Skip to content
AsterNOS
Ask AI

ACL

Table 1 ACL View

CommandPurpose
**show acl table ** [table_name]Display existing ACL tables.
**show acl rule ** [table_name] [rule_id]Display existing ACL rules.
**show counters acl ** [table_name] [rule-id]Display ACL counters
clear counters aclClear ACL counters
show time-range {alltimer-name}

show acl table [

Section titled “show acl table [”

[Command] **show acl table ** [table_name]

[Purpose] Display existing ACL tables.

[Parameters]

ParameterDescription
table_nameSpecify the table name.

[View] Privileged User View

[Use Cases]

sonic# show acl table
Name     Type         Binding    Description    Stage
-------  -----------  ---------  -------------  -------
TABLE_2  L3           Ethernet8  TABLE_2        ingress
TABLE_1  VXLAN_STATS             TABLE_1        ingress
sonic# show acl table TABLE_1
Name     Type         Binding    Description    Stage
-------  -----------  ---------  -------------  -------
TABLE_1  VXLAN_STATS             TABLE_1        ingress

[Command] **show acl rule ** [table_name] [rule_id]

[Purpose] Display existing ACL rules.

[Parameters]

ParameterDescription
table_nameSpecify the table name.
rule_idSpecify the rule name.

[View] Privileged User View

[Use Cases]

sonic# show acl rule
Table   Rule          Priority    Action    Match
-------  ------------  ----------  --------  -----------------------
DATAACL  RULE_1        9999        DROP      SRC_IP: 10.0.0.2/32
DATAACL  RULE_2        9998        DROP      DST_IP: 192.168.0.16/32
DATAACL  RULE_3        9997        DROP      L4_SRC_PORT: 4661
DATAACL  RULE_4        9996        DROP      IP_PROTOCOL: 126
DATAACL  RULE_13       9987        DROP      IP_PROTOCOL: 1
                                             SRC_IP: 10.0.0.2/32
sonic# show acl rule TABLE_1 RULE_1
Table   Rule      Priority  Action    Match
-------  ------  ----------  --------  --------------------
TABLE_1  RULE_1         100  DROP      SRC_IP: 200.0.0.2/24

show counters acl [

Section titled “show counters acl [”

[Command] **show counters acl ** [table_name] [rule-id]

[Purpose] Display ACL counters.

[Parameters]

ParameterDescription
table_nameSpecify the table name.
rule_idSpecify the rule name.

[View] Privileged User View

[Notes] Specify multiple tables or rules separated by commas.

[Use Cases]

sonic# show counters acl TABLE_1,TABLE_2
RULE NAME    TABLE NAME      PRIO  PACKETS COUNT    BYTES COUNT
-----------  ------------  ------  ---------------  -------------
RULE_1       TABLE_1          100  N/A              N/A
rule_2       TABLE_2            2  N/A              N/A
rule_1       TABLE_2            1  N/A              N/A

clear counters acl

Section titled “clear counters acl”

[Command] clear counters acl

[Purpose] Clear ACL counters.

[View] Privileged User View

[Use Cases]

sonic# clear counters acl

show time-range {all|

Section titled “show time-range {all|”

[Command] show time-range {all|timer-name}

[Purpose] Display ACL effective time configures.

[View] Privileged User View

[Use Cases]

sonic# show time-range all
sonic# show time-range timer-1

ACL Config

Section titled “ACL Config”

Control-plane ACL

Section titled “Control-plane ACL”

Table 2 Control-plane ACL

CommandPurpose
access-list table_name ctrlplane protocolAdd a control-plane ACL table.
rule rule_id packet-action {accept|deny} [source-ip sip|source-ipv6 sipv6] [time-range timer-name]Add an ACL rule.
**rule default_drop ** [interface all]Config a drop ACL rule.

access-list

Section titled “access-list”

[Command] access-list table_name ctrlplane protocol

[Purpose] Add a control-plane ACL table.

[Parameters]

ParameterDescription
table_nameACL table name.
protocolSpecify one or more control plane protocols, optionally NTP/SNMP/SSH/BGP/TELNET. Specify multiple protocols separated by commas.

