ACL
Access Control List.
| URL | GET | POST | PATCH | PUT | DELETE |
|---|---|---|---|---|---|
| /rest/v1/running/access-list-nexthop-groups/{id} | Y | Y | Y | N | Y |
| /rest/v1/running/access-list-nexthop-groups/{id}/nexthop/{ip-address}/{vrf-name} | Y | Y | N | N | Y |
| /rest/v1/running/access-list-user-defined-types/{name} | Y | Y | Y | N | Y |
| /rest/v1/running/access-lists/{name} | Y | Y | Y | N | Y |
| /rest/v1/running/access-lists/{name}/access-list-entries/{ruleid} | Y | Y | N | Y | Y |
| /rest/v1/rpc/clear-counters-acl | N | Y | N | N | N |
| /rest/v1/rpc/show-acl-rule | N | Y | N | N | N |
| /rest/v1/rpc/show-counters-acl | N | Y | N | N | N |
Examples

Get all access-lists.

```
GET HTTPS://{switch IP}/rest/v1/running/access-lists
```

response:

```json
{
  "result": [
    {
      "name": "t1",
      "type": "L3",
      "stage": "ingress",
      "bind-intfs": ["Ethernet43"],
      "access-list-entries": [
        {
          "ruleid": 2,
          "actions": { "packet-action": "FORWARD" },
          "matches": { "source-ip": "43.0.0.2" }
        }
      ]
    }
  ]
}
```

Create an access-list and add a rule for it.

```
POST HTTPS://{switch IP}/rest/v1/running/access-lists
```

```json
{
  "name": "fc",
  "stage": "ingress",
  "type": "FLOW-CONTROL",
  "access-list-entries": [
    {
      "ruleid": 11,
      "actions": { "traffic-behavior": "policy_test" },
      "matches": { "source-mac": "00:00:00:00:00:01" }
    }
  ]
}
```

Modify an access-list.

```
PATCH HTTPS://{switch IP}/rest/v1/running/access-lists/l3in
```

```json
{ "bind-intfs": ["Ethernet3", "Ethernet4"] }
```

Delete an access-list.

```
DELETE HTTPS://{switch IP}/rest/v1/running/access-lists/l3v6in1
```

Get all the rules for an access list.

```
GET HTTPS://{switch IP}/rest/v1/running/access-lists/test/access-list-entries
```

Create a rule for an access list.

```
POST HTTPS://{switch IP}/rest/v1/running/access-lists/mirrorv6e/access-list-entries
```

```json
{
  "ruleid": 100,
  "actions": { "egress-mirror-session": 2 },
  "matches": { "out-ports": ["Ethernet2"] }
}
```

Delete a rule from an access list.

```
DELETE HTTPS://{switch IP}/rest/v1/running/access-lists/l2e/access-list-entries/2
```

Get all the user-defined types.

```
GET HTTPS://{switch IP}/rest/v1/running/access-list-user-defined-types
```

response:

```json
{
  "result": [
    {
      "name": "test",
      "type": "ipv4",
      "bind-points": "port",
      "match": ["source-mac", "tcp-flags"],
      "action": ["set-dscp", "packet-action"]
    }
  ]
}
```

Create an access-list user-defined type.

```
POST HTTPS://{switch IP}/rest/v1/running/access-list-user-defined-types
```

```json
{
  "name": "test",
  "type": "ipv4",
  "match": ["source-mac", "tcp-flags"],
  "action": ["set-dscp", "packet-action"],
  "bind-points": "port"
}
```

Delete an access-list user-defined type.

```
DELETE HTTPS://{switch IP}/rest/v1/running/access-list-user-defined-types/test
```

Get all the nexthop groups.

```
GET HTTPS://{switch IP}/rest/v1/running/access-list-nexthop-groups
```

response:

```json
{
  "result": [
    {
      "id": 1,
      "nexthop": [
        { "ip-address": "1.2.3.4", "vrf-name": "default" },
        { "ip-address": "2.3.4.5", "vrf-name": "default", "interface-name": "Ethernet1" }
      ]
    }
  ]
}
```

Create a nexthop group.

```
POST HTTPS://{switch IP}/rest/v1/running/access-list-nexthop-groups
```

```json
{
  "id": 1,
  "nexthop": [
    { "ip-address": "1.2.3.4", "vrf-name": "default" },
    { "ip-address": "2.3.4.5", "vrf-name": "default", "interface-name": "Ethernet1" }
  ]
}
```

Delete a nexthop group.

```
DELETE HTTPS://{switch IP}/rest/v1/running/access-list-nexthop-groups/1
```

Show an access-list rule.

```
POST HTTPS://{switch IP}/rest/v1/rpc/show-acl-rule
```

```json
{ "name": "test", "ruleid": 4 }
```

response:

```json
{
  "data": [
    {
      "acl_name": "test",
      "ruleid": 4,
      "priority": 1004,
      "actions": { "packet-action": "DROP" },
      "matches": { "outer-vlan": "20" }
    }
  ]
}
```

Show access-list counters.

```
POST HTTPS://{switch IP}/rest/v1/rpc/show-counters-acl
```

```json
{ "acl-names": ["test", "test1"] }
```

response:

```json
{
  "data": "ACL Counters are refreshed every 10 seconds\nRULE NAME TABLE NAME PRIO PACKETS COUNT BYTES COUNT\n----------- ------------ ------ --------------- -------------\nrule_1 test1 1001 0 0\n"
}
```

Clear access-list counters.

```
POST HTTPS://{switch IP}/rest/v1/rpc/clear-counters-acl
```

```json
{}
```
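The endpoint table and the examples above together define which verb each path accepts and how path parameters are filled in. The following request builder is an added example, not part of the switch software: it encodes the method matrix from the endpoint table, refuses verbs the table does not list, percent-encodes path parameters so that an access-list name containing "/" or ".." cannot address a different resource, and falls back to the collection URL (for example `POST .../access-lists`) when the trailing key is omitted. The switch address `192.0.2.10`, the bearer-token header and the `send` helper are assumptions; TLS certificate verification is left at its default (on).

```python
"""Request builder for the ACL REST endpoints documented on this page (added example)."""
import json
from urllib.parse import quote
from urllib.request import Request, urlopen

# Path template -> verbs the endpoint table marks "Y".
ENDPOINTS = {
    "/rest/v1/running/access-list-nexthop-groups/{id}":
        {"GET", "POST", "PATCH", "DELETE"},
    "/rest/v1/running/access-list-nexthop-groups/{id}/nexthop/{ip-address}/{vrf-name}":
        {"GET", "POST", "DELETE"},
    "/rest/v1/running/access-list-user-defined-types/{name}":
        {"GET", "POST", "PATCH", "DELETE"},
    "/rest/v1/running/access-lists/{name}":
        {"GET", "POST", "PATCH", "DELETE"},
    "/rest/v1/running/access-lists/{name}/access-list-entries/{ruleid}":
        {"GET", "POST", "PUT", "DELETE"},
    "/rest/v1/rpc/clear-counters-acl": {"POST"},
    "/rest/v1/rpc/show-acl-rule": {"POST"},
    "/rest/v1/rpc/show-counters-acl": {"POST"},
}


def build_request(switch_ip, template, method, params=None, body=None):
    """Return (method, url, body_bytes) for one documented operation.

    - refuses verbs the endpoint table does not list for the template;
    - percent-encodes every path parameter (quote with safe="") so a value such
      as "a/../b" stays a single path segment;
    - if only the trailing key (e.g. {name}) is unfilled, targets the collection,
      matching the POST examples above.
    """
    method = method.upper()
    if template not in ENDPOINTS:
        raise KeyError(f"unknown endpoint template {template}")
    if method not in ENDPOINTS[template]:
        raise ValueError(f"{method} not supported on {template}")
    path = template
    for key, value in (params or {}).items():
        placeholder = "{" + key + "}"
        if placeholder not in path:
            raise ValueError(f"{key} is not a parameter of {template}")
        path = path.replace(placeholder, quote(str(value), safe=""))
    if "{" in path:
        head, _, tail = path.rpartition("/")
        if "{" in head or not tail.startswith("{"):
            raise ValueError(f"unfilled path parameter in {path}")
        path = head  # collection-level request
    url = f"https://{switch_ip}{path}"
    data = None if body is None else json.dumps(body).encode()
    return method, url, data


def send(switch_ip, template, method, params=None, body=None, token=None):
    """Send the request over HTTPS (certificate verification stays on).
    The Authorization header format is an assumption; check the switch's docs."""
    method, url, data = build_request(switch_ip, template, method, params, body)
    headers = {"Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = f"Bearer {token}"
    req = Request(url, data=data, method=method, headers=headers)
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Mirrors the "Modify an access-list" example above (192.0.2.10 is a placeholder).
    print(build_request("192.0.2.10", "/rest/v1/running/access-lists/{name}",
                        "patch", {"name": "l3in"},
                        {"bind-intfs": ["Ethernet3", "Ethernet4"]}))
```

Keeping the verb matrix on the client side turns a typo such as `PATCH` on an access-list entry (the table only allows `PUT` there) into a local `ValueError` instead of a round trip to the switch.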
Properties Descriptions

ACL entries

Tree Diagrams

```
+--rw access-lists
   +--rw access-list* [name]
      +--rw name
      +--rw type
      +--rw stage?
      +--rw services*
      +--rw bind-intfs*
      +--rw access-list-entries
      |  +--rw access-list-entry* [ruleid]
      |     +--rw ruleid
      |     +--rw actions
      |     |  +--rw packet-action?
      |     |  +--rw ingress-mirror-session?
      |     |  +--rw egress-mirror-session?
      |     |  +--rw redirect-action?
      |     |  +--rw redirect-action-ip-params?
      |     |  +--rw set-tc?
      |     |  +--rw set-pcp?
      |     |  +--rw set-dscp?
      |     |  +--rw traffic-behavior?
      |     +--rw matches
      |        +--rw ethernet-type?
      |        +--rw outer-vlan?
      |        +--rw ip-type?
      |        +--rw ip-protocol?
      |        +--rw tcp-flags?
      |        +--rw source-ip?
      |        +--rw destination-ip?
      |        +--rw source-ipv6?
      |        +--rw destination-ipv6?
      |        +--rw icmp-type?
      |        +--rw icmp-code?
      |        +--rw icmpv6-type?
      |        +--rw icmpv6-code?
      |        +--rw source-port?
      |        +--rw destination-port?
      |        +--rw dscp?
      |        +--rw ecn?
      |        +--rw vlan-pri?
      |        +--rw vxlan-vni?
      |        +--rw flow-label?
      |        +--rw in-ports*
      |        +--rw out-ports*
      |        +--rw bth-opcode? {cmn:platform-innovium}?
      |        +--rw aeth-syndrome? {cmn:platform-innovium}?
      |        +--rw source-mac?
      |        +--rw destination-mac?
      +--rw rule-default-drop?
```

Table of Properties
| Name | Required | Type/Range | Description |
|---|---|---|---|
| access-lists | M | | Path-only node, has no configurable value. |
| name | M | string | (sub-property of access-lists) |
| type | M | "L2", "L3", "L3V6", "MIRROR", "MIRRORV6", "FLOW-CONTROL", "CTRLPLANE", or the name of an access-list-user-defined-type | (sub-property of access-lists) |
| stage | O | "ingress", "egress" | (sub-property of access-lists) |
| services | O | "SNMP", "SSH", "NTP", "BGP" | (sub-property of access-lists) Only supported on tables where type is CTRLPLANE. |
| bind-intfs | O | Ethernet name, Lag1..9999 | (sub-property of access-lists) |
| access-list-entries | M | | (sub-property of access-lists) Path-only node, has no configurable value. |
| ruleid | M | 0..500 | (sub-property of access-list-entries) |
| actions | M | | (sub-property of access-list-entries) Path-only node, has no configurable value. |
| packet-action | O | "FORWARD", "DENY", "DROP", "TRAP", "COPY" | (sub-property of actions) The action taken on packets that match the rule: forwarded, dropped, trapped or copied to the CPU. Applicable to ACL tables: Layer 2 ingress/egress, Layer 3 IPv4/IPv6 ingress/egress. |
| ingress-mirror-session | O | 1..63 | (sub-property of actions) Ingress mirror session identifier (1-63); matched incoming traffic is copied to the session's monitoring port. Applicable to ACL tables: Mirror/Mirrorv6 ingress. |
| egress-mirror-session | O | 1..63 | (sub-property of actions) Egress mirror session identifier (1-63); matched outgoing traffic is copied to the session's monitoring port. Applicable to ACL tables: Mirror/Mirrorv6 egress. |
| redirect-action | O | Ethernet name, Lag1..9999, 1..12, "A.B.C.D", "XX:XX:XX:XX:XX:XX:XX:XX" | (sub-property of actions) Redirection destination for matched packets. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress. |
| redirect-action-ip-params | O | Ethernet name, Lag1..9999, Vlan1..4094, "default", vrf name | (sub-property of actions) Destination interface or VRF used with an IPv4/IPv6 redirect address. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress, when redirect-action is an IPv4/IPv6 address. |
| set-tc | O | 0..7 | (sub-property of actions) Sets the traffic class (TC), which selects the QoS treatment. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress. |
| set-pcp | O | 0..7 | (sub-property of actions) Sets the 802.1p PCP, which sets the priority within a VLAN. Applicable to ACL tables: Layer 2 ingress, Layer 3 IPv4/IPv6 ingress, Mirror/Mirrorv6 ingress, Flowctrl ingress. |
| set-dscp | O | 0..63 | (sub-property of actions) Sets the DSCP. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress, Flowctrl ingress. |
| traffic-behavior | O | string | (sub-property of actions) Name of the interface speed-limiting policy to apply. Applicable to ACL tables: Layer 2 ingress, Layer 3 IPv4/IPv6 ingress, Mirror/Mirrorv6 ingress, Flowctrl ingress. |
| matches | M | | (sub-property of access-list-entries) Path-only node, has no configurable value. |
| ethernet-type | O | 0x0000..ffff | (sub-property of matches) Matches the Ethernet frame type (EtherType), given in hexadecimal from 0x0000 to 0xffff, which distinguishes L2 protocols. Applicable to ACL tables: Layer 2 ingress, Layer 3 IPv4/IPv6 ingress. |
| outer-vlan | O | 1..4094 or 0x1..ffe | (sub-property of matches) Matches the outer VLAN tag of a tagged frame (VLAN ID 1-4094), optionally followed by a slash (/) and an EtherType in hexadecimal for further refinement. Applicable to ACL tables: Layer 2 ingress/egress, Layer 3 IPv4 ingress/egress, Mirror ingress/egress, Flowctrl ingress. |
| ip-type | O | "ANY", "IP", "NON-IP", "IPV4ANY", "NON-IPv4", "IPV6ANY", "NON-IPv6", "ARP", "ARP-REQUEST", "ARP-REPLY" | (sub-property of matches) Matches the packet's IP type. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirror ingress/egress. |
| ip-protocol | O | 0..255 | (sub-property of matches) Matches the protocol field of the IP header (0-255), i.e. the upper-layer protocol. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, IPv6 ingress, Flowctrl ingress. |
| tcp-flags | O | 0..63 | (sub-property of matches) Matches the TCP flags bitmask. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirror ingress/egress. |
| source-ip | O | "A.B.C.D/M", "A.B.C.D" | (sub-property of matches) Matches the source IPv4 address or prefix. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirror ingress/egress, Flowctrl ingress. |
| destination-ip | O | "A.B.C.D/M", "A.B.C.D" | (sub-property of matches) Matches the destination IPv4 address or prefix. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirror ingress/egress. |
| source-ipv6 | O | "XX:XX:XX:XX:XX:XX:XX:XX/M", "XX:XX:XX:XX:XX:XX:XX:XX" | (sub-property of matches) Matches the source IPv6 address or prefix. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirrorv6 ingress/egress. |
| destination-ipv6 | O | "XX:XX:XX:XX:XX:XX:XX:XX/M", "XX:XX:XX:XX:XX:XX:XX:XX" | (sub-property of matches) Matches the destination IPv6 address or prefix. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirrorv6 ingress/egress. |
| icmp-type | O | 0..16 | (sub-property of matches) Matches ICMP traffic by message type. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirror ingress/egress. |
| icmp-code | O | 0..5 | (sub-property of matches) Matches ICMP traffic by code. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, Mirror ingress/egress. |
| icmpv6-type | O | 1..137 | (sub-property of matches) Matches ICMPv6 traffic by message type. Applicable to ACL tables: Layer 3 IPv4 ingress. |
| icmpv6-code | O | 0..4 | (sub-property of matches) Matches ICMPv6 traffic by code. Applicable to ACL tables: Layer 3 IPv4 ingress. |
| source-port | O | 0..65535 | (sub-property of matches) Matches the source transport-layer port. Applicable to ACL tables: Layer 2 ingress/egress, Layer 3 IPv4 ingress/egress, Mirror ingress/egress, Flowctrl ingress. |
| destination-port | O | 0..65535 | (sub-property of matches) Matches the destination transport-layer port. Applicable to ACL tables: Layer 2 ingress/egress, Layer 3 IPv4 ingress/egress, Mirror ingress/egress, Flowctrl ingress. |
| dscp | O | 0..63 | (sub-property of matches) Matches the Differentiated Services Code Point in the IP header (0-63), for QoS differentiation. Applicable to ACL tables: Layer 3 IPv4 or IPv6 ingress/egress, Mirror ingress/egress. |
| ecn | O | 0..3 | (sub-property of matches) Matches the Explicit Congestion Notification bits in the IP header. Applicable to ACL tables: Layer 3 IPv4 ingress/egress. |
| vlan-pri | O | 0..7 | (sub-property of matches) Matches the 3-bit VLAN Priority Code Point. Applicable to ACL tables: Layer 2 ingress/egress, Layer 3 IPv4 ingress/egress. |
| vxlan-vni | O | 1..16777215 | (sub-property of matches) Matches the 24-bit VXLAN Network Identifier (VNI). Applicable to ACL tables: Layer 3 IPv4 ingress/egress. |
| flow-label | O | ^[0-9a-fA-F]{1,5} | (sub-property of matches) Matches the IPv6 flow label, given in hexadecimal from 0x00000 to 0xfffff. Applicable to ACL tables: Layer 3 IPv6 ingress. |
| in-ports | O | Ethernet name | (sub-property of matches) Matches the ingress ports. Applicable to ACL tables: Mirror ingress, Flowctrl ingress. |
| out-ports | O | Ethernet name | (sub-property of matches) Matches the egress ports. Applicable to ACL tables: Layer 3 IPv4 egress, Mirrorv6 egress. |
| bth-opcode | O | 0..255 | (sub-property of matches) (Innovium platform specific) Matches the RoCE Base Transport Header (BTH) opcode. Applicable to ACL tables: Mirror/Mirrorv6 ingress/egress. |
| aeth-syndrome | O | 0..255 or 0..255/0x00..ff | (sub-property of matches) (Innovium platform specific) Matches the RoCE ACK Extended Transport Header (AETH) syndrome, optionally with a mask after the slash. Applicable to ACL tables: Mirror/Mirrorv6 ingress/egress. |
| source-mac | O | A:B:C:D:E:F | (sub-property of matches) Matches the source MAC address. Applicable to ACL tables: Layer 2 ingress, Flowctrl ingress. |
| destination-mac | O | A:B:C:D:E:F | (sub-property of matches) Matches the destination MAC address. Applicable to ACL tables: Layer 2 ingress, Flowctrl ingress. |
| rule-default-drop | CO | "out_of_band", "in_band" | (sub-property of access-lists) Only applicable when type = "CTRLPLANE". |
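The property table above gives a range or enumeration for nearly every action and match field, which makes it possible to reject a malformed rule before it ever reaches the switch. The validator below is an added example, not the switch's own input checking: it encodes the ruleid range, the action enumerations and ranges, the match ranges, and the IPv4/IPv6/MAC/flow-label formats from the table, and returns a list of problems for one access-list-entry. The per-table applicability notes ("Applicable to ACL tables: ...") are not enforced here, and the sample entries used for testing are taken from the examples on this page plus one deliberately bad entry.

```python
"""Validate an access-list-entry against the documented ranges (added example)."""
import ipaddress
import re

RULEID_RANGE = (0, 500)
ACTION_ENUMS = {"packet-action": {"FORWARD", "DENY", "DROP", "TRAP", "COPY"}}
ACTION_RANGES = {"ingress-mirror-session": (1, 63), "egress-mirror-session": (1, 63),
                 "set-tc": (0, 7), "set-pcp": (0, 7), "set-dscp": (0, 63)}
ACTION_FREE = {"redirect-action", "redirect-action-ip-params", "traffic-behavior"}
MATCH_ENUMS = {"ip-type": {"ANY", "IP", "NON-IP", "IPV4ANY", "NON-IPv4", "IPV6ANY",
                           "NON-IPv6", "ARP", "ARP-REQUEST", "ARP-REPLY"}}
MATCH_RANGES = {"ethernet-type": (0, 0xFFFF), "outer-vlan": (1, 4094), "ip-protocol": (0, 255),
                "tcp-flags": (0, 63), "icmp-type": (0, 16), "icmp-code": (0, 5),
                "icmpv6-type": (1, 137), "icmpv6-code": (0, 4), "source-port": (0, 65535),
                "destination-port": (0, 65535), "dscp": (0, 63), "ecn": (0, 3),
                "vlan-pri": (0, 7), "vxlan-vni": (1, 16777215), "bth-opcode": (0, 255),
                "aeth-syndrome": (0, 255)}
MATCH_IPV4 = {"source-ip", "destination-ip"}
MATCH_IPV6 = {"source-ipv6", "destination-ipv6"}
MATCH_MAC = {"source-mac", "destination-mac"}
MATCH_LISTS = {"in-ports", "out-ports"}
FLOW_LABEL_RE = re.compile(r"^[0-9a-fA-F]{1,5}$")
MAC_RE = re.compile(r"^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$")


def _as_int(value):
    """Accept ints, decimal strings and 0x-prefixed hex strings (the table allows
    hex for ethernet-type and outer-vlan). The optional "/EtherType" suffix of
    outer-vlan and the "/mask" suffix of aeth-syndrome are ignored here."""
    if isinstance(value, bool):
        raise ValueError("boolean is not a number")
    if isinstance(value, int):
        return value
    return int(str(value).split("/", 1)[0], 0)


def _is_ip(value, version):
    """True for "A.B.C.D" / "A.B.C.D/M" (or the IPv6 equivalents) of the given version."""
    try:
        return ipaddress.ip_network(value, strict=False).version == version
    except ValueError:
        return False


def _check_range(section, key, val, bounds, errors):
    try:
        num = _as_int(val)
    except (TypeError, ValueError):
        errors.append(f"{section}.{key}: {val!r} is not a number")
        return
    if not bounds[0] <= num <= bounds[1]:
        errors.append(f"{section}.{key}: {num} outside {bounds[0]}..{bounds[1]}")


def validate_entry(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    errors = []
    rid = entry.get("ruleid")
    if isinstance(rid, bool) or not isinstance(rid, int) or not RULEID_RANGE[0] <= rid <= RULEID_RANGE[1]:
        errors.append(f"ruleid {rid!r} outside {RULEID_RANGE[0]}..{RULEID_RANGE[1]}")
    for section in ("actions", "matches"):  # both are mandatory path nodes
        if not isinstance(entry.get(section), dict):
            errors.append(f"{section} is mandatory and must be an object")
    for key, val in (entry.get("actions") or {}).items():
        if key in ACTION_ENUMS:
            if val not in ACTION_ENUMS[key]:
                errors.append(f"actions.{key}: {val!r} not in {sorted(ACTION_ENUMS[key])}")
        elif key in ACTION_RANGES:
            _check_range("actions", key, val, ACTION_RANGES[key], errors)
        elif key not in ACTION_FREE:
            errors.append(f"actions.{key}: unknown action")
    for key, val in (entry.get("matches") or {}).items():
        if key in MATCH_ENUMS:
            if val not in MATCH_ENUMS[key]:
                errors.append(f"matches.{key}: {val!r} not allowed")
        elif key in MATCH_RANGES:
            _check_range("matches", key, val, MATCH_RANGES[key], errors)
        elif key in MATCH_IPV4 or key in MATCH_IPV6:
            if not _is_ip(val, 4 if key in MATCH_IPV4 else 6):
                errors.append(f"matches.{key}: {val!r} is not a valid address or prefix")
        elif key in MATCH_MAC:
            if not isinstance(val, str) or not MAC_RE.match(val):
                errors.append(f"matches.{key}: {val!r} is not a MAC address")
        elif key in MATCH_LISTS:
            if not isinstance(val, list) or not all(isinstance(p, str) for p in val):
                errors.append(f"matches.{key}: expected a list of interface names")
        elif key == "flow-label":
            if not isinstance(val, str) or not FLOW_LABEL_RE.match(val):
                errors.append(f"matches.flow-label: {val!r} must be 1-5 hex digits")
        else:
            errors.append(f"matches.{key}: unknown match field")
    return errors


if __name__ == "__main__":
    # The "Create a rule for an access list" example from this page: expected to pass.
    print(validate_entry({"ruleid": 100, "actions": {"egress-mirror-session": 2},
                          "matches": {"out-ports": ["Ethernet2"]}}))
```

Rejecting unknown action and match keys is deliberate: a misspelled match field that the switch silently ignores would produce a rule broader than intended, which for a DENY or DROP entry means the filter does not do what the operator believes it does.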
ACL user-defined types

Tree Diagrams

```
+--rw access-list-user-defined-types
   +--rw access-list-user-defined-type* [name]
      +--rw name
      +--rw type
      +--rw bind-points?
      +--rw match*?
      +--rw action*?
```

Table of Properties
| Name | Required | Type/Range | Description |
|---|---|---|---|
| access-list-user-defined-types | M | | Path-only node, has no configurable value. |
| name | M | ^[a-z0-9_]* | (sub-property of access-list-user-defined-types) |
| type | M | "ipv4", "ipv6", "non_ip" | (sub-property of access-list-user-defined-types) |
| bind-points | O | "port", "switch" | (sub-property of access-list-user-defined-types) |
| match | O | "in-ports", "out-ports", "bth-opcode", "aeth-syndrome", "source-mac", "destination-mac", "ethernet-type", "outer-vlan", "ip-type", "ip-protocol", "tcp-flags", "source-ip", "destination-ip", "source-ipv6", "destination-ipv6", "icmp-type", "icmp-code", "icmpv6-type", "icmpv6-code", "source-port", "destination-port", "dscp", "ecn", "vlan-pri", "vxlan-vni" | (sub-property of access-list-user-defined-types) |
| action | O | "packet-action", "ingress-mirror-session", "egress-mirror-session", "redirect-action", "set-tc", "set-pcp", "set-dscp", "traffic-behavior" | (sub-property of access-list-user-defined-types) |
ACL nexthop groups
Tree Diagrams

```
+--rw access-list-nexthop-groups
   +--rw access-list-nexthop-group* [id]
      +--rw id
      +--rw nexthop* [ip-address vrf-name]
      |  +--rw ip-address
      |  +--rw vrf-name
      |  +--rw interface-name?
      +--rw commit?
```
Show-acl-rule
Tree Diagrams

```
+---x show-acl-rule
   +---w input
   |  +---w name?
   |  +---w ruleid?
   +--ro output
      +--ro data?
```

Table of Properties
| Name | Required | Type/Range | Description |
|---|---|---|---|
| show-acl-rule | M | | Path-only node, has no configurable value. |
| name | O | string | (sub-property of input) ACL name. |
| ruleid | O | 0..500 | (sub-property of input) |
| data | RO | | (sub-property of output) |
Show-counters-acl
Tree Diagrams

```
+---x show-counters-acl
   +---w input
   |  +---w acl-names*
   |  +---w rule-ids*
   +--ro output
      +--ro data?
```

Table of Properties
| Name | Required | Type/Range | Description |
|---|---|---|---|
| show-counters-acl | M | | Path-only node, has no configurable value. RPC for showing ACL counters. |
| acl-names | O | string | (sub-property of input) List of ACL table names. |
| rule-ids | O | string | (sub-property of input) List of rule IDs. |
| data | RO | | (sub-property of output) |
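The `data` field of show-counters-acl is a free-text table rather than structured JSON (see the example response earlier on this page), so anything that polls it for monitoring has to parse it. The code below is an added example, not part of the switch software: it parses the text into per-rule records and reports rules whose packet counter increased between two polls, which is the signal a defender typically wants from a DROP or DENY rule. It assumes rule and table names contain no whitespace, and the two sample polls are constructed (the first is the page's example output, the second adds traffic and a second rule). Counters are refreshed every 10 seconds, so polling faster than that gains nothing; a counter that decreased (for example after clear-counters-acl) is treated as no increase.

```python
"""Parse show-counters-acl output and flag rules whose counters moved (added example)."""
import re

HEADER_RE = re.compile(r"^RULE NAME\s+TABLE NAME\s+PRIO\s+PACKETS COUNT\s+BYTES COUNT")


def parse_acl_counters(response):
    """Turn the RPC response {"data": "<text table>"} into a dict
    (rule, table) -> {"priority": int, "packets": int, "bytes": int}."""
    rows = {}
    for line in response["data"].splitlines():
        line = line.strip()
        # Skip the refresh banner, the column header and the dashed separator.
        if (not line or line.startswith("ACL Counters") or HEADER_RE.match(line)
                or set(line) <= set("- ")):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"unexpected counter line: {line!r}")
        rule, table, prio, packets, byte_count = fields
        rows[(rule, table)] = {"priority": int(prio), "packets": int(packets),
                               "bytes": int(byte_count)}
    return rows


def counter_deltas(previous, current):
    """Rules whose packet counter increased between two polls, or that are new.
    A decrease (counters cleared between polls) is reported as no increase."""
    deltas = {}
    for key, now in current.items():
        before = previous.get(key, {"packets": 0, "bytes": 0})
        dp = now["packets"] - before["packets"]
        if dp > 0:
            deltas[key] = {"packets": dp, "bytes": now["bytes"] - before["bytes"]}
    return deltas


# Constructed samples in the documented format.
POLL_1 = {"data": "ACL Counters are refreshed every 10 seconds\n"
                  "RULE NAME TABLE NAME PRIO PACKETS COUNT BYTES COUNT\n"
                  "----------- ------------ ------ --------------- -------------\n"
                  "rule_1 test1 1001 0 0\n"}
POLL_2 = {"data": "ACL Counters are refreshed every 10 seconds\n"
                  "RULE NAME TABLE NAME PRIO PACKETS COUNT BYTES COUNT\n"
                  "----------- ------------ ------ --------------- -------------\n"
                  "rule_1 test1 1001 37 2590\n"
                  "rule_2 test 1002 0 0\n"}

if __name__ == "__main__":
    print(counter_deltas(parse_acl_counters(POLL_1), parse_acl_counters(POLL_2)))
```

In a monitoring job the two polls would come from successive show-counters-acl calls for the same `acl-names`; the output of `counter_deltas` can be joined with show-acl-rule to attach the rule's action and matches to the alert.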
Clear-counters-acl
Tree Diagrams

```
+---x clear-counters-acl
```

Table of Properties
| Name | Required | Type/Range | Description |
|---|---|---|---|
| clear-counters-acl | M | | Path-only node, has no configurable value. RPC for clearing ACL counters. |