ACL Configuration
show acl table

[command]
show acl table [ table name ]

[purpose]
Show existing ACL tables.

[view]
System view

[use cases]
sonic# show acl table
Name     Type  Binding    Description  Stage
table 2  l3    ethernet8  table 2      ingress

show acl rule

[command]
show acl rule [ table name ] [ rule id ]

[purpose]
Show existing ACL rules.

[view]
System view

[use cases]
sonic# show acl rule
Table    Rule     Priority  Action  Match
dataacl  rule 1   9999      drop    src ip 10.0.0.2/32
dataacl  rule 2   9998      drop    dst ip 192.168.0.16/32
dataacl  rule 3   9997      drop    l4 src port 4661
dataacl  rule 4   9996      drop    ip protocol 126
dataacl  rule 13  9987      drop    ip protocol 1

sonic# show acl rule table 1 rule 1
Table    Rule    Priority  Action  Match
table 1  rule 1  100       drop    src ip 200.0.0.2/24

show counters acl

[command]
show counters acl [ acl table name ] [ rule id ]

[purpose]
Show ACL hit counts.

[view]
System view

[notes]
Multiple tables and rules can be entered in one command, either as tables alone or as table + rule. Tables are separated from each other by ",", rules from each other by ","; a table and its rule are separated by a space.

[use cases]
sonic# show counters acl table 1,table 2
Rule name  Table name  Prio  Packets count  Bytes count
rule 1     table 1     100   n/a            n/a
rule 2     table 2     2     n/a            n/a
rule 1     table 2     1     n/a            n/a

clear counters acl

[command]
clear counters acl

[purpose]
Clear ACL hit counts.

[use cases]
sonic# clear counters acl

access list

[command]
access list { table type } { table name } { table stage }
no access list { table name }

[purpose]
Create an ACL table and enter ACL view.

[view]
System configuration view

[use cases]
sonic# configure terminal
sonic(config)# access list l3 table 1 ingress

rule

[command]
rule { rule id } [{packet action {deny|permit|trap to cpu|copy to cpu}|redirect action}] [src mac { src mac }] [ethernet type { ethernet type }] [vlan pri { vlan pri }] [src ip { src ip }] [dst ip { dst ip }] [icmp type { icmp type }] [icmp code { icmp code }] [icmp name { icmp name }] [src port { src port }] [dst port { dst port }] [ip type { ip type }]
no rule { rule id }

[purpose]
Add ACL rules.

[view]
ACL view

[notes]
Multiple ACL rules can exist per table. Rule ID: the higher the value, the higher the priority. The same table does not allow two rules with the same priority.

[use cases]
sonic# configure terminal
sonic(config)# access list l3 table 1 ingress
sonic(config-l3-acl-table-1)# rule 1 source ip 10.0.0.3/24 packet action permit

acl

[command]
acl { acl name }
no acl { acl name }

[purpose]
Bind an ACL table to an interface.

[view]
System configuration view, interface configuration view, VLANIF view, LAG view

[comment]
An ACL table is bound to ports; once bound to a port, the ACL table takes effect on the traffic of that port. One ACL table can be bound to multiple ports, and one port can have multiple ACL tables bound to it, a "many to many" relationship. When the ACL table is bound in the global view, it takes effect on all physical interfaces on the device's panels.

[use cases]
sonic# configure terminal
sonic(config)# acl test
sonic(config)# interface ethernet 1
sonic(config-if-1)# acl test1
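The priority rules above (higher priority value wins, no two rules with the same priority in one table) can be checked offline before a change window. The following is an added example, not the device's own code: a small evaluator that loads the dataacl rules shown in the show acl rule output and reports which rule a constructed packet would hit. It covers only the match fields that appear on this page (src ip, dst ip, l4 src port, ip protocol); the packet dict layout and the default "permit" for unmatched traffic are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    rule_id: str
    priority: int
    action: str                        # "drop" or "permit", as in show acl rule
    src_ip: Optional[str] = None       # CIDR prefix, e.g. "10.0.0.2/32"
    dst_ip: Optional[str] = None
    l4_src_port: Optional[int] = None
    ip_protocol: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        # Every configured field must match; unset fields act as wildcards.
        if self.src_ip and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst_ip, strict=False):
            return False
        if self.l4_src_port is not None and pkt.get("sport") != self.l4_src_port:
            return False
        if self.ip_protocol is not None and pkt.get("proto") != self.ip_protocol:
            return False
        return True

class AclTable:
    def __init__(self, name: str):
        self.name = name
        self.rules = {}

    def add_rule(self, rule: Rule) -> None:
        # Page note: the same table does not allow two rules with the same priority.
        if any(r.priority == rule.priority for r in self.rules.values()):
            raise ValueError(f"{self.name}: priority {rule.priority} already in use")
        self.rules[rule.rule_id] = rule

    def evaluate(self, pkt: dict, default: str = "permit"):
        # Highest priority value wins; the first matching rule in that order decides.
        for r in sorted(self.rules.values(), key=lambda r: r.priority, reverse=True):
            if r.matches(pkt):
                return r.rule_id, r.action
        return None, default               # assumed default when nothing matches

def build_dataacl() -> AclTable:
    # Rules transcribed from the "show acl rule" output on this page.
    t = AclTable("dataacl")
    t.add_rule(Rule("rule 1", 9999, "drop", src_ip="10.0.0.2/32"))
    t.add_rule(Rule("rule 2", 9998, "drop", dst_ip="192.168.0.16/32"))
    t.add_rule(Rule("rule 3", 9997, "drop", l4_src_port=4661))
    t.add_rule(Rule("rule 4", 9996, "drop", ip_protocol=126))
    t.add_rule(Rule("rule 13", 9987, "drop", ip_protocol=1))
    return t
```

A packet with source port 4661 and IP protocol 1 matches both rule 3 and rule 13, and the evaluator attributes it to rule 3 because 9997 is the higher priority.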
