acl
AsterNOS Model for Access Control List
```
module: asternos-acl
  +--rw access-lists
     +--rw access-list* [name]
        +--rw name                   string
        +--rw type                   identityref
        +--rw stage?                 acl-stage
        +--rw services*              identityref
        +--rw description?           string
        +--rw bind-intfs*            if:interface-ref
        +--rw access-list-entries
           +--rw access-list-entry* [ruleid]
              +--rw ruleid    uint16
              +--rw actions
              |  +--rw packet-action?            identityref
              |  +--rw ingress-mirror-session?   uint8
              |  +--rw egress-mirror-session?    uint8
              |  +--rw set-dscp?                 uint8
              |  +--rw ingress-sample-rate?      uint32
              |  +--rw egress-sample-rate?       uint32
              |  +--rw traffic-behavior?         string
              |  +--rw redirect-action?          redirect-destination
              +--rw matches
                 +--rw ethernet-type?      string
                 +--rw outer-vlan?         string
                 +--rw ip-type?            acl-ip-type
                 +--rw ip-protocol?        uint8
                 +--rw source-ip?          inet:ipv4-address
                 +--rw destination-ip?     inet:ipv4-address
                 +--rw source-ipv6?        inet:ipv6-address
                 +--rw destination-ipv6?   inet:ipv6-address
                 +--rw icmp-type?          uint8
                 +--rw icmpv6-type?        uint8
                 +--rw source-port?        inet:port-number
                 +--rw destination-port?   inet:port-number
                 +--rw vlan-pri?           uint8
                 +--rw source-mac?         yang:mac-address
                 +--rw dscp?               uint8

  rpcs:
    +---x show-counters-acl
    |  +---w input
    |  |  +---w table-name*   string
    |  |  +---w rule-id*      string
    |  +--ro output
    |     +--ro data?   <anydata>
    +---x clear-counters-acl
```
Resources
Resource List
| Path | Access |
|---|---|
| /access-lists | Read-Write |
| /access-lists/access-list | Read-Write |
| /access-lists/access-list/name | Read-Write |
| /access-lists/access-list/type | Read-Write |
| /access-lists/access-list/stage | Read-Write |
| /access-lists/access-list/services | Read-Write |
| /access-lists/access-list/description | Read-Write |
| /access-lists/access-list/bind-intfs | Read-Write |
| /access-lists/access-list/access-list-entries | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/ruleid | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6 | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6 | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-port | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac | Read-Write |
| /access-lists/access-list/access-list-entries/access-list-entry/matches/dscp | Read-Write |
Detailed Nodes
/access-lists
Path
/access-lists
Node Type
container
Access
Read-Write
/access-lists/access-list
Path
/access-lists/access-list
Node Type
list
Access
Read-Write
Constraints
Has local type
/access-lists/access-list/name
Path
/access-lists/access-list/name
Node Type
leaf
Access
Read-Write
Data Type
string
Constraints
String with length: 1 to 64
/access-lists/access-list/type
Path
/access-lists/access-list/type
Node Type
leaf
Access
Read-Write
Data Type
identityref
Constraints
IdentityRef with options:
- CTRLPLANE
- L3
- L3V6
- CTRLPLANEV6
Mandatory
Yes
/access-lists/access-list/stage
Path
/access-lists/access-list/stage
Node Type
leaf
Access
Read-Write
Data Type
acl-stage
Constraints
Enumeration with options:
- ingress
- egress
/access-lists/access-list/services
Path
/access-lists/access-list/services
Node Type
leaf-list
Description
Only supported on tables where type is ctrlplane.
Access
Read-Write
Data Type
identityref
Constraints
IdentityRef with options:
- SNMP
- TELNET
- SSH
- NTP
/access-lists/access-list/description
Path
/access-lists/access-list/description
Node Type
leaf
Access
Read-Write
Data Type
string
/access-lists/access-list/bind-intfs
Path
/access-lists/access-list/bind-intfs
Node Type
leaf-list
Description
The ACL can be bound to either an aggregation port (PortChannel) or an Ethernet port to take effect.
Access
Read-Write
Data Type
if:interface-ref
Constraints
Multiple constraints:
- Must condition: starts-with(., 'Ethernet') or starts-with(., 'PortChannel')
- LeafRef pointing to: asternos-interfaces:interface-ref
/access-lists/access-list/access-list-entries
Path
/access-lists/access-list/access-list-entries
Node Type
container
Access
Read-Write
/access-lists/access-list/access-list-entries/access-list-entry
Path
/access-lists/access-list/access-list-entries/access-list-entry
Node Type
list
Access
Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/ruleid
Path
/access-lists/access-list/access-list-entries/access-list-entry/ruleid
Node Type
leaf
Access
Read-Write
Data Type
uint16
Constraints
Valid range: 0 to 2999
/access-lists/access-list/access-list-entries/access-list-entry/actions
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions
Node Type
container
Access
Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action
Node Type
leaf
Description
Specifies the packet action to be taken as part of the ACL rule.
This action determines how packets are forwarded, dropped, or processed further.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress,
CTRLPLANE/CTRLPLANEV6 ingress
Access
Read-Write
Data Type
identityref
Constraints
IdentityRef with options:
- COPY
- TRAP
- FORWARD
- DROP
/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session
Node Type
leaf
Description
Configures an ingress mirror session identifier (1-7) for mirroring incoming traffic.
This action allows duplicating traffic to a monitoring or analysis port.
Applicable to ACL tables: Mirror/Mirrorv6 ingress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 1 to 7
/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session
Node Type
leaf
Description
Configures an egress mirror session identifier (1-7) for mirroring outgoing traffic.
Facilitates traffic analysis by directing a copy of traffic to a designated port.
Applicable to ACL tables: Mirror/Mirrorv6 egress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 1 to 7
/access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp
Node Type
leaf
Description
Sets the DSCP.
Applicable to ACL tables: Layer 3 IPv4/IPv6 egress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 0 to 63
/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate
Node Type
leaf
Description
Sets the sample rate for ingress traffic.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress
Access
Read-Write
Data Type
uint32
Constraints
Valid range: 8000 to 1000000
/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate
Node Type
leaf
Description
Sets the sample rate for egress traffic.
Applicable to ACL tables: Layer 3 IPv4/IPv6 egress
Access
Read-Write
Data Type
uint32
Constraints
Valid range: 8000 to 1000000
/access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior
Node Type
leaf
Description
Configures an interface speed-limiting policy for matched traffic.
Applicable to ACL tables: Layer 2 ingress, Layer 3 IPv4/IPv6 ingress, Mirror/Mirrorv6 ingress, Flowctrl ingress
Access
Read-Write
Data Type
string
/access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action
Path
/access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action
Node Type
leaf
Description
Defines the redirection destination for matched packets.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress.
Access
Read-Write
Data Type
redirect-destination
Constraints
Multiple constraints:
- The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign.
If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.
The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.
The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.
- The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.
The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.
The canonical format for the zone index is the numerical format
/access-lists/access-list/access-list-entries/access-list-entry/matches
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches
Node Type
container
Access
Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type
Node Type
leaf
Description
Matches the EtherType of the Ethernet frame.
It accepts hexadecimal values ranging from 0x0000 to 0xffff, which distinguishes different L2 protocols.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
string
/access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan
Node Type
leaf
Description
Matches the outer VLAN tag in a tagged frame, supporting a wide range of VLAN IDs (from 1 to 4094) with optional EtherType (in hexadecimal format) following a slash (/) for further refinement.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
string
/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type
Node Type
leaf
Description
Matches the IP type (NON-IP/IPV4ANY/IPV6ANY/ARP) to be inspected by the ACL.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
acl-ip-type
Constraints
Enumeration with options:
- NON-IP
- IPV4ANY
- IPV6ANY
- ARP
/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol
Node Type
leaf
Description
Matches the protocol field in the IP header, accepting values between 0 and 255 to filter traffic based on the upper-layer protocol used.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 0 to 255
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip
Node Type
leaf
Description
Matches the source IPv4 address to filter network traffic based on its origin.
Applicable to ACL tables: Layer 3 IPv4 ingress/egress, CTRLPLANE ingress
Access
Read-Write
Data Type
inet:ipv4-address
Constraints
The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.
The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.
The canonical format for the zone index is the numerical format
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip
Node Type
leaf
Description
Matches the destination IPv4 address to filter network traffic based on its intended endpoint.
Applicable to ACL tables: Layer 3 IPv4 ingress/egress, CTRLPLANE ingress
Access
Read-Write
Data Type
inet:ipv4-address
Constraints
The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.
The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.
The canonical format for the zone index is the numerical format
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6
Node Type
leaf
Description
Matches the source IPv6 address to filter network traffic based on its origin.
Applicable to ACL tables: Layer 3 IPv6 ingress/egress, CTRLPLANEV6 ingress
Access
Read-Write
Data Type
inet:ipv6-address
Constraints
The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign.
If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.
The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.
The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6
Node Type
leaf
Description
Matches the destination IPv6 address to filter network traffic based on its intended endpoint.
Applicable to ACL tables: Layer 3 IPv6 ingress/egress, CTRLPLANEV6 ingress
Access
Read-Write
Data Type
inet:ipv6-address
Constraints
The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign.
If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.
The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.
The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.
/access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type
Node Type
leaf
Description
Matches the ICMP traffic based on the message type.
Applicable to ACL tables: Layer 3 IPv4 ingress/egress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 0 to 16
/access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type
Node Type
leaf
Description
Matches the ICMPv6 traffic based on the message type.
Applicable to ACL tables: Layer 3 IPv6 ingress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 1 to 137
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-port
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-port
Node Type
leaf
Description
Matches the source transport layer port numbers.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
inet:port-number
Constraints
Valid range: 0 to 65535
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port
Node Type
leaf
Description
Matches the destination transport layer port numbers.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
inet:port-number
Constraints
Valid range: 0 to 65535
/access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri
Node Type
leaf
Description
Matches the 3-bit VLAN Priority Code Point.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 0 to 7
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac
Node Type
leaf
Description
Matches the source mac-address.
Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress
Access
Read-Write
Data Type
yang:mac-address
Constraints
The mac-address type represents an IEEE 802 MAC address.
The canonical representation uses lowercase characters.
In the value set and its semantics, this type is equivalent to the MacAddress textual convention of the SMIv2.
/access-lists/access-list/access-list-entries/access-list-entry/matches/dscp
Path
/access-lists/access-list/access-list-entries/access-list-entry/matches/dscp
Node Type
leaf
Description
Matches the Differentiated Services Code Point in the IP header, allowing Quality of Service (QoS) differentiation with a range of 0 to 63.
Applicable to ACL tables: Layer 3 IPv4 or IPv6 ingress/egress
Access
Read-Write
Data Type
uint8
Constraints
Valid range: 0 to 63
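As an added example (not AsterNOS code), the following Python pre-push check validates a candidate access-list, written as JSON that follows the module tree above, against the value sets, ranges and "Applicable to ACL tables" notes listed on this page, so that a rule the device would reject, or one that silently does nothing on a control-plane table, is caught before it is committed. The control-plane applicability set, the treatment of a match-less entry as a catch-all, and the sample `MGMT-SSH` ACL are assumptions, not taken from the page.

```python
import ipaddress
# Value sets, ranges and applicability copied from the Constraints/Description entries above.
ACL_TYPES = {"CTRLPLANE", "L3", "L3V6", "CTRLPLANEV6"}
STAGES = {"ingress", "egress"}
SERVICES = {"SNMP", "TELNET", "SSH", "NTP"}
ENUMS = {"packet-action": {"COPY", "TRAP", "FORWARD", "DROP"},
         "ip-type": {"NON-IP", "IPV4ANY", "IPV6ANY", "ARP"}}
RANGES = {  # leaf -> inclusive "Valid range"
    "ruleid": (0, 2999), "ingress-mirror-session": (1, 7), "egress-mirror-session": (1, 7),
    "set-dscp": (0, 63), "ingress-sample-rate": (8000, 1000000), "egress-sample-rate": (8000, 1000000),
    "ip-protocol": (0, 255), "icmp-type": (0, 16), "icmpv6-type": (1, 137), "source-port": (0, 65535),
    "destination-port": (0, 65535), "vlan-pri": (0, 7), "dscp": (0, 63),
}
ADDR_LEAVES = {"source-ip": 4, "destination-ip": 4, "source-ipv6": 6, "destination-ipv6": 6}
# Assumption: the only action/match leaves whose "Applicable to ACL tables" line names a control-plane table.
CTRLPLANE_LEAVES = {"CTRLPLANE": {"packet-action", "source-ip", "destination-ip"},
                    "CTRLPLANEV6": {"packet-action", "source-ipv6", "destination-ipv6"}}


def _check_addr(leaf, value, errors):
    """The type description allows a '%zone' suffix; the address part must parse as the right family."""
    try:
        if ipaddress.ip_address(str(value).split("%", 1)[0]).version != ADDR_LEAVES[leaf]:
            errors.append(f"{leaf}={value!r} is not an IPv{ADDR_LEAVES[leaf]} address")
    except ValueError:
        errors.append(f"{leaf}={value!r} is not a valid IP address")


def validate_access_list(acl):
    """Return the list of constraint violations; an empty list means the ACL is acceptable."""
    errors, acl_type = [], acl.get("type")
    if not 1 <= len(acl.get("name", "")) <= 64:
        errors.append("name must be 1 to 64 characters")
    if acl_type not in ACL_TYPES:
        errors.append(f"type is mandatory and must be one of {sorted(ACL_TYPES)}")
    if "stage" in acl and acl["stage"] not in STAGES:
        errors.append(f"stage={acl['stage']!r} not in {sorted(STAGES)}")
    for svc in acl.get("services", []):
        if svc not in SERVICES:
            errors.append(f"unknown service {svc!r}")
    if acl.get("services") and acl_type not in CTRLPLANE_LEAVES:  # page: only where type is ctrlplane
        errors.append("services is only supported on control-plane tables")
    for intf in acl.get("bind-intfs", []):  # must: starts-with(., 'Ethernet') or starts-with(., 'PortChannel')
        if not (intf.startswith("Ethernet") or intf.startswith("PortChannel")):
            errors.append(f"bind-intfs {intf!r} must start with Ethernet or PortChannel")
    seen = set()
    for entry in acl.get("access-list-entries", {}).get("access-list-entry", []):
        rid = entry.get("ruleid")
        if rid in seen:
            errors.append(f"duplicate ruleid {rid!r}")  # ruleid is the list key
        seen.add(rid)
        leaves = {"ruleid": rid, **entry.get("actions", {}), **entry.get("matches", {})}
        for leaf, value in leaves.items():
            if leaf in RANGES:
                lo, hi = RANGES[leaf]
                if not (isinstance(value, int) and lo <= value <= hi):
                    errors.append(f"rule {rid!r}: {leaf}={value!r} outside {lo}..{hi}")
            elif leaf in ADDR_LEAVES:
                _check_addr(leaf, value, errors)
            elif leaf in ENUMS and value not in ENUMS[leaf]:
                errors.append(f"rule {rid!r}: {leaf}={value!r} not in {sorted(ENUMS[leaf])}")
            if acl_type in CTRLPLANE_LEAVES and leaf != "ruleid" and leaf not in CTRLPLANE_LEAVES[acl_type]:
                errors.append(f"rule {rid!r}: {leaf} is not applicable to {acl_type} tables")
    return errors


# Constructed sample: admit SSH to the control plane only from one management host (TEST-NET-1);
# that rule 20, with no match criteria, acts as the catch-all drop is an assumption.
MGMT_SSH_ACL = {
    "name": "MGMT-SSH", "type": "CTRLPLANE", "stage": "ingress", "services": ["SSH"],
    "access-list-entries": {"access-list-entry": [
        {"ruleid": 10, "matches": {"source-ip": "192.0.2.10"}, "actions": {"packet-action": "FORWARD"}},
        {"ruleid": 20, "actions": {"packet-action": "DROP"}},
    ]},
}
```

Run `validate_access_list()` on the JSON body before the RESTCONF write; a non-empty result lists every violated constraint rather than stopping at the first.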