openconfig / public

Repository for publishing OpenConfig models, documentation, and other material for the community.
Apache License 2.0

'redirect' action needed for OC-ACL #434

Closed rajatiitd closed 3 months ago

rajatiitd commented 3 years ago

Hi OC-Team,

This is a vendor (Company: Juniper Networks Inc) suggestion for adding a new action name 'redirect' at the following path.

/acl/acl-sets/acl-set/acl-entries/acl-entry/action/config/redirect

The main purpose of this 'redirect' action is to redirect the matched packets against a rule to an inline monitoring instance.

For this, the grouping action-config (file: https://github.com/openconfig/public/blob/master/release/models/acl/openconfig-acl.yang) needs to be updated as below:

grouping action-config {
  description "Config of action type";

  leaf forwarding-action {
    type identityref {
      base FORWARDING_ACTION;
    }
    mandatory true;
    description
      "Specifies the forwarding action.
       One forwarding action must be
       specified for each ACL entry";
  }

  leaf log-action {
    type identityref {
      base LOG_ACTION;
    }
    default LOG_NONE;
    description
      "Specifies the log action and destination for
       matched packets.  The default is not to log the
       packet.";
  }

  // New 'redirect' action
  leaf redirect {
    type string;
    description
      "Redirects the matched packets to instance for inline monitoring";
  }
}

With the help of redirect action, inline-monitoring can be performed using openconfig-acl.

Please let me know your inputs.

Thanks, Rajat Rastogi
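
Added example (not part of the original post and not OpenConfig project code): a Python lint of acl-entry action configs against the grouping proposed above. Because the proposed `redirect` leaf is a plain `string`, the model cannot verify that the named monitoring instance exists, so the check is done here. The identity names are those defined in openconfig-acl.yang; the instance names and sample entries are constructed assumptions.

```python
# Identities defined in openconfig-acl.yang.
FORWARDING_ACTIONS = {"ACCEPT", "DROP", "REJECT"}
LOG_ACTIONS = {"LOG_SYSLOG", "LOG_NONE"}


def strip_prefix(identity):
    """Accept both 'ACCEPT' and module-qualified 'openconfig-acl:ACCEPT'."""
    return identity.split(":", 1)[-1]


def check_action(config, monitor_instances):
    """Return (normalized_config, errors) for one acl-entry action/config."""
    errors = []
    fwd = config.get("forwarding-action")
    if fwd is None:
        errors.append("forwarding-action is mandatory")
    elif strip_prefix(fwd) not in FORWARDING_ACTIONS:
        errors.append(f"unknown forwarding-action {fwd!r}")
    log = config.get("log-action", "LOG_NONE")  # YANG default from the grouping
    if strip_prefix(log) not in LOG_ACTIONS:
        errors.append(f"unknown log-action {log!r}")
    redirect = config.get("redirect")
    if redirect is not None:
        # 'type string' accepts any value, so a dangling reference is only
        # caught by comparing against the configured instances (hypothetical set).
        if not isinstance(redirect, str):
            errors.append("redirect must be a string")
        elif redirect not in monitor_instances:
            errors.append(f"redirect target {redirect!r} is not a configured instance")
    return {**config, "log-action": log}, errors


def lint_entries(entries, monitor_instances):
    """Map sequence-id -> list of errors, for entries that have any."""
    report = {}
    for seq, config in entries.items():
        _, errors = check_action(config, monitor_instances)
        if errors:
            report[seq] = errors
    return report


# Constructed sample data: entry 20 misspells the instance, entry 30 lacks an action.
INSTANCES = {"im-instance-1"}
ENTRIES = {
    10: {"forwarding-action": "ACCEPT", "redirect": "im-instance-1"},
    20: {"forwarding-action": "openconfig-acl:ACCEPT", "redirect": "im-instnace-1"},
    30: {"log-action": "LOG_SYSLOG"},
}

if __name__ == "__main__":
    for seq, errs in lint_entries(ENTRIES, INSTANCES).items():
        print(seq, errs)
```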

robshakir commented 3 years ago

This sounds reasonable to me.

I presume that in JNPR's implementation there is a well known monitoring interface. Can you please confirm that this is the case with other vendors such that we can add this to the model?

I can act as shepherd for this change, per the contributions guide. Please can you confirm the above, and then submit a PR.

Please also ensure that you are included in your organisation's CLA so the CLA checks pass.

Thanks for the contribution! r.

rajatiitd commented 3 years ago

Hi Rob Shakir,

Thanks for your support.

I discussed further within my team and finalized the proposed yang model for 'redirect' action in OC-ACL.

Please find below the attached openconfig_modified_yang.zip file which contains modified openconfig-acl.yang, openconfig-sampling-sflow.yang and openconfig-sampling-inline-monitor.yang files.

The openconfig-sampling-inline-monitor.yang is a new submodule that is used by openconfig-sampling-sflow module.

openconfig_modified_yang.zip

Please let us know if you have any concerns or queries.

Thanks Rajat Rastogi

rajatiitd commented 3 years ago

Hi Rob Shakir,

For the earlier proposal, please find the attached openconfig_modified_yang.zip file, which contains the following:

a. openconfig-acl.yang
b. openconfig-sampling-sflow.yang
c. openconfig-sampling-inline-monitor.yang

As mentioned earlier, the main objectives behind the proposal are as follows:

  1. This is a vendor (Company: Juniper Networks Inc) suggestion for adding a new action name 'redirect' at the following path.

/acl/acl-sets/acl-set/acl-entries/acl-entry/action/config/redirect

The main purpose of this 'redirect' action is to redirect the matched packets against a rule to a sampling inline monitoring instance. Right now there is no way to define the sampling inline monitor instance. To define it please go through the following points.

  1. The sampling sflow module includes a new submodule named as sampling inline monitor.

  2. The openconfig-sampling-inline-monitor.yang defines a new submodule that will be used by openconfig-sampling-sflow module. This file contains the configurations related to sampling inline monitor.

  3. Using openconfig-sampling-inline-monitor submodule, we can configure a sampling inline-monitoring instance.

Please let me know if you need the patch for the same.

Thanks Rajat

openconfig_modified_yang.zip

rajatiitd commented 3 years ago

Hi OC-Team,

Gentle reminder.

Can you please revert back to this revised requirement?

Thanks and regards, Rajat Rastogi

aashaikh commented 3 years ago

Rajat, I believe the AI from earlier comments was for you to check and confirm that other vendor platforms also have an analog of a monitoring interface/instance that can be used in an ACL redirect action, such that this could be supported in a vendor-agnostic way.

rajatiitd commented 3 years ago

@aashaikh thanks for the response.

I checked and found that only a few vendors use inline monitoring which is the target for redirect action of OC-ACL rule.

If this is the case, what is the way to move forward for such OC-ACL requirements? Kindly advise.

Thanks Rajat

robshakir commented 3 years ago

Our requirements here are that >=2 NOS (from separate vendors) implement the functionality, it does not need to be globally supported. If you can provide references to those implementations, as well as the change in the form of a pull request to this repository, we can proceed with reviewing the change.

Please see this document for the guide on how to contribute to the OpenConfig public repo.

github-actions[bot] commented 5 months ago

This issue is stale because it has been open 180 days with no activity. If you wish to keep this issue active, please remove the stale label or add a comment, otherwise will be closed in 14 days.