# acl

NETCONF Configuration Guide: YANG API Reference
Asternos model for access control lists.

## YANG tree diagram

```
module: asternos-acl
  +--rw access-lists
     +--rw access-list* [name]
        +--rw name                   string
        +--rw type                   identityref
        +--rw stage?                 acl-stage
        +--rw services*              identityref
        +--rw description?           string
        +--rw bind-intfs*            if:interface-ref
        +--rw access-list-entries
           +--rw access-list-entry* [ruleid]
              +--rw ruleid     uint16
              +--rw actions
              |  +--rw packet-action?            identityref
              |  +--rw ingress-mirror-session?   uint8
              |  +--rw egress-mirror-session?    uint8
              |  +--rw set-dscp?                 uint8
              |  +--rw ingress-sample-rate?      uint32
              |  +--rw egress-sample-rate?       uint32
              |  +--rw traffic-behavior?         string
              |  +--rw redirect-action?          redirect-destination
              +--rw matches
                 +--rw ethernet-type?      string
                 +--rw outer-vlan?         string
                 +--rw ip-type?            acl-ip-type
                 +--rw ip-protocol?        uint8
                 +--rw source-ip?          inet:ipv4-address
                 +--rw destination-ip?     inet:ipv4-address
                 +--rw source-ipv6?        inet:ipv6-address
                 +--rw destination-ipv6?   inet:ipv6-address
                 +--rw icmp-type?          uint8
                 +--rw icmpv6-type?        uint8
                 +--rw source-port?        inet:port-number
                 +--rw destination-port?   inet:port-number
                 +--rw vlan-pri?           uint8
                 +--rw source-mac?         yang:mac-address
                 +--rw dscp?               uint8

  rpcs:
    +---x show-counters-acl
    |  +---w input
    |  |  +---w table-name    string
    |  |  +---w rule-id       string
    |  +--ro output
    |     +--ro data?   <anydata>
    +---x clear-counters-acl
```

## Resources

| Path | Access |
|---|---|
| /access-lists | read-write |
| /access-lists/access-list | read-write |
| /access-lists/access-list/name | read-write |
| /access-lists/access-list/type | read-write |
| /access-lists/access-list/stage | read-write |
| /access-lists/access-list/services | read-write |
| /access-lists/access-list/description | read-write |
| /access-lists/access-list/bind-intfs | read-write |
| /access-lists/access-list/access-list-entries | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/ruleid | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6 | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6 | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-port | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac | read-write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/dscp | read-write |

## Detailed nodes

### /access-lists

- Node type: container
- Access: read-write

### /access-lists/access-list

- Node type: list
- Access: read-write
- Constraints: has local type

### /access-lists/access-list/name

- Node type: leaf
- Access: read-write
- Data type: string
- Constraints: string with length 1 to 64

### /access-lists/access-list/type

- Node type: leaf
- Access: read-write
- Data type: identityref
- Constraints: identityref with options `ctrlplane`, `l3`, `l3v6`, `ctrlplanev6`
- Mandatory: yes

### /access-lists/access-list/stage

- Node type: leaf
- Access: read-write
- Data type: acl-stage
- Constraints: enumeration with options `ingress`, `egress`

### /access-lists/access-list/services

- Node type: leaf-list
- Description: Only supported on tables where `type` is `ctrlplane`.
- Access: read-write
- Data type: identityref
- Constraints: identityref with options `snmp`, `telnet`, `ssh`, `ntp`

### /access-lists/access-list/description

- Node type: leaf
- Access: read-write
- Data type: string

### /access-lists/access-list/bind-intfs

- Node type: leaf-list
- Description: The ACL rule can be bound to either an aggregation port or an Ethernet port to take effect.
- Access: read-write
- Data type: interface-ref
- Constraints (multiple): must condition `starts-with(., 'Ethernet') or starts-with(., 'PortChannel')`; leafref pointing to `asternos-interfaces:interface-ref`

### /access-lists/access-list/access-list-entries

- Node type: container
- Access: read-write

### /access-lists/access-list/access-list-entries/access-list-entry

- Node type: list
- Access: read-write

### /access-lists/access-list/access-list-entries/access-list-entry/ruleid

- Node type: leaf
- Access: read-write
- Data type: uint16
- Constraints: valid range 0 to 2999

### /access-lists/access-list/access-list-entries/access-list-entry/actions

- Node type: container
- Access: read-write

### /access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action

- Node type: leaf
- Description: Specifies the packet action to be taken as part of the ACL rule. This action determines whether matched packets are forwarded, dropped, or processed further. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress, ctrlplane/ctrlplanev6 ingress.
- Access: read-write
- Data type: identityref
- Constraints: identityref with options `copy`, `trap`, `forward`, `drop`

### /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session

- Node type: leaf
- Description: Configures an ingress mirror session identifier (1 to 7) for mirroring incoming traffic. This action duplicates traffic to a monitoring or analysis port. Applicable to ACL tables: mirror/mirrorv6 ingress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 1 to 7

### /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session

- Node type: leaf
- Description: Configures an egress mirror session identifier (1 to 7) for mirroring outgoing traffic. Facilitates traffic analysis by directing a copy of the traffic to a designated port. Applicable to ACL tables: mirror/mirrorv6 egress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 1 to 7

### /access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp

- Node type: leaf
- Description: Sets the DSCP value of matched packets. Applicable to ACL tables: Layer 3 IPv4/IPv6 egress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 0 to 63

### /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate

- Node type: leaf
- Description: Sets the sample rate for ingress traffic. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress.
- Access: read-write
- Data type: uint32
- Constraints: valid range 8000 to 1000000

### /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate

- Node type: leaf
- Description: Sets the sample rate for egress traffic. Applicable to ACL tables: Layer 3 IPv4/IPv6 egress.
- Access: read-write
- Data type: uint32
- Constraints: valid range 8000 to 1000000

### /access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior

- Node type: leaf
- Description: Configures an interface rate-limiting policy for matched traffic. Applicable to ACL tables: Layer 2 ingress, Layer 3 IPv4/IPv6 ingress, mirror/mirrorv6 ingress, flowctrl ingress.
- Access: read-write
- Data type: string

### /access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action

- Node type: leaf
- Description: Defines the redirection destination for matched packets. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress.
- Access: read-write
- Data type: redirect-destination
- Constraints (multiple):
  - The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a `%` sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.
  - The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a `%` sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format for the zone index is the numerical format.

### /access-lists/access-list/access-list-entries/access-list-entry/matches

- Node type: container
- Access: read-write

### /access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type

- Node type: leaf
- Description: Matches the Ethernet frame type in the ACL rule. It accepts hexadecimal values from 0x0000 to 0xffff, which distinguishes between Layer 2 protocols. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: string

### /access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan

- Node type: leaf
- Description: Matches the outer VLAN tag of a tagged frame. Supports VLAN IDs from 1 to 4094, with an optional EtherType (in hexadecimal) following a slash (`/`) for further refinement. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: string

### /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type

- Node type: leaf
- Description: Matches the IP type (non-ip/ipv4any/ipv6any/arp) to be inspected by the ACL. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: acl-ip-type
- Constraints: enumeration with options `non-ip`, `ipv4any`, `ipv6any`, `arp`

### /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol

- Node type: leaf
- Description: Matches the protocol field in the IP header, accepting values between 0 and 255, to filter traffic by the upper-layer protocol used. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 0 to 255

### /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip

- Node type: leaf
- Description: Matches the source IPv4 address, filtering traffic by its origin. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, ctrlplane ingress.
- Access: read-write
- Data type: ipv4-address
- Constraints: The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a `%` sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format for the zone index is the numerical format.

### /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip

- Node type: leaf
- Description: Matches the destination IPv4 address, filtering traffic by its intended endpoint. Applicable to ACL tables: Layer 3 IPv4 ingress/egress, ctrlplane ingress.
- Access: read-write
- Data type: ipv4-address
- Constraints: The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a `%` sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format for the zone index is the numerical format.

### /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6

- Node type: leaf
- Description: Matches the source IPv6 address, filtering traffic by its origin. Applicable to ACL tables: Layer 3 IPv6 ingress/egress, ctrlplanev6 ingress.
- Access: read-write
- Data type: ipv6-address
- Constraints: The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a `%` sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

### /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6

- Node type: leaf
- Description: Matches the destination IPv6 address, filtering traffic by its intended endpoint. Applicable to ACL tables: Layer 3 IPv6 ingress/egress, ctrlplanev6 ingress.
- Access: read-write
- Data type: ipv6-address
- Constraints: The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a `%` sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

### /access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type

- Node type: leaf
- Description: Matches ICMP traffic by message type. Applicable to ACL tables: Layer 3 IPv4 ingress/egress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 0 to 16

### /access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type

- Node type: leaf
- Description: Matches ICMPv6 traffic by message type. Applicable to ACL tables: Layer 3 IPv6 ingress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 1 to 137

### /access-lists/access-list/access-list-entries/access-list-entry/matches/source-port

- Node type: leaf
- Description: Matches the source transport-layer port number. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: port-number
- Constraints: valid range 0 to 65535

### /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port

- Node type: leaf
- Description: Matches the destination transport-layer port number. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: port-number
- Constraints: valid range 0 to 65535

### /access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri

- Node type: leaf
- Description: Matches the 3-bit VLAN priority code point. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 0 to 7

### /access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac

- Node type: leaf
- Description: Matches the source MAC address. Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress.
- Access: read-write
- Data type: mac-address
- Constraints: The mac-address type represents an IEEE 802 MAC address. The canonical representation uses lowercase characters. In the value set and its semantics, this type is equivalent to the MacAddress textual convention of the SMIv2.

### /access-lists/access-list/access-list-entries/access-list-entry/matches/dscp

- Node type: leaf
- Description: Matches the Differentiated Services Code Point in the IP header, allowing quality-of-service (QoS) differentiation, with a range of 0 to 63. Applicable to ACL tables: Layer 3 IPv4 or IPv6 ingress/egress.
- Access: read-write
- Data type: uint8
- Constraints: valid range 0 to 63
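The constraints above (valid ranges, the identityref and enumeration options, the `services`-only-on-`ctrlplane` rule, the `bind-intfs` must-condition) are exactly what a NETCONF server checks before committing an ACL. The following is an added example, not code from the Asternos documentation or the asternos-acl module: a client-side pre-flight validator that applies those constraints to an ACL described as a Python dict, plus a builder that serialises the same dict into the `<config>` payload of an `edit-config` request. Assumptions: `ACL_NS` is a placeholder because the page does not give the module's XML namespace URI; interface names are written with SONiC-style capitalisation (`Ethernet1`, `PortChannel1`), which the page's lowercased must-condition does not confirm; and the sample ACL is constructed here. Evaluation order between entries is not stated on this page, so the sample relies on the lower `ruleid` taking precedence only as an assumption.

```python
"""Pre-flight validator and edit-config payload builder for the asternos-acl model.
Added example, not code from the Asternos documentation: it encodes the constraints
listed on this page so a bad ACL fails locally rather than as a NETCONF rpc-error.
Assumptions: ACL_NS is a placeholder (the page gives no namespace URI) and interface
names use SONiC-style capitalisation (Ethernet1, PortChannel1)."""
import ipaddress
import xml.etree.ElementTree as ET

ACL_NS = "urn:example:asternos-acl"                 # PLACEHOLDER, see docstring
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"   # standard NETCONF base namespace
ET.register_namespace("acl", ACL_NS)
ET.register_namespace("nc", NC_NS)

ACL_TYPES = {"ctrlplane", "l3", "l3v6", "ctrlplanev6"}
STAGES = {"ingress", "egress"}
SERVICES = {"snmp", "telnet", "ssh", "ntp"}          # only on ctrlplane tables
PACKET_ACTIONS = {"copy", "trap", "forward", "drop"}
RANGES = {  # leaf -> inclusive (min, max), from the "valid range" constraints above
    "ruleid": (0, 2999), "ingress-mirror-session": (1, 7),
    "egress-mirror-session": (1, 7), "set-dscp": (0, 63), "dscp": (0, 63),
    "ingress-sample-rate": (8000, 1000000), "egress-sample-rate": (8000, 1000000),
    "ip-protocol": (0, 255), "icmp-type": (0, 16), "icmpv6-type": (1, 137),
    "source-port": (0, 65535), "destination-port": (0, 65535), "vlan-pri": (0, 7),
}
ADDR_LEAVES = {"source-ip": 4, "destination-ip": 4, "source-ipv6": 6, "destination-ipv6": 6}

def _check_leaf(leaf, value, errors):
    # Range and address-family checks shared by the actions and matches containers.
    if leaf in RANGES:
        lo, hi = RANGES[leaf]
        if not isinstance(value, int) or not lo <= value <= hi:
            errors.append(f"{leaf}={value!r} outside valid range {lo}..{hi}")
    elif leaf in ADDR_LEAVES:
        try:
            if ipaddress.ip_address(value).version != ADDR_LEAVES[leaf]:
                raise ValueError
        except ValueError:
            errors.append(f"{leaf}={value!r} is not a valid IPv{ADDR_LEAVES[leaf]} address")

def validate_access_list(acl):
    """Return the list of constraint violations; an empty list means the ACL is acceptable."""
    errors = []
    if not 1 <= len(acl.get("name", "")) <= 64:
        errors.append("name must be 1 to 64 characters")
    if acl.get("type") not in ACL_TYPES:                 # type is mandatory
        errors.append(f"type must be one of {sorted(ACL_TYPES)}")
    if "stage" in acl and acl["stage"] not in STAGES:
        errors.append("stage must be ingress or egress")
    if acl.get("services") and acl.get("type") != "ctrlplane":
        errors.append("services is only supported when type is ctrlplane")
    errors += [f"unknown service {s!r}" for s in acl.get("services", []) if s not in SERVICES]
    for intf in acl.get("bind-intfs", []):               # must-condition on bind-intfs
        if not intf.startswith(("Ethernet", "PortChannel")):
            errors.append(f"bind-intfs {intf!r} must start with Ethernet or PortChannel")
    for entry in acl.get("entries", []):
        _check_leaf("ruleid", entry.get("ruleid"), errors)
        actions, matches = entry.get("actions", {}), entry.get("matches", {})
        if "packet-action" in actions and actions["packet-action"] not in PACKET_ACTIONS:
            errors.append(f"packet-action {actions['packet-action']!r} not allowed")
        for leaf, value in list(actions.items()) + list(matches.items()):
            _check_leaf(leaf, value, errors)
    return errors

def _leaf(parent, tag, value):
    ET.SubElement(parent, f"{{{ACL_NS}}}{tag}").text = str(value)

def build_edit_config(acl):
    """Serialise the ACL as the <config> payload of a NETCONF edit-config."""
    config = ET.Element(f"{{{NC_NS}}}config")
    node = ET.SubElement(ET.SubElement(config, f"{{{ACL_NS}}}access-lists"),
                         f"{{{ACL_NS}}}access-list")
    for leaf in ("name", "type", "stage", "description"):
        if leaf in acl:
            _leaf(node, leaf, acl[leaf])
    for leaf in ("services", "bind-intfs"):              # leaf-lists: one element per value
        for value in acl.get(leaf, []):
            _leaf(node, leaf, value)
    entries = ET.SubElement(node, f"{{{ACL_NS}}}access-list-entries")
    for entry in acl.get("entries", []):
        e = ET.SubElement(entries, f"{{{ACL_NS}}}access-list-entry")
        _leaf(e, "ruleid", entry["ruleid"])
        for container in ("actions", "matches"):
            c = ET.SubElement(e, f"{{{ACL_NS}}}{container}")
            for leaf, value in entry.get(container, {}).items():
                _leaf(c, leaf, value)
    return ET.tostring(config, encoding="unicode")

SAMPLE_ACL = {  # constructed sample: L3 ingress ACL on Ethernet1 limiting SSH to one host
    "name": "SSH_GUARD", "type": "l3", "stage": "ingress", "bind-intfs": ["Ethernet1"],
    "entries": [{"ruleid": 10, "actions": {"packet-action": "forward"},
                 "matches": {"source-ip": "10.0.0.5", "ip-protocol": 6, "destination-port": 22}},
                {"ruleid": 20, "actions": {"packet-action": "drop"},
                 "matches": {"ip-protocol": 6, "destination-port": 22}}],
}
BAD_ACL = {  # constructed: breaks name length, bind-intfs, ruleid, set-dscp and source-ip
    "name": "", "type": "l3", "bind-intfs": ["Vlan10"],
    "entries": [{"ruleid": 3000, "actions": {"set-dscp": 70},
                 "matches": {"source-ip": "10.0.0.300"}}],
}
```

`validate_access_list(SAMPLE_ACL)` returns an empty list, while `validate_access_list(BAD_ACL)` returns five violations, one per broken constraint. Once the list is empty, the string from `build_edit_config` can be handed to a NETCONF client such as ncclient's `manager.edit_config(target="candidate", config=...)`; keeping the validator in front of the session means a malformed ACL never reaches the device's candidate datastore, and the error messages name the offending leaf rather than an opaque `rpc-error`.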
