Security Configuration
ACL Configuration
show acl table [table_name]
[Command]
show acl table [table_name]
[Purpose]
Show existing ACL tables
[Parameter]
table_name Specify the table name
[View]
System view
[Use Cases]
sonic# show acl table
Name     Type  Binding    Description  Stage
-------  ----  ---------  -----------  -------
TABLE_2  L3    Ethernet8  TABLE_2      ingress
show acl rule [table_name] [rule_id]
[Command]
show acl rule [table_name] [rule_id]
[Purpose]
Show existing ACL rules
[Parameter]
table_name Specify the table name
rule_id Specify the rule name
[View]
System view
[Use Cases]
sonic# show acl rule
Table    Rule     Priority  Action  Match
-------  -------  --------  ------  -----------------------
DATAACL  RULE_1   9999      DROP    SRC_IP: 10.0.0.2/32
DATAACL  RULE_2   9998      DROP    DST_IP: 192.168.0.16/32
DATAACL  RULE_3   9997      DROP    L4_SRC_PORT: 4661
DATAACL  RULE_4   9996      DROP    IP_PROTOCOL: 126
DATAACL  RULE_13  9987      DROP    IP_PROTOCOL: 1
                                    SRC_IP: 10.0.0.2/32
sonic# show acl rule TABLE_1 RULE_1
Table    Rule    Priority  Action  Match
-------  ------  --------  ------  --------------------
TABLE_1  RULE_1  100       DROP    SRC_IP: 200.0.0.2/24
show counters acl [acl-table-name] [rule-id]
[Command]
show counters acl [acl-table-name] [rule-id]
[Purpose]
Show ACL hit count
[Parameter]
acl-table-name ACL Table Name
rule-id rule id
[View]
System view
[Notes]
Multiple tables and rules can be given in one command, either as table names only or as table + rule pairs.
Table names are separated from each other by ",", rule names are separated from each other by ",", and a table is separated from its rules by a space.
[Use Cases]
sonic# show counters acl TABLE_1,TABLE_2
RULE NAME  TABLE NAME  PRIO  PACKETS COUNT  BYTES COUNT
---------  ----------  ----  -------------  -----------
RULE_1     TABLE_1     100   N/A            N/A
rule_2     TABLE_2     2     N/A            N/A
rule_1     TABLE_2     1     N/A            N/A
clear counters acl
[Command]
clear counters acl
[Purpose]
Clear ACL hit count
[Use Cases]
sonic# clear counters acl
access-list table_type table_name table_stage
[Command]
access-list table_type table-name table_stage
no access-list table-name
[Purpose]
Create ACL table and enter ACL view
[Parameter]
table_type ACL table type; one of L3, L3v6, CTRLPLANE
table-name ACL table name
table_stage Direction the table applies to: ingress (inbound) or egress (outbound)
[View]
System configuration view
[Notes]
An ACL table is applied to ports. Binding a port means the ACL table takes effect on the traffic of that port. One ACL table can be bound to multiple ports, and multiple ACL tables can be bound to a single port, i.e., the relationship is "many-to-many".
[Use Cases]
sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
[Command]
rule rule_id [{packet-action {deny|permit|trap-to-cpu|no-nat}}] [src-mac mac-address] [src-ip ip-address] [dst-ip ip-address] [src-port port] [dst-port port] [ip-protocol protocol]
no rule rule_id
[Purpose]
Add ACL rules
[Parameter]
rule_id Rule ID, range 0-500; it is also the rule priority (the larger the number, the higher the priority) and must be unique within a table
packet-action Action taken on packets that hit the rule: deny (drop), permit (allow to pass), trap-to-cpu (send to the CPU for processing), no-nat (do not apply NAT)
src-ip Source IP address, format: A.B.C.D/M
dst-ip Destination IP address, format: A.B.C.D/M
[View]
ACL view
[Notes]
Multiple ACL rules can exist per table.
<rule_id> The higher the value, the higher the priority; two rules in the same table cannot have the same priority.
[Use Cases]
sonic# configure terminal
sonic(config)# access-list l3 TABLE_1 ingress
sonic(config-l3-acl-table_1)# rule 1 src-ip 10.0.0.3/24 packet-action permit
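To make the priority and uniqueness rules above concrete, here is an added Python model of one ACL table; it is example code written for this page, not the switch's own implementation. It enforces the constraints the reference states (rule_id in 0-500, unique per table, the four packet-action values, A.B.C.D/M prefixes) and looks up a packet against the rules from highest rule_id to lowest. Assumptions not stated on the page: match fields left out of a rule are wildcards, a prefix with host bits set (such as the page's 10.0.0.3/24) is treated as its network, a packet that hits no rule returns None rather than an implicit action, and the second rule in demo_table() is constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ACTIONS = ("deny", "permit", "trap-to-cpu", "no-nat")  # packet-action values from the page
RULE_ID_MIN, RULE_ID_MAX = 0, 500                        # rule_id range from the page


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    ip_protocol: int
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class Rule:
    rule_id: int
    packet_action: str
    src_ip: Optional[str] = None       # A.B.C.D/M
    dst_ip: Optional[str] = None       # A.B.C.D/M
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    ip_protocol: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Assumption: every field given on the rule must match; omitted fields are wildcards.
        if self.src_ip is not None and ip_address(pkt.src_ip) not in ip_network(self.src_ip, strict=False):
            return False
        if self.dst_ip is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_ip, strict=False):
            return False
        for wanted, seen in ((self.src_port, pkt.src_port),
                             (self.dst_port, pkt.dst_port),
                             (self.ip_protocol, pkt.ip_protocol)):
            if wanted is not None and wanted != seen:
                return False
        return True


class AclTable:
    """One ACL table: rules keyed by rule_id, which doubles as the priority."""

    def __init__(self, name: str, stage: str):
        self.name, self.stage = name, stage
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, rule: Rule) -> None:
        if not RULE_ID_MIN <= rule.rule_id <= RULE_ID_MAX:
            raise ValueError(f"rule_id {rule.rule_id} outside {RULE_ID_MIN}-{RULE_ID_MAX}")
        if rule.packet_action not in ACTIONS:
            raise ValueError(f"unknown packet-action {rule.packet_action!r}")
        if rule.rule_id in self.rules:
            raise ValueError(f"rule_id {rule.rule_id} already exists in {self.name}; priorities must be unique")
        for cidr in (rule.src_ip, rule.dst_ip):
            if cidr is not None:
                ip_network(cidr, strict=False)  # raises ValueError unless it is a valid A.B.C.D/M prefix
        self.rules[rule.rule_id] = rule

    def matching_rules(self, pkt: Packet) -> List[int]:
        """rule_ids that hit the packet, highest priority (largest id) first."""
        return [rid for rid in sorted(self.rules, reverse=True) if self.rules[rid].matches(pkt)]

    def lookup(self, pkt: Packet) -> Optional[str]:
        """Action of the highest-priority matching rule; None if no rule matches (assumption)."""
        hits = self.matching_rules(pkt)
        return self.rules[hits[0]].packet_action if hits else None


def demo_table() -> AclTable:
    """TABLE_1 as on the page, plus one constructed higher-priority deny rule."""
    table = AclTable("TABLE_1", "ingress")
    table.add_rule(Rule(1, "permit", src_ip="10.0.0.3/24"))                         # from the page's use case
    table.add_rule(Rule(100, "deny", src_ip="10.0.0.0/24", ip_protocol=6, dst_port=23))  # constructed
    return table


if __name__ == "__main__":
    t = demo_table()
    telnet = Packet("10.0.0.7", "192.0.2.10", ip_protocol=6, src_port=40000, dst_port=23)
    https = Packet("10.0.0.7", "192.0.2.10", ip_protocol=6, src_port=40000, dst_port=443)
    print("telnet from 10.0.0.7:", t.matching_rules(telnet), "->", t.lookup(telnet))  # rule 100 outranks rule 1
    print("https from 10.0.0.7:", t.matching_rules(https), "->", t.lookup(https))
```

The telnet packet matches both rule 1 (permit) and rule 100 (deny); because the larger rule_id wins, the result is deny, which is the precedence behaviour the [Notes] describe. Adding a second rule with rule_id 1 raises ValueError, mirroring the "same priority not allowed" restriction.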