Unable to Configure ACL rule to deny traffic from a given IP address.
258 views
Skip to first unread message
balaji
Apr 16, 2021, 11:23:16 AM4/16/21
to sonicproject
Hi,
We are trying to validate ACL on 201911.
Created an ACL table and ACL rule to block traffic from an ip address 25.25.25.25 on a given interface.
But when traffic is sent from different IP address, traffic(ping request) getting dropped.
When there is no ACL rule and table, Back to back ping is working fine.
Can some one help me in this regard.
Here are the commands and logs.
Test Setup:
Switch ------------- SONiC
Ethernet96
root@sonic:~# show version
SONiC Software Version: SONiC.201911.0-4e48a671
Distribution: Debian 9.13
Kernel: 4.9.0-14-2-amd64
Build commit: 4e48a671
Build date: Mon Mar 29 21:27:00 UTC 2021
Built by: balaji@sfstypc01
Platform: x86_64-accton_as7716_32x-r0
HwSKU: Accton-AS7716-32X
ASIC: broadcom
Serial Number: 771632X1716006
Uptime: 11:43:16 up 35 min, 1 user, load average: 1.22, 1.42, 1.36
<<< truncated >>>
root@sonic:~#
root@sonic:~# show arp
Address MacAddress Iface Vlan
---------- ----------------- ---------- ------
172.30.7.1 02:10:18:a0:9d:aa Ethernet96 -
Total number of entries 1
root@sonic:~#
root@sonic:~# config acl add table -p Ethernet96 DATAACL L3
json"sonic:~# config acl update full " --table_name DATAACL /etc/sonic/acltest1.j
root@sonic:~#
root@sonic:~# show acl table
Name Type Binding Description Stage
------- ------ ---------- ------------- -------
DATAACL L3 Ethernet96 DATAACL ingress
root@sonic:~# show acl rule
Table Rule Priority Action Match
------- ------------ ---------- -------- -----------------------
DATAACL RULE_1 9999 DROP SRC_IP: 25.25.25.25/32
DATAACL RULE_2 9998 DROP DST_IP: 192.168.0.16/32
DATAACL RULE_3 9997 DROP L4_SRC_PORT: 4661
DATAACL DEFAULT_RULE 1 DROP ETHER_TYPE: 2048
root@sonic:~#
root@sonic:~# ping 172.30.7.1
PING 172.30.7.1 (172.30.7.1) 56(84) bytes of data.
^C
--- 172.30.7.1 ping statistics ---
564 packets transmitted, 0 received, 100% packet loss, time 576261ms
root@sonic:~# ^C
root@sonic:~# show arp
Address MacAddress Iface Vlan
---------- ----------------- ---------- ------
172.30.7.1 02:10:18:a0:9d:aa Ethernet96 -
Total number of entries 1
root@sonic:~#
root@sonic:~# ifconfig Ethernet96
Ethernet96: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9100
inet 172.30.7.2 netmask 255.255.255.0 broadcast 172.30.7.255
inet6 fe80::aa2b:b5ff:fe17:d3e1 prefixlen 64 scopeid 0x20<link>
ether a8:2b:b5:17:d3:e1 txqueuelen 1000 (Ethernet)
RX packets 347 bytes 22624 (22.0 KiB)
RX errors 0 dropped 6 overruns 0 frame 0
TX packets 663 bytes 72436 (70.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@sonic:~#
root@sonic:~# show interfaces description Ethernet96
Interface Oper Admin Alias Description
----------- ------ ------- ------------- -------------
Ethernet96 up up hundredGigE25 N/A
root@sonic:~#
IFACE STATE RX_OK RX_BPS RX_UTIL RX_ERR RX_DRP RX_OVR TX_OK TX_BPS
----------- ------- ------- -------- --------- -------- -------- -------- ------- --------
Ethernet96 U 2150 N/A N/A 0 623 0 17404 N/A
======== Config DB has updated ACL table entries, ASIC DB contains no entries ===================
127.0.0.1:6379[4]> keys *ACL*
1) "ACL_TABLE|DATAACL"
2) "ACL_RULE|DATAACL|DEFAULT_RULE"
3) "ACL_RULE|DATAACL|RULE_2"
4) "ACL_RULE|DATAACL|RULE_3"
5) "ACL_RULE|DATAACL|RULE_1"
127.0.0.1:6379[4]>
127.0.0.1:6379[4]> select 0
OK
127.0.0.1:6379> keys *ACL*
(empty list or set)
root@sonic:~# cat /etc/sonic/acltest1.json
{
"acl": {
"acl-sets": {
"acl-set": {
"dataacl": {
"acl-entries": {
"acl-entry": {
"1": {
"actions": {
"config": {
"forwarding-action": "DROP"
}
},
"config": {
"sequence-id": 1
},
"ip": {
"config": {
"source-ip-address": "25.25.25.25/32"
}
}
},
"2": {
"actions": {
"config": {
"forwarding-action": "DROP"
}
},
"config": {
"sequence-id": 2
},
"ip": {
"config": {
"destination-ip-address": "192.168.0.16/32"
}
}
},
"3": {
"actions": {
"config": {
"forwarding-action": "DROP"
}
},
"config": {
"sequence-id": 3
},
"transport": {
"config": {
"source-port": "4661"
}
}
}
}
}
}
}
}
}
}
root@sonic:~#
Reply all
Reply to author
Forward
0 new messages