IPv4 Access Control List Definition

Access lists configured through localized data policy are called explicit ACLs. Explicit ACLs can be applied to any interface in any VPN on the device. It can be used to filter, classify, mark traffic.

Diagram

Classes

definitions (sdwan.localized_policies)

Name	Type	Constraint	Mandatory	Default Value
ipv4_access_control_lists	List	`[ipv4_access_control_lists]`	No

ipv4_access_control_lists (sdwan.localized_policies.definitions)

Name	Type	Constraint	Mandatory
name	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	Yes
description	String		Yes
default_action	Choice	`accept`, `drop`	Yes
sequences	List	`[sequences]`	No

sequences (sdwan.localized_policies.definitions.ipv4_access_control_lists)

Name	Type	Constraint	Mandatory
id	Integer	min: `1`, max: `65534`	Yes
name	String		No
base_action	Choice	`accept`, `drop`	Yes
match_criterias	Class	`[match_criterias]`	No
actions	Class	`[actions]`	No

match_criterias (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)

Name	Type	Constraint	Mandatory
class	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
destination_data_prefix_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
destination_ip_prefix	String	Regex: `^(?:((25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\.){3}(25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\/(?:[1-9]\|[12]\d\|3[0-2]))(?:\s+((25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\.){3}(25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\/(?:[1-9]\|[12]\d\|3[0-2]))*$`	No
destination_ip_prefix_variable	String		No
destination_ports	List	Integer[min: `0`, max: `65535`]	No
destination_port_ranges	List	`[destination_port_ranges]`	No
dscp	Integer	min: `0`, max: `63`	No
packet_length	Integer	min: `0`, max: `65535`	No
priority	Choice	`high`, `low`	No
protocols	List	Integer[min: `0`, max: `255`]	No
source_data_prefix_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
source_ip_prefix	String	Regex: `^(?:((25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\.){3}(25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\/(?:[1-9]\|[12]\d\|3[0-2]))(?:\s+((25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\.){3}(25[0-5]\|2[0-4][0-9]\|1[0-9]{2}\|[1-9]?[0-9])\/(?:[1-9]\|[12]\d\|3[0-2]))*$`	No
source_ip_prefix_variable	String		No
source_ports	List	Integer[min: `0`, max: `65535`]	No
source_port_ranges	List	`[source_port_ranges]`	No
tcp	Choice	`syn`	No

actions (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)

Name	Type	Constraint	Mandatory
counter_name	String	min: `1`, max: `20`	No
class	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
dscp	Integer	min: `0`, max: `63`	No
log	Boolean	`true`, `false`	No
mirror_list	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No
next_hop	IP		No
policer	String	Regex: `^[A-Za-z0-9-_]{1,128}$`	No

destination_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: `0`, max: `65535`	Yes
to	Integer	min: `0`, max: `65535`	Yes

source_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)

Name	Type	Constraint	Mandatory	Default Value
from	Integer	min: `0`, max: `65535`	Yes
to	Integer	min: `0`, max: `65535`	Yes

Examples

Example-1: This example show how to classify traffic based on DSCP marking.

sdwan:
  localized_policies:
    definitions:
      ipv4_access_control_lists:
        - name: ACL-TLOCEXT-DSCP
          description: "Set traffic class based on DSCP"
          default_action: accept
          sequences:
            - id: 10
              name: Voice traffic
              base_action: accept
              match_criterias:
                dscp: 46
              actions:
                class: CLASS-REALTIME
                counter_name: 10-CLASS-REALTIME
            - id: 20
              name: Video traffic
              base_action: accept
              match_criterias:
                dscp: 34
              actions:
                class: CLASS-VIDEO
                counter_name: 20-CLASS-VIDEO
            - id: 30
              name: Transactional traffic
              base_action: accept
              match_criterias:
                dscp: 18
              actions:
                class: CLASS-TRANSACTIONAL
                counter_name: 30-CLASS-TRANSACTIONAL
            - id: 40
              name: BULK traffic
              base_action: accept
              match_criterias:
                dscp: 10
              actions:
                class: CLASS-BULK
                counter_name: 40-CLASS-BULK

Example-2: This example shows how to secure interface where traffic from Guest users is received.

sdwan:
  localized_policies:
    definitions:
      ipv4_access_control_lists:
        - name: ACL-GUEST-IN
          description: "Secure interface towards Guest users"
          default_action: accept
          sequences:
            - id: 10
              name: DHCP
              base_action: accept
              match_criterias:
                protocols:
                  - 17
                source_ports:
                  - 68
                destination_ports:
                  - 67
              actions:
                counter_name: 10-DHCP
            - id: 20
              name: Guest Portal
              base_action: accept
              match_criterias:
                protocols:
                  - 6
                destination_data_prefix_list: DPL-ISE-GUEST
                destination_ports:
                  - 443
              actions:
                counter_name: 20-GUEST-PORTAL
            - id: 30
              name: DNS
              base_action: accept
              match_criterias:
                protocols:
                  - 17
                destination_ports:
                  - 53
              actions:
                counter_name: 30-DNS
            - id: 40
              name: To Enterprise Traffic
              base_action: drop
              match_criterias:
                destination_data_prefix_list: DPL-RFC1918
              actions:
                counter_name: 40-ENTERPRISE