Configuring User Zones

There is a configurable process for applications to insert an ACL (Access Control List) into a zone according to the priority of the application within that zone. Applications can occupy multiple zones. For example, you can add the Cli application to the DOS zone, and assign it a higher priority than the Dos application. The DOS zone then has two applications, Cli and Dos application, and within the DOS zone, an ACL created by the Cli has a higher priority than an ACL inserted by the Dos application.

Another way to configure ACL priority is by creating new zones. For example, you might create a zone called MY_HIGH_ZONE, and assign that zone a priority below the DOS zone and above the System zone. You can add applications to that zone and assign their priority.

The example below shows the ACL zone priority that would result from adding the MacInMac and Cli applications to MY_HIGH_ZONE:

  1. SYSTEM_HIGH_ZONE
    hal
  2. DOS Zone
    hal
    DoS
  3. MY_HIGH_ZONE
    MacInMac
    Cli
  4. SYSTEM Zone
    Dot1Ag
    Dot1AgDefault
    MacInMac
    Cli
  5. SECURITY Zone
    Sentriant
    FlowVSR
    FlowVSRTS
    Generic Xml
  6. SYSTEM_LOW_ZONE
    hal

Applications can insert an ACL into any of the zones to which the application belongs.

If an application attempts to insert an ACL into a zone where the application is not configured, an error message appears, and the ACL is not installed. Therefore, you have full control of ACL priorities and you can configure the switch to install ACLs from an application at any priority level. In the example above, the application Cli can insert an ACL into either MY_HIGH_ZONE or the SYSTEM zone. The location of the ACL within the zone depends on the priority assigned by the application. An application can assign priority to an ACL using:
  • priority attributes (first or last)
  • relative priority
  • priority numbers

The priority attributes first (highest priority) and last (lowest priority) can be applied to an ACL to establish its position within a zone.

Relative priority sets the ACL priority relative to another ACL already installed by the application in the same zone.

Priority numbers allow an application to specify the priority of an ACL within a zone. The priority numbers are unsigned integers from 0 to 7; a lower number represents a higher priority. This means that if an application adds an ACL at priority 5 and later adds another ACL at priority 3, the second ACL has higher priority.

If an application assigns the same priority number to two ACLs, the ACL added most recently has the higher priority. It is inserted in the priority map immediately ahead of the older ACL that has the same priority number. This effectively allows the application to create sub-zones within a zone. The attributes first and last can be used in combination with priority numbers to prioritize the ACLs within a sub-zone. For example, an ACL could be configured with the first attribute, along with the same priority number as other ACLs in the same zone, effectively assigning that ACL the highest priority within a sub-zone.

The show configuration command shows the current configuration of the entire switch in the form of CLI commands which can later be played back to configure the switch.

The show configuration acl command shows the current configuration of the ACL manager.

The new application keyword allows you to specify the application to which the ACL will be bound. Typically, applications create and insert ACLs on the switch; however the administrator can install ACLs "on behalf" of an application by specifying the application keyword. (This keyword is also used with the show config acl command to enable CLI playback). If no application is specified, the default application is CLI.

This means you have the ability to create, delete, and configure ACLs for any application.

  • To create a zone, use the following command:

    create access-list zone name zone-prioritynumber

  • To configure the priority of zones, use the following command:

    configure access-list zone name zone-priority number

  • To add an application to a zone at a particular priority, or to change the priority of an application within a zone, use the following command:

    configure access-list zone name {add} applicationappl-name application_priority number

    An application must occupy at least one zone.

  • To move an application within a zone or to another zone, use the following command:

    configure access-list zone name move-applicationappl-name to-zonenumber application-prioritynumber

    All applications can be configured to go into any and all zones.

    A change in the zone list results in a change in the order of dynamic ACLs that have been applied per interface. The changes in hardware are achieved by uninstalling and then reinstalling the dynamic ACLs in the new positions. There is a possibility, due to hardware constraints, that some ACLs will not be reinstalled. These occurrences are logged.

  • To delete an application from a zone, use the following command:

    configure access-list zone name delete application appl-name

    When you delete an application from a zone, any ACLs that have been inserted into that zone for the deleted application are moved to the next higher zone in which the application appears.

  • To delete a zone, use the following command:

    delete access-list zone name

    You must remove all applications from a zone before you can delete the zone. You cannot delete the default zones.