[View] Global Configuration View

[Notes] Run command no access-list table_name to delete the ACL table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test1 ctrlplane ssh
sonic(config-ctrlplane-acl-test1)#

rule

Section titled “rule”

[Command] rule rule_id packet-action {accept|deny} [source-ip sip|source-ipv6 sipv6] [time-range timer-name]

[Purpose] Add an ACL rule.

[Parameters]

ParameterDescription
rule_idACL rule id, also indicates the priority, range from 0 to 500. The larger the value, the higher the priority.
sipSource IP, A.B.C.D(/M)
sipv6Source IPv6,* X:X::X:X*(/M)
timer-nameACL time range name

[View] ACL table Configuration View

[Notes] Rules with the same priority is not allowed in one ACL table. Run command no rule rule-id to delete the ACL rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test1 ctrlplane SSH
sonic(config-ctrlplane-acl-test1)# rule 100 packet-action deny source-ip 192.168.10.85
sonic(config-ctrlplane-acl-test1)# rule 1 source-ip 192.168.30.138 packet-action deny time-range timer-1
sonic(config-ctrlplane-acl-test1)# show this
!
access-list test1 ctrlplane SSH
 rule 100 packet-action deny source-ip 192.168.10.85
rule 1 source-ip 192.168.30.138 packet-action deny time-range timer-1

Section titled “”

[Command] **Rule default_drop ** [interface all]

[Purpose] Add drop rule.

[Parameters]

ParameterDescription
interface allDrop all protocol packets of interfaces. Without this parameter, only protocol packets of eth0 port are discarded by default

[View] ACL table Configuration View

[Notes] Run command no ruledefault_drop to delete drop rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test1 ctrlplane SSH
sonic(config-ctrlplane-acl-test1)# rule default_drop interface all
sonic(config-ctrlplane-acl-test1)# show this
!
access-list test1 ctrlplane SSH
 rule default drop interface all

Data-plane ACL

Section titled “Data-plane ACL”

Table 3 Data-plane ACL

CommandPurpose
access-list table_name {l2|l3|l3v6|mirror|mirrorv6|flow_control} {ingress|egress}Add a data-plane ACL table.
bind interface {{ethernet|link-aggregation} interface_name|all}Apply the ACL table to the interface.
rule rule_id ACITON RULE [time-range timer-name]Create an ACL rule.

access-list

Section titled “access-list”

[Command] access-list table_name {l2|l3|l3v6|mirror|mirrorv6|flow_control} {ingress|egress}

[Purpose] Add a data-plane ACL table.

[Parameters]

ParameterDescription
table_nameACL table name.

[View] Global Configuration View

[Notes] ACLs of type L2/L3/L3v6 are used for Layer 2/Layer 3/Layer 3 IPv6 traffic forwarding, respectively. Mirror/Mirrorv6 are used to local mirror SPAN and remotely mirror ERSPAN. Flow_Control are usually used together with Policer module to implement rate limiting for specific flows. Run command no access-list table_name to delete the ACL table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 flow_control ingress
sonic(config)# access-list TABLE_3 l3 egress
Section titled “bind interface {{ethernet|link-aggregation}”

[Command] bind interface {{ethernet|link-aggregation} interface_name|all}

[Purpose] Apply the ACL table to the interface.

[Parameters]

ParameterDescription
interface_nameInterface name (eg.0/1)
allBinds to all interfaces.

[View] ACL table Configuration View

[Notes] ACL table is for ports. When you bind an ACL table to some ports, it means that the ACL table is valid for the traffic on these ports. An ACL table can be bound to multiple ports, and a port can also have multiple ACL tables, which means a “many-to-many” relationship. Run command no bind interface {{ethernet|link-aggregation} interface_name|all} to unbind the interface.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 l3 ingress
sonic(config-l3-acl-table_1)# bind interface ethernet 0/1
sonic(config-l3-acl-table_1)# bind interface all

rule

Section titled “rule”

[Command] rule rule_id packet-action {drop|deny|permit|trap-to-cpu|copy-to-cpu} RULE [time-range timer-name] Drop/deny/forward/trap to CPU/trap to CPU and forward (ingress only).

rule rule_id packet-action {deny|permit|trap-to-cpu|copy-to-cpu} RULE [time-range timer-name] Deny/forward (egress only).

rule rule_id redirect-action {{ethernet|link-aggregation} interface_name|A.B.C.D|X:X::X:X} RULE [time-range timer-name] Redirect (ingress only).

rule rule_id set-tc tc RULE [time-range timer-name] Set COS (ingress only).

rule rule_id set-dscp dscp RULE [time-range timer-name] Set DSCP.

rule rule_id set-pcp pcp RULE [time-range timer-name] Set VLAN priority.

rule rule_id traffic-behavior traffic_behavior_name RULE [time-range timer-name] Limit the speed for a specific stream (Flow Control only).

rule rule_id action mirror-session session-id Configure traffic mirroring for specific flows.

