BGP FLowspec to Yang/Yaml ACL

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Wed Jun 17 12:05:03 UTC 2020


In order to use YANG you need a device that can speak NETCONF/RESTCONF and understands YANG.

There’s no such thing as “the YANG ACL”: there’s the IETF YANG model for ACLs, there’s the OpenConfig one, and your switch vendor might have another YANG model for representing ACLs.

Whichever model provides sufficient coverage for your use case (i.e. you can use the model to specify SRC/DST/MASK/DENY/ACCEPT) and is supported natively by your device (you can send the ACL config in this format to the device and it knows what to do) is the right one for you.

If your devices do not support NETCONF/RESTCONF or understand YANG, you can still push the ACL changes via CLI scraping (Ansible).

Now in either case (netconf-yang/ansible), what you’re better off with is a tool that allows an operator to enter the details of the ACL line to be added (details of the flow), takes that input and inserts it into the pre-defined/prepared template (yang/ansible template), and then just prompts for the resulting config to be pushed onto the device(s).

adam
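
The template-driven approach described above (an operator enters the flow details, a script renders them into a model the device understands) as an added example that is not code from either poster: it turns basic permit/deny Flowspec-style matches into an RFC 8519 ietf-access-control-list JSON body of the kind a RESTCONF/NETCONF capable switch can accept, and rejects the redirect/rate-limit actions the original question leaves out. The `src/dst/proto/dport` input syntax, the sample rules and the ACL name are assumptions of this example.

```python
# Added example: render Flowspec-style permit/deny matches as an RFC 8519 ACL JSON body.
import ipaddress
import json

ACTIONS = {"accept": "accept", "deny": "drop"}  # Flowspec discard == forwarding "drop"
PROTOCOLS = {"tcp": 6, "udp": 17, "icmp": 1}   # IANA numbers for the ipv4/protocol leaf


def parse_rule(line):
    """Parse 'src A/B dst C/D [proto P] [dport N] accept|deny' (syntax assumed here)."""
    tokens = line.split()
    if len(tokens) < 5 or len(tokens) % 2 == 0:
        raise ValueError(f"malformed rule: {line!r}")
    *pairs, action = tokens
    if action not in ACTIONS:  # redirect / rate-limit are deliberately not handled
        raise ValueError(f"unsupported action {action!r}: only accept/deny are handled")
    fields = dict(zip(pairs[0::2], pairs[1::2]))
    fields["action"] = action
    return fields


def to_ace(name, fields):
    """Build one ACE; strict=True rejects prefixes with host bits set (typo guard)."""
    ipv4 = {
        "source-ipv4-network": str(ipaddress.IPv4Network(fields["src"], strict=True)),
        "destination-ipv4-network": str(ipaddress.IPv4Network(fields["dst"], strict=True)),
    }
    matches = {"ipv4": ipv4}
    proto = fields.get("proto")
    if proto is not None:
        ipv4["protocol"] = PROTOCOLS[proto]
    if "dport" in fields:
        if proto not in ("tcp", "udp"):
            raise ValueError("dport requires proto tcp or udp")
        matches[proto] = {"destination-port": {"operator": "eq", "port": int(fields["dport"])}}
    return {"name": name, "matches": matches, "actions": {"forwarding": ACTIONS[fields["action"]]}}


def build_acl(acl_name, rule_lines):
    """Wrap the ACEs in the ietf-access-control-list top-level container."""
    aces = [to_ace(f"ace{i}", parse_rule(r)) for i, r in enumerate(rule_lines, 1)]
    acl = {"name": acl_name, "type": "ietf-access-control-list:ipv4-acl-type", "aces": {"ace": aces}}
    return {"ietf-access-control-list:acls": {"acl": [acl]}}


if __name__ == "__main__":
    rules = ["src 192.0.2.0/24 dst 198.51.100.10/32 proto tcp dport 80 deny",  # constructed sample
             "src 0.0.0.0/0 dst 198.51.100.10/32 accept"]
    print(json.dumps(build_acl("FLOWSPEC-EDGE", rules), indent=2))
```

The resulting document is what a RESTCONF PUT/PATCH to the device's `ietf-access-control-list:acls` resource would carry; the push step itself is left to the tool you pick (RESTCONF client, NETCONF, or an Ansible module).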

 

From: NANOG <nanog-bounces at nanog.org> On Behalf Of Douglas Fischer
Sent: Tuesday, June 16, 2020 7:40 PM
To: nanog at nanog.org
Subject: BGP FLowspec to Yang/Yaml ACL

We were looking for some way to implement BGP Flowspec filtering (just basic permit/deny) using L3 switches in an automated way.

Searching a bit, we found https://github.com/ios-xr/bgpfs2acl

It is almost what we are looking for!
But it is focused on Cisco devices.

We even considered forking it for our specific vendor.
But before reinventing the wheel, I decided to ask colleagues if anybody knows of some tool that converts BGP Flowspec ACLs into YAML or even YANG.

If that exists, with Ansible/NETCONF/RESTCONF (or some similar tool), it would be easy to delegate to switches the basic filtering that only more expensive routers can do right now.

P.S.: This idea does not include (at first) more complex features of Flowspec like Redirect or Rate-Limit.

Any suggestions or ideas?

-- 

Douglas Fernando Fischer
Control and Automation Engineer
