# ACL Configuration
## show acl table [table_name]

[Command] show acl table [table_name]
[Purpose] Show existing ACL tables
[Parameter]
| Parameter | Description |
|---|---|
| table_name | Specify the table name |
[View] System view
[Use Cases]
```
sonic# show acl table
Name     Type  Binding    Description  Stage
-------  ----  ---------  -----------  -------
TABLE_2  L3    Ethernet8  TABLE_2      ingress
```
## show acl rule [table_name] [rule_id]

[Command] show acl rule [table_name] [rule_id]
[Purpose] Show existing ACL rules
[Parameter]
| Parameter | Description |
|---|---|
| table_name | Specify the table name |
| rule_id | Specify the rule name |
[View] System view
[Use Cases]
```
sonic# show acl rule
Table    Rule     Priority  Action  Match
-------  -------  --------  ------  -----------------------
DATAACL  RULE_1   9999      DROP    SRC_IP: 10.0.0.2/32
DATAACL  RULE_2   9998      DROP    DST_IP: 192.168.0.16/32
DATAACL  RULE_3   9997      DROP    L4_SRC_PORT: 4661
DATAACL  RULE_4   9996      DROP    IP_PROTOCOL: 126
DATAACL  RULE_13  9987      DROP    IP_PROTOCOL: 1
                                    SRC_IP: 10.0.0.2/32
sonic# show acl rule TABLE_1 RULE_1
Table    Rule    Priority  Action  Match
-------  ------  --------  ------  --------------------
TABLE_1  RULE_1  100       DROP    SRC_IP: 200.0.0.2/24
```
## show counters acl [acl-table-name] [rule-id]

[Command] show counters acl [acl-table-name] [rule-id]
[Purpose] Show ACL hit count
[Parameter]
| Parameter | Description |
|---|---|
| acl-table-name | ACL Table Name |
| rule-id | rule id |
[View] System view
[Notes] Multiple tables and rules can be given in one command, either as table names alone or as table + rule.
Table names are separated by ","; rule names are separated by ","; a table and its rule list are separated by a space.
[Use Cases]
```
sonic# show counters acl TABLE_1,TABLE_2
RULE NAME    TABLE NAME    PRIO    PACKETS COUNT    BYTES COUNT
-----------  ------------  ------  ---------------  -------------
RULE_1       TABLE_1       100     N/A              N/A
rule_2       TABLE_2       2       N/A              N/A
rule_1       TABLE_2       1       N/A              N/A
```
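The parser below is an added example and not part of this manual or the switch software. It reads the tabular "show counters acl" output into records by using the dash row to locate column boundaries (so rule names containing spaces or varying column widths do not break the parse), and then lists the rules whose packet counter is non-zero, which is the quickest way to see which DROP rules are actually matching traffic. The sample output is constructed in the same layout as the use case above, with numeric counts in place of N/A so that the hit report has something to find; N/A is mapped to None.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of "show counters acl" (not captured from a device).
SAMPLE_OUTPUT = """\
sonic# show counters acl TABLE_1,TABLE_2
RULE NAME    TABLE NAME    PRIO    PACKETS COUNT    BYTES COUNT
-----------  ------------  ------  ---------------  -------------
RULE_1       TABLE_1       100     N/A              N/A
rule_2       TABLE_2       2       1532             98048
rule_1       TABLE_2       1       0                0
"""

EXPECTED_COLUMNS = ["RULE NAME", "TABLE NAME", "PRIO", "PACKETS COUNT", "BYTES COUNT"]


@dataclass
class AclCounter:
    rule: str
    table: str
    prio: int
    packet_count: Optional[int]  # None when the CLI prints N/A
    byte_count: Optional[int]


def _count(value: str) -> Optional[int]:
    return None if value == "N/A" else int(value)


def parse_counters(text: str) -> list[AclCounter]:
    """Parse the table; the separator row of dashes defines the column boundaries."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    # The separator row is the only line made of dashes and spaces.
    sep_idx = next(i for i, ln in enumerate(lines) if set(ln.strip()) <= {"-", " "})
    starts = [m.start() for m in re.finditer(r"-+", lines[sep_idx])]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line

    def cells(line: str) -> list[str]:
        return [line[a:b].strip() for a, b in bounds]

    header = cells(lines[sep_idx - 1])
    if header != EXPECTED_COLUMNS:
        raise ValueError(f"unexpected columns: {header}")

    records = []
    for line in lines[sep_idx + 1:]:
        rule, table, prio, pkts, byts = cells(line)
        records.append(AclCounter(rule, table, int(prio), _count(pkts), _count(byts)))
    return records


def rules_with_hits(records: list[AclCounter]) -> list[AclCounter]:
    """Rules with a non-zero packet count; N/A (None) and 0 are both excluded."""
    return [r for r in records if r.packet_count]


if __name__ == "__main__":
    for r in rules_with_hits(parse_counters(SAMPLE_OUTPUT)):
        print(f"{r.table}/{r.rule} (prio {r.prio}): {r.packet_count} packets")
```

Feed it the text of a real "show counters acl" session; everything before the header row (the prompt and command echo) is ignored, and a header that does not match the documented columns raises instead of silently mis-parsing.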
## clear counters acl

[Command] clear counters acl
[Purpose] Clear ACL hit count
[Use Cases]
```
sonic# clear counters acl
```
## access-list table_type table-name table_stage

[Command] access-list table_type table-name table_stage
no access-list table-name
[Purpose] Create ACL table and enter ACL view
[Parameter]
| Parameter | Description |
|---|---|
| table_type | ACL table type; one of L3, L3v6, CTRLPLANE |
| table-name | ACL Table Name |
| table_stage | Direction the table applies to: ingress (inbound) or egress (outbound) |
[View] System configuration view
[Notes] An ACL table is bound to ports. Binding a port means the table takes effect for traffic on that port. One ACL table can be bound to multiple ports, and multiple ACL tables can be bound to a single port, i.e., a "many-to-many" relationship.
[Use Cases]
```
sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
```

## rule rule_id

[Command] rule rule_id [packet-action {deny|permit|trap-to-cpu|no-nat}] [src-mac mac-address] [src-ip ip-address] [dst-ip ip-address] [src-port port] [dst-port port] [ip-protocol protocol]
no rule rule_id
[Purpose] Add ACL rules
[Parameter]
| Parameter | Description |
|---|---|
| rule_id | Rule ID, range 0-500; also the rule priority (the larger the number, the higher the priority); must be unique within the table |
| packet-action | Action applied to packets that hit the rule: deny = drop; permit = allow to pass; trap-to-cpu = send to the CPU for processing; no-nat = do not apply NAT |
| src-ip | Source IP address, format: A.B.C.D/M |
| dst-ip | Destination IP address, format: A.B.C.D/M |
[View] ACL view
[Notes] Multiple ACL rules can exist per table.
rule_id: the higher the value, the higher the priority; two rules with the same priority cannot be configured in the same table.
[Use Cases]
```
sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
sonic(config-l3-acl-table_1)# rule 1 src-ip 10.0.0.3/24 packet-action permit
```
## acl [string] priority [num]

[Command] acl string priority num
no acl string
[Purpose] Bind an ACL table to the interface and set the priority of that table on this interface.
[Parameter]
| Parameter | Description |
|---|---|
| string | Name of ACL table |
| num | ACL table priority at interface level, range: 1~65535 |
[View] Interface view; an ACL table can be bound on physical port interfaces, LAG interfaces, VLAN interfaces, and sub-interfaces
[Notes] The same table may have different priorities on different interfaces. Tables bound to the same interface must not share a priority, and a binding's priority cannot be modified in place: only delete-then-add is supported, i.e., unbind the table first, then bind it again with the new priority.
For a VLAN interface and its member ports: if they are bound to the same table, the priority must be the same; if they are bound to different tables, the priorities must be different.
[Use Cases]
```
sonic# configure terminal
sonic(config)# interface ethernet 13
sonic(config-if-13)# acl test priority 300
```
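Because the switch rejects conflicting bindings only at configuration time, it is useful to validate a planned ACL configuration before pushing it. The checker below is an added example, not part of this manual or the switch software; it encodes the constraints stated in the Notes of the rule and acl priority commands: rule_id in 0-500 and unique within a table, binding priority in 1-65535 and unique per interface, and the VLAN interface versus member-port consistency rules (same table means same priority, different tables means different priorities). The Binding class, the table/VLAN membership inputs, and all interface and table names in the sample are constructed assumptions; the checker generalizes the two-table example in the Notes to any number of tables, interfaces and VLANs.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One 'acl <string> priority <num>' line applied in an interface view (constructed model)."""
    interface: str   # e.g. "Ethernet13" or "Vlan100"
    table: str       # the ACL table name ("string" argument)
    priority: int    # the "num" argument, 1-65535


def check_rule_ids(table_rules: dict[str, list[int]]) -> list[str]:
    """rule_id must be 0-500 and unique within a table (it doubles as the rule priority)."""
    problems = []
    for table, ids in table_rules.items():
        seen = set()
        for rid in ids:
            if not 0 <= rid <= 500:
                problems.append(f"{table}: rule {rid} outside 0-500")
            if rid in seen:
                problems.append(f"{table}: rule {rid} duplicates an existing priority")
            seen.add(rid)
    return problems


def check_bindings(bindings: list[Binding], vlan_members: dict[str, list[str]]) -> list[str]:
    """Apply the interface-level constraints from the 'acl ... priority' Notes."""
    problems = []

    # Per interface: priority range and no two tables sharing a priority.
    used: dict[str, dict[int, str]] = defaultdict(dict)
    for b in bindings:
        if not 1 <= b.priority <= 65535:
            problems.append(f"{b.interface}: priority {b.priority} outside 1-65535")
        if b.priority in used[b.interface]:
            problems.append(
                f"{b.interface}: priority {b.priority} already used by {used[b.interface][b.priority]}")
        else:
            used[b.interface][b.priority] = b.table

    # VLAN interface vs. its member ports.
    by_if: dict[str, list[Binding]] = defaultdict(list)
    for b in bindings:
        by_if[b.interface].append(b)
    for vlan, members in vlan_members.items():
        for vb in by_if.get(vlan, []):
            for member in members:
                for mb in by_if.get(member, []):
                    if mb.table == vb.table and mb.priority != vb.priority:
                        problems.append(f"{member}/{vlan}: table {vb.table} bound with priorities "
                                        f"{mb.priority} and {vb.priority}, must match")
                    if mb.table != vb.table and mb.priority == vb.priority:
                        problems.append(f"{member}/{vlan}: tables {mb.table} and {vb.table} "
                                        f"share priority {vb.priority}, must differ")
    return problems


# Constructed planned configuration with deliberate violations.
RULES = {"TABLE_1": [1, 2, 501, 2]}            # 501 out of range, 2 repeated
BINDINGS = [
    Binding("Ethernet13", "test", 300),
    Binding("Ethernet13", "TABLE_1", 300),     # second table with the same priority on one port
    Binding("Vlan100", "TABLE_1", 300),
    Binding("Ethernet14", "TABLE_1", 200),     # same table as Vlan100, different priority
    Binding("Ethernet15", "TABLE_2", 300),     # different table from Vlan100, same priority
]
VLAN_MEMBERS = {"Vlan100": ["Ethernet14", "Ethernet15"]}

if __name__ == "__main__":
    for p in check_rule_ids(RULES) + check_bindings(BINDINGS, VLAN_MEMBERS):
        print("violation:", p)
```

Run it against the rules and bindings you intend to apply; an empty result means the configuration satisfies the documented constraints, and each reported violation names the interface (or VLAN/member pair) and table to fix.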