[Purpose] Create an ACL rule.

[Parameters]

ParameterDescription
rule_idACL rule id, also indicates the priority, range from 0 to 500. The larger the value, the higher the priority.

Different ACL table types support different match fields:

  • L2 ACL Table
FieldDescription
outer-vlan outer-vlanrange [1,4094]
ethernet-type eth-typeHEX<0-FFFF>
source-mac smacHH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn*/mask*(nn:nn:nn:nn:nn:nn) (ingress only)
destination-mac dmacHH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn*/mask*(nn:nn:nn:nn:nn:nn) (ingress only)
vlan-pri vlan-prirange 0-7
  • L3 ACL Table
FieldDescription
vlan-pri vlan-prirange 0-7
outer-vlan outer-vlanrange [1,4094]
ip-protocol ip-protocolrange 0-255
source-port sportrange 0-65535
destination-port dportrange 0-65535
tcp-flags tcp-flagsrange 0-63
source-ip sipA.B.C.D(/M)
destination-ip dipA.B.C.D(/M)
icmp-type icmp-typerange 0-16
icmp-code icmp-coderange 0-5
ethernet-type eth-typeHEX<0-FFFF>(ingress only)
ecn ecnrange 0-3
dscp dscprange 0-63
ip-precedence ip-precedencerange 0-7
ip-type ip-typeany/ip/non_ip/ipv4any/non_ipv4/ipv6any/non_ipv6/arp/arp_request/arp_reply
  • L3v6 ACL Table
FieldDescription
ip-protocol ip-protocolrange 0-255 (ingress only)
source-port sportrange 0-65535 (Only supported on CX308P-48Y-N-V2, CX532P-N-V2 and CX732Q-N-V2)
destination-port dportrange 0-65535 (Only supported on CX308P-48Y-N-V2, CX532P-N-V2 and CX732Q-N-V2)
source-ipv6 sipv6X:X::X:X(/M) (Only match high 64 bit addresses)
destination-ipv6 dipv6X:X::X:X(/M) (Only match high 64 bit addresses)
icmpv6-type icmpv6-typerange 1-137 (ingress only)
icmpv6-code icmpv6-coderange 0-4 (ingress only)
ethernet-type eth-typeHEX <0-FFFF> (ingress only)
dscp dscprange 0-63
flow-label flow-labelHEX <0-FFFF> (ingress only)
  • Mirror ACL Table
FieldDescription
outer-vlan outer-vlanrange [1,4094]
source-port sportrange 0-65535
destination-port dportrange 0-65535
tcp-flags tcp-flagsrange 0-63
source-ip sipA.B.C.D(/M)
destination-ip dipA.B.C.D(/M)
icmp-type icmp-typerange 0-16
icmp-code icmp-coderange 0-5
dscp dscprange 0-63
ip-type ip-typeany/ip/non_ip/ipv4any/non_ipv4/ipv6any/non_ipv6/arp/arp_request/arp_reply
bth-opcode bth-opcoderange 0-255
aeth-syndrome aeth-syndromerange 0-255
  • Mirrorv6 ACL Table
FieldDescription
source-ipv6 sipv6X:X::X:X(/M)
destination-ipv6 dipv6X:X::X:X(/M)
bth-opcode bth-opcoderange 0-255
aeth-syndrome aeth-syndromerange 0-255
  • Flow_Control ACL Table
FieldDescription
outer-vlan outer-vlanrange [1,4094]
ip-protocol ip-protocolrange 0-255
source-port sportrange 0-65535
destination-port dportrange 0-65535
source-ip sipA.B.C.D(/M)
destination-ip dipA.B.C.D(/M)
source-mac smacHH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn/mask(nn:nn:nn:nn:nn:nn) (ingress only)
destination-mac dmacHH:HH:HH:HH:HH:HH or nn:nn:nn:nn:nn:nn*/mask(nn:nn:nn:nn:nn:nn*) (ingress only)
in-ports port-listSpecify a list of bound interfaces, with multiple interfaces separated by commas.

