HowTo Configure Filtering Rules on Mellanox Ethernet Switches (ACLs, ip filtering)

Version 10

    The following post discusses two mechanisms for filtering traffic that arrives at Mellanox Ethernet switches:

    1. IP filtering, which filters traffic destined to the switch CPU.
    2. ACLs, which filter traffic that is not destined to the switch CPU (data traffic forwarded through the switch).

     


    Overview

    There are two types of malicious traffic that can reach the data center from external sources:

    1. Traffic that targets the switch's CPU, arriving either in-band or out-of-band (e.g. via mgmt0) and addressed to one of the switch's IP interfaces (loopback, router IP). To protect against or filter such traffic, use the ip filter set of commands.

    2. Traffic that targets the data center servers and is forwarded through the switch. To protect against or filter this traffic, use the switch's ACL set of commands.

     

     

    IP Filtering

     

    Understanding IP filtering

    IP filtering is a mechanism that allows the user to apply actions to a specific flow, identified by a flow key, on its way from the data ports to the CPU.

    This mechanism can be used to protect the switch's CPU from external attacks.

    For example, the administrator can allow traffic only from a specific trusted management subnet, block a UDP port from receiving traffic, or force the ping rate to stay below a specific threshold.

     

    Each IP table rule is defined by key, priority, and action:

    • Key – The key is a combination of the physical port, layer 3 parameters (e.g. source IP, destination IP, source port, destination port, etc.) and other fields. Each part of the key can be masked or set to a specific value.
    • Priority – Each rule is assigned a priority; among the rules whose key matches the packet, the rule with the highest priority executes its action.
    • Action – The action describes what happens to packets that match the key. The action type may be drop, accept, rate limit, etc.

     

    An IP filtering rule is bound to an IP interface, which can be the in-band or out-of-band management interface, a VLAN interface or a router port interface. Once bound, all traffic received (ingress rule) or transmitted (egress rule) in that direction is checked against all bound rules.

    Once a match is found, the rule's action is executed. If no match is found, the default policy of the chain is applied.

     

    Note: If a specific data port is already configured with ACLs, the ACL rules are executed before the ip filtering rules.

     

    IP filter Configuration

     

    IP Interface

    Some rules apply to a specific IP interface. There are three kinds of IP interface that can be used for testing:

    1. Configure loopback interface and add IP address to it, run:

    switch (config)# interface loopback 1

    switch (config interface loopback 1)# ip address 10.10.10.10/32

     

    2. Configure router port and add IP address to it, run:

    switch (config)# interface ethernet 1/1

    switch (config interface ethernet 1/1)# no switchport force

    switch (config interface ethernet 1/1)# ip address 11.11.11.11/24

     

    3. Configure VLAN interface and set an IP address, run:

    switch (config)# interface vlan 1

    switch (config interface vlan 1)# ip address 12.12.12.12/24

     

    IP filtering

    1. Enable ip filter globally.

    switch (config) # ip filter enable

     

    2. Set the default input or output policy rule. The default is to accept all. The default rule is applied if no other rule matches. For example, drop all traffic other than a specific set of flows, or accept all traffic except a specific set of flows.

    switch (config) # ip filter chain input policy drop

    switch (config) # ip filter chain output policy accept

     

    3. Set ip filtering rules for input or output traffic. For example, block (drop) traffic with UDP source port 100.

    switch (config) # ip filter chain input rule set 2 target drop protocol udp source-port 100

     

    Example Rules

    Follow the configuration above, and set rules as needed according to the examples below:

     

    Allow CPU access only to a specific host via a specific interface:

    1. Enable IP filtering and set the default input policy to drop

    switch (config) # ip filter enable

    switch (config) # ip filter chain input policy drop

     

    2. Set a rule that accepts traffic from 10.9.1.91 only, and only when it is received on interface mgmt0.

    switch (config) # ip filter chain input rule append tail target accept source-addr 10.9.1.91 in-intf mgmt0

     

    Note: When testing the above, be careful not to block your management network connection to the switch!

     

    3. Check your configuration, run:

    switch  (config) # show ip filter

    Packet filtering for IPv4: enabled

    Active IPv4 filtering rules (omitting any not from configuration):

     

    ------------------------------------

    Chain: 'input'    Policy: 'drop'

    ------------------------------------

     

    Rule : 1   

       Target         : accept

       Protocol       : all

       Source         : 10.9.1.91/32

       Destination    : all

       Interface      : mgmt0(ingress)

       State          : any

       Other Filter   :  -

     

    ------------------------------------

    Chain: 'output'    Policy: 'accept'

    ------------------------------------

      No rules.

     

    Deny CPU access from a specific network:

    1. Enable IP filtering and set the default input policy to accept, run:

    switch (config) # ip filter enable

    switch (config) # ip filter chain input policy accept

     

    2. Set a rule to deny traffic from 10.9.1.0/24 coming from all interfaces, run:

    switch (config) # ip filter chain input rule append tail target drop source-addr 10.9.1.0/24

     

    3. Check your configuration, run:

    switch  (config) # show ip filter

    Packet filtering for IPv4: enabled

    Active IPv4 filtering rules (omitting any not from configuration):

     

    ------------------------------------

    Chain: 'input'    Policy: 'accept'

    ------------------------------------

     

    Rule : 1   

       Target         : drop

       Protocol       : all

       Source         : 10.9.1.91/24

       Destination    : all

       Interface      : all

       State          : any

       Other Filter   :  -

     

    ------------------------------------

    Chain: 'output'    Policy: 'accept'

    ------------------------------------

      No rules.

     

    Deny specific TCP traffic (e.g. telnet):

    1. Enable IP filtering and set the default input policy to accept, run:

    switch (config) # ip filter enable

    switch (config) # ip filter chain input policy accept

     

    2. Set a rule to deny telnet traffic (TCP port 23) coming from all interfaces, run:

    switch (config) # ip filter chain input rule append tail target drop dest-port 23 protocol tcp

     

    3. Check your configuration, run:

    switch  (config) # show ip filter

    Packet filtering for IPv4: enabled

    Active IPv4 filtering rules (omitting any not from configuration):

     

    ------------------------------------

    Chain: 'input'    Policy: 'accept'

    ------------------------------------

     

    Rule : 1  

       Target         : drop

       Protocol       : tcp

       Source         : 10.9.1.91/24

       Destination    : all

       Interface      : all

       State          : any

       Other Filter   : dest port 23

     

    ------------------------------------

    Chain: 'output'    Policy: 'accept'

    ------------------------------------

      No rules.

     

    Similarly, you can allow or deny other TCP-based protocols such as HTTP, FTP, SMTP and so on, depending on the TCP port.

     

    For the full list of commands, refer to the MLNX-OS User Manual, IP Table Filtering section.

     

    Access Control Lists (ACLs)

    Understanding ACLs

    An Access Control List (ACL) is a list of permissions applied on a port that filters the stream of packets received on that port.
    Each rule is specified by a set of L2/L3/L4 fields and represents a flow (e.g. source and destination addresses, IP protocol, VLAN ID or TCP port).

    The ACL commands are relevant for data traffic transmitted through the switch.

    Note: Only ingress ACL filtering is supported.

    Note: If ip filtering is configured in addition to ACLs, the ACL rules are executed before the ip filtering rules (ACLs have the higher priority).

     

    In addition to filtering, several other actions can be attached to an ACL.
    Once a packet is permitted by a rule of the ACL on the port, that rule's action is applied. An ACL action can modify the ingress packet (e.g. change VLAN, add VLAN, remove VLAN).

     

     

     

    Configuring ACLs

    To configure ACLs on a port, first create a list, add rules to the list and then apply the list to a specific port. Optionally, you can also create an ACL action and bind it to the list you created, for the action to take effect.

     

    1. Create a list. There are two types of lists (IP and MAC), depending on the rules you wish to create.

    For example, to create an IP list called my_list, run:

    switch (config) # ipv4 access-list my-list

    switch (config ipv4 access-list my-list) #

     

    2. Add rules with no action, run:

    switch (config ipv4 access-list my-list) # seq-number 10 deny ip 1.2.3.4 mask 255.255.255.255 any
    switch (config ipv4 access-list my-list) # deny tcp any any eq-destination 23

     

    Use the sequence number to arrange the list of rules.

     

    3. Add rules with action.

     

    Create an ACL action profile and add an action to it, run:

    switch (config) # access-list action my-action

    switch  (config access-list action my-action) # vlan-map 10

     

    Add a rule together with the action, run:

    switch (config ipv4 access-list my-list) # seq-number 10 deny ip 1.2.3.4 mask 255.255.255.255 any action

     

    4. Bind the ACL to a port, run:

    switch (config interface ethernet 1/1) # ipv4 port access-group my_list

     

    5. Check the configuration, run:

    switch (config) # show access-lists

    ipv4 access-list my_list

    seq-number|p/d   |protocol|sip              |dip              |sport/type |dport/code |action|

    =============================================================================================

    10        |deny  |ip      |1.2.3.4          |any              |any        |any        |my_action|

    20        |deny  |tcp     |any              |any              |any        |23         |none  |

     

     

     

    switch (config) # show ipv4 access-lists summary

    ipv4 access-list my_list

        Total ACEs Configured: 2

        Configured on interfaces:

            Ethernet 1/1

     

     

     

    switch (config) # show access-lists action my_action

    Access-list Action my_action

    Mapped_Vlan_ID      |Mapped_port    |Counter_set    |Policer_ID     |

    ================================================================================

    10                  |N/A            |N/A            |N/A            |


     

    For the full list of commands, refer to the MLNX-OS User Manual, Access Control List section.
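    As an added illustration (not part of the original post and not MLNX-OS code), the following Python model replays the evaluation order this page describes for both mechanisms: an ACL bound to the ingress port is consulted first, and only packets addressed to one of the switch's own IP interfaces then pass through the ip filter input chain, where the first rule whose key matches wins and the chain policy applies otherwise. The rule sets, the switch IP addresses and the sample packets are constructed from the page's examples; the treatment of a packet that matches no ACE (permitted) and rule order standing in for priority are assumptions.

```python
import ipaddress

def net_match(addr, net):
    """'any' matches everything, else CIDR containment (the ACL 'mask' form is written as CIDR here)."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def field_match(value, wanted):
    """A key field that is absent, 'any', 'all' or 'ip' is masked out and matches anything."""
    return wanted in (None, "any", "all", "ip") or value == wanted

def acl_verdict(aces, pkt):
    """Ingress ACL: ACEs are tried in seq-number order, first matching key decides (ASSUMPTION: no match = permit)."""
    for ace in sorted(aces, key=lambda a: a["seq"]):
        if (field_match(pkt["proto"], ace.get("proto")) and net_match(pkt["src"], ace["sip"])
                and net_match(pkt["dst"], ace["dip"]) and field_match(pkt["dport"], ace.get("dport"))):
            return ace["verdict"]
    return "permit"

def ip_filter_verdict(chain, pkt):
    """ip filter input chain: the first rule whose key matches runs its target, else the chain policy."""
    for rule in chain["rules"]:
        if (field_match(pkt["proto"], rule.get("protocol")) and net_match(pkt["src"], rule.get("source-addr", "any"))
                and field_match(pkt["dport"], rule.get("dest-port")) and field_match(pkt["intf"], rule.get("in-intf"))):
            return rule["target"]
    return chain["policy"]

def classify(pkt, bindings, chain, cpu_ips):
    """Order stated on the page: an ACL bound to the ingress port runs first; only CPU-bound packets then hit ip filter."""
    if pkt["intf"] in bindings and acl_verdict(bindings[pkt["intf"]], pkt) == "deny":
        return "dropped by ACL"
    if pkt["dst"] in cpu_ips:
        return "to CPU: " + ip_filter_verdict(chain, pkt)
    return "forwarded"

# Constructed configuration mirroring the page's examples (my_list bound to ethernet 1/1, input chain policy drop).
MY_LIST = [{"seq": 10, "verdict": "deny", "proto": "ip", "sip": "1.2.3.4/32", "dip": "any"},
           {"seq": 20, "verdict": "deny", "proto": "tcp", "sip": "any", "dip": "any", "dport": 23}]
BINDINGS = {"ethernet 1/1": MY_LIST}
INPUT_CHAIN = {"policy": "drop", "rules": [{"target": "accept", "source-addr": "10.9.1.91/32", "in-intf": "mgmt0"}]}
CPU_IPS = {"10.10.10.10", "11.11.11.11", "12.12.12.12"}  # loopback, router port and vlan 1 addresses from the page

def demo():
    """Constructed packets as (src, dst, ingress interface, protocol, dport); returns one verdict per packet."""
    samples = [("10.9.1.91", "10.10.10.10", "mgmt0", "tcp", 22),         # trusted host on mgmt0 -> rule 1 accept
               ("10.9.1.91", "10.10.10.10", "ethernet 1/2", "tcp", 22),  # same host in-band -> chain policy drop
               ("1.2.3.4", "10.10.10.10", "ethernet 1/1", "icmp", 0),    # ACE 10 denies before ip filter runs
               ("192.0.2.7", "192.0.2.50", "ethernet 1/1", "tcp", 23),   # transit telnet denied by ACE 20
               ("192.0.2.7", "192.0.2.50", "ethernet 1/1", "tcp", 443)]  # transit permitted, ip filter not consulted
    return [classify(dict(zip(("src", "dst", "intf", "proto", "dport"), s)), BINDINGS, INPUT_CHAIN, CPU_IPS)
            for s in samples]
```

    Call demo() to see the verdict for each sample packet; the second packet shows why the mgmt0-only rule with a drop policy locks out the same trusted host when it arrives in-band.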