Goal

This tutorial shows how a onePK application creates an Access Control List (ACL) on a network element, creates an Access Control Element (ACE) and adds it to the list, and applies the ACL to an interface on the network element. A onePK application can also retrieve the match counts for each ACE.

Tutorial Code

The code used in this tutorial is available in the ACLTutorial.py file located under <SDK Location>/python/tutorials/Policy.

Requirements/Prerequisites

Before creating an ACL, the application must already be connected to the network element and hold the network element and interface objects that the code below refers to as networkElement and tutorial.network_interface.

Steps in Detail

Create an Access Control List

Create the ACL on the network element. Each constructor call below creates the corresponding ACL on the connected network element. There are three types of ACL: L3 IPv4 ACL, L3 IPv6 ACL and L2 MAC ACL.

# Import paths assumed to follow the onePK Python SDK package layout
# (onep.policy for the ACL classes, onep.core.util for OnepConstants);
# adjust them if your SDK version differs.
from onep.core.util import OnepConstants
from onep.policy import Acl, L3Acl, L3Ace

#  Create an L3 IPv4 Access Control List (address family INET) on the connected network element
l3_acl = L3Acl(networkElement, OnepConstants.OnepAddressFamilyType.ONEP_AF_INET, 0)

Create an Access Control Element

Create an L3 IPv4 ACE and set its protocol to TCP. An ACE can match on source and destination prefixes (with prefix lengths), on a source port and a destination port range, on TCP flags and on the DSCP field; port matches are only valid when the protocol is TCP, UDP or SCTP. The example below matches any source and destination prefix, sets the TCP flag value, mask and match criteria, sets the DSCP value, and enables syslog logging for matching packets.

# Create a new Access Control Element. tutorial.SEQUENCE_NUMBER (10 in the tutorial)
# orders this ACE within the ACL; True makes it a "permit" entry for the conditions below.
l3_ace = L3Ace(tutorial.SEQUENCE_NUMBER, True)
# Protocol value is a number from 0 to 256, where 256 means all protocols and 6 is TCP.
l3_ace.protocol = 6

# TCP flag match. As with any flag mask, only the flags listed in mask are examined, each
# compared with the corresponding entry in value: this ACE matches SYN set with FIN, PSH
# and ACK clear, i.e. an initial SYN. ONEP_TCP_URG appears in value but not in mask, so it
# is not examined.
value = [l3_ace.TcpFlags.ONEP_TCP_URG,
         l3_ace.TcpFlags.ONEP_TCP_SYN]
mask  = [l3_ace.TcpFlags.ONEP_TCP_FIN,
         l3_ace.TcpFlags.ONEP_TCP_SYN,
         l3_ace.TcpFlags.ONEP_TCP_PSH,
         l3_ace.TcpFlags.ONEP_TCP_ACK]
# ONEP_MATCH_ALL requires every masked flag condition to hold.
match = l3_ace.TcpFlagMatch.ONEP_MATCH_ALL

l3_ace.set_tcp_flags(value, mask, match)
# Match any source prefix
l3_ace.set_src_prefix_any()
# Match any destination prefix
l3_ace.set_dst_prefix_any()
# Match only packets whose DSCP field is CS1
l3_ace.set_dscp(OnepConstants.OnepDscp.ONEP_DSCP_CS1)
# Log packets that hit this ACE
l3_ace.set_log_flag(l3_ace.log_flag.ONEP_ACL_LOG_NORMAL)

Apply an Access Control Element

Now add the L3 ACE to the ACL, then apply the ACL to an interface in the inbound direction. Each call pushes the change to the connected network element.

#  Add Access Control Element to Access Control List
l3_acl.add_ace(l3_ace)
l3_acl.apply_to_interface(tutorial.network_interface, Acl.Direction.ONEP_DIRECTION_IN)

After the ACL is applied, you can also log in to the network element and run the following commands to confirm that it is in place:

  • show ip access-list dynamic
  • show ip interface <interface name> | include access list
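To see what the tutorial's ACE actually lets through once the ACL is inbound on the interface, here is an added, stand-alone Python model of an IOS-style ACL: sequence-ordered ACEs, first match wins, implicit deny at the end, and per-ACE match counts like the ones the Goal section mentions. It is not onePK code and does not import the SDK. The TCP-flag semantics (only bits named in the mask are examined, each compared against the corresponding bit in value; match-all needs every comparison to hold, match-any at least one), the numeric value 8 for DSCP CS1, and all packets are constructed assumptions for this example and are marked as such in the code.

```python
"""Constructed model of an IOS-style ACL (not onePK; the SDK is not imported).

Assumptions, not taken from the page: TCP-flag mask semantics as described in
the lead-in, DSCP CS1 = 8 (001000b), and an implicit deny at the end of the ACL.
"""
from dataclasses import dataclass, field
from enum import IntFlag
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

ANY_PROTOCOL = 256          # the page's "256 = all protocols"
TCP, UDP, SCTP = 6, 17, 132
DSCP_CS1 = 8                # assumption: CS1 is the 6-bit value 001000b
MATCH_ALL, MATCH_ANY = "match-all", "match-any"


class TcpFlags(IntFlag):
    FIN = 0x01
    SYN = 0x02
    RST = 0x04
    PSH = 0x08
    ACK = 0x10
    URG = 0x20


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0
    tcp_flags: TcpFlags = TcpFlags(0)
    dscp: int = 0


@dataclass
class Ace:
    """One access control element; permit=False makes it a deny entry."""
    sequence: int
    permit: bool
    protocol: int = ANY_PROTOCOL
    src: str = "0.0.0.0/0"                    # "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[Tuple[int, int]] = None   # inclusive destination port range
    tcp_value: TcpFlags = TcpFlags(0)
    tcp_mask: TcpFlags = TcpFlags(0)
    tcp_match: str = MATCH_ALL
    dscp: Optional[int] = None
    hits: int = 0

    def __post_init__(self) -> None:
        # Same rule as the page: port matches require TCP, UDP or SCTP.
        if self.dport is not None and self.protocol not in (TCP, UDP, SCTP):
            raise ValueError("port matches require protocol TCP, UDP or SCTP")

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != ANY_PROTOCOL and pkt.protocol != self.protocol:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and not self.dport[0] <= pkt.dport <= self.dport[1]:
            return False
        if self.dscp is not None and pkt.dscp != self.dscp:
            return False
        if self.tcp_mask:
            if pkt.protocol != TCP:
                return False
            # One condition per masked bit: the packet bit must equal the value bit.
            checks = [bool(pkt.tcp_flags & f) == bool(self.tcp_value & f)
                      for f in TcpFlags if f & self.tcp_mask]
            return all(checks) if self.tcp_match == MATCH_ALL else any(checks)
        return True


@dataclass
class Acl:
    name: str
    aces: List[Ace] = field(default_factory=list)

    def add_ace(self, ace: Ace) -> None:
        if any(a.sequence == ace.sequence for a in self.aces):
            raise ValueError(f"duplicate sequence number {ace.sequence}")
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.sequence)   # lookup order is sequence order

    def remove_ace(self, ace: Ace) -> None:
        self.aces.remove(ace)

    def evaluate(self, pkt: Packet) -> Tuple[bool, Optional[Ace]]:
        """First matching ACE wins; no match at all is the implicit deny."""
        for ace in self.aces:
            if ace.matches(pkt):
                ace.hits += 1
                return ace.permit, ace
        return False, None

    def match_counts(self) -> Dict[int, int]:
        return {a.sequence: a.hits for a in self.aces}


def tutorial_acl() -> Acl:
    """The page's single ACE: permit TCP, any src/dst, SYN set with FIN/PSH/ACK clear, DSCP CS1."""
    acl = Acl("onepk-tutorial")
    acl.add_ace(Ace(10, True, protocol=TCP,
                    tcp_value=TcpFlags.URG | TcpFlags.SYN,   # URG is not in the mask, so not examined
                    tcp_mask=TcpFlags.FIN | TcpFlags.SYN | TcpFlags.PSH | TcpFlags.ACK,
                    tcp_match=MATCH_ALL, dscp=DSCP_CS1))
    return acl


if __name__ == "__main__":
    acl = tutorial_acl()
    # Constructed packets: an initial SYN marked CS1, and the SYN/ACK that would answer it.
    syn = Packet("192.0.2.10", "198.51.100.1", TCP, 40000, 22, TcpFlags.SYN, DSCP_CS1)
    synack = Packet("198.51.100.1", "192.0.2.10", TCP, 22, 40000, TcpFlags.SYN | TcpFlags.ACK, DSCP_CS1)
    for p in (syn, synack):
        permit, ace = acl.evaluate(p)
        print(f"flags=0x{int(p.tcp_flags):02x} dscp={p.dscp}: {'permit' if permit else 'deny'} "
              f"by {'seq ' + str(ace.sequence) if ace else 'implicit deny'}")
    print("match counts:", acl.match_counts())
```

Running it shows the point a practitioner should check before leaving this ACL applied: with one narrow permit entry and the implicit deny behind it, an inbound ACL drops everything except initial SYNs marked CS1, including the SYN/ACKs of sessions the element itself opens. Confirm the intended behaviour from the per-ACE match counts on the device (the `show ip access-list` output above) rather than from the fact that the apply call succeeded.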

Remove an Access Control Element

Finally, remove the Access Control Element from the ACL and delete the ACL from the network element.

#  Remove Access Control Element from ACL.
l3_acl.remove_ace(l3_ace)
#  Delete the ACL from the network element.
l3_acl.delete_acl()

Result

Congratulations! You have applied an Access Control Element to an access control list, and applied the access control list to an interface on a network element.