[View] ACL table Configuration View

[Notes] An ACL rule can only be added to one table, but a table can have more than one rule, that is, rule and table is a “many-to-one” relationship. Rules with the same priority is not allowed in one ACL table. Run command no rule rule-id to delete the ACL rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 l3 ingress
sonic(config-l3-acl-table_1)# rule 1 source-ip 10.0.0.3/24 packet-action permit
sonic(config-l3-acl-table_1)# rule 1 source-ip 192.168.30.138 set-tc 6 time-range timer-1

Policy routing based on ACL

Section titled “Policy routing based on ACL”

Table 4 Policy routing based on ACL

CommandPurpose
access-list nexthop-group group_numberAdd a next-hop group.
ip-address {A.B.C.D|X:X::X:X}Add next hops to the next-hop group.
access-list table_name {l3|l3v6} ingressAdd an ACL table.
bind interface {{ethernet|link-aggregation} interface_name|all}Apply the ACL table to the interface.
rule rule_id redirect-action nexthop-group group_number [RULE] [time-range timer-name]Add a policy route based on ACL.

access-list nexthop-group

Section titled “access-list nexthop-group”

[Command] access-list nexthop-group group_number

[Purpose] Add a next-hop group.

[Parameters]

ParameterDescription
group_numberNext-hop group number, the range is 1~12.

[View] Global Configuration View

[Notes] Run command no access-list nexthop-group group_number to delete the nexthop-group.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list nexthop-group 1
sonic(config-acl-nexthop-group-1)#

ip-address {

Section titled “ip-address {”

[Command] ip-address {A.B.C.D|X:X::X:X}

[Purpose] Add next hops to the next-hop group.

[Parameters]

ParameterDescription
A.B.C.DIPv4 address.
X:X::X:XIPv6 address.

[View] Next-hop Group Configuration View

[Notes] The next-hop address is required to be reachable, and the configuration takes effect after commit. Run command no ip-address {A.B.C.D|X:X::X:X } to delete next hops address.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list nexthop-group 1
sonic(config-acl-nexthop-group-1)# ip-address 1.0.0.1
sonic(config-acl-nexthop-group-1)# ip-address 2.0.0.1
sonic(config-acl-nexthop-group-1)# ip-address 2000::1
sonic(config-acl-nexthop-group-1)# ip-address 2001::1
sonic(config-acl-nexthop-group-1)# commit
sonic(config-acl-nexthop-group-1)# show this
!
access-list nexthop-group 1
 ip-address 1.0.0.1
 ip-address 2.0.0.1
 ip-address 2000::1
 ip-address 2001::1
 commit

access-list

Section titled “access-list”

[Command] access-list table_name {l3|l3v6} ingress

[Purpose] Add an ACL table.

[Parameters]

ParameterDescription
table_nameACL table name.

[View] Global Configuration View

[Notes] Run command no access-list table_name to delete the ACL table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test l3 ingress
Section titled “bind interface {{ethernet|link-aggregation}”

[Command] bind interface {{ethernet|link-aggregation} interface_name|all}

[Purpose] Apply the ACL table to the interface.

[Parameters]

ParameterDescription
interface_nameInterface name (eg.0/1)
allBinds to all interfaces.

[View] ACL table Configuration View

[Notes] Run command no bind interface {{ethernet|link-aggregation} interface_name|all} to unbind the interface.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list test l3 ingress
sonic(config-l3-acl-test)# bind interface ethernet 0/1
sonic(config-l3-acl-test)# rule 10 destination-ip 96.0.0.7 redirect-action nexthop-group 1

rule

Section titled “rule”

[Command] rule rule_id redirect-action nexthop-group group_number [RULE] [time-range timer-name]

[Purpose] Add a policy route based on ACL.

[Parameters]

ParameterDescription
rule_idACL rule id, also indicates the priority, range from 0 to 500. The larger the value, the higher the priority.
group_numberNext-hop group number, the range is 1~12.

