Skip to content
AsterNOS
Ask AI

ACL Configuration

show acl table

Section titled “show acl table”

[Command] **show acl table ** [table_name ]

[Purpose] Show existing ACL tables

[Parameter]

ParameterDescription
table_nameSpecify ACL group name

[View] System view

[Use Cases]

sonic# show acl table
Name        Type     Binding   Description  Stage
------- ----------- --------- ------------- -------
TABLE_2      L3      Ethernet8 TABLE_2      ingress

show acl rule

Section titled “show acl rule”

[Command] show acl rule table_name rule_id

[Purpose] Show existing ACL rules

[Parameter]

ParameterDescription
table_nameSpecify ACL group name
rule_idSpecify the rule id

[View] System view

[Use Cases]

sonic# show acl rule
Table     Rule         Priority  Action  Match
------- ------------ ---------- -------- -----------------------
DATAACL  RULE_1        9999        DROP   SRC_IP: 10.0.0.2/32
DATAACL  RULE_2        9998        DROP   DST_IP: 192.168.0.16/32
DATAACL  RULE_3        9997        DROP   L4_SRC_PORT: 4661
DATAACL  RULE_4        9996        DROP   IP_PROTOCOL: 126
DATAACL  RULE_13       9987        DROP   IP_PROTOCOL: 1


sonic# show acl rule TABLE_1 RULE_1
Table   Rule        Priority  Action  Match
------- ------ ---------- -------- --------------------
TABLE_1 RULE_1      100       DROP    SRC_IP: 200.0.0.2/24

show counters acl

Section titled “show counters acl”

[Command] show counters acl acl_table_name rule_id

[Purpose] Show ACL hit count

[Parameter]

ParameterDescription
acl_table_nameACL Table Name
rule_idrule id

[View] System view

[Comment] Allows multiple tables and rules to be entered, either as individual tables or as table + rule. Table and table are separated by ”,”, rule and rule are separated by ”,”; table and rule are separated by spaces.

[Use Cases]

sonic# show counters acl TABLE_1,TABLE_2
RULE NAME   TABLE NAME     PRIO    PACKETS COUNT  BYTES COUNT
----------- ------------ ------ --------------- -------------
RULE_1      TABLE_1         100     N/A            N/A
rule_2      TABLE_2          2      N/A            N/A
rule_1      TABLE_2          1      N/A            N/A

[Command] clear counters acl

[Purpose] Clear ACL hit count

[Use Cases]

sonic# clear counters acl

access-list

Section titled “access-list”

[Command] access-list { table_type } { table_name } { table_stage } no access-list { table_name }

[Purpose] Create ACL table and enter ACL view

[Parameter]

ParameterDescription
table_typeACL table type, optional L3, L3v6, CTRLPLANE
table_nameACL Table Name
table_stageSpecify the inbound/outbound direction, ingress/egress

[View] System configuration view

[Comment] ACL table is for ports. Binding ports means that the ACL table is effective for traffic on those ports. An ACL table can bind multiple ports, and multiple ACL tab les can exist on a single port, i.e., a “many-to-many” relationship.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress

rule

Section titled “rule”

[Command] rule {rule_id rule_id } [{packet-action {deny|permit|trap-to-cpu|copy-to-cpu}|redirect-action}] [src-mac src_mac] [ethernet-type ethernet_type ] [vlan-pri vlan_pri ] [src-ip src_ip ] [dst-ip dst_ip] [icmp-type icmp_type] [icmp-code i cmp_code] [icmp-name icmp_name] [src-port src_port ] [dst-port dst_port ] [ip-type ip_type ] no rule { rule_id }

[Purpose] Add ACL rules

[Parameter]

ParameterDescription
rule_idRule ID, value range: 0-500; simultaneously indicates rule priority (higher numbers indicate higher priority), values must be unique
packet_actionPacket processing actions for matched rules:
deny- Discard
permit- Allow passage
trap-to-cpu - Forward to CPU for processing
copy-to-cpu - Allow passage while simultaneously copying the packet to the CPU for processing
ethernet_typeEthertype, format: hexadecimal number
vlan_priVLAN priority, value range: 0-7
src_ipSource IP address, format: A.B.C.D/M
dst_ipDestination IP address, format: A.B.C.D/M
icmp_typeICMP message type, value range: 0-16
icmp_codeICMP message code, value range: 0-5
icmp_nameICMP message name
src_portSource L4 port
dst_portDestination L4 port
ip_typeIp type

[View] ACL view

[Notes] Multiple ACL rules can exist per table. rule_id The higher the value, the higher the priority, the same table does not allow the configuration of the same priority rules.

[Use Cases]

sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
sonic(config-l3-acl-table_1)# rule 1 source-ip 10.0.0.3/24 packet-action permit