IPv4 Access Control List Definition
Access lists configured through localized data policy are called explicit ACLs. Explicit ACLs can be applied to any interface in any VPN on the device. It can be used to filter, classify, mark traffic.
Diagram
Section titled “Diagram”Classes
Section titled “Classes”definitions (sdwan.localized_policies)
Section titled “definitions (sdwan.localized_policies)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
ipv4_access_control_lists | List | [ipv4_access_control_lists] | No |
ipv4_access_control_lists (sdwan.localized_policies.definitions)
Section titled “ipv4_access_control_lists (sdwan.localized_policies.definitions)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
name | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | Yes | |
description | String | Yes | ||
default_action | Choice | accept , drop | Yes | |
sequences | List | [sequences] | No |
sequences (sdwan.localized_policies.definitions.ipv4_access_control_lists)
Section titled “sequences (sdwan.localized_policies.definitions.ipv4_access_control_lists)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
id | Integer | min: 1 , max: 65534 | Yes | |
name | String | No | ||
base_action | Choice | accept , drop | Yes | |
match_criterias | Class | [match_criterias] | No | |
actions | Class | [actions] | No |
match_criterias (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)
Section titled “match_criterias (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
class | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
destination_data_prefix_list | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
destination_ip_prefix | String | Regex: ^(?:((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:[1-9]|[12]\d|3[0-2]))(?:\s+((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:[1-9]|[12]\d|3[0-2]))*$ | No | |
destination_ip_prefix_variable | String | No | ||
destination_ports | List | Integer[min: 0 , max: 65535 ] | No | |
destination_port_ranges | List | [destination_port_ranges] | No | |
dscp | Integer | min: 0 , max: 63 | No | |
packet_length | Integer | min: 0 , max: 65535 | No | |
priority | Choice | high , low | No | |
protocols | List | Integer[min: 0 , max: 255 ] | No | |
source_data_prefix_list | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
source_ip_prefix | String | Regex: ^(?:((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:[1-9]|[12]\d|3[0-2]))(?:\s+((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\/(?:[1-9]|[12]\d|3[0-2]))*$ | No | |
source_ip_prefix_variable | String | No | ||
source_ports | List | Integer[min: 0 , max: 65535 ] | No | |
source_port_ranges | List | [source_port_ranges] | No | |
tcp | Choice | syn | No |
actions (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)
Section titled “actions (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
counter_name | String | min: 1 , max: 20 | No | |
class | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
dscp | Integer | min: 0 , max: 63 | No | |
log | Boolean | true , false | No | |
mirror_list | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No | |
next_hop | IP | No | ||
policer | String | Regex: ^[A-Za-z0-9-_]{1,128}$ | No |
destination_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)
Section titled “destination_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
from | Integer | min: 0 , max: 65535 | Yes | |
to | Integer | min: 0 , max: 65535 | Yes |
source_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)
Section titled “source_port_ranges (sdwan.localized_policies.definitions.ipv4_access_control_lists.sequences.match_criterias)”Name | Type | Constraint | Mandatory | Default Value |
---|---|---|---|---|
from | Integer | min: 0 , max: 65535 | Yes | |
to | Integer | min: 0 , max: 65535 | Yes |
Examples
Section titled “Examples”Example-1: This example show how to classify traffic based on DSCP marking.
sdwan: localized_policies: definitions: ipv4_access_control_lists: - name: ACL-TLOCEXT-DSCP description: "Set traffic class based on DSCP" default_action: accept sequences: - id: 10 name: Voice traffic base_action: accept match_criterias: dscp: 46 actions: class: CLASS-REALTIME counter_name: 10-CLASS-REALTIME - id: 20 name: Video traffic base_action: accept match_criterias: dscp: 34 actions: class: CLASS-VIDEO counter_name: 20-CLASS-VIDEO - id: 30 name: Transactional traffic base_action: accept match_criterias: dscp: 18 actions: class: CLASS-TRANSACTIONAL counter_name: 30-CLASS-TRANSACTIONAL - id: 40 name: BULK traffic base_action: accept match_criterias: dscp: 10 actions: class: CLASS-BULK counter_name: 40-CLASS-BULK
Example-2: This example shows how to secure interface where traffic from Guest users is received.
sdwan: localized_policies: definitions: ipv4_access_control_lists: - name: ACL-GUEST-IN description: "Secure interface towards Guest users" default_action: accept sequences: - id: 10 name: DHCP base_action: accept match_criterias: protocols: - 17 source_ports: - 68 destination_ports: - 67 actions: counter_name: 10-DHCP - id: 20 name: Guest Portal base_action: accept match_criterias: protocols: - 6 destination_data_prefix_list: DPL-ISE-GUEST destination_ports: - 443 actions: counter_name: 20-GUEST-PORTAL - id: 30 name: DNS base_action: accept match_criterias: protocols: - 17 destination_ports: - 53 actions: counter_name: 30-DNS - id: 40 name: To Enterprise Traffic base_action: drop match_criterias: destination_data_prefix_list: DPL-RFC1918 actions: counter_name: 40-ENTERPRISE