# ACL

Command Line Reference: Security Configuration
## ACL view

Table 1: ACL view

| Command | Purpose |
|---|---|
| show acl table [table_name] | Display existing ACL tables |
| show acl rule [table_name] [rule_id] | Display existing ACL rules |
| show counters acl [table_name] [rule_id] | Display ACL counters |
| clear counters acl | Clear ACL counters |
| show time-range {all \| timer_name} | Display ACL effective time configurations |

### show acl table

[Command] show acl table [table_name]

[Purpose] Display existing ACL tables.

[Parameters]

| Parameter | Description |
|---|---|
| table_name | Specify the table name |

[View] Privileged user view

[Use cases]

```
sonic# show acl table
Name     Type         Binding    Description  Stage
table_2  L3           Ethernet8  table_2      ingress
table_1  vxlan_stats             table_1      ingress
sonic# show acl table table_1
Name     Type         Binding    Description  Stage
table_1  vxlan_stats             table_1      ingress
```

### show acl rule

[Command] show acl rule [table_name] [rule_id]

[Purpose] Display existing ACL rules.

[Parameters]

| Parameter | Description |
|---|---|
| table_name | Specify the table name |
| rule_id | Specify the rule name |

[View] Privileged user view

[Use cases]

```
sonic# show acl rule
Table    Rule     Priority  Action  Match
DATAACL  RULE_1   9999      DROP    SRC_IP: 10.0.0.2/32
DATAACL  RULE_2   9998      DROP    DST_IP: 192.168.0.16/32
DATAACL  RULE_3   9997      DROP    L4_SRC_PORT: 4661
DATAACL  RULE_4   9996      DROP    IP_PROTOCOL: 126
DATAACL  RULE_13  9987      DROP    IP_PROTOCOL: 1
                                    SRC_IP: 10.0.0.2/32
sonic# show acl rule table_1 rule_1
Table    Rule     Priority  Action  Match
table_1  rule_1   100       DROP    SRC_IP: 200.0.0.2/24
```

### show counters acl

[Command] show counters acl [table_name] [rule_id]

[Purpose] Display ACL counters.

[Parameters]

| Parameter | Description |
|---|---|
| table_name | Specify the table name |
| rule_id | Specify the rule name |

[View] Privileged user view

[Notes] Specify multiple tables or rules separated by commas.

[Use cases]

```
sonic# show counters acl table_1,table_2
Rule Name  Table Name  Prio  Packets Count  Bytes Count
rule_1     table_1     100   N/A            N/A
rule_2     table_2     2     N/A            N/A
rule_1     table_2     1     N/A            N/A
```

### clear counters acl

[Command] clear counters acl

[Purpose] Clear ACL counters.

[View] Privileged user view

[Use cases]

```
sonic# clear counters acl
```

### show time-range

[Command] show time-range {all | timer_name}

[Purpose] Display ACL effective time configurations.

[View] Privileged user view

[Use cases]

```
sonic# show time-range all
sonic# show time-range timer_1
```

## ACL config

### Control plane ACL

Table 2: Control plane ACL

| Command | Purpose |
|---|---|
| access-list table_name ctrlplane protocol | Add a control plane ACL table |
| rule rule_id packet-action {accept \| deny} [source-ip sip \| source-ipv6 sipv6] [time-range timer_name] | Add an ACL rule |
| rule default-drop [interface all] | Configure a drop ACL rule |

#### access-list

[Command] access-list table_name ctrlplane protocol

[Purpose] Add a control plane ACL table.

[Parameters]

| Parameter | Description |
|---|---|
| table_name | ACL table name |
| protocol | One or more control plane protocols: ntp/snmp/ssh/bgp/telnet. Specify multiple protocols separated by commas. |

[View] Global configuration view

[Notes] Run `no access-list table_name` to delete the ACL table.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list test1 ctrlplane ssh
sonic(config-ctrlplane-acl-test1)#
```

#### rule

[Command] rule rule_id packet-action {accept | deny} [source-ip sip | source-ipv6 sipv6] [time-range timer_name]

[Purpose] Add an ACL rule.

[Parameters]

| Parameter | Description |
|---|---|
| rule_id | ACL rule ID; it also indicates the priority. Range 0 to 500; the larger the value, the higher the priority. |
| sip | Source IP, A.B.C.D(/M) |
| sipv6 | Source IPv6, X:X::X:X(/M) |
| timer_name | ACL time range name |

[View] ACL table configuration view

[Notes] Rules with the same priority are not allowed in one ACL table. Run `no rule rule_id` to delete the ACL rule.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list test1 ctrlplane ssh
sonic(config-ctrlplane-acl-test1)# rule 100 packet-action deny source-ip 192.168.10.85
sonic(config-ctrlplane-acl-test1)# rule 1 source-ip 192.168.30.138 packet-action deny time-range timer_1
sonic(config-ctrlplane-acl-test1)# show this
!
access-list test1 ctrlplane ssh
 rule 100 packet-action deny source-ip 192.168.10.85
 rule 1 source-ip 192.168.30.138 packet-action deny time-range timer_1
```

#### rule default-drop

[Command] rule default-drop [interface all]

[Purpose] Add a drop rule.