Different ACL table types support different match fields:

  • L3 ACL Table
FieldDescription
vlan-pri vlan-prirange 0-7
outer-vlan outer-vlanrange [1,4094]
ip-protocol ip-protocolrange 0-255
source-port sportrange 0-65535
destination-port dportrange 0-65535
tcp-flags tcp-flagsHEX<0-FF>
source-ip sipA.B.C.D(/M)
destination-ip dipA.B.C.D(/M)
icmp-type icmp-typerange 0-16
icmp-code icmp-coderange 0-5
ethernet-type eth-typeHEX<0-FFFF>
ecn ecnrange 0-3
dscp dscprange 0-63
  • L3v6 ACL Table
FieldDescription
ip-protocol ip-protocolrange 0-255
source-port sportrange 0-65535
destination-port dportrange 0-65535
tcp-flags tcp-flagsHEX<0-FF>
source-ipv6 sipv6X:X::X:X(/M)
destination-ipv6 dipv6X:X::X:X(/M)
icmpv6-type icmpv6-typerange 1-137
icmpv6-code icmpv6-coderange 0-4
ethernet-type eth-typeHEX<0-FFFF>

[View] ACL table Configuration View

[Notes] Rules with the same priority is not allowed in one ACL table. Run command no rule rule-id to delete the ACL rule.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list TABLE_1 l3 ingress

Set a time period for ACL

Section titled “Set a time period for ACL”

Table 5 Set a time period for ACL

CommandPurpose
time-range timer_name xx:xx to xx:xx daysCreate a time period based on a periodic time range.
time-range timer_name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xxCreate a time period based on an absolute time range.

time-range

Section titled “time-range”

[Command] time-range timer_name *xx:xx *to xx:xx days

[Purpose] Create a time period based on a periodic time range.

[Parameters]

ParameterDescription
timer_nameTime-range name, the maximum length is 32 characters.
xx:xx24-hour time, such as 18:49.
daysThe optional values for the weekly effective time are as follows:1)0-6 :Corresponds to Sunday through Saturday. It can be configured as follows:0-6 or 0,1,2,3,4,5,62)Mon/Tue/Wed/Thu/Fri/Sat/Sun:It can be configured as follows:Configuration takes effect on Monday of the week:Mon Configuration takes effect on Monday and Wednesday of the week:Mon, Wed3)daily: Take effect on every day4)off-day:Take effect on Sun and Sat5)working-day:Take effect from Mon to Fri

[View] Global Configuration View

[Notes] Multiple periodic time ranges can be configured on the same timer-name. Run command no time-range timer_name to delete the ACL timer. Run command no time-range timer_name xx:xx to xx:xx days to delete a single time range under the ACL timer.

[Use Cases]

sonic# configure terminal
sonic(config)# time-range timer-1 23:59 to 11:38 0,1
sonic(config)# time-range timer-1 11:40 to 11:45 0-1
sonic(config)# time-range timer-1 11:40 to 11:45 2
sonic(config)# time-range timer-1 11:50 to 11:55 Mon,Wed
sonic(config)# time-range timer-1 12:05 to 12:15 daily
sonic(config)# time-range timer-1 13:05 to 13:15 off-day
sonic(config)# time-range timer-1 14:05 to 14:15 working-day

time-range

Section titled “time-range”

[Command] time-range timer_name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx

[Purpose] Create a time period based on an absolute time range.

[Parameters]

ParameterDescription
timer_nameTime-range name, the maximum length is 32 characters.
xx:xx24-hour time, such as 18:49.
xxxx/xx/xxEffective date, the format is Y/m/d.

[View] Global Configuration View

[Notes] Multiple absolute time ranges can be configured on the same timer-name. Absolute time range and periodic time range can be configured on the same timer-name. The effective time is the intersection of these two time range configurations Run command no time-range timer_name to delete the ACL timer. Run command no time-range from xx:xx xxxx/xx/xx to xx:xx* xxxx/xx/xx* to delete a single time range under the ACL timer

[Use Cases]

sonic# configure terminal
sonic(config)# time-range timer-1 from 11:00 2024/10/14 to 11:00 2024/10/20
sonic(config)# time-range timer-1 from 11:00 2024/10/25 to 11:00 2024/10/28