AsterNOS Model for Access Control List

module: asternos-acl
  +--rw access-lists
     +--rw access-list* [name]
        +--rw name                   string
        +--rw type                   identityref
        +--rw stage?                 acl-stage
        +--rw services*              identityref
        +--rw description?           string
        +--rw bind-intfs*            if:interface-ref
        +--rw access-list-entries
           +--rw access-list-entry* [ruleid]
              +--rw ruleid     uint16
              +--rw actions
              |  +--rw packet-action?            identityref
              |  +--rw ingress-mirror-session?   uint8
              |  +--rw egress-mirror-session?    uint8
              |  +--rw set-dscp?                 uint8
              |  +--rw ingress-sample-rate?      uint32
              |  +--rw egress-sample-rate?       uint32
              |  +--rw traffic-behavior?         string
              |  +--rw redirect-action?          redirect-destination
              +--rw matches
                 +--rw ethernet-type?      string
                 +--rw outer-vlan?         string
                 +--rw ip-type?            acl-ip-type
                 +--rw ip-protocol?        uint8
                 +--rw source-ip?          inet:ipv4-address
                 +--rw destination-ip?     inet:ipv4-address
                 +--rw source-ipv6?        inet:ipv6-address
                 +--rw destination-ipv6?   inet:ipv6-address
                 +--rw icmp-type?          uint8
                 +--rw icmpv6-type?        uint8
                 +--rw source-port?        inet:port-number
                 +--rw destination-port?   inet:port-number
                 +--rw vlan-pri?           uint8
                 +--rw source-mac?         yang:mac-address
                 +--rw dscp?               uint8

  rpcs:
    +---x show-counters-acl
    |  +---w input
    |  |  +---w table-name*   string
    |  |  +---w rule-id*      string
    |  +--ro output
    |     +--ro data?   <anydata>
    +---x clear-counters-acl
Path  Access

/access-lists  Read-Write
/access-lists/access-list  Read-Write
/access-lists/access-list/name  Read-Write
/access-lists/access-list/type  Read-Write
/access-lists/access-list/stage  Read-Write
/access-lists/access-list/services  Read-Write
/access-lists/access-list/description  Read-Write
/access-lists/access-list/bind-intfs  Read-Write
/access-lists/access-list/access-list-entries  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/ruleid  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-port  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac  Read-Write
/access-lists/access-list/access-list-entries/access-list-entry/matches/dscp  Read-Write

Path

/access-lists

Node Type

container

Access

Read-Write

Path

/access-lists/access-list

Node Type

list

Access

Read-Write

Constraints

Has local type

Path

/access-lists/access-list/name

Node Type

leaf

Access

Read-Write

Data Type

Constraints

String with length: 1 to 64

Path

/access-lists/access-list/type

Node Type

leaf

Access

Read-Write

Data Type

Constraints

IdentityRef with options:

  • CTRLPLANE
  • L3
  • L3V6
  • CTRLPLANEV6

Mandatory

Yes

Path

/access-lists/access-list/stage

Node Type

leaf

Access

Read-Write

Data Type

Constraints

Enumeration with options:

  • ingress
  • egress

Path

/access-lists/access-list/services

Node Type

leaf-list

Description

Only supported on access lists whose type is CTRLPLANE.

Access

Read-Write

Data Type

Constraints

IdentityRef with options:

  • SNMP
  • TELNET
  • SSH
  • NTP

Path

/access-lists/access-list/description

Node Type

leaf

Access

Read-Write

Data Type

Path

/access-lists/access-list/bind-intfs

Node Type

leaf-list

Description

An ACL takes effect only once it is bound to an interface; it can be bound to either an Ethernet port or an aggregation port (PortChannel).

Access

Read-Write

Data Type

Constraints

Multiple constraints:

  • Must condition: starts-with(., 'Ethernet') or starts-with(., 'PortChannel')
  • LeafRef pointing to: asternos-interfaces:interface-ref

/access-lists/access-list/access-list-entries

Path

/access-lists/access-list/access-list-entries

Node Type

container

Access

Read-Write

/access-lists/access-list/access-list-entries/access-list-entry

Path

/access-lists/access-list/access-list-entries/access-list-entry

Node Type

list

Access

Read-Write

/access-lists/access-list/access-list-entries/access-list-entry/ruleid

Path

/access-lists/access-list/access-list-entries/access-list-entry/ruleid

Node Type

leaf

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 2999

/access-lists/access-list/access-list-entries/access-list-entry/actions

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions

Node Type

container

Access

Read-Write

/access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/packet-action

Node Type

leaf

Description

Specifies the packet action to be taken as part of the ACL rule.

This action determines whether matched packets are forwarded, dropped, or processed further.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress, CTRLPLANE/CTRLPLANEV6 ingress

Access

Read-Write

Data Type

Constraints

IdentityRef with options:

  • COPY
  • TRAP
  • FORWARD
  • DROP

/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-mirror-session

Node Type

leaf

Description

Configures an ingress mirror session identifier (1-7) for mirroring incoming traffic.

This action allows duplicating traffic to a monitoring or analysis port.

Applicable to ACL tables: Mirror/Mirrorv6 ingress

Access

Read-Write

Data Type

Constraints

Valid range: 1 to 7

/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-mirror-session

Node Type

leaf

Description

Configures an egress mirror session identifier (1-7) for mirroring outgoing traffic.

Facilitates traffic analysis by directing a copy of traffic to a designated port.

Applicable to ACL tables: Mirror/Mirrorv6 egress

Access

Read-Write

Data Type

Constraints

Valid range: 1 to 7

/access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/set-dscp

Node Type

leaf

Description

Sets the DSCP field of matched packets.

Applicable to ACL tables: Layer 3 IPv4/IPv6 egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 63

/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/ingress-sample-rate

Node Type

leaf

Description

Sets the sample rate for ingress traffic.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress

Access

Read-Write

Data Type

Constraints

Valid range: 8000 to 1000000

/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/egress-sample-rate

Node Type

leaf

Description

Sets the sample rate for egress traffic.

Applicable to ACL tables: Layer 3 IPv4/IPv6 egress

Access

Read-Write

Data Type

Constraints

Valid range: 8000 to 1000000

/access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/traffic-behavior

Node Type

leaf

Description

Applies an interface rate-limiting (speed limiting) policy to matched traffic.

Applicable to ACL tables: Layer 2 ingress, Layer 3 IPv4/IPv6 ingress, Mirror/Mirrorv6 ingress, Flowctrl ingress

Access

Read-Write

Data Type

/access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action

Path

/access-lists/access-list/access-list-entries/access-list-entry/actions/redirect-action

Node Type

leaf

Description

Defines the redirection destination for matched packets.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress.

Access

Read-Write

Data Type

Constraints

Multiple constraints:

  • The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign.

If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.

The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.

The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

  • The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.

The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.

The canonical format for the zone index is the numerical format

/access-lists/access-list/access-list-entries/access-list-entry/matches

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches

Node Type

container

Access

Read-Write

/access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/ethernet-type

Node Type

leaf

Description

Matches the EtherType of the Ethernet frame.

It accepts hexadecimal values ranging from 0x0000 to 0xffff, aiding in distinguishing different L2 protocols.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

/access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/outer-vlan

Node Type

leaf

Description

Matches the outer VLAN tag of a tagged frame: a VLAN ID from 1 to 4094, optionally followed by a slash (/) and an EtherType in hexadecimal for further refinement.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-type

Node Type

leaf

Description

Matches the IP type (NON-IP/IPV4ANY/IPV6ANY/ARP) to be inspected by the ACL.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

Constraints

Enumeration with options:

  • NON-IP
  • IPV4ANY
  • IPV6ANY
  • ARP

/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/ip-protocol

Node Type

leaf

Description

Matches the protocol field in the IP header, accepting values between 0 and 255 to filter traffic based on the upper-layer protocol used.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 255

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ip

Node Type

leaf

Description

Matches the source IPv4 address to filter network traffic based on its origin.

Applicable to ACL tables: Layer 3 IPv4 ingress/egress, CTRLPLANE ingress

Access

Read-Write

Data Type

Constraints

The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.

The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.

The canonical format for the zone index is the numerical format

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ip

Node Type

leaf

Description

Matches the destination IPv4 address to filter network traffic based on its intended endpoint.

Applicable to ACL tables: Layer 3 IPv4 ingress/egress, CTRLPLANE ingress

Access

Read-Write

Data Type

Constraints

The ipv4-address type represents an IPv4 address in dotted-quad notation. The IPv4 address may include a zone index, separated by a % sign. If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.

The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.

The canonical format for the zone index is the numerical format

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-ipv6

Node Type

leaf

Description

Matches the source IPv6 address to filter network traffic based on its origin.

Applicable to ACL tables: Layer 3 IPv6 ingress/egress, CTRLPLANEV6 ingress

Access

Read-Write

Data Type

Constraints

The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign.

If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.

The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.

The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-ipv6

Node Type

leaf

Description

Matches the destination IPv6 address to filter network traffic based on its intended endpoint.

Applicable to ACL tables: Layer 3 IPv6 ingress/egress, CTRLPLANEV6 ingress

Access

Read-Write

Data Type

Constraints

The ipv6-address type represents an IPv6 address in full, mixed, shortened, and shortened-mixed notation. The IPv6 address may include a zone index, separated by a % sign.

If a system uses zone names that are not represented in UTF-8, then an implementation needs to use some mechanism to transform the local name into UTF-8. The definition of such a mechanism is outside the scope of this document.

The zone index is used to disambiguate identical address values. For link-local addresses, the zone index will typically be the interface index number or the name of an interface. If the zone index is not present, the default zone of the device will be used.

The canonical format of IPv6 addresses uses the textual representation defined in Section 4 of RFC 5952. The canonical format for the zone index is the numerical format as described in Section 11.2 of RFC 4007.

/access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/icmp-type

Node Type

leaf

Description

Matches ICMP traffic by message type.

Applicable to ACL tables: Layer 3 IPv4 ingress/egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 16

/access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/icmpv6-type

Node Type

leaf

Description

Matches ICMPv6 traffic by message type.

Applicable to ACL tables: Layer 3 IPv6 ingress

Access

Read-Write

Data Type

Constraints

Valid range: 1 to 137

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-port

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-port

Node Type

leaf

Description

Matches the source transport-layer port number.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 65535

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/destination-port

Node Type

leaf

Description

Matches the destination transport-layer port number.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 65535

/access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/vlan-pri

Node Type

leaf

Description

Matches the 3-bit VLAN Priority Code Point.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 7

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/source-mac

Node Type

leaf

Description

Matches the source MAC address.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress

Access

Read-Write

Data Type

Constraints

The mac-address type represents an IEEE 802 MAC address.

The canonical representation uses lowercase characters.

In the value set and its semantics, this type is equivalent to the MacAddress textual convention of the SMIv2.

/access-lists/access-list/access-list-entries/access-list-entry/matches/dscp

Path

/access-lists/access-list/access-list-entries/access-list-entry/matches/dscp

Node Type

leaf

Description

Matches the Differentiated Services Code Point in the IP header, allowing Quality of Service (QoS) differentiation with a range of 0 to 63.

Applicable to ACL tables: Layer 3 IPv4/IPv6 ingress/egress

Access

Read-Write

Data Type

Constraints

Valid range: 0 to 63
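A checker for the constraints this page lists (name length, the mandatory type, the services restriction, the bind-intfs must condition, and the integer ranges and option sets of every leaf), added here as an example and not AsterNOS code. It assumes a dict shaped like the YANG tree with identity values as bare names, since the page does not give the module prefix a RESTCONF payload would carry; the MGMT-SSH instance is constructed.

```python
"""Constraint checker for the asternos-acl tree documented on this page (added
example, not AsterNOS code). Instances are dicts shaped like the YANG tree; identity
values are bare names, since the page does not give the module prefix a RESTCONF
payload would carry (assumption)."""
import ipaddress
import re

# Ranges and option sets exactly as the per-node sections state them.
RANGES = {
    "ruleid": (0, 2999), "actions.set-dscp": (0, 63), "matches.dscp": (0, 63),
    "actions.ingress-mirror-session": (1, 7), "actions.egress-mirror-session": (1, 7),
    "actions.ingress-sample-rate": (8000, 1000000), "actions.egress-sample-rate": (8000, 1000000),
    "matches.ip-protocol": (0, 255), "matches.icmp-type": (0, 16), "matches.icmpv6-type": (1, 137),
    "matches.source-port": (0, 65535), "matches.destination-port": (0, 65535), "matches.vlan-pri": (0, 7),
}
ENUMS = {
    "type": {"CTRLPLANE", "L3", "L3V6", "CTRLPLANEV6"}, "stage": {"ingress", "egress"},
    "services": {"SNMP", "TELNET", "SSH", "NTP"},
    "actions.packet-action": {"COPY", "TRAP", "FORWARD", "DROP"},
    "matches.ip-type": {"NON-IP", "IPV4ANY", "IPV6ANY", "ARP"},
}
ADDR_LEAVES = {"source-ip": 4, "destination-ip": 4, "source-ipv6": 6, "destination-ipv6": 6}
INTF_RE = re.compile(r"^(Ethernet|PortChannel)")  # the bind-intfs must condition

def _get(node, dotted):
    """Walk an 'actions.set-dscp'-style path; None when the leaf is absent."""
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def validate_access_list(acl):
    """Return the list of violated constraints (empty for a valid instance)."""
    errs = []
    if not 1 <= len(acl.get("name", "")) <= 64:
        errs.append("name: length must be 1 to 64")
    if acl.get("type") not in ENUMS["type"]:  # mandatory leaf with a closed option set
        errs.append("type: mandatory, must be one of " + ", ".join(sorted(ENUMS["type"])))
    if "stage" in acl and acl["stage"] not in ENUMS["stage"]:
        errs.append(f"stage: {acl['stage']} is not a permitted value")
    if acl.get("services") and acl.get("type") != "CTRLPLANE":
        errs.append("services: only supported when type is CTRLPLANE")
    errs += [f"bind-intfs: {i} must start with Ethernet or PortChannel" for i in acl.get("bind-intfs", []) if not INTF_RE.match(i)]
    for entry in _get(acl, "access-list-entries.access-list-entry") or []:
        rid = entry.get("ruleid")
        for path, (lo, hi) in RANGES.items():
            v = _get(entry, path)
            if v is not None and not lo <= v <= hi:
                errs.append(f"rule {rid} {path}: {v} outside {lo} to {hi}")
        for path in ("actions.packet-action", "matches.ip-type"):
            v = _get(entry, path)
            if v is not None and v not in ENUMS[path]:
                errs.append(f"rule {rid} {path}: {v} is not a permitted value")
        for leaf, version in ADDR_LEAVES.items():
            v = _get(entry, "matches." + leaf)
            try:  # inet address types may carry a zone index after '%'; strip it first
                ok = v is None or ipaddress.ip_address(v.split("%", 1)[0]).version == version
            except ValueError:
                ok = False
            if not ok:
                errs.append(f"rule {rid} matches.{leaf}: {v} is not an IPv{version} address")
    return errs

# Constructed instance: a control-plane ACL that admits SSH only from one management host.
MGMT_SSH_ACL = {
    "name": "MGMT-SSH", "type": "CTRLPLANE", "stage": "ingress", "services": ["SSH"],
    "access-list-entries": {"access-list-entry": [
        {"ruleid": 10, "actions": {"packet-action": "FORWARD"},
         "matches": {"ip-protocol": 6, "source-ip": "192.0.2.10", "destination-port": 22}},
        {"ruleid": 20, "actions": {"packet-action": "DROP"},
         "matches": {"ip-protocol": 6, "destination-port": 22}},
    ]},
}
```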