Configuration to control ACL set/entry counter allocation #1122
Conversation
…set and per ACL entry
|
/gcbrun |
|
No major YANG version changes in commit 849eca5 |
|
OC does not have a way to enable/disable ACL counters so this sounds like a good gap to close. EOS support looks like My interpretation of the SRLinux doc is it supports enable/disable of |
|
@dplore, the SRLinux implementation has two different controls: one to control whether the ACL is shared by multiple interfaces or not and another to control whether stats are enabled or disabled for all entries of the acl-set. So these two controls together will determine whether a particular acl-set's entries have AGGREGATE or INTERFACE capability. |
| @@ -527,6 +550,15 @@ module openconfig-acl { | |||
| "Description, or comment, for the ACL set"; | |||
| } | |||
|
|
|||
| leaf counter { | |||
There was a problem hiding this comment.
this leaf is not needed, as the grouping "access-list-entries-config" is used in both config and state containers.
|
@nokia1adam let me know if you'd like to continue this PR |
This code is a Contribution to the OpenConfig Public project (“Work”) made under the Google Software Grant and Corporate Contributor License Agreement (“CLA”) and governed by the Apache License 2.0. No other rights or licenses in or to any of Nokia’s intellectual property are granted for any other purpose. This code is provided on an “as is” basis without any warranties of any kind.
Change Scope
At present, the allocation of system resources needed to provide counters for packets matching ACL entries cannot be controlled through configuration. This PR aims to fill this gap by introducing the following new paths:
acl/acl-sets/acl-set/config/counter
acl/acl-sets/acl-set/state/counter
acl/acl-sets/acl-set/acl-entries/acl-entry/config/counter
acl/acl-sets/acl-set/acl-entries/acl-entry/state/counter
The permitted values are: NONE, INTERFACE_ONLY, AGGREGATE_ONLY and INTERFACE_AGGREGATE. These are the same values as supported by the existing ACL_COUNTER_CAPABILITY except now NONE has been added as well, in order to allow the operator to disable stats collection for specific ACL sets or ACL entries in order to conserve limited resources.
The description for /acl/state/counter-capability has been amended to recommend that no value should be returned in state if the support of counters is not uniformly configured for all ACL sets and all ACL entries.
Implementations
Many vendors support some form of configuration control for ACL counters.
Arista: https://www.arista.com/en/um-eos/eos-acls-and-route-maps
Nokia: https://documentation.nokia.com/srlinux/24-3/books/acl-policy-based-routing/access-control-lists.html