Command Line Reference
Security Configuration
ACL
ACL view

Table 1: ACL view

show acl table
[command] show acl table [ table name ]
[purpose] Display the existing ACL tables.
[view] Privileged user view
[use cases]
    sonic# show acl table
    Name     Type   Binding    Description  Stage
    table 2  l3     Ethernet8  table 2      ingress
    table 1  vxlan stats       table 1      ingress
    sonic# show acl table table 1
    Name     Type   Binding    Description  Stage
    table 1  vxlan stats       table 1      ingress

show acl rule
[command] show acl rule [ table name ] [ rule id ]
[purpose] Display the existing ACL rules.
[view] Privileged user view
[use cases]
    sonic# show acl rule
    Table    Rule     Priority  Action  Match
    dataacl  rule 1   9999      drop    src ip 10.0.0.2/32
    dataacl  rule 2   9998      drop    dst ip 192.168.0.16/32
    dataacl  rule 3   9997      drop    l4 src port 4661
    dataacl  rule 4   9996      drop    ip protocol 126
    dataacl  rule 13  9987      drop    ip protocol 1, src ip 10.0.0.2/32
    sonic# show acl rule table 1 rule 1
    Table    Rule    Priority  Action  Match
    table 1  rule 1  100       drop    src ip 200.0.0.2/24

show counters acl
[command] show counters acl [ table name ] [ rule id ]
[purpose] Display the ACL counters.
[view] Privileged user view
[notes] Specify multiple tables or rules separated by commas.
[use cases]
    sonic# show counters acl table 1,table 2
    Rule name  Table name  Prio  Packets count  Bytes count
    rule 1     table 1     100   N/A            N/A
    rule 2     table 2     2     N/A            N/A
    rule 1     table 2     1     N/A            N/A

clear counters acl
[command] clear counters acl
[purpose] Clear the ACL counters.
[view] Privileged user view
[use cases]
    sonic# clear counters acl

show time range
[command] show time range { all | timer name }
[purpose] Display the ACL effective time configuration.
[view] Privileged user view
[use cases]
    sonic# show time range all
    sonic# show time range timer 1

ACL configuration

Control plane ACL

Table 2: Control plane ACL

access list (control plane)
[command] access list table name ctrlplane protocol
[purpose] Add a control plane ACL table.
[view] Global configuration view
[notes] Run the command no access list table name to delete the ACL table.
[use cases]
    sonic# configure terminal
    sonic(config)# access list test1 ctrlplane ssh
    sonic(config ctrlplane acl test1)#

rule (control plane)
[command] rule rule id packet action { accept | deny } [ source ip sip | source ipv6 sipv6 ] [ time range timer name ]
[purpose] Add an ACL rule.
[view] ACL table configuration view
[notes] Rules with the same priority are not allowed in one ACL table. Run the command no rule rule id to delete the ACL rule.
[use cases]
    sonic# configure terminal
    sonic(config)# access list test1 ctrlplane ssh
    sonic(config ctrlplane acl test1)# rule 100 packet action deny source ip 192.168.10.85
    sonic(config ctrlplane acl test1)# rule 1 source ip 192.168.30.138 packet action deny time range timer 1
    sonic(config ctrlplane acl test1)# show this
    !
    access list test1 ctrlplane ssh
     rule 100 packet action deny source ip 192.168.10.85
     rule 1 source ip 192.168.30.138 packet action deny time range timer 1

rule default drop
[command] rule default drop [ interface all ]
[purpose] Add a drop rule.
[view] ACL table configuration view
[notes] Run the command no rule default drop to delete the drop rule.
[use cases]
    sonic# configure terminal
    sonic(config)# access list test1 ctrlplane ssh
    sonic(config ctrlplane acl test1)# rule default drop interface all
    sonic(config ctrlplane acl test1)# show this
    !
    access list test1 ctrlplane ssh
     rule default drop interface all

Data plane ACL

Table 3: Data plane ACL

access list (data plane)
[command] access list table name { l2 | l3 | l3v6 | mirror | mirrorv6 | flow control } { ingress | egress }
[purpose] Add a data plane ACL table.
[view] Global configuration view
[notes] ACLs of type l2/l3/l3v6 are used for Layer 2, Layer 3 and Layer 3 IPv6 traffic forwarding respectively. mirror/mirrorv6 are used for local mirroring (SPAN) and remote mirroring (ERSPAN). flow control ACLs are usually used together with the policer module to implement rate limiting for specific flows. Run the command no access list table name to delete the ACL table.
[use cases]
    sonic# configure terminal
    sonic(config)# access list table 1 flow control ingress
    sonic(config)# access list table 3 l3 egress

bind interface
[command] bind interface { { ethernet | link aggregation } interface name | all }
[purpose] Apply the ACL table to an interface.
[view] ACL table configuration view
[notes] An ACL table is bound to ports: binding a table to a set of ports means the table is applied to the traffic on those ports. An ACL table can be bound to multiple ports, and a port can have multiple ACL tables, so the relationship is many-to-many. Run the command no bind interface { { ethernet | link aggregation } interface name | all } to unbind the interface.
[use cases]
    sonic# configure terminal
    sonic(config)# access list table 1 l3 ingress
    sonic(config l3 acl table 1)# bind interface ethernet 0/1
    sonic(config l3 acl table 1)# bind interface all

rule (data plane)
[command] rule rule id action rule [ time range timer name ], where the action takes one of the following forms:
    rule rule id packet action { drop | deny | permit | trap to cpu | copy to cpu } rule [ time range timer name ]
        drop / deny / forward / trap to CPU / trap to CPU and forward (ingress only)
    rule rule id packet action { deny | permit | trap to cpu | copy to cpu } rule [ time range timer name ]
        deny / forward (egress only)
    rule rule id redirect action { { ethernet | link aggregation } interface name | A.B.C.D | X:X::X:X } rule [ time range timer name ]
        redirect (ingress only)
    rule rule id set tc tc rule [ time range timer name ]
        set CoS (ingress only)
    rule rule id set dscp dscp rule [ time range timer name ]
        set DSCP
    rule rule id set pcp pcp rule [ time range timer name ]
        set VLAN priority
    rule rule id traffic behavior traffic behavior name rule [ time range timer name ]
        limit the rate of a specific flow (flow control only)
    rule rule id action mirror session session id
        mirror the traffic of a specific flow
[purpose] Create an ACL rule.
[parameters] Different ACL table types support different match fields (l2, l3, l3v6, mirror, mirrorv6 and flow control ACL tables each have their own set).
[view] ACL table configuration view
[notes] An ACL rule can only be added to one table, but a table can hold more than one rule, so rule and table are in a many-to-one relationship. Rules with the same priority are not allowed in one ACL table. Run the command no rule rule id to delete the ACL rule.
[use cases]
    sonic# configure terminal
    sonic(config)# access list table 1 l3 ingress
    sonic(config l3 acl table 1)# rule 1 source ip 10.0.0.3/24 packet action permit
    sonic(config l3 acl table 1)# rule 1 source ip 192.168.30.138 set tc 6 time range timer 1

Policy routing based on ACL

Table 4: Policy routing based on ACL

access list nexthop group
[command] access list nexthop group group number
[purpose] Add a next hop group.
[view] Global configuration view
[notes] Run the command no access list nexthop group group number to delete the next hop group.
[use cases]
    sonic# configure terminal
    sonic(config)# access list nexthop group 1
    sonic(config acl nexthop group 1)#

ip address
[command] ip address { A.B.C.D | X:X::X:X }
[purpose] Add next hops to the next hop group.
[view] Next hop group configuration view
[notes] The next hop address must be reachable, and the configuration takes effect only after commit. Run the command no ip address { A.B.C.D | X:X::X:X } to delete a next hop address.
[use cases]
    sonic# configure terminal
    sonic(config)# access list nexthop group 1
    sonic(config acl nexthop group 1)# ip address 1.0.0.1
    sonic(config acl nexthop group 1)# ip address 2.0.0.1
    sonic(config acl nexthop group 1)# ip address 2000::1
    sonic(config acl nexthop group 1)# ip address 2001::1
    sonic(config acl nexthop group 1)# commit
    sonic(config acl nexthop group 1)# show this
    !
    access list nexthop group 1
     ip address 1.0.0.1
     ip address 2.0.0.1
     ip address 2000::1
     ip address 2001::1
     commit

access list (policy routing)
[command] access list table name { l3 | l3v6 } ingress
[purpose] Add an ACL table.
[view] Global configuration view
[notes] Run the command no access list table name to delete the ACL table.
[use cases]
    sonic# configure terminal
    sonic(config)# access list test l3 ingress

bind interface
[command] bind interface { { ethernet | link aggregation } interface name | all }
[purpose] Apply the ACL table to an interface.
[view] ACL table configuration view
[notes] Run the command no bind interface { { ethernet | link aggregation } interface name | all } to unbind the interface.
[use cases]
    sonic# configure terminal
    sonic(config)# access list test l3 ingress
    sonic(config l3 acl test)# bind interface ethernet 0/1
    sonic(config l3 acl test)# rule 10 destination ip 96.0.0.7 redirect action nexthop group 1

rule (policy routing)
[command] rule rule id redirect action nexthop group group number [ rule ] [ time range timer name ]
[purpose] Add a policy route based on an ACL.
[parameters] Different ACL table types support different match fields (l3 and l3v6 ACL tables each have their own set).
[view] ACL table configuration view
[notes] Rules with the same priority are not allowed in one ACL table. Run the command no rule rule id to delete the ACL rule.
[use cases]
    sonic# configure terminal
    sonic(config)# access list table 1 l3 ingress

Set a time period for ACL

Table 5: Set a time period for ACL

time range (periodic)
[command] time range timer name xx:xx to xx:xx days
[purpose] Create a time period based on a periodic time range.
[view] Global configuration view
[notes] Multiple periodic time ranges can be configured under the same timer name. Run the command no time range timer name to delete the ACL timer. Run the command no time range timer name xx:xx to xx:xx days to delete a single time range under the ACL timer.
[use cases]
    sonic# configure terminal
    sonic(config)# time range timer 1 23:59 to 11:38 0,1
    sonic(config)# time range timer 1 11:40 to 11:45 0 1
    sonic(config)# time range timer 1 11:40 to 11:45 2
    sonic(config)# time range timer 1 11:50 to 11:55 mon,wed
    sonic(config)# time range timer 1 12:05 to 12:15 daily
    sonic(config)# time range timer 1 13:05 to 13:15 off day
    sonic(config)# time range timer 1 14:05 to 14:15 working day

time range (absolute)
[command] time range timer name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx
[purpose] Create a time period based on an absolute time range.
[view] Global configuration view
[notes] Multiple absolute time ranges can be configured under the same timer name. An absolute time range and a periodic time range can be configured under the same timer name; the effective time is then the intersection of the two configurations. Run the command no time range timer name to delete the ACL timer. Run the command no time range from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx to delete a single time range under the ACL timer.
[use cases]
    sonic# configure terminal
    sonic(config)# time range timer 1 from 11:00 2024/10/14 to 11:00 2024/10/20
    sonic(config)# time range timer 1 from 11:00 2024/10/25 to 11:00 2024/10/28
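The periodic/absolute timer semantics described above (several ranges per timer, a window that crosses midnight, and the effective time being the intersection of the periodic and absolute configurations) as an added worked example; this is illustrative code written here, not the switch's implementation. It assumes Monday=0 for numeric days, that "working day" means Mon-Fri and "off day" Sat-Sun, and that a window such as 23:59 to 11:38 starts on a listed day and runs into the next day; the timer it builds is constructed to resemble the page's use cases.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Assumption: day numbers count from Monday=0, "working day" is Mon-Fri and "off day" is Sat-Sun.
DAY_NAMES = {"mon": 0, "tue": 1, "wed": 2, "thu": 3, "fri": 4, "sat": 5, "sun": 6}
DAY_GROUPS = {"daily": set(range(7)), "working-day": set(range(5)), "off-day": {5, 6}}

def parse_days(spec: str) -> set:
    """Turn the CLI days field ("daily", "off day", "mon,wed", "0,1") into weekday numbers."""
    spec = spec.strip().lower().replace(" ", "-")
    if spec in DAY_GROUPS:
        return set(DAY_GROUPS[spec])
    days = {int(p) if p.isdigit() else DAY_NAMES[p] for p in spec.split(",")}
    if not days <= set(range(7)):
        raise ValueError(f"bad days spec: {spec!r}")
    return days

@dataclass
class AclTimer:
    name: str
    periodic: list = field(default_factory=list)  # (start time, end time, set of weekdays)
    absolute: list = field(default_factory=list)  # (start datetime, end datetime)

    def add_periodic(self, start: str, end: str, days: str) -> None:
        self.periodic.append((time.fromisoformat(start), time.fromisoformat(end), parse_days(days)))

    def add_absolute(self, start: str, end: str) -> None:
        fmt = "%H:%M %Y/%m/%d"  # the CLI's "xx:xx xxxx/xx/xx" form
        self.absolute.append((datetime.strptime(start, fmt), datetime.strptime(end, fmt)))

    def periodic_active(self, ts: datetime) -> bool:
        t, today, yesterday = ts.time(), ts.weekday(), (ts - timedelta(days=1)).weekday()
        for start, end, days in self.periodic:
            if start <= end:
                if today in days and start <= t < end:
                    return True
            # A window such as 23:59 to 11:38 crosses midnight: it begins on a listed day
            # and keeps running into the following day (assumed semantics).
            elif (today in days and t >= start) or (yesterday in days and t < end):
                return True
        return False

    def absolute_active(self, ts: datetime) -> bool:
        return any(start <= ts < end for start, end in self.absolute)

    def is_active(self, ts) -> bool:
        """Effective time is the intersection of the periodic and the absolute configuration."""
        if isinstance(ts, str):  # also accept the CLI style "HH:MM YYYY/MM/DD"
            ts = datetime.strptime(ts, "%H:%M %Y/%m/%d")
        periodic_ok = self.periodic_active(ts) if self.periodic else True
        absolute_ok = self.absolute_active(ts) if self.absolute else True
        return periodic_ok and absolute_ok  # no ranges at all: always active (assumption)

def build_timer_1() -> AclTimer:
    """Constructed timer modelled on the page's use cases (not captured from a device)."""
    t = AclTimer("timer 1")
    t.add_periodic("23:59", "11:38", "mon,tue")
    t.add_periodic("12:05", "12:15", "daily")
    t.add_periodic("13:05", "13:15", "off day")
    t.add_periodic("14:05", "14:15", "working day")
    t.add_absolute("11:00 2024/10/14", "11:00 2024/10/20")
    t.add_absolute("11:00 2024/10/25", "11:00 2024/10/28")
    return t
```

A rule bound to this timer is only enforced at instants where is_active returns True; checking a few instants on either side of each absolute boundary is a quick way to confirm a timer does what the operator intended before it gates a deny rule.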