[Parameters]

| Parameter | Description |
|---|---|
| interface all | Drop all protocol packets on all interfaces. Without this parameter, only protocol packets arriving on the eth0 port are discarded by default. |

[View] ACL table configuration view

[Notes] Run `no rule default-drop` to delete the drop rule.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list test1 ctrlplane ssh
sonic(config-ctrlplane-acl-test1)# rule default-drop interface all
sonic(config-ctrlplane-acl-test1)# show this
!
access-list test1 ctrlplane ssh
 rule default-drop interface all
```

### Data plane ACL

Table 3: Data plane ACL

| Command | Purpose |
|---|---|
| access-list table_name {l2 \| l3 \| l3v6 \| mirror \| mirrorv6 \| flow-control} {ingress \| egress} | Add a data plane ACL table |
| bind interface {{ethernet \| link-aggregation} interface_name \| all} | Apply the ACL table to the interface |
| rule rule_id action rule [time-range timer_name] | Create an ACL rule |

#### access-list

[Command] access-list table_name {l2 | l3 | l3v6 | mirror | mirrorv6 | flow-control} {ingress | egress}

[Purpose] Add a data plane ACL table.

[Parameters]

| Parameter | Description |
|---|---|
| table_name | ACL table name |

[View] Global configuration view

[Notes] ACLs of type l2/l3/l3v6 are used for Layer 2 / Layer 3 / Layer 3 IPv6 traffic forwarding, respectively. mirror/mirrorv6 are used for local mirroring (SPAN) and remote mirroring (ERSPAN). flow-control is usually used together with the policer module to implement rate limiting for specific flows. Run `no access-list table_name` to delete the ACL table.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list table_1 flow-control ingress
sonic(config)# access-list table_3 l3 egress
```

#### bind interface

[Command] bind interface {{ethernet | link-aggregation} interface_name | all}

[Purpose] Apply the ACL table to the interface.

[Parameters]

| Parameter | Description |
|---|---|
| interface_name | Interface name (e.g. 0/1) |
| all | Bind to all interfaces |

