
ACL application examples

Amy Buck edited this page Nov 28, 2018 · 19 revisions

NOTE: Refer to the dell-base-acl.yang model which defines an ACL object and attributes before you configure ACL settings.

Configure ACL using Python

1. Import the CPS object Python library.

import cps_utils

2. Define the enum map.

NOTE: A CPS Python application does not automatically map the YANG model enum name to a number.

e_stg = {'INGRESS': 1, 'EGRESS': 2}
e_ftype = {
    'SRC_MAC': 3,
    'DST_MAC': 4,
    'SRC_IP': 5,
    'DST_IP': 6,
    'IN_PORT': 9,
    'DSCP': 21,
    }
e_atype = {'PACKET_ACTION': 3, 'SET_TC': 10}
e_ptype = {'DROP': 1}

3. Register the attribute type with the CPS utility for attributes with non-integer values.

type_map = {'base-acl/entry/SRC_MAC_VALUE/addr': 'mac',
            'base-acl/entry/SRC_MAC_VALUE/mask': 'mac'}
for (key, val) in type_map.items():
    cps_utils.cps_attr_types_map.add_type(key, val)

See config_acl.py to view the Python application example.

Create ACL table using Python

An ACL table groups entries and allows a packet to match one of the entries in the group. A packet can simultaneously match ACL entries in different tables. The table priority determines the order in which match criteria are applied.

1. Import the CPS object Python library.

import cps_utils
import nas_os_utils

2. Define the enum map.

NOTE: A CPS Python application does not automatically map the YANG model enum name to a number.

e_stg = {'INGRESS': 1, 'EGRESS': 2}
e_ftype = {
    'SRC_MAC': 3,
    'DST_MAC': 4,
    'SRC_IP': 5,
    'DST_IP': 6,
    'IN_PORT': 9,
    'DSCP': 21,
    }
e_atype = {'PACKET_ACTION': 3, 'SET_TC': 10}
e_ptype = {'DROP': 1}

3. Register the attribute type with the CPS utility for attributes with non-integer values.

type_map = {'base-acl/entry/SRC_MAC_VALUE/addr': 'mac',
            'base-acl/entry/SRC_MAC_VALUE/mask': 'mac'}
for (key, val) in type_map.items():
    cps_utils.cps_attr_types_map.add_type(key, val)

4. Create the CPS object and populate the attributes.

cps_obj = cps_utils.CPSObject(module='base-acl/table')

5. Set the stage and priority.

cps_obj.add_attr ('stage', e_stg['INGRESS'])
cps_obj.add_attr ('priority', 99)

The allowed-match-fields attribute is a YANG leaf list, so it takes multiple values supplied as a Python list. Only the match types listed here can later be used in entries of this table.

cps_obj.add_list ('allowed-match-fields', [e_ftype['SRC_MAC'], e_ftype['DST_IP'], e_ftype['DSCP'], e_ftype['IN_PORT']])

6. Define the CPS object.

cps_update = ('create', cps_obj.get())

7. Define an add operation and object pair to the CPS transaction.

NOTE: Each CPS transaction can hold multiple CPS operation and object pairs.

cps_trans = cps_utils.CPSTransaction([cps_update])

8. Verify the return value.

r = cps_trans.commit()
if not r:
  raise RuntimeError ("Error creating ACL Table")

9. Retrieve the ID assigned to the new ACL table from the commit result. This ID is required for every later operation on the table and for each entry created in it.

cps_get_val = cps_utils.CPSObject (module='base-acl/table', obj=r[0]['change'])
tbl_id = cps_get_val.get_attr_data ('id')

print('Successfully created ACL Table ' + str(tbl_id))

See create_acl.py to view the Python application example.

Verify ACL table creation using CPS get

# cps_get_oid.py 'base-acl/table'

Key: 1.25.1638504.1638499.
base-acl/table/npu-id-list = 0
base-acl/table/stage = 1
base-acl/table/priority = 99
base-acl/table/allowed-match-fields = 3,6,9,21
base-acl/table/id = 2

Create ACL entry using Python

An ACL entry is a rule that consists of a set of filters that define packets to be matched, and a set of actions to be performed on the matched packets.

1. Import the CPS object Python library.

import cps_utils

2. Define the enum map.

NOTE: A CPS Python application does not automatically map the YANG model enum name to a number.

e_stg = {'INGRESS': 1, 'EGRESS': 2}
e_ftype = {
    'SRC_MAC': 3,
    'DST_MAC': 4,
    'SRC_IP': 5,
    'DST_IP': 6,
    'IN_PORT': 9,
    'DSCP': 21,
    }
e_atype = {'PACKET_ACTION': 3, 'SET_TC': 10}
e_ptype = {'DROP': 1}

3. Register the attribute type with the CPS utility for attributes with non-integer values.

type_map = {'base-acl/entry/SRC_MAC_VALUE/addr': 'mac',
            'base-acl/entry/SRC_MAC_VALUE/mask': 'mac'}
for (key, val) in type_map.items():
    cps_utils.cps_attr_types_map.add_type(key, val)

4. Import the CPS object library to convert the interface name to an index.

import nas_os_utils

5. Create the CPS object based on the dell-base-acl.yang model and define the leaf attributes.

cps_obj = cps_utils.CPSObject(module='base-acl/entry')

6. Set the ACL table ID to indicate the table to which this ACL entry belongs. The priority value determines the order in which entries of the same table are looked up.

cps_obj.add_attr ('table-id', tbl_id)
cps_obj.add_attr ('priority', 512)

7. Define the filters that the packets are to be matched to — filter attribute is a YANG nested list. The add_embed_attr() function is used to create multiple instances for nested lists. Each filter instance is made up of two attributes — match-type and match-value.

NOTE: Use the correct match-value attribute name depending on the value assigned to the match-type — use attribute name SRC_MAC_VALUE when match-type is SRC_MAC.

# Filter 1: match packets with a specific source MAC address (addr plus mask)
cps_obj.add_embed_attr (['match','0','type'], e_ftype['SRC_MAC'])
cps_obj.add_embed_attr (['match','0','SRC_MAC_VALUE','addr'], '50:10:6e:00:00:00', 2)
# mask ff:ff:ff:00:00:00 matches on the OUI only; it is the value the CPS get output below shows
cps_obj.add_embed_attr (['match','0','SRC_MAC_VALUE','mask'], 'ff:ff:ff:00:00:00', 2)
# Filter 2: match packets received on a specific port (interface name converted to its ifindex)
cps_obj.add_embed_attr (['match','1','type'], e_ftype['IN_PORT'])
cps_obj.add_embed_attr (['match','1','IN_PORT_VALUE'], nas_os_utils.if_nametoindex('e101-001-0'))

8. Define actions to apply on matched packets — action attribute is a YANG nested list. The add_embed_attr() function is used to create multiple instances for nested lists. Each action instance is made up of two attributes - action-type and action-value.

NOTE: Use the correct action-value attribute name depending on the value assigned to the action-type — use attribute name PACKET_ACTION_VALUE when action-type is PACKET_ACTION.

# Action: drop the matched packets
cps_obj.add_embed_attr (['action','0','type'], e_atype['PACKET_ACTION'])
cps_obj.add_embed_attr (['action','0','PACKET_ACTION_VALUE'], e_ptype['DROP'])

9. Associate the CPS object in an operation.

cps_update = ('create', cps_obj.get())

10. Add the CPS operation and object pair to a new transaction. A CPS transaction can hold multiple operation and object pairs, which are committed together.

cps_trans = cps_utils.CPSTransaction([cps_update])

11. Verify the return value.

r = cps_trans.commit()
if not r:
  raise RuntimeError ("Error creating MAC ACL Entry")

12. Retrieve the entry ID from the commit result. Together with the table ID, this ID is the key for all later operations on this entry (for example, deleting it).

cps_get_val = cps_utils.CPSObject (module='base-acl/entry', obj=r[0]['change'])
mac_eid = cps_get_val.get_attr_data ('id')
print('Successfully created MAC ACL Entry ' + str(mac_eid))

See create_acl_table.py to view the Python application example.

Verify ACL entry creation using CPS get

# cps_get_oid.py 'base-acl/entry'

Key: 1.25.1638505.1638428.1638429.
base-acl/entry/table-id = 2
base-acl/entry/id = 1
base-acl/entry/match/IN_PORT_VALUE = 23
base-acl/entry/match/type = 9
base-acl/entry/match/SRC_MAC_VALUE/mask = ffffff000000
base-acl/entry/match/SRC_MAC_VALUE/addr = 50106e000000
base-acl/entry/match/type = 3
base-acl/entry/action/PACKET_ACTION_VALUE = 1
base-acl/entry/action/type = 3
base-acl/entry/npu-id-list = 0
base-acl/entry/priority = 512
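The two points a practitioner trips over in the table and entry procedures above are that the enum mapping is manual (so the dump from cps_get_oid.py comes back as bare numbers) and that each match or action value must be carried in the attribute named after its type (SRC_MAC_VALUE for SRC_MAC, PACKET_ACTION_VALUE for PACKET_ACTION). The following is an added example, not code from this page or from the OPX project: it builds the argument list for the add_embed_attr calls of an entry while enforcing that naming rule, and decodes a cps_get_oid.py dump back into enum names so the committed entry can be checked against what was intended. It does not import cps_utils and so runs off-switch. Assumptions: the third argument of add_embed_attr is taken to be the number of embedded containers on the path, as inferred from the page's own calls (1 for type and IN_PORT_VALUE, 2 for SRC_MAC_VALUE/addr); MAC_TYPES (the match types whose value is an addr/mask container) lists only SRC_MAC and DST_MAC; the sample dump is the page's base-acl/entry output reconstructed with one attribute per line.

```python
import re

# Enum maps as given on the page (the CPS Python API does not map YANG enum names).
E_FTYPE = {'SRC_MAC': 3, 'DST_MAC': 4, 'SRC_IP': 5, 'DST_IP': 6, 'IN_PORT': 9, 'DSCP': 21}
E_ATYPE = {'PACKET_ACTION': 3, 'SET_TC': 10}
E_PTYPE = {'DROP': 1}
FTYPE_NAME, ATYPE_NAME, PTYPE_NAME = ({v: k for k, v in m.items()} for m in (E_FTYPE, E_ATYPE, E_PTYPE))
MAC_TYPES = {'SRC_MAC', 'DST_MAC'}   # match types whose value is an addr/mask container (assumption)
MAC_RE = re.compile(r'^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$')

def embed_calls(list_name, enum_map, items):
    """(TYPE, value) pairs -> (path, value, num_embed) triples, one per add_embed_attr call.
    The value attribute is always <TYPE>_VALUE, so a type/value mix-up cannot be produced.
    num_embed counts embedded containers on the path, as the page's calls use the 3rd arg (assumption)."""
    calls = []
    for idx, (tname, value) in enumerate(items):
        if tname not in enum_map:
            raise ValueError('unknown %s type %r' % (list_name, tname))
        calls.append(([list_name, str(idx), 'type'], enum_map[tname], 1))
        vattr = tname + '_VALUE'
        if isinstance(value, dict):       # container value, e.g. {'addr': ..., 'mask': ...}
            calls += [([list_name, str(idx), vattr, leaf], v, 2) for leaf, v in value.items()]
        else:
            calls.append(([list_name, str(idx), vattr], value, 1))
    return calls

def entry_calls(matches, actions):
    """Validated add_embed_attr arguments for one base-acl/entry.
    matches: [('SRC_MAC', {'addr': 'xx:..', 'mask': 'xx:..'}), ('IN_PORT', ifindex)]; actions: [('PACKET_ACTION', 'DROP')]"""
    for tname, value in matches:
        if tname in MAC_TYPES and (not isinstance(value, dict) or set(value) != {'addr', 'mask'}
                                   or not all(isinstance(v, str) and MAC_RE.match(v) for v in value.values())):
            raise ValueError('%s needs {"addr": "xx:..", "mask": "xx:.."}, got %r' % (tname, value))
    # PACKET_ACTION carries a packet-action enum; the other action types carry a plain number.
    acts = [(t, E_PTYPE[v] if t == 'PACKET_ACTION' else v) for t, v in actions]
    return embed_calls('match', E_FTYPE, matches) + embed_calls('action', E_ATYPE, acts)

def hex_mac(s):
    """'50106e000000' (the form cps_get_oid.py prints) -> '50:10:6e:00:00:00'."""
    if not re.match(r'^[0-9a-fA-F]{12}$', s):
        raise ValueError('bad MAC hex %r' % s)
    return ':'.join(s[i:i + 2] for i in range(0, 12, 2)).lower()

def parse_dump(text):
    """cps_get_oid.py output -> one [(path_parts, value), ...] list per 'Key:' block."""
    objs, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('Key:'):
            cur = []
            objs.append(cur)
        elif cur is not None and ' = ' in line:
            attr, val = line.split(' = ', 1)
            cur.append((attr.split('/')[2:], val))   # drop the 'base-acl/<object>' prefix
    return objs

def decode_entry(attrs):
    """Numeric base-acl/entry dump -> enum names, pairing each value with its type by name, not line order."""
    types, vals, scal = {'match': [], 'action': []}, {'match': {}, 'action': {}}, {}
    for parts, v in attrs:
        if parts[0] not in types:
            scal[parts[0]] = v
        elif parts[1] == 'type':
            types[parts[0]].append(int(v))
        elif len(parts) == 3:                 # container leaf, e.g. SRC_MAC_VALUE/addr
            vals[parts[0]].setdefault(parts[1], {})[parts[2]] = v
        else:
            vals[parts[0]][parts[1]] = v
    out = {k: int(scal[k]) for k in ('table-id', 'id', 'priority')}
    out['matches'], out['actions'] = {}, {}
    for t in types['match']:
        name = FTYPE_NAME[t]
        raw = vals['match'].pop(name + '_VALUE')   # KeyError here means a type without its value
        out['matches'][name] = {k: hex_mac(x) for k, x in raw.items()} if name in MAC_TYPES else int(raw)
    for t in types['action']:
        name = ATYPE_NAME[t]
        raw = int(vals['action'].pop(name + '_VALUE'))
        out['actions'][name] = PTYPE_NAME[raw] if name == 'PACKET_ACTION' else raw
    stray = list(vals['match']) + list(vals['action'])
    if stray:
        raise ValueError('value attributes without a matching type: %s' % stray)
    return out

# Constructed sample: the page's base-acl/entry dump, one attribute per line.
ENTRY_DUMP = """Key: 1.25.1638505.1638428.1638429.
base-acl/entry/table-id = 2
base-acl/entry/id = 1
base-acl/entry/match/IN_PORT_VALUE = 23
base-acl/entry/match/type = 9
base-acl/entry/match/SRC_MAC_VALUE/mask = ffffff000000
base-acl/entry/match/SRC_MAC_VALUE/addr = 50106e000000
base-acl/entry/match/type = 3
base-acl/entry/action/PACKET_ACTION_VALUE = 1
base-acl/entry/action/type = 3
base-acl/entry/npu-id-list = 0
base-acl/entry/priority = 512
"""
```

Each triple from entry_calls maps onto one cps_obj.add_embed_attr(path, value, num_embed) call on a cps_utils.CPSObject(module='base-acl/entry'); for the spec [('SRC_MAC', {'addr': '50:10:6e:00:00:00', 'mask': 'ff:ff:ff:00:00:00'}), ('IN_PORT', 23)] with action [('PACKET_ACTION', 'DROP')] it yields the seven calls of the entry procedure above, with the ifindex already resolved. After the commit, run cps_get_oid.py 'base-acl/entry' on the switch and feed its output through parse_dump and decode_entry; comparing the decoded matches against the spec confirms the entry the hardware holds is the one that was intended before the drop rule is relied on, and a value attribute that arrived under the wrong name is reported instead of being silently ignored.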

Delete ACL entry using Python

1. Import the CPS object Python library.

import cps_utils

2. Define the enum map.

NOTE: A CPS Python application does not automatically map the YANG model enum name to a number.

e_stg = {'INGRESS': 1, 'EGRESS': 2}
e_ftype = {'SRC_MAC': 3, 'DST_MAC': 4, 'SRC_IP': 5, 'DST_IP': 6, 'IN_PORT': 9, 'DSCP': 21}
e_atype = {'PACKET_ACTION': 3, 'SET_TC': 10}
e_ptype = {'DROP': 1}

3. Register the attribute type with the CPS utility for attributes with non-integer values.

type_map = {
'base-acl/entry/SRC_MAC_VALUE/addr': 'mac',
'base-acl/entry/SRC_MAC_VALUE/mask': 'mac',
}
for key,val in type_map.items():
  cps_utils.cps_attr_types_map.add_type(key, val)

4. Define the table and entry ID key values and create the CPS object.

cps_obj = cps_utils.CPSObject(module='base-acl/entry', data={'table-id': tbl_id, 'id': mac_eid})

5. Associate the object with a CPS operation.

cps_update = ('delete', cps_obj.get())

6. Add the operation and object pair to a new CPS transaction.

cps_trans = cps_utils.CPSTransaction([cps_update])

7. Verify the return value.

r = cps_trans.commit()
if not r:
  raise RuntimeError ("Error deleting ACL Entry")

See delete_acl.py to view the Python application example.
