ACL Configuration

[Command] show acl table [ table_name ]

[Purpose] Show existing ACL tables

[Parameter]

Parameter    Description
-----------  ----------------------
table_name   Specify the table name

[View] System view

[Use Cases]

sonic# show acl table
Name Type Binding Description Stage
------- ----------- --------- ------------- -------
TABLE_2 L3 Ethernet8 TABLE_2 ingress

[Command] show acl rule [ table_name ] [ rule_id ]

[Purpose] Show existing ACL rules

[Parameter]

Parameter    Description
-----------  ----------------------
table_name   Specify the table name
rule_id      Specify the rule name

[View] System view

[Use Cases]

sonic# show acl rule
Table Rule Priority Action Match
------- ------------ ---------- -------- -----------------------
DATAACL RULE_1 9999 DROP SRC_IP: 10.0.0.2/32
DATAACL RULE_2 9998 DROP DST_IP: 192.168.0.16/32
DATAACL RULE_3 9997 DROP L4_SRC_PORT: 4661
DATAACL RULE_4 9996 DROP IP_PROTOCOL: 126
DATAACL RULE_13 9987 DROP IP_PROTOCOL: 1
sonic# show acl rule TABLE_1 RULE_1
Table Rule Priority Action Match
------- ------ ---------- -------- --------------------
TABLE_1 RULE_1 100 DROP SRC_IP: 200.0.0.2/24

[Command] show counters acl [ acl_table_name ] [ rule_id ]

[Purpose] Show ACL hit count

[Parameter]

Parameter        Description
---------------  --------------
acl_table_name   ACL table name
rule_id          Rule ID

[View] System view

[Notes] Multiple tables and rules can be given in one command, either as table names only or as a table followed by its rules. Table names are separated from each other by ",", rule names are separated from each other by ","; a table name and its rule list are separated by a space.

[Use Cases]

sonic# show counters acl TABLE_1,TABLE_2
RULE NAME TABLE NAME PRIO PACKETS COUNT BYTES COUNT
----------- ------------ ------ --------------- -------------
RULE_1 TABLE_1 100 N/A N/A
rule_2 TABLE_2 2 N/A N/A
rule_1 TABLE_2 1 N/A N/A

[Command] clear counters acl

[Purpose] Clear ACL hit count

[Use Cases]

sonic# clear counters acl

[Command] access-list { table_type } { table_name } { table_stage }
no access-list { table_name }

[Purpose] Create ACL table and enter ACL view

[Parameter]

Parameter    Description
-----------  ------------------------------------------------------
table_type   ACL table type; options: L3, L3v6, CTRLPLANE
table_name   ACL table name
table_stage  Inbound or outbound direction: ingress or egress

[View] System configuration view

[Use Cases]

sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress

[Command] rule { rule_id } [ { packet-action { deny | permit | trap-to-cpu | copy-to-cpu } | redirect-action } ] [ src-mac src_mac ] [ ethernet-type ethernet_type ] [ vlan-pri vlan_pri ] [ src-ip src_ip ] [ dst-ip dst_ip ] [ icmp-type icmp_type ] [ icmp-code icmp_code ] [ icmp-name icmp_name ] [ src-port src_port ] [ dst-port dst_port ] [ ip-type ip_type ]
no rule { rule_id }

[Purpose] Add ACL rules

[Parameter]

Parameter      Description
-------------  ------------------------------------------------------------------------
rule_id        Rule ID, value range: 0-500; also the rule priority (a higher number means a higher priority); values must be unique
packet_action  Packet processing action for matched rules:
               deny - discard
               permit - allow passage
               trap-to-cpu - forward to the CPU for processing
               copy-to-cpu - allow passage and simultaneously copy the packet to the CPU for processing
ethernet_type  Ethertype, format: hexadecimal number
vlan_pri       VLAN priority, value range: 0-7
src_ip         Source IP address, format: A.B.C.D/M
dst_ip         Destination IP address, format: A.B.C.D/M
icmp_type      ICMP message type, value range: 0-16
icmp_code      ICMP message code, value range: 0-5
icmp_name      ICMP message name
src_port       Source L4 port
dst_port       Destination L4 port
ip_type        IP type

[View] ACL view

[Notes] A table can hold multiple ACL rules. The higher the rule_id value, the higher the rule's priority; two rules with the same priority are not allowed in the same table.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
sonic(config-l3-acl-table_1)# rule 1 source-ip 10.0.0.3/24 packet-action permit
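The `show acl rule` listing above and the rule-priority note (higher rule_id wins, no duplicate priorities per table) can be checked offline. This added example, which is not part of this page or the switch software, parses a constructed copy of that output, orders each table's rules the way the switch evaluates them, flags duplicate priorities, and reports which rule a given packet would hit first; the sample rows and the packet field names (the Match column keys) are assumptions of the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on this page's listings; the last row deliberately
# repeats a priority so duplicate_priorities() has something to report.
SAMPLE = """\
Table    Rule     Priority  Action  Match
-------  -------  --------  ------  -----------------------
DATAACL  RULE_1   9999      DROP    SRC_IP: 10.0.0.2/32
DATAACL  RULE_2   9998      DROP    DST_IP: 192.168.0.16/32
DATAACL  RULE_4   9996      DROP    IP_PROTOCOL: 126
DATAACL  RULE_13  9987      DROP    IP_PROTOCOL: 1
TABLE_1  RULE_1   100       DROP    SRC_IP: 200.0.0.2/24
TABLE_1  RULE_X   100       DROP    DST_IP: 10.1.1.1/32
"""
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+):\s+(\S+)\s*$")

def parse_show_acl_rule(text):
    """Return {table: [rules]} ordered highest priority first; non-data rows skipped."""
    tables = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)  # header/separator rows have no numeric Priority column
        if m:
            table, rule, prio, action, key, value = m.groups()
            tables[table].append({"rule": rule, "priority": int(prio),
                                  "action": action, "match": {key: value}})
    return {t: sorted(rs, key=lambda r: r["priority"], reverse=True)
            for t, rs in tables.items()}

def duplicate_priorities(tables):
    """Priorities used by more than one rule in a table (the page forbids this)."""
    out = {}
    for table, rules in tables.items():
        prios = [r["priority"] for r in rules]
        dups = sorted({p for p in prios if prios.count(p) > 1})
        if dups:
            out[table] = dups
    return out

def _field_matches(key, value, packet):
    if key not in packet:
        return False
    if key in ("SRC_IP", "DST_IP"):  # prefix match; strict=False tolerates host bits
        return ipaddress.ip_address(packet[key]) in ipaddress.ip_network(value, strict=False)
    return str(packet[key]) == value

def first_hit(rules, packet):
    """Highest-priority rule whose Match fields all apply to packet, else None."""
    return next((r for r in rules
                 if all(_field_matches(k, v, packet) for k, v in r["match"].items())), None)
```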

[Command] acl { acl_name }
no acl { acl_name }

[Purpose] Bind an ACL table to an interface

[Parameter]

Parameter  Description
---------  --------------
acl_name   ACL table name

[View] System configuration view, interface configuration view, VLANIF view, LAG view

[Notes] Binding attaches an ACL table to ports: once bound to a port, the table takes effect on the traffic of that port. One ACL table can be bound to multiple ports, and one port can carry multiple ACL tables, a "many-to-many" relationship. When the ACL table is bound in the global (system configuration) view, it takes effect on all physical interfaces on the device's panel.

[Use Cases]

sonic# configure terminal
sonic(config)# acl test
sonic(config)# interface ethernet 1
sonic(config-if-1)# acl test1