Posted on January 14, 2022 6:18 pm
 |  Asked by Artem Tokarev
Print Friendly, PDF & Email

I have a question regarding of various points where you can apply control plane ACLs on Arista switch. For example, I can see some of our devices apply ACL at control-plane, such as the following example.

ip access-group cpp-acl in

While other devices, apply it at management ssh configuration stanza.

management ssh
ip access-group ssh-acl in

I am pretty certain that control-plane is more general than management ssh or management api http-commands levels. By saying “more general”, I mean that ACL applied at control-plane level can include SSH and HTTP relevant ACL statements, while it would not make sense to filter HTTPs based ACL entries from management ssh level, or vice versa, SSH entries from management api http-commands. I searched, but did not find a good explanation between these options. Is there “preferred” level where you would want to filter control plane traffic, or is it completely up to switch admin to decide where to apply various ACLs (control-plane, management ssh, or management api http-commands)?

Answered on January 15, 2022 8:23 am

Hello Artem,

Thank you for the question.

You can find the control plane explanation below

Arista EOS implements a control-plane ACL to restrict the packets going to the CPU. This is done for security purposes, but its default configuration is very permissive.


Also, Starting the EOS 4.19.0 code, the control-plane ACL on the switch has been replaced by service ACLs. A Service ACL is a regular, software ACL created as usual in the EOS CLI.



Posted by Naveen Chandra
Answered on January 18, 2022 3:48 am

Hi Artem,

Thanks for writing to this forum. Answer to your question, “where you can apply control plane ACLs on Arista switch?”, by default, every Arista switch comes configured with a default control-plane ACL, named ‘default-control-plane-acl’, /applied on control-plane.

The 'default-control-plane-acl’ ACL cannot be modified (read-only), though the customer can add to the control-plane ACL and for that, he needs to create a new ACL and apply it to the control-plane (It seems your switch is having a customized control-plane ACL "cpp-acl").

You can view the default control-plane-acl used in Arista switches with the cli command “show ip access-list default-control-plane-acl”.

Many of the sequences in the acl exist to permit well known traffic, for example ssh, https, bgp, or bfd. Please refer the below article, suggested by my colleague Pushkraj, for the detail.

Posted by Artem Tokarev
Answered on January 18, 2022 3:44 pm

Thank Naveen and Pushkraj for your responses. My question is not so much about how to apply ACL to control-plane of the switch, or how to modify such ACL. It is more centered on the fact that Arista EOS provides several different points or levels where such and ACL can be applied, with varying degrees of specificity. My question is more in terms of why have several different options where such "control-plane" ACL can be applied? Does it potentially create more confusion? Would having one, consistent application option for such an ACL, be better than having multiple options?

For example, what would be the effective result if you have different ACLs applied to "control-plane" which is more restrictive in terms of allowed SSH traffic compared to another ACL, which is applied to "management ssh" level? Does more restrictive ACL at control-plane override less restrictive ACL at "management ssh" level, or the opposite is true?

Post your Answer

You must be logged in to post an answer.