Default Control Plane ACL Explained

Explaining the default Control Plane ACL

  • Control-plane traffic is defined as the traffic that is destined to or sourced from the CPU.
  • An access-list applied to the control-plane traffic is called the control-plane ACL.
  • By default, every Arista switch comes configured with a control-plane ACL, named ‘default-control-plane-acl’, which cannot be modified (read-only).

To add to the control-plane ACL, you should create a new ACL and apply it to the control-plane (see next section).

When customizing the default CP-ACL, be wary of removing original rules, since doing so can negatively impact necessary traffic on your network. Please see the Caveats section for examples. For most customers, the default CP-ACL is all that is ever needed. Arista recommends working with your SE to review any desired modifications.

You can view the default control-plane ACL used in Arista switches as of EOS version with the CLI command “show ip access-lists default-control-plane-acl”.

Many of the sequences in the ACL exist to permit well-known traffic, for example SSH, HTTPS, BGP, or BFD. This article won’t go into detail on these sequences, as documentation on those subjects already exists; instead, a link to the appropriate RFC or IANA registry is provided.

However, there are also Arista-specific protocols and features that must be permitted for the switch to function as expected. Details on these are given in the notes for the relevant entries.

Entry: counters per-entry
  Notes: Shows incrementing counters for when packets hit a particular entry; helpful in troubleshooting.
  Reference: https://www.arista.com/en/um-eos/eos-section-24-2-access-control-lists

Entry: 10 permit icmp any any
  Notes: ICMP
  Reference: https://tools.ietf.org/html/rfc777

Entry: 20 permit ip any any tracked
  Notes: The tracked keyword permits packets belonging to *existing* ICMP, UDP, or TCP connections (think BGP).
  Reference: https://www.arista.com/en/um-eos/eos-section-24-2-access-control-lists

Entry: 30 permit udp any any eq bfd ttl eq 255
  Notes: BFD
  Reference: https://tools.ietf.org/html/rfc5881

Entry: 40 permit udp any any eq bfd-echo ttl eq 254
  Notes: See directly above.

Entry: 50 permit udp any any eq multihop-bfd
  Notes: Multihop-BFD
  Reference: https://tools.ietf.org/html/rfc5883

Entry: 60 permit udp any any eq micro-bfd
  Notes: Micro-BFD
  Reference: https://tools.ietf.org/html/rfc7130

Entry: 70 permit udp any any eq sbfd
  Notes: SBFD is seamless BFD. One port is used for the initiator and one for the reflector.
  Reference: https://eos.arista.com/eos-4-24-1f/seamless-bfd-for-sr-te-policies/ and https://tools.ietf.org/html/rfc7881#page-2

Entry: 80 permit udp any eq sbfd any eq sbfd-initiator
  Notes: See directly above.

Entry: 90 permit ospf any any
  Notes: OSPF
  Reference: https://tools.ietf.org/html/rfc2328

Entry: 100 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
  Reference: IANA Service Name and Transport Protocol Port Number Registry

Entry: 110 permit udp any any eq bootps bootpc snmp rip ntp ldp
  Notes: bootps and bootpc are the bootstrap server (port 67) and client (port 68).
  Reference: https://tools.ietf.org/html/rfc951 and the IANA Service Name and Transport Protocol Port Number Registry

Entry: 120 permit tcp any any eq mlag ttl eq 255
  Notes: Required for MLAG control-plane traffic. Uses TCP and UDP port 4432 with TTL 255 (see the Caveats section for more details).

Entry: 130 permit udp any any eq mlag ttl eq 255
  Notes: See directly above.

Entry: 140 permit vrrp any any
  Notes: VRRP
  Reference: https://tools.ietf.org/html/rfc3768

Entry: 150 permit ahp any any
  Notes: Authentication Header protocol, part of IPsec.
  Reference: https://tools.ietf.org/html/rfc2402

Entry: 160 permit pim any any
  Notes: PIM is for dynamic multicast at layer 3.
  Reference: https://tools.ietf.org/html/rfc6559

Entry: 170 permit igmp any any
  Notes: IGMP is for dynamic multicast at layer 2.
  Reference: https://tools.ietf.org/html/rfc2236

Entry: 180 permit tcp any any range 5900 5910
  Notes: Used by VNC to on-board a virtual machine (VM on KVM).
  Reference: https://eos.arista.com/running-a-guest-vm-on-eos/

Entry: 190 permit tcp any any range 50000 50100
  Notes: Used by Arista features or extensions, and by customer extensions, that run on top of EOS/Linux. Some examples are LANZ streaming (50001), MLAG ARP-Sync (50002) and CVX (50003-50004).

Entry: 200 permit udp any any range 51000 51100
  Notes: VXLAN VTEP ARP-Sync uses 51023. CVP uses udpMinPort 51000, controllerUdpPort 51001, controllerClientUdpPort 51002 and udpMaxPort 51100.

Entry: 210 permit tcp any any eq 3333
  Notes: Used for the Local License Server (CVX).

Entry: 220 permit tcp any any eq nat ttl eq 255
  Notes: Ensures that only connections from a directly attached peer are allowed when using NAT Peer State Synchronization.
  Reference: https://eos.arista.com/eos-4-17-0f/nat-peer-state-synchronization/

Entry: 230 permit tcp any eq bgp any
  Notes: BGP uses TCP 179.
  Reference: https://tools.ietf.org/html/rfc1105

Entry: 240 permit rsvp any any
  Notes: Resource Reservation Protocol
  Reference: https://tools.ietf.org/html/rfc2205

Entry: 250 permit tcp any any eq 6040
  Notes: gRIBI, the gRPC Routing Information Base Interface.
  Reference: https://eos.arista.com/eos-4-23-1f/gribi-grpc-routing-information-base-interface/

Modifying the Control Plane ACL

The default control-plane ACL that protects the CPU is read-only and cannot be modified. However, you can create a new ACL and then apply it to replace the default CP ACL.

In this example, we will be creating a new ACL to restrict SNMP access to our switch.

 

Step 1: Start by copying all of the rules from the default ACL.

The default-control-plane-acl is not visible in the running config, but is visible via ‘show ip access-lists’.

Arista#show ip access-lists default-control-plane-acl
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any
20 permit ip any any tracked
30 permit udp any any eq bfd ttl eq 255
40 permit udp any any eq bfd-echo ttl eq 254
50 permit udp any any eq multihop-bfd
60 permit udp any any eq micro-bfd
70 permit udp any any eq sbfd
80 permit udp any eq sbfd any eq sbfd-initiator
90 permit ospf any any
100 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
110 permit udp any any eq bootps bootpc snmp rip ntp ldp
120 permit tcp any any eq mlag ttl eq 255
130 permit udp any any eq mlag ttl eq 255
140 permit vrrp any any
150 permit ahp any any
160 permit pim any any
170 permit igmp any any
180 permit tcp any any range 5900 5910
190 permit tcp any any range 50000 50100
200 permit udp any any range 51000 51100
210 permit tcp any any eq 3333
220 permit tcp any any eq nat ttl eq 255
230 permit tcp any eq bgp any
240 permit rsvp any any
250 permit tcp any any eq 6040

 

Step 2: Create the new ACL:

Arista(config)#ip access-list default-with-snmp

 

If applicable, find the sequence that needs to be altered:

110 permit udp any any eq bootps bootpc snmp rip ntp ldp

 

Modify, including adding new sequences if necessary:

110 permit udp any any eq bootps bootpc rip ntp ldp
114 permit udp 10.118.247.5 any eq snmp

 

Review the new ACL:

Arista#show ip access-lists default-with-snmp
IP Access List default-with-snmp
counters per-entry
10 permit icmp any any
20 permit ip any any tracked
30 permit udp any any eq bfd ttl eq 255
40 permit udp any any eq bfd-echo ttl eq 254
50 permit udp any any eq multihop-bfd
60 permit udp any any eq micro-bfd
70 permit udp any any eq sbfd
80 permit udp any eq sbfd any eq sbfd-initiator
90 permit ospf any any
100 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
110 permit udp any any eq bootps bootpc rip ntp ldp
114 permit udp 10.118.247.5 any eq snmp
120 permit tcp any any eq mlag ttl eq 255
130 permit udp any any eq mlag ttl eq 255
140 permit vrrp any any
150 permit ahp any any
160 permit pim any any
170 permit igmp any any
180 permit tcp any any range 5900 5910
190 permit tcp any any range 50000 50100
200 permit udp any any range 51000 51100
210 permit tcp any any eq 3333
220 permit tcp any any eq nat ttl eq 255
230 permit tcp any eq bgp any
240 permit rsvp any any
250 permit tcp any any eq 6040

 

Step 3: Apply the ACL to the control-plane. This replaces the default control-plane ACL, and access is then restricted or allowed according to the new ACL configuration. If done properly, this is a hitless configuration change.

Arista(config)#system control-plane
Arista(config-cp)#ip access-group default-with-snmp in

Note: See Restricting Access to your Switch in references for a more in-depth walkthrough.

 

Caveats in modifying the default CP-ACL

MLAG

Two rules must always be present for MLAG to work:

120 permit tcp any any eq mlag ttl eq 255
130 permit udp any any eq mlag ttl eq 255

Since MLAG uses TCP and UDP, both must be permitted to destination port ‘mlag’ (4432).

TTL must always be 255. This is a safety check as MLAG peers must always be one IP hop away.
If the MLAG packet arrives with a TTL < 255, it is dropped for security.

 

VXLAN ARP SYNC

VXLAN ARP sync requires only one rule to work:

200 permit udp any any range 51000 51100

If this rule is missing, a switch with VXLAN configured won’t sync ARP entries with its MLAG peer, or with remote VTEPs. This can be difficult to spot quickly during a transition from a pure bridging VXLAN deployment to an IRB deployment.

 

Remote connectivity

SSH is probably your preferred method of remotely accessing your switches. I’d like to say I’ve never seen someone remove this sequence, but that wouldn’t be true.

100 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi

Having to console into your switch because you weren’t careful when replacing the CP-ACL is fun for no one.
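The mistakes called out in this Caveats section (dropping the MLAG rules, the VXLAN ARP-sync range, or SSH) are easy to catch before Step 3 of the Modifying the Control Plane ACL procedure, by comparing the `show ip access-lists` text of the read-only default ACL against the replacement ACL before it is applied with `ip access-group ... in`. The following pre-flight check is an added example written for this article, not code from Arista or from the original post. The two ACL listings embedded in it are constructed from the article's own entries (trimmed to what the check needs); the replacement deliberately omits the UDP MLAG entry so the check has something to report, and the `REQUIRED` table encodes only the rules this section names (MLAG, VXLAN ARP sync, SSH).

```python
"""Pre-flight comparison of a replacement control-plane ACL against the EOS default.

Added example for this article (not Arista code). It parses the text of
`show ip access-lists <name>` for the read-only default ACL and for the
candidate replacement, lists entries that were dropped, changed or added,
and flags any rule the article's Caveats section says must survive.
"""
import re
from dataclasses import dataclass

# Constructed sample of `show ip access-lists default-control-plane-acl`,
# trimmed to the entries this check needs.
DEFAULT_ACL_OUTPUT = """\
IP Access List default-control-plane-acl [readonly]
counters per-entry
10 permit icmp any any
20 permit ip any any tracked
100 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
110 permit udp any any eq bootps bootpc snmp rip ntp ldp
120 permit tcp any any eq mlag ttl eq 255
130 permit udp any any eq mlag ttl eq 255
200 permit udp any any range 51000 51100
"""

# Constructed replacement: SNMP correctly restricted to one manager (seq 114),
# but the UDP MLAG entry (seq 130) was dropped by mistake.
CANDIDATE_ACL_OUTPUT = """\
IP Access List default-with-snmp
counters per-entry
10 permit icmp any any
20 permit ip any any tracked
100 permit tcp any any eq ssh telnet www snmp bgp https msdp ldp netconf-ssh gnmi
110 permit udp any any eq bootps bootpc rip ntp ldp
114 permit udp 10.118.247.5 any eq snmp
120 permit tcp any any eq mlag ttl eq 255
200 permit udp any any range 51000 51100
"""

# Rules the article's Caveats section says must be present: a label, the
# protocol, and tokens that must all appear in one permit entry for it.
REQUIRED = [
    ("MLAG (TCP 4432, TTL 255)", "tcp", ("mlag", "ttl", "255")),
    ("MLAG (UDP 4432, TTL 255)", "udp", ("mlag", "ttl", "255")),
    ("VXLAN ARP sync (UDP 51000-51100)", "udp", ("range", "51000", "51100")),
    ("SSH management access", "tcp", ("ssh",)),
]

# One ACL entry: sequence, permit/deny, protocol, and the rest of the line.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*)$")


@dataclass(frozen=True)
class AclEntry:
    seq: int
    action: str
    proto: str
    match: str  # rest of the line: source, destination, ports, ttl, flags

    @property
    def rule(self):
        """The entry without its sequence number, for comparing two ACLs."""
        return (self.action, self.proto, self.match)


def parse_acl(text):
    """Return {sequence: AclEntry} from `show ip access-lists` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            seq, action, proto, rest = m.groups()
            entries[int(seq)] = AclEntry(int(seq), action, proto, " ".join(rest.split()))
    return entries


def has_permit(entries, proto, tokens):
    """True if some permit entry for `proto` contains every token in `tokens`."""
    return any(
        e.action == "permit" and e.proto == proto
        and all(t in e.match.split() for t in tokens)
        for e in entries.values()
    )


def preflight(default_text, candidate_text):
    """Diff the candidate ACL against the default and check the required rules."""
    default = parse_acl(default_text)
    candidate = parse_acl(candidate_text)
    default_rules = {e.rule for e in default.values()}
    candidate_rules = {e.rule for e in candidate.values()}
    dropped = [e for e in default.values() if e.rule not in candidate_rules]
    added = [e for e in candidate.values() if e.rule not in default_rules]
    missing = [label for label, proto, toks in REQUIRED
               if not has_permit(candidate, proto, toks)]
    return {"dropped": dropped, "added": added,
            "missing_required": missing, "safe": not missing}


def report(result):
    """Render the pre-flight result as text for the operator to read."""
    lines = []
    for e in result["dropped"]:
        lines.append(f"dropped/changed: {e.seq} {e.action} {e.proto} {e.match}")
    for e in result["added"]:
        lines.append(f"added:           {e.seq} {e.action} {e.proto} {e.match}")
    for label in result["missing_required"]:
        lines.append(f"MISSING REQUIRED RULE: {label}")
    lines.append("OK to apply" if result["safe"]
                 else "DO NOT APPLY until the required rules are restored")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(preflight(DEFAULT_ACL_OUTPUT, CANDIDATE_ACL_OUTPUT)))
```

On a real switch, paste the full output of `show ip access-lists default-control-plane-acl` and of `show ip access-lists <new-acl>` into the two variables (or read them from files) and run the script before entering `system control-plane`; the "dropped/changed" lines show every default entry the new ACL no longer carries verbatim, which is exactly the list to review with your SE.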

 

References

Restricting Access to the Switch – https://eos.arista.com/restricting-access-to-the-switch/

Access Lists – https://www.arista.com/en/um-eos/eos-section-24-2-access-control-lists

IETF – https://tools.ietf.org/

IANA – Service Name and Transport Protocol Port Number Registry
