Service IPv4 Access Control List Feature

Configure access control lists (ACLs) to influence the traffic flowing in or out the service interfaces.

Diagram

Classes

service_profiles (sdwan.feature_profiles)

Name	Type	Constraint	Mandatory	Default Value
ipv4_acls	List	`[ipv4_acls]`	No

ipv4_acls (sdwan.feature_profiles.service_profiles)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[^&<>! "]{1,128}$`	Yes
description	String		No
default_action	Choice	`accept`, `drop`	Yes
sequences	List	`[sequences]`	No

sequences (sdwan.feature_profiles.service_profiles.ipv4_acls)

Name	Type	Constraint	Mandatory	Default Value
id	Integer	min: `1`, max: `65536`	Yes
name	String	min: `1`, max: `19`	No	`acl`
base_action	Choice	`accept`, `drop`	Yes
match_entries	Class	`[match_entries]`	No
actions	Class	`[actions]`	No

match_entries (sdwan.feature_profiles.service_profiles.ipv4_acls.sequences)

Name	Type	Constraint	Mandatory
destination_data_prefix	IP		No
destination_data_prefix_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
destination_data_prefix_list	String	Regex: `^[^&<>! "]{1,128}$`	No
destination_ports	List	Integer[min: `0`, max: `65535`]	No
dscps	List	Integer[min: `0`, max: `63`]	No
icmp_messages	List	Choice[`administratively-prohibited`, `dod-host-prohibited`, `dod-net-prohibited`, `echo`, `echo-reply`, `echo-reply-no-error`, `extended-echo`, `extended-echo-reply`, `general-parameter-problem`, `host-isolated`, `host-precedence-unreachable`, `host-redirect`, `host-tos-redirect`, `host-tos-unreachable`, `host-unknown`, `host-unreachable`, `interface-error`, `malformed-query`, `multiple-interface-match`, `net-redirect`, `net-tos-redirect`, `net-tos-unreachable`, `net-unreachable`, `network-unknown`, `no-room-for-option`, `option-missing`, `packet-too-big`, `parameter-problem`, `photuris`, `port-unreachable`, `precedence-unreachable`, `protocol-unreachable`, `reassembly-timeout`, `redirect`, `router-advertisement`, `router-solicitation`, `source-route-failed`, `table-entry-error`, `time-exceeded`, `timestamp-reply`, `timestamp-request`, `ttl-exceeded`, `unreachable`]	No
packet_length	Integer	min: `1`, max: `65535`	No
protocols	List	Integer[min: `0`, max: `255`]	No
source_data_prefix	IP		No
source_data_prefix_variable	String	Regex: `^[./\[\]a-zA-Z0-9_-]{1,64}$`	No
source_data_prefix_list	String	Regex: `^[^&<>! "]{1,128}$`	No
source_ports	List	Integer[min: `0`, max: `65535`]	No
tcp_state	Choice	`syn`	No

actions (sdwan.feature_profiles.service_profiles.ipv4_acls.sequences)

Name	Type	Constraint	Mandatory
counter_name	String	Regex: `^[a-zA-Z0-9-_]{1,32}$`	No
dscp	Integer	min: `0`, max: `63`	No
ipv4_next_hop	IP		No
log	Boolean	`true`, `false`	No
mirror	String	Regex: `^[^&<>! "]{1,128}$`	No
policer	String	Regex: `^[^&<>! "]{1,128}$`	No

Examples

Example-1: The example below demonstrates how to configure service IPv4 access list with default action accept and two sequences. Sequence 1 matches all traffic destined to 10.0.0.0/8 with DSCP 12, accepts the traffic, sets DSCP to 0 and apply counter. Sequence 2 matches all traffic destined to 192.168.0.0/16, drops the traffic and logs the drop.

sdwan:
  feature_profiles:
    service_profiles:
      - name: basic_service
        ipv4_acls:
          - name: lan_acl_in
            description: "control LAN inbound traffic"
            default_action: accept
            sequences:
              - id: 1
                base_action: accept
                match_entries:
                  destination_data_prefix: 10.0.0.0/8
                  dscps:
                    - 12
                    - 24
                actions:
                  dscp: 0
                  counter_name: remark-dscp
              - id: 2
                base_action: drop
                match_entries:
                  destination_data_prefix: 192.168.0.0/16
                actions:
                  log: true