Command Line Reference
Security Configuration
ACL Configuration
show acl table [table-name]

[command] show acl table [table-name]
[purpose] Show existing ACL tables.
[parameter] table-name: name of the ACL table to display. When omitted, all tables are listed.
[view] System view
[use cases]
  sonic# show acl table
  Name     Type  Binding    Description  Stage
  table-2  l3    Ethernet8  table-2      ingress

show acl rule [table-name] [rule-id]

[command] show acl rule [table-name] [rule-id]
[purpose] Show existing ACL rules.
[parameter] table-name: ACL table whose rules are displayed. rule-id: a single rule within that table. When both are omitted, all rules of all tables are listed.
[view] System view
[use cases]
  sonic# show acl rule
  Table    Rule     Priority  Action  Match
  DATAACL  RULE_1   9999      DROP    SRC_IP: 10.0.0.2/32
  DATAACL  RULE_2   9998      DROP    DST_IP: 192.168.0.16/32
  DATAACL  RULE_3   9997      DROP    L4_SRC_PORT: 4661
  DATAACL  RULE_4   9996      DROP    IP_PROTOCOL: 126
  DATAACL  RULE_13  9987      DROP    IP_PROTOCOL: 1
                                      SRC_IP: 10.0.0.2/32

  sonic# show acl rule table-1 rule-1
  Table    Rule    Priority  Action  Match
  table-1  rule-1  100       DROP    SRC_IP: 200.0.0.2/24

show counters acl [acl-table-name] [rule-id]

[command] show counters acl [acl-table-name] [rule-id]
[purpose] Show ACL hit counts.
[parameter] acl-table-name: one or more ACL tables. rule-id: one or more rules within the named table.
[view] System view
[notes] Multiple tables and rules can be given, either as tables alone or as table plus rule. Tables are separated from each other by ",", rules are separated from each other by ","; a table and its rules are separated by a space.
[use cases]
  sonic# show counters acl table-1,table-2
  Rule Name  Table Name  Prio  Packets Count  Bytes Count
  rule-1     table-1     100   N/A            N/A
  rule-2     table-2     2     N/A            N/A
  rule-1     table-2     1     N/A            N/A

clear counters acl

[command] clear counters acl
[purpose] Clear ACL hit counts.
[view] System view
[use cases]
  sonic# clear counters acl

access-list <table-type> <table-name> <table-stage>

[command] access-list <table-type> <table-name> <table-stage>
          no access-list <table-name>
[purpose] Create an ACL table and enter ACL view; the no form deletes the table.
[parameter] table-type: type of the table (l3 in the example below). table-name: name of the table. table-stage: stage at which the table is applied (ingress in the example below).
[view] System configuration view
[notes] An ACL table is bound to ports. Binding a port means the table takes effect on the traffic of that port. One ACL table can be bound to multiple ports, and multiple ACL tables can be bound to a single port, i.e. the relationship is many-to-many.
[use cases]
  sonic# configure terminal
  sonic(config)# access-list l3 table-1 ingress

rule <rule-id> [...]

[command] rule <rule-id> [packet-action {deny|permit|trap-to-cpu|no-nat}] [src-mac <mac-address>] [src-ip <ip-address>] [dst-ip <ip-address>] [src-port <port>] [dst-port <port>] [ip-protocol <protocol>]
          no rule <rule-id>
[purpose] Add an ACL rule to the current table; the no form deletes the rule.
[parameter] rule-id: rule identifier, which also determines the rule's priority. packet-action: deny, permit, trap-to-cpu or no-nat. src-mac: source MAC address. src-ip / dst-ip: source / destination IP prefix. src-port / dst-port: L4 source / destination port. ip-protocol: IP protocol number.
[view] ACL view
[notes] A table can hold multiple rules. The higher the rule-id, the higher the rule's priority; two rules with the same priority are not allowed in one table.
[use cases]
  sonic# configure terminal
  sonic(config)# access-list l3 table-1 ingress
  sonic(config-l3-acl-table-1)# rule 1 src-ip 10.0.0.3/24 packet-action permit

acl <string> priority <num>

[command] acl <string> priority <num>
          no acl <string>
[purpose] Bind an ACL table to the interface and set the table's priority relative to the other tables bound to this interface; the no form removes the binding.
[parameter] string: name of the ACL table. num: priority of the table on this interface.
[view] Interface view. Physical port interfaces, LAG interfaces, VLAN interfaces and sub-interfaces can bind ACL tables.
[notes] The same table may have different priorities on different interfaces. All tables bound to one interface must have distinct priorities. A binding's priority cannot be modified in place; only delete-then-add is supported, i.e. unbind the table first, then bind it again with the new priority. For a VLAN interface and its member ports: if they are bound to the same table, that table's priority must be identical on all of them; if they are bound to different tables, those tables' priorities must differ.
[use cases]
  sonic# configure terminal
  sonic(config)# interface ethernet 13
  sonic(config-if-13)# acl test priority 300
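The three configuration commands (create the table, add rules, bind it to an interface) are constrained by the notes above: one priority per rule-id within a table, distinct table priorities per interface, delete-before-add when a binding's priority changes, and consistency between a VLAN interface and its member ports. The following Python is an added example, not the device's or SONiC's own code: it models those constraints so the rejections can be tried offline before typing the commands into a switch. The class and method names, the interface names Ethernet13/Ethernet14/Vlan100 and the VLAN membership are assumptions; the prefix normalization is there because the use cases above write host addresses with a /24 length, and an operator should know which network the rule ends up matching.

```python
"""Added example (not the device's or SONiC's code): a model of the ACL
table / rule / binding constraints stated in this reference. Class names,
interface names (Ethernet13, Vlan100) and VLAN membership are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PACKET_ACTIONS = {"deny", "permit", "trap-to-cpu", "no-nat"}


def normalize_prefix(prefix: str) -> str:
    """Clear host bits so the operator sees the network a src-ip/dst-ip covers.
    The use cases write 10.0.0.3/24 and 200.0.0.2/24; as /24 prefixes those are
    10.0.0.0/24 and 200.0.0.0/24. Confirm with 'show acl rule' what the device
    actually stored before relying on the match."""
    return str(ipaddress.ip_network(prefix, strict=False))


@dataclass
class AclRule:
    rule_id: int                    # higher rule-id = higher priority
    packet_action: str              # deny | permit | trap-to-cpu | no-nat
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_protocol: Optional[int] = None

    def __post_init__(self) -> None:
        if self.packet_action not in PACKET_ACTIONS:
            raise ValueError(f"unknown packet-action {self.packet_action!r}")
        if self.src_ip:
            self.src_ip = normalize_prefix(self.src_ip)
        if self.dst_ip:
            self.dst_ip = normalize_prefix(self.dst_ip)


@dataclass
class AclTable:
    name: str
    table_type: str                 # e.g. "l3"
    stage: str                      # e.g. "ingress"
    rules: dict = field(default_factory=dict)

    def add_rule(self, rule: AclRule) -> None:
        # Priority is derived from rule-id, so a duplicate id would be a
        # duplicate priority, which one table does not allow.
        if rule.rule_id in self.rules:
            raise ValueError(f"{self.name}: rule {rule.rule_id} already exists")
        self.rules[rule.rule_id] = rule


class AclConfig:
    """ACL tables plus per-interface bindings (many-to-many)."""

    def __init__(self, vlan_members: Optional[dict] = None) -> None:
        self.tables: dict = {}
        self.bindings: dict = {}                 # interface -> {table: prio}
        self.vlan_members = vlan_members or {}   # "Vlan100" -> {"Ethernet13"}

    def access_list(self, table_type: str, name: str, stage: str) -> AclTable:
        if name in self.tables:
            raise ValueError(f"table {name} already exists")
        self.tables[name] = AclTable(name, table_type, stage)
        return self.tables[name]

    def _related(self, interface: str) -> set:
        """A VLAN IF and its member ports constrain each other's bindings."""
        if interface in self.vlan_members:
            return set(self.vlan_members[interface])
        return {v for v, m in self.vlan_members.items() if interface in m}

    def bind(self, interface: str, table: str, priority: int) -> None:
        """'acl <table> priority <num>' with the checks from the notes."""
        if table not in self.tables:
            raise ValueError(f"no such table {table}")
        bound = self.bindings.setdefault(interface, {})
        if table in bound:          # no in-place change: 'no acl <table>' first
            raise ValueError(f"{table} already bound on {interface}; unbind first")
        if priority in bound.values():
            raise ValueError(f"priority {priority} already used on {interface}")
        for other_if in self._related(interface):
            for other_table, other_prio in self.bindings.get(other_if, {}).items():
                if other_table == table and other_prio != priority:
                    raise ValueError(f"{table} has priority {other_prio} on {other_if}")
                if other_table != table and other_prio == priority:
                    raise ValueError(f"priority {priority} taken by {other_table} on {other_if}")
        bound[table] = priority

    def unbind(self, interface: str, table: str) -> None:
        """'no acl <table>' on the interface."""
        del self.bindings[interface][table]

    def show_acl_table(self) -> list:
        """Rows shaped like 'show acl table': (name, type, binding, stage)."""
        return [(t.name, t.table_type,
                 ",".join(sorted(i for i, b in self.bindings.items() if t.name in b)),
                 t.stage) for t in self.tables.values()]


def demo() -> AclConfig:
    """Replays the use cases above, then the unbind/rebind a priority change needs."""
    cfg = AclConfig(vlan_members={"Vlan100": {"Ethernet13", "Ethernet14"}})
    table1 = cfg.access_list("l3", "table-1", "ingress")
    table1.add_rule(AclRule(1, "permit", src_ip="10.0.0.3/24"))
    cfg.bind("Ethernet13", "table-1", 300)
    cfg.unbind("Ethernet13", "table-1")      # priority change = delete, then add
    cfg.bind("Ethernet13", "table-1", 200)
    return cfg
```

Run demo() and inspect show_acl_table(); then try binding table-1 on Vlan100 with a priority other than 200, or a second table on Ethernet14 with priority 200, and the model raises the same kind of conflict the notes describe for a VLAN interface and its members.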
