NETCONF Configuration Guide
YANG API Reference
acl
Module description

  asternos model for access control list.

YANG tree diagram

  module: asternos-acl
    +--rw access-lists
       +--rw access-list* [name]
          +--rw name                  string
          +--rw type                  identityref
          +--rw stage?                acl-stage
          +--rw services*             identityref
          +--rw description?          string
          +--rw bind-intfs*           if:interface-ref
          +--rw access-list-entries
             +--rw access-list-entry* [ruleid]
                +--rw ruleid    uint16
                +--rw actions
                |  +--rw packet-action?            identityref
                |  +--rw ingress-mirror-session?   uint8
                |  +--rw egress-mirror-session?    uint8
                |  +--rw set-dscp?                 uint8
                |  +--rw ingress-sample-rate?      uint32
                |  +--rw egress-sample-rate?       uint32
                |  +--rw traffic-behavior?         string
                |  +--rw redirect-action?          redirect-destination
                +--rw matches
                   +--rw ethernet-type?      string
                   +--rw outer-vlan?         string
                   +--rw ip-type?            acl-ip-type
                   +--rw ip-protocol?        uint8
                   +--rw source-ip?          inet:ipv4-address
                   +--rw destination-ip?     inet:ipv4-address
                   +--rw source-ipv6?        inet:ipv6-address
                   +--rw destination-ipv6?   inet:ipv6-address
                   +--rw icmp-type?          uint8
                   +--rw icmpv6-type?        uint8
                   +--rw source-port?        inet:port-number
                   +--rw destination-port?   inet:port-number
                   +--rw vlan-pri?           uint8
                   +--rw source-mac?         yang:mac-address
                   +--rw dscp?               uint8

  rpcs:
    +---x show-counters-acl
    |  +---w input
    |  |  +---w table-name*   string
    |  |  +---w rule-id*      string
    |  +--ro output
    |     +--ro data?   <anydata>
    +---x clear-counters-acl

Resources

Resource list (every path below is read-write):

  /access-lists
  /access-lists/access-list
  /access-lists/access-list/name
  /access-lists/access-list/type
  /access-lists/access-list/stage
  /access-lists/access-list/services
  /access-lists/access-list/description
  /access-lists/access-list/bind-intfs
  /access-lists/access-list/access-list-entries
  /access-lists/access-list/access-list-entries/access-list-entry
  /access-lists/access-list/access-list-entries/access-list-entry/ruleid
  /access-lists/access-list/access-list-entries/access-list-entry/actions
  /access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action
  /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session
  /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session
  /access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp
  /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate
  /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate
  /access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior
  /access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action
  /access-lists/access-list/access-list-entries/access-list-entry/matches
  /access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type
  /access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan
  /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type
  /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol
  /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip
  /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip
  /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6
  /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6
  /access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type
  /access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type
  /access-lists/access-list/access-list-entries/access-list-entry/matches/source-port
  /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port
  /access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri
  /access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac
  /access-lists/access-list/access-list-entries/access-list-entry/matches/dscp

Detailed nodes

/access-lists
  Node type:    container
  Access:       read-write

/access-lists/access-list
  Node type:    list
  Access:       read-write
  Constraints:  has local type

/access-lists/access-list/name
  Node type:    leaf
  Access:       read-write
  Data type:    string
  Constraints:  string with length 1 to 64

/access-lists/access-list/type
  Node type:    leaf
  Access:       read-write
  Data type:    identityref
  Constraints:  identityref with options: ctrlplane, l3, l3v6, ctrlplanev6
  Mandatory:    yes

/access-lists/access-list/stage
  Node type:    leaf
  Access:       read-write
  Data type:    acl-stage
  Constraints:  enumeration with options: ingress, egress
/access-lists/access-list/services
  Node type:    leaf-list
  Description:  Only supported on tables where type is ctrlplane.
  Access:       read-write
  Data type:    identityref
  Constraints:  identityref with options: snmp, telnet, ssh, ntp

/access-lists/access-list/description
  Node type:    leaf
  Access:       read-write
  Data type:    string

/access-lists/access-list/bind-intfs
  Node type:    leaf-list
  Description:  The ACL can be bound to either an aggregation (port-channel) port or an Ethernet port to take effect.
  Access:       read-write
  Data type:    interface-ref
  Constraints:  must condition: starts-with(., 'Ethernet') or starts-with(., 'PortChannel'); leafref pointing to asternos-interfaces:interface-ref

/access-lists/access-list/access-list-entries
  Node type:    container
  Access:       read-write

/access-lists/access-list/access-list-entries/access-list-entry
  Node type:    list
  Access:       read-write

/access-lists/access-list/access-list-entries/access-list-entry/ruleid
  Node type:    leaf
  Access:       read-write
  Data type:    uint16
  Constraints:  valid range 0 to 2999

/access-lists/access-list/access-list-entries/access-list-entry/actions
  Node type:    container
  Access:       read-write
/access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action
  Node type:    leaf
  Description:  Specifies the packet action taken by the ACL rule; it determines whether matching packets are forwarded, dropped, or processed further. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress, ctrlplane/ctrlplanev6 ingress.
  Access:       read-write
  Data type:    identityref
  Constraints:  identityref with options: copy, trap, forward, drop

/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session
  Node type:    leaf
  Description:  Configures an ingress mirror session identifier (1-7) for mirroring incoming traffic, duplicating it to a monitoring or analysis port. Applicable ACL tables: mirror/mirrorv6 ingress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 1 to 7

/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session
  Node type:    leaf
  Description:  Configures an egress mirror session identifier (1-7) for mirroring outgoing traffic, directing a copy of the traffic to a designated port for analysis. Applicable ACL tables: mirror/mirrorv6 egress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 1 to 7

/access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp
  Node type:    leaf
  Description:  Sets the DSCP value of matching packets. Applicable ACL tables: layer 3 IPv4/IPv6 egress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 0 to 63

/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate
  Node type:    leaf
  Description:  Sets the sample rate for ingress traffic. Applicable ACL tables: layer 3 IPv4/IPv6 ingress.
  Access:       read-write
  Data type:    uint32
  Constraints:  valid range 8000 to 1000000

/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate
  Node type:    leaf
  Description:  Sets the sample rate for egress traffic. Applicable ACL tables: layer 3 IPv4/IPv6 egress.
  Access:       read-write
  Data type:    uint32
  Constraints:  valid range 8000 to 1000000

/access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior
  Node type:    leaf
  Description:  Configures an interface rate-limiting (speed-limiting) policy. Applicable ACL tables: layer 2 ingress, layer 3 IPv4/IPv6 ingress, mirror/mirrorv6 ingress, flowctrl ingress.
  Access:       read-write
  Data type:    string

/access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action
  Node type:    leaf
  Description:  Defines the redirection destination for matched packets. Applicable ACL tables: layer 3 IPv4/IPv6 ingress.
  Access:       read-write
  Data type:    redirect-destination
  Constraints:  union of inet:ipv6-address and inet:ipv4-address.
    inet:ipv6-address: represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, an implementation needs some mechanism to transform the local name into UTF-8; the definition of such a mechanism is outside the scope of this document. The zone index is used to disambiguate identical address values; for link-local addresses it is typically the interface index number or the name of an interface. If the zone index is not present, the default zone of the device is used. The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952; the canonical format for the zone index is the numerical format described in Section 11.2 of RFC 4007.
    inet:ipv4-address: represents an IPv4 address in dotted-quad notation. The address may include a zone index, separated by a % sign, with the same UTF-8, disambiguation and default-zone rules as above. The canonical format for the zone index is the numerical format.

/access-lists/access-list/access-list-entries/access-list-entry/matches
  Node type:    container
  Access:       read-write

/access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type
  Node type:    leaf
  Description:  Matches the Ethernet frame type. Accepts hexadecimal values from 0x0000 to 0xffff, which distinguishes different L2 protocols. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    string

/access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan
  Node type:    leaf
  Description:  Matches the outer VLAN tag of a tagged frame: a VLAN ID from 1 to 4094, optionally followed by a slash (/) and an EtherType in hexadecimal for further refinement. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    string

/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type
  Node type:    leaf
  Description:  Matches the IP type (non-ip, ipv4any, ipv6any, arp) inspected by the ACL. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    acl-ip-type
  Constraints:  enumeration with options: non-ip, ipv4any, ipv6any, arp

/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol
  Node type:    leaf
  Description:  Matches the protocol field of the IP header (0 to 255) to filter traffic by the upper-layer protocol. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 0 to 255

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip
  Node type:    leaf
  Description:  Matches the source IPv4 address to filter traffic by its origin. Applicable ACL tables: layer 3 IPv4 ingress/egress, ctrlplane ingress.
  Access:       read-write
  Data type:    inet:ipv4-address
  Constraints:  see inet:ipv4-address under redirect-action above

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip
  Node type:    leaf
  Description:  Matches the destination IPv4 address to filter traffic by its intended endpoint. Applicable ACL tables: layer 3 IPv4 ingress/egress, ctrlplane ingress.
  Access:       read-write
  Data type:    inet:ipv4-address
  Constraints:  see inet:ipv4-address under redirect-action above

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6
  Node type:    leaf
  Description:  Matches the source IPv6 address to filter traffic by its origin. Applicable ACL tables: layer 3 IPv6 ingress/egress, ctrlplanev6 ingress.
  Access:       read-write
  Data type:    inet:ipv6-address
  Constraints:  see inet:ipv6-address under redirect-action above

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6
  Node type:    leaf
  Description:  Matches the destination IPv6 address to filter traffic by its intended endpoint. Applicable ACL tables: layer 3 IPv6 ingress/egress, ctrlplanev6 ingress.
  Access:       read-write
  Data type:    inet:ipv6-address
  Constraints:  see inet:ipv6-address under redirect-action above

/access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type
  Node type:    leaf
  Description:  Matches ICMP traffic by message type. Applicable ACL tables: layer 3 IPv4 ingress/egress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 0 to 16

/access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type
  Node type:    leaf
  Description:  Matches ICMPv6 traffic by message type. Applicable ACL tables: layer 3 IPv6 ingress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 1 to 137

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-port
  Node type:    leaf
  Description:  Matches the source transport-layer port number. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    inet:port-number
  Constraints:  valid range 0 to 65535

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port
  Node type:    leaf
  Description:  Matches the destination transport-layer port number. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    inet:port-number
  Constraints:  valid range 0 to 65535

/access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri
  Node type:    leaf
  Description:  Matches the 3-bit VLAN priority code point. Applicable ACL tables: layer 3 IPv4/IPv6 ingress/egress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 0 to 7

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac
  Node type:    leaf
  Description:  Matches the source MAC address. Applicable ACL tables: layer 3 IPv4/IPv6 ingress.
  Access:       read-write
  Data type:    yang:mac-address
  Constraints:  The mac-address type represents an IEEE 802 MAC address. The canonical representation uses lowercase characters. In its value set and semantics, this type is equivalent to the MacAddress textual convention of SMIv2.

/access-lists/access-list/access-list-entries/access-list-entry/matches/dscp
  Node type:    leaf
  Description:  Matches the Differentiated Services Code Point in the IP header (0 to 63), allowing quality-of-service (QoS) differentiation. Applicable ACL tables: layer 3 IPv4 or IPv6 ingress/egress.
  Access:       read-write
  Data type:    uint8
  Constraints:  valid range 0 to 63

RPCs

show-counters-acl

Resource list:

  /show-counters-acl/input               read-write
  /show-counters-acl/input/table-name    read-write
  /show-counters-acl/input/rule-id       read-write
  /show-counters-acl/output              read-only
  /show-counters-acl/output/data         read-only

/show-counters-acl/input
  Node type:    container
  Access:       read-write

/show-counters-acl/input/table-name
  Node type:    leaf-list
  Description:  ACL table name.
  Access:       read-write
  Data type:    string

/show-counters-acl/input/rule-id
  Node type:    leaf-list
  Description:  ACL rule ID.
  Access:       read-write
  Data type:    string

/show-counters-acl/output
  Node type:    container
  Access:       read-only

/show-counters-acl/output/data
  Node type:    anydata
  Description:  The rule counters for the rules selected by the input values (table-name, rule-id).
  Access:       read-only
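The model above is only as safe as the payload a controller sends to it: a services list on a non-ctrlplane table, a bind-intfs value that is not an Ethernet or PortChannel port, or a ruleid outside 0-2999 is rejected by the device at commit time, after the rest of a batch may already have been applied. The following is an added example (not code from this reference or from the vendor) that validates a table against the constraints listed on this page before serialising it as an edit-config body, and builds the show-counters-acl RPC body. It assumes a placeholder module namespace (ACL_NS; the page does not state the real one, which must be read from the device's hello capabilities) and the Ethernet*/PortChannel* interface spelling implied by the bind-intfs must-condition; the hosts, interface and table names in the sample data are constructed for the example.

```python
"""asternos-acl pre-flight validation and NETCONF payload generation.
Added example for this page, not vendor code. ASSUMPTIONS: ACL_NS is a placeholder
(the page gives no namespace; take it from the device's <hello>), and interface
names use the Ethernet*/PortChannel* spelling implied by the bind-intfs must-condition."""
import xml.etree.ElementTree as ET

ACL_NS = "urn:example:asternos-acl"  # ASSUMPTION: placeholder, not the real namespace
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
ET.register_namespace("acl", ACL_NS)
ET.register_namespace("nc", NC_NS)

# Constraints transcribed from the detailed-node descriptions above.
ACL_TYPES = {"ctrlplane", "ctrlplanev6", "l3", "l3v6"}
SERVICES = {"snmp", "telnet", "ssh", "ntp"}
ENUMS = {"packet-action": {"copy", "trap", "forward", "drop"},
         "ip-type": {"non-ip", "ipv4any", "ipv6any", "arp"}}
ACTION_LEAVES = ["packet-action", "ingress-mirror-session", "egress-mirror-session", "set-dscp",
                 "ingress-sample-rate", "egress-sample-rate", "traffic-behavior", "redirect-action"]
MATCH_LEAVES = ["ethernet-type", "outer-vlan", "ip-type", "ip-protocol", "source-ip",
                "destination-ip", "source-ipv6", "destination-ipv6", "icmp-type", "icmpv6-type",
                "source-port", "destination-port", "vlan-pri", "source-mac", "dscp"]
RANGES = {"ruleid": (0, 2999), "ingress-mirror-session": (1, 7), "egress-mirror-session": (1, 7),
          "set-dscp": (0, 63), "ingress-sample-rate": (8000, 1_000_000),
          "egress-sample-rate": (8000, 1_000_000), "ip-protocol": (0, 255), "icmp-type": (0, 16),
          "icmpv6-type": (1, 137), "source-port": (0, 65535), "destination-port": (0, 65535),
          "vlan-pri": (0, 7), "dscp": (0, 63)}


def _check(leaf, value):
    """Range and enumeration checks for a single leaf value."""
    if leaf in RANGES and not RANGES[leaf][0] <= value <= RANGES[leaf][1]:
        raise ValueError(f"{leaf}={value!r} outside {RANGES[leaf]}")
    if leaf in ENUMS and value not in ENUMS[leaf]:
        raise ValueError(f"{leaf}={value!r} not in {sorted(ENUMS[leaf])}")


def validate_acl(acl):
    """Raise ValueError for anything the model's constraints say the device will reject."""
    if not 1 <= len(acl["name"]) <= 64 or acl["type"] not in ACL_TYPES:
        raise ValueError("name must be 1..64 chars and type one of " + ", ".join(sorted(ACL_TYPES)))
    if acl.get("stage") not in (None, "ingress", "egress"):
        raise ValueError("stage must be ingress or egress")
    services = set(acl.get("services", []))
    # services: only snmp/telnet/ssh/ntp and only on ctrlplane tables (ctrlplanev6 assumed too)
    if services - SERVICES or (services and not acl["type"].startswith("ctrlplane")):
        raise ValueError("services is only supported on ctrlplane tables")
    for intf in acl.get("bind-intfs", []):  # must: starts-with Ethernet or PortChannel
        if not intf.startswith(("Ethernet", "PortChannel")):
            raise ValueError(f"bind-intfs {intf!r} is not an Ethernet or PortChannel port")
    seen = set()
    for entry in acl.get("entries", []):
        _check("ruleid", entry["ruleid"])
        if entry["ruleid"] in seen:
            raise ValueError(f"duplicate ruleid {entry['ruleid']}")
        seen.add(entry["ruleid"])
        for section, allowed in (("actions", ACTION_LEAVES), ("matches", MATCH_LEAVES)):
            for leaf, value in entry.get(section, {}).items():
                if leaf not in allowed:
                    raise ValueError(f"{leaf!r} is not a {section} leaf")
                _check(leaf, value)


def _q(tag):
    return f"{{{ACL_NS}}}{tag}"


def build_edit_config(acls, operation="merge"):
    """<config> body for <edit-config>; every table is validated before it is serialised."""
    config = ET.Element(f"{{{NC_NS}}}config")
    lists = ET.SubElement(config, _q("access-lists"))
    for acl in acls:
        validate_acl(acl)
        a = ET.SubElement(lists, _q("access-list"), {f"{{{NC_NS}}}operation": operation})
        for leaf in ("name", "type", "stage", "description"):
            if leaf in acl:
                ET.SubElement(a, _q(leaf)).text = acl[leaf]
        for leaf in ("services", "bind-intfs"):  # leaf-lists: one element per value
            for value in acl.get(leaf, []):
                ET.SubElement(a, _q(leaf)).text = value
        entries = ET.SubElement(a, _q("access-list-entries"))
        for entry in acl.get("entries", []):
            e = ET.SubElement(entries, _q("access-list-entry"))
            ET.SubElement(e, _q("ruleid")).text = str(entry["ruleid"])
            for section, order in (("actions", ACTION_LEAVES), ("matches", MATCH_LEAVES)):
                if entry.get(section):
                    node = ET.SubElement(e, _q(section))
                    for leaf in order:  # model order, so the payload is deterministic
                        if leaf in entry[section]:
                            ET.SubElement(node, _q(leaf)).text = str(entry[section][leaf])
    return ET.tostring(config, encoding="unicode")


def build_show_counters_rpc(table_names=(), rule_ids=()):
    """Body of the show-counters-acl RPC; output/data is anydata, so it is not modelled here."""
    rpc = ET.Element(_q("show-counters-acl"))
    inp = ET.SubElement(rpc, _q("input"))
    for name in table_names:
        ET.SubElement(inp, _q("table-name")).text = name
    for rid in rule_ids:
        ET.SubElement(inp, _q("rule-id")).text = str(rid)
    return ET.tostring(rpc, encoding="unicode")


def leaf_texts(xml_text, leaf):
    """Text of every occurrence of an asternos-acl leaf in a payload, in document order."""
    return [el.text for el in ET.fromstring(xml_text).iter(_q(leaf))]


# Constructed sample data (addresses and interface are invented): SSH to the control plane
# only from one admin host, and drop telnet (TCP/23) arriving on Ethernet0.
MGMT_SSH_ACL = {"name": "MGMT-SSH", "type": "ctrlplane", "stage": "ingress", "services": ["ssh"],
                "entries": [{"ruleid": 10, "actions": {"packet-action": "forward"},
                             "matches": {"source-ip": "10.1.1.5"}},
                            {"ruleid": 20, "actions": {"packet-action": "drop"},
                             "matches": {"ip-type": "ipv4any"}}]}
NO_TELNET_ACL = {"name": "NO-TELNET", "type": "l3", "stage": "ingress", "bind-intfs": ["Ethernet0"],
                 "entries": [{"ruleid": 10, "actions": {"packet-action": "drop"},
                              "matches": {"ip-protocol": 6, "destination-port": 23}}]}
```

The ordering of the two MGMT-SSH rules matters: rule 10 admits the jump host and rule 20 drops everything else, so sending only rule 20 (or a merge that fails after it) locks every SSH client out. Wrap the edit-config in a candidate-datastore transaction with confirmed commit where the device supports it, and check counters with build_show_counters_rpc before making the change permanent.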
