Java Basic ACL Tutorial
This tutorial shows how a onePK application can create an Access Control List (ACL) in a Network Element. It also shows how to create and add an Access Control Element (ACE) to the list. The ACL is added to an Interface on the Network Element. The onePK application can retrieve the match counts for each ACE.
The code used in this tutorial is available in the ACLTutorial.java file located under <SDK Location>/java/tutorials/src/Policy.
Requirements / Prerequisites
Before creating and applying an ACL from an application, you must already know the following:
- How to connect an application to a onePK-enabled Network Element. See the Connecting to a Network Element tutorial.
Steps in Detail
Create an Access Control List
Create the ACL on the Network Element. As these functions are invoked, the ACLs are created on the Network Element. There are several types of ACL: L3 IPv4 ACL, L3 IPv6 ACL and L2 MAC ACL. In this tutorial the new ACL is stored in a variable named L3Acl.
Create an Access Control Element
Create an L3 IPv4 ACE. In this tutorial the protocol is set to TCP. Specify the source and destination prefixes and prefix lengths. Port matches are only valid when the protocol is TCP, UDP or SCTP. Set a source port and a destination port range, specify the TCP flags and matching criteria, and specify any syslog flags.
// Package names are assumed from the onePK SDK layout.
import com.cisco.onep.policy.Acl;
import com.cisco.onep.policy.L3Ace;

// Sequence number used for the ACE created below.
private static final int SEQUENCE_NUMBER = 10;

private static L3Ace createAccessControlElement() {
    // Creates a new Access Control Element with Sequence Number 10; the
    // "false" argument means this element will "deny" the following conditions.
    L3Ace accessControlElement = new L3Ace(SEQUENCE_NUMBER, false);
    // Set the protocol to TCP.
    accessControlElement.setProtocol(Acl.AclProtocol.TCP);
    // Match any source prefix.
    accessControlElement.setSrcPrefixAny();
    // Match any destination prefix.
    accessControlElement.setDstPrefixAny();
    // Match source ports greater than 0.
    accessControlElement.setSrcPort((short) 0, L3Ace.PortOperator.ONEP_OPER_GT);
    // Match destination ports greater than 0.
    accessControlElement.setDstPort((short) 0, L3Ace.PortOperator.ONEP_OPER_GT);
    // Log matches on this Access Control Element.
    accessControlElement.setLogFlag(L3Ace.LogFlag.ONEP_ACL_LOG_NORMAL);
    return accessControlElement;
}
Apply an Access Control Element
Now add the L3 ACE to the ACL. After the ACE is added to the ACL, apply the ACL to an Interface. As these functions are invoked, the ACEs are added on the connected Network Element.
// Apply the ACL to the interface in both directions.
accessControlList.applyToInterface(testNetworkInterface, Acl.Direction.ONEP_DIRECTION_BOTH);
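The following is an added example and is not code from the onePK SDK or from ACLTutorial.java. It is a small stand-alone model of how the ACE built above (sequence 10, deny, TCP, any source and destination, source and destination port greater than 0) is evaluated against sample traffic, with a per-ACE match counter like the count the onePK application can read back. The model assumes first-match evaluation with an implicit deny at the end of the list, which is how IOS ACLs behave; all class names, the Flow record and the sample flows are constructed for this example. It shows why an ACL containing only this deny ACE denies all TCP traffic through the interface and, via the implicit deny, all other traffic as well.

```java
import java.util.ArrayList;
import java.util.List;

// Added example: a model of ACE matching and match counting, not onePK code.
// Requires Java 17 or later (records and switch expressions).
public class AclMatchModel {

    enum Protocol { TCP, UDP, SCTP, ICMP }
    enum PortOperator { EQ, GT, LT }
    enum Action { PERMIT, DENY }

    // A five-tuple flow; the values used in main() are constructed samples.
    record Flow(Protocol proto, String src, String dst, int srcPort, int dstPort) {}

    static final class Ace {
        final int sequence;
        final Action action;
        final Protocol proto;
        final int srcPort;
        final PortOperator srcOp;
        final int dstPort;
        final PortOperator dstOp;
        long matchCount = 0; // analogous to the per-ACE hit count on the element

        Ace(int sequence, Action action, Protocol proto,
            int srcPort, PortOperator srcOp, int dstPort, PortOperator dstOp) {
            this.sequence = sequence; this.action = action; this.proto = proto;
            this.srcPort = srcPort; this.srcOp = srcOp;
            this.dstPort = dstPort; this.dstOp = dstOp;
        }

        static boolean portMatches(int port, int ref, PortOperator op) {
            return switch (op) {
                case EQ -> port == ref;
                case GT -> port > ref;   // ONEP_OPER_GT in the tutorial
                case LT -> port < ref;
            };
        }

        // The tutorial's ACE uses "any" for both prefixes, so only protocol and
        // ports are checked here.
        boolean matches(Flow f) {
            return f.proto() == proto
                && portMatches(f.srcPort(), srcPort, srcOp)
                && portMatches(f.dstPort(), dstPort, dstOp);
        }
    }

    static final class Acl {
        final List<Ace> aces = new ArrayList<>();

        void add(Ace a) { aces.add(a); }

        // First matching ACE wins and its counter is incremented. A flow that
        // matches no ACE hits the implicit deny at the end of the list.
        Action evaluate(Flow f) {
            for (Ace a : aces) {
                if (a.matches(f)) {
                    a.matchCount++;
                    return a.action;
                }
            }
            return Action.DENY;
        }
    }

    public static void main(String[] args) {
        Acl acl = new Acl();
        // Sequence 10, deny, TCP, any -> any, src port > 0, dst port > 0.
        Ace seq10 = new Ace(10, Action.DENY, Protocol.TCP, 0, PortOperator.GT, 0, PortOperator.GT);
        acl.add(seq10);

        // Constructed sample flows using documentation address ranges.
        Flow[] samples = {
            new Flow(Protocol.TCP, "192.0.2.10", "198.51.100.5", 51000, 443),
            new Flow(Protocol.TCP, "192.0.2.11", "198.51.100.5", 40000, 22),
            new Flow(Protocol.UDP, "192.0.2.12", "198.51.100.53", 53000, 53),
        };
        for (Flow f : samples) {
            Action result = acl.evaluate(f);
            System.out.printf("%-4s %s:%d -> %s:%d  => %s%n",
                f.proto(), f.src(), f.srcPort(), f.dst(), f.dstPort(), result);
        }
        // The two TCP flows matched ACE 10; the UDP flow was denied implicitly.
        System.out.println("ACE 10 match count: " + seq10.matchCount);
    }
}
```

Running the model prints DENY for all three flows but a match count of 2 for ACE 10: the UDP flow never touched the ACE and was dropped by the implicit deny. On the real Network Element, the match count you retrieve for the ACE therefore does not account for traffic denied by the implicit deny; use the show commands below to see the full picture.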
After the ACL is applied, you can also log in to the Network Element and run a few commands to confirm it is in place. Run the following commands to display information about the applied ACL:
- show ip access-list dynamic
- show ip interface <interface name> | include access list
Remove an Access Control Element
Finally, we can easily remove the Access Control Element that we have applied.
Congratulations! You have applied an Access Control Element to an access control list, and applied the access control list to an interface on a Network Element.