the L3 ACE to the ACL, then apply the ACL to an interface in the inbound direction. As each of these functions is invoked, the change is pushed to the connected network element.

    # Add Access Control Element to Access Control List
    l3_acl.add_ace(l3_ace)
    # Apply the ACL to the interface, inbound
    l3_acl.apply_to_interface(tutorial.network_interface, Acl.Direction.ONEP_DIRECTION_IN)
After the ACL is applied, you can also log in to the network element and verify that it is in place. Run the following commands to display information about the applied ACL:
Finally, remove the ACE from the ACL and delete the ACL from the network element. Removing the ACE first leaves the ACL empty, so nothing is permitted before the ACL itself is deleted.

    # Remove Access Control Element from ACL.
    l3_acl.remove_ace(l3_ace)
    # Delete the ACL from the network element.
    l3_acl.delete_acl()
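The steps above push the ACE to the device without showing what it will actually match. The following is an added example, not code from the onePK tutorial or SDK: an offline model of the L3 ACE matching rules (sequence order, first match wins, implicit deny, protocol, DSCP, and the value/mask/match-all TCP flag semantics) so the effect of the tutorial's ACE can be predicted before it is applied. The classes Packet, Ace and Acl and the sample packets are this example's own constructions; the onePK classes L3Acl and L3Ace are not used. It shows two things the tutorial text does not: the URG flag in value has no effect because it is not in mask, and the DSCP CS1 match means a plain SYN with DSCP 0 falls through to the implicit deny.

```python
"""Offline model of onePK-style L3 ACE matching (added example, not SDK code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PROTO_ANY = 256  # onePK uses 256 for "all protocols"; 6 = TCP, 17 = UDP, 132 = SCTP
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
DSCP_CS1 = 8     # numeric DSCP value behind ONEP_DSCP_CS1


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    tcp_flags: int = 0
    dscp: int = 0
    dst_port: int = 0


@dataclass
class Ace:
    seq: int
    permit: bool
    proto: int = PROTO_ANY
    src: str = "0.0.0.0/0"          # "any"
    dst: str = "0.0.0.0/0"          # "any"
    dst_ports: Optional[range] = None
    dscp: Optional[int] = None
    flag_value: frozenset = frozenset()   # required state of examined flags
    flag_mask: frozenset = frozenset()    # which flags are examined at all
    match_all: bool = True                # ONEP_MATCH_ALL vs ONEP_MATCH_ANY

    def flags_ok(self, pkt: Packet) -> bool:
        # A flag is only examined if it is in the mask; flags in value but not in
        # mask (URG in the tutorial) are ignored.
        conds = [bool(pkt.tcp_flags & TCP_FLAGS[f]) == (f in self.flag_value)
                 for f in sorted(self.flag_mask)]
        if not conds:
            return True
        return all(conds) if self.match_all else any(conds)

    def matches(self, pkt: Packet) -> bool:
        if self.proto != PROTO_ANY and pkt.proto != self.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.flag_mask and pkt.proto != 6:   # flag matches apply to TCP only
            return False
        return self.flags_ok(pkt)


class Acl:
    def __init__(self) -> None:
        self.aces: list[Ace] = []

    def add_ace(self, ace: Ace) -> None:
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)   # ACEs are evaluated in sequence order

    def evaluate(self, pkt: Packet):
        """Return (permitted, matching sequence number); no match is an implicit deny."""
        for ace in self.aces:
            if ace.matches(pkt):
                return ace.permit, ace.seq
        return False, None


def tutorial_acl() -> Acl:
    """The ACE the tutorial builds: seq 10, permit, TCP, any/any, DSCP CS1, SYN-only flags."""
    acl = Acl()
    acl.add_ace(Ace(seq=10, permit=True, proto=6, dscp=DSCP_CS1,
                    flag_value=frozenset({"URG", "SYN"}),
                    flag_mask=frozenset({"FIN", "SYN", "PSH", "ACK"}),
                    match_all=True))
    return acl


# Constructed sample packets (not captured traffic).
SAMPLES = {
    "syn_cs1":     Packet("10.0.0.1", "10.0.1.1", 6, tcp_flags=0x02, dscp=DSCP_CS1),
    "syn_urg_cs1": Packet("10.0.0.1", "10.0.1.1", 6, tcp_flags=0x22, dscp=DSCP_CS1),
    "syn_ack_cs1": Packet("10.0.1.1", "10.0.0.1", 6, tcp_flags=0x12, dscp=DSCP_CS1),
    "syn_dscp0":   Packet("10.0.0.1", "10.0.1.1", 6, tcp_flags=0x02, dscp=0),
    "udp_cs1":     Packet("10.0.0.1", "10.0.1.1", 17, dscp=DSCP_CS1),
}


def classify(acl: Acl) -> dict:
    return {name: acl.evaluate(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify(tutorial_acl()).items():
        print(f"{name:12s} -> {verdict}")
```

Running the script shows that only SYN (with or without URG) marked CS1 is permitted by ACE 10; a SYN+ACK fails the ACK-clear condition, and a SYN with DSCP 0 or any UDP packet never reaches ACE 10 and hits the implicit deny. If the intent is to permit all new TCP connections, drop the set_dscp call in the tutorial code.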
Congratulations! You have applied an Access Control Element to an access control list, and applied the access control list to an interface on a network element.