Solved

How to apply ACL to interface VLANs Using NCLU

  • 14 January 2019
  • 4 replies
  • 401 views

I am simulating one of my scenarios in Cumulus VX using NCLU.
I have two VLANs, 20 and 30.
The gateway is a Cumulus switch with the respective IPs 20.20.20.254 and 30.30.30.254.
By default my hosts in both VLANs are able to reach each other.

Here I have two clarifications:
  1. How to add an ACL for an ICMP filter using NCLU
---------------------------------------------
When I give this command "net add acl ipv4 FILTER1 accept icmp", it does not ask for source and destination IPs.

  2. How to apply an ACL to a VLAN interface using NCLU
-------------------------------------------------
When I apply the ACL to the VLAN interface, I get the error below:
cumulus@test1:~$ net add interface vlan20 acl ipv4 FILTER1
ERROR: Command not found.

net add interface vlan20 acl ipv4 FILTER1
^ Invalid value here.

Use "net help KEYWORD(s)" to list all options that use KEYWORD(s).

----------------------------------------------------------------------------------------------------------
Below are the configurations in switch

net add bridge bridge ports swp1,swp2,swp3
net add bridge bridge vids 20,30
net add bridge bridge vlan-aware
net add interface eth0 ip address 10.10.10.101/24
net add interface eth0 ip gateway 10.10.10.99
net add interface swp1-2 bridge access 20
net add interface swp3 bridge access 30
net add vlan 20 ip address 20.20.20.254/24
net add vlan 20 vlan-id 20
net add vlan 20 vlan-raw-device bridge
net add vlan 30 ip address 30.30.30.254/24
net add vlan 30 vlan-id 30
net add vlan 30 vlan-raw-device bridge
net add acl ipv4 FILTER1 priority 10 accept source-ip 20.20.20.1/32 dest-ip 30.30.30.1/32
net add acl ipv4 FILTER1 priority 20 drop source-ip any dest-ip any

I am also attaching the net diag for everyone's reference.


Best answer by Eric Pulvino 15 January 2019, 17:08

@Dev S Unfortunately that is not supported at the moment by the NCLU command line interface. The request for that feature is tracked by cm-15784 in case you see it in the release notes at some point.

Cumulus Linux supports the Linux methods for building ACLs (iptables/ip6tables/ebtables), which are documented in more detail here: https://docs.cumulusnetworks.com/display/DOCS/Netfilter+-+ACLs. The NCLU abstraction is not yet complete in some areas.

However it is still perfectly possible to achieve your goal.
To do this manually, you can see the files which NCLU creates when you run the CLI:

code:
cumulus@leaf04:mgmt-vrf:~$ cat /etc/cumulus/acl/policy.d/50_nclu_acl.rules 
[iptables]
# vlan13: acl ipv4 FILTER1 inbound
-A FORWARD --in-interface vlan20 -j -s 20.20.20.1/32 -d 30.30.30.1/32


In this case I'm going to move the file created by NCLU and then modify it to read as follows:

code:
cumulus@leaf04:mgmt-vrf:~$ mv /etc/cumulus/acl/policy.d/50_nclu_acl.rules /etc/cumulus/acl/policy.d/49_custom_acl.rules


cumulus@leaf04:mgmt-vrf:~$ cat /etc/cumulus/acl/policy.d/49_custom_acl.rules
[iptables]
# vlan20: acl ipv4 FILTER1 inbound
-A FORWARD --in-interface vlan20 -s 20.20.20.1/32 -d 30.30.30.1/32 -p icmp --icmp-type echo-request -j DROP


After you make the modification above, you can apply the rule using 'sudo cl-acltool -i' which is what NCLU is typically doing behind the scenes.

In my testing this exact rule did NOT work in CumulusVx as it would in hardware.
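The manual procedure from the answer above (write a custom policy.d file in the same layout NCLU generates, then load it with cl-acltool) as a small shell helper. This is an added example, not code from the thread or from Cumulus; the function names, the optional directory argument used for dry-running in a scratch directory, and the pre-load rule count check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): write a custom cl-acltool policy file
# that drops ICMP echo-request from one host to another as it enters the
# switch on a VLAN SVI, in the file layout shown in the answer above.
# Assumptions: the policy directory is /etc/cumulus/acl/policy.d (as on the
# page); the optional 4th argument is a hypothetical override so the file can
# be generated and inspected in a scratch directory before touching the switch.
set -eu

# write_icmp_block_rules VLAN SRC_CIDR DST_CIDR [DIR]
# Writes DIR/49_custom_acl.rules and prints its path.
write_icmp_block_rules() {
    vlan=$1; src=$2; dst=$3; dir=${4:-/etc/cumulus/acl/policy.d}
    case "$src$dst" in *[!0-9./]*) echo "bad address: $src $dst" >&2; return 1;; esac
    case "$vlan" in ''|*[!0-9]*) echo "bad vlan id: $vlan" >&2; return 1;; esac
    mkdir -p "$dir"
    f="$dir/49_custom_acl.rules"
    # Order matters: iptables takes the first match, so this specific DROP
    # must come before any broader accept rule in later policy files.
    cat > "$f" <<EOF
[iptables]
# vlan$vlan: acl ipv4 FILTER1 inbound (hand-written, replaces the NCLU file)
-A FORWARD --in-interface vlan$vlan -s $src -d $dst -p icmp --icmp-type echo-request -j DROP
EOF
    echo "$f"
}

# count_drop_rules FILE: number of "-j DROP" rules in the policy file, so the
# caller can confirm the file says what it should before loading it.
count_drop_rules() {
    grep -c -- '-j DROP' "$1"
}

# apply_acl: install every policy.d file with cl-acltool, as NCLU does.
# Only runs where the tool exists (a Cumulus box, not a workstation).
apply_acl() {
    command -v cl-acltool >/dev/null 2>&1 || { echo "cl-acltool not present; skipping" >&2; return 0; }
    sudo cl-acltool -i
}
```

As the answer notes, the rule loads on Cumulus VX but may not take effect there the way it does on hardware, so verify the drop with a ping from the source host after apply_acl.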

4 replies

Try applying the command like this:
net add vlan 20 acl ipv4 FILTER1 inbound

Despite the vlan20 interface having been created to support the SVI in /etc/network/interfaces, the SVI is accessed via NCLU using 'net add vlan 20'


Thanks a lot Eric,

It worked. Can you help on creating an ACL to block only ICMP with source and destination? As mentioned in the above post, when I add the ACL
"net add acl ipv4 FILTER1 accept icmp" there is no provision to give source and destination. It is asking only for dscp.
Thanks Eric for your time and attention. This exactly answers my question. Until the NCLU abstraction is ready for this I will experiment with it by editing the file. Still really appreciate the effort by the Cumulus team on building such a great thing. Looking forward to having more features in NCLU.
