Cisco implementation of ACL yang model
Sonal Agarwal Cisco Systems Inc.
Agenda
- ACE rule-name handling
- Edit configuration operations
- Augmentation of the IETF interface model
ACE Rule-name Handling in IOS-XR
Problem
- In the IETF model, the ACE list key (rule-name) is an alphanumeric string.
- IOS-XR configures an ACL by sequence number.
- How is an alphanumeric rule-name mapped to a sequence number?

Solution
- The current solution maps each rule-name to a sequence number, so that Cisco's existing ACL implementation can be reused.
- In certain cases this involves complex operations that re-sequence the ACL.

High-level algorithm
1. On an IETF ACL YANG model update, build an ACE list for the existing ACL and an index structure that maps rule-name to ACE.
2. Apply the IETF edit-config operations (create, merge, delete, ...) to the ACE list, preserving order: an ACL is evaluated first-match, so moving an ACE changes what the ACL permits.
3. After the update, generate new sequence numbers for the ACEs in the list.
4. Commit the configuration: update Sysdb (the system database) and trigger the hardware update.
Edit Configuration Operations
Create
- Create <rule-name>
- Create <rule-name> with Insert last
- Create <rule-name> with Insert first
- Create <rule-name> with Insert before <key>
- Create <rule-name> with Insert after <key>

Merge
- Merge <rule-name>
- Merge <rule-name> with Insert first
- Merge <rule-name> with Insert last
- Merge <rule-name> with Insert before <key>
- Merge <rule-name> with Insert after <key>

Replace
- Replace <rule-name>
- Replace <rule-name> with Insert first
- Replace <rule-name> with Insert last
- Replace <rule-name> with Insert before <key>
- Replace <rule-name> with Insert after <key>

Delete
- Delete <rule-name>

Get
- Get-config
Get-config example

Running configuration on the router:

RP/0/0/CPU0:ios#sh run ipv4 access-list
ipv4 access-list acl1
 10 permit tcp / /24
!

Sent to NETCONF agent #286 (the filter selects all ACLs of type ipv4-acl):

<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <get-config>
    <source><running/></source>
    <filter>
      <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-access-control-list">
        <acl>
          <acl-type>ipv4-acl</acl-type>
        </acl>
      </access-lists>
    </filter>
  </get-config>
</rpc>

Received from NETCONF agent #590 (rule-name carries the XR sequence number, protocol 6 is TCP):

<?xml version="1.0"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <data>
    <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-access-control-list">
      <acl>
        <acl-name>acl1</acl-name>
        <acl-type>ipv4-acl</acl-type>
        <access-list-entries>
          <ace>
            <rule-name>10</rule-name>
            <actions>
              <permit/>
            </actions>
            <matches>
              <protocol>6</protocol>
              <source-ipv4-network> /24</source-ipv4-network>
            </matches>
          </ace>
        </access-list-entries>
      </acl>
    </access-lists>
  </data>
</rpc-reply>
Edit-config: Create

Sent to NETCONF agent #592 (the create operation is attached to the acl-name leaf; the edit targets the candidate datastore):

<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <candidate/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-access-control-list">
        <acl>
          <access-list-entries>
            <ace>
              <actions>
                <permit/>
              </actions>
              <matches>
                <destination-ipv4-network> /16</destination-ipv4-network>
              </matches>
              <rule-name>10</rule-name>
            </ace>
          </access-list-entries>
          <acl-type>ipv4-acl</acl-type>
          <acl-name xc:operation="create">acl5</acl-name>
        </acl>
      </access-lists>
    </config>
  </edit-config>
</rpc>

Received from NETCONF agent #119:

<?xml version="1.0"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>

Resulting configuration:

ipv4 access-list acl5
 10 permit ipv4 any
Edit-config: Replace

Before:

ipv4 access-list nc-test1
 10 permit ipv4 any
 20 permit ipv4 any
 30 permit ipv4 any
!

Sent to NETCONF agent (the replace operation is attached to the protocol leaf of rule 10 only, so the ACE keeps its position and sequence number):

<rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <edit-config>
    <target>
      <candidate/>
    </target>
    <config xmlns:xc="urn:ietf:params:xml:ns:netconf:base:1.0">
      <access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-access-control-list">
        <acl>
          <access-list-entries>
            <ace>
              <rule-name>10</rule-name>
              <matches>
                <protocol xc:operation="replace">6</protocol>
              </matches>
            </ace>
          </access-list-entries>
          <acl-type>ipv4-acl</acl-type>
          <acl-name>nc-test1</acl-name>
        </acl>
      </access-lists>
    </config>
  </edit-config>
</rpc>

Received from NETCONF agent:

<?xml version="1.0"?>
<rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <ok/>
</rpc-reply>

After:

ipv4 access-list nc-test1
 10 permit tcp any
 20 permit ipv4 any
 30 permit ipv4 any
!
IETF to XR Mapping – Create “D”

BEFORE              AFTER
IETF    XR          IETF    XR
A       10/A        A       10/A
B       20/B        B       20/B
C       30/C        C       30/C
                    D       40/D
IETF to XR Mapping – Insert “D” after “B”

BEFORE              AFTER
IETF    XR          IETF    XR
A       10/A        A       10/A
B       20/B        B       20/B
C       30/C        D       21/D
                    C       30/C
IETF to XR Mapping – Replace “B” with “E”, Insert after “A”

BEFORE              AFTER
IETF    XR          IETF    XR
A       10/A        A       10/A
B       20/B        E       20/E
C       30/C        C       30/C

Delete queue: 20/B

E takes B's position and sequence number 20; the old XR entry 20/B is queued for deletion and removed at commit.
IETF to XR Mapping – Delete “B”

BEFORE              AFTER
IETF    XR          IETF    XR
A       10/A        A       10/A
B       20/B        C       30/C
C       30/C
Augmenting the IETF interface model

Cisco's proposal to augment the IETF interface model so that an ACL can be bound to an interface in each direction, per address family:

module: cisco-ietf-interfaces-acl-ext
augment /if:interfaces/if:interface:
  +--rw in-acls
  |  +--rw ipv4
  |  |  +--rw acl-name?   acl:access-control-list-ref
  |  +--rw ipv6
  |  |  +--rw acl-name?   acl:access-control-list-ref
  |  +--rw eth
  |     +--rw acl-name?   acl:access-control-list-ref
  +--rw out-acls
     +--rw ipv4
     |  +--rw acl-name?   acl:access-control-list-ref
     +--rw ipv6
     |  +--rw acl-name?   acl:access-control-list-ref
     +--rw eth
        +--rw acl-name?   acl:access-control-list-ref

Each acl-name is a leafref to an ACL defined under access-lists, so an interface can only be bound to an ACL that exists.