[View] ACL table configuration view

[Notes] An ACL table is applied to ports: when you bind an ACL table to some ports, the ACL table takes effect for the traffic on those ports. An ACL table can be bound to multiple ports, and a port can have multiple ACL tables, so the relationship is many-to-many. Run `no bind interface {{ethernet | link-aggregation} interface_name | all}` to unbind the interface.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list table_1 l3 ingress
sonic(config-l3-acl-table_1)# bind interface ethernet 0/1
sonic(config-l3-acl-table_1)# bind interface all
```

#### rule

[Command]

| Command | Description |
|---|---|
| rule rule_id packet-action {drop \| deny \| permit \| trap-to-cpu \| copy-to-cpu} rule [time-range timer_name] | drop / deny / forward / trap to CPU / trap to CPU and forward (ingress only) |
| rule rule_id packet-action {deny \| permit \| trap-to-cpu \| copy-to-cpu} rule [time-range timer_name] | deny / forward (egress only) |
| rule rule_id redirect-action {{ethernet \| link-aggregation} interface_name \| A.B.C.D \| X:X::X:X} rule [time-range timer_name] | Redirect (ingress only) |
| rule rule_id set-tc tc rule [time-range timer_name] | Set CoS (ingress only) |
| rule rule_id set-dscp dscp rule [time-range timer_name] | Set DSCP |
| rule rule_id set-pcp pcp rule [time-range timer_name] | Set VLAN priority |
| rule rule_id traffic-behavior traffic_behavior_name rule [time-range timer_name] | Limit the rate of a specific flow (flow-control only) |
| rule rule_id action mirror-session session_id | Configure traffic mirroring for specific flows |

[Purpose] Create an ACL rule.

[Parameters]

| Parameter | Description |
|---|---|
| rule_id | ACL rule ID; it also indicates the priority. Range 0 to 500; the larger the value, the higher the priority. |
| rule | Match fields. Different ACL table types support different match fields, listed below. |

L2 ACL table

| Field | Description |
|---|---|
| outer-vlan | Outer VLAN, range [1,4094] |
| ethernet-type | Ethernet type, hex <0-ffff> |
| source-mac | SMAC, HH:HH:HH:HH:HH:HH or NN:NN:NN:NN:NN:NN/mask(NN:NN:NN:NN:NN:NN) (ingress only) |
| destination-mac | DMAC, HH:HH:HH:HH:HH:HH or NN:NN:NN:NN:NN:NN/mask(NN:NN:NN:NN:NN:NN) (ingress only) |
| vlan-pri | VLAN priority, range 0-7 |

L3 ACL table

| Field | Description |
|---|---|
| vlan-pri | VLAN priority, range 0-7 |
| outer-vlan | Outer VLAN, range [1,4094] |
| ip-protocol | IP protocol, range 0-255 |
| source-port | L4 source port, range 0-65535 |
| destination-port | L4 destination port, range 0-65535 |
| tcp-flags | TCP flags, range 0-63 |
| source-ip | SIP, A.B.C.D(/M) |
| destination-ip | DIP, A.B.C.D(/M) |
| icmp-type | ICMP type, range 0-16 |
| icmp-code | ICMP code, range 0-5 |
| ethernet-type | Ethernet type, hex <0-ffff> (ingress only) |
| ecn | ECN, range 0-3 |
| dscp | DSCP, range 0-63 |
| ip-precedence | IP precedence, range 0-7 |
| ip-type | any / ip / non-ip / ipv4any / non-ipv4 / ipv6any / non-ipv6 / arp / arp-request / arp-reply |

L3v6 ACL table

| Field | Description |
|---|---|
| ip-protocol | IP protocol, range 0-255 (ingress only) |
| source-port | L4 source port, range 0-65535 (only supported on CX308P-48Y-N-V2, CX532P-N-V2 and CX732Q-N-V2) |
| destination-port | L4 destination port, range 0-65535 (only supported on CX308P-48Y-N-V2, CX532P-N-V2 and CX732Q-N-V2) |
| source-ipv6 | SIPv6, X:X::X:X(/M) (only the high 64 bits of the address are matched) |
| destination-ipv6 | DIPv6, X:X::X:X(/M) (only the high 64 bits of the address are matched) |
| icmpv6-type | ICMPv6 type, range 1-137 (ingress only) |
| icmpv6-code | ICMPv6 code, range 0-4 (ingress only) |
| ethernet-type | Ethernet type, hex <0-ffff> (ingress only) |
| dscp | DSCP, range 0-63 |
| flow-label | Flow label, hex <0-ffff> (ingress only) |

Mirror ACL table

| Field | Description |
|---|---|
| outer-vlan | Outer VLAN, range [1,4094] |
| source-port | L4 source port, range 0-65535 |
| destination-port | L4 destination port, range 0-65535 |
| tcp-flags | TCP flags, range 0-63 |
| source-ip | SIP, A.B.C.D(/M) |
| destination-ip | DIP, A.B.C.D(/M) |
| icmp-type | ICMP type, range 0-16 |
| icmp-code | ICMP code, range 0-5 |
| dscp | DSCP, range 0-63 |
| ip-type | any / ip / non-ip / ipv4any / non-ipv4 / ipv6any / non-ipv6 / arp / arp-request / arp-reply |
| bth-opcode | BTH opcode, range 0-255 |
| aeth-syndrome | AETH syndrome, range 0-255 |

Mirrorv6 ACL table

| Field | Description |
|---|---|
| source-ipv6 | SIPv6, X:X::X:X(/M) |
| destination-ipv6 | DIPv6, X:X::X:X(/M) |
| bth-opcode | BTH opcode, range 0-255 |
| aeth-syndrome | AETH syndrome, range 0-255 |

Flow-control ACL table

| Field | Description |
|---|---|
| outer-vlan | Outer VLAN, range [1,4094] |
| ip-protocol | IP protocol, range 0-255 |
| source-port | L4 source port, range 0-65535 |
| destination-port | L4 destination port, range 0-65535 |
| source-ip | SIP, A.B.C.D(/M) |
| destination-ip | DIP, A.B.C.D(/M) |
| source-mac | SMAC, HH:HH:HH:HH:HH:HH or NN:NN:NN:NN:NN:NN/mask(NN:NN:NN:NN:NN:NN) (ingress only) |
| destination-mac | DMAC, HH:HH:HH:HH:HH:HH or NN:NN:NN:NN:NN:NN/mask(NN:NN:NN:NN:NN:NN) (ingress only) |
| in-ports | port_list: a list of bound interfaces, multiple interfaces separated by commas |

[View] ACL table configuration view

[Notes] An ACL rule can only be added to one table, but a table can have more than one rule, so the rule-to-table relationship is many-to-one. Rules with the same priority are not allowed in one ACL table. Run `no rule rule_id` to delete the ACL rule.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list table_1 l3 ingress
sonic(config-l3-acl-table_1)# rule 1 source-ip 10.0.0.3/24 packet-action permit
sonic(config-l3-acl-table_1)# rule 1 source-ip 192.168.30.138 set-tc 6 time-range timer_1
```

### Policy routing based on ACL

Table 4: Policy routing based on ACL

| Command | Purpose |
|---|---|
| access-list nexthop-group group_number | Add a next hop group |
| ip address {A.B.C.D \| X:X::X:X} | Add next hops to the next hop group |
| access-list table_name {l3 \| l3v6} ingress | Add an ACL table |
| bind interface {{ethernet \| link-aggregation} interface_name \| all} | Apply the ACL table to the interface |
| rule rule_id redirect-action nexthop-group group_number [rule] [time-range timer_name] | Add a policy route based on ACL |

#### access-list nexthop-group

[Command] access-list nexthop-group group_number

[Purpose] Add a next hop group.

[Parameters]

| Parameter | Description |
|---|---|
| group_number | Next hop group number, range 1-12 |

[View] Global configuration view

[Notes] Run `no access-list nexthop-group group_number` to delete the next hop group.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list nexthop-group 1
sonic(config-acl-nexthop-group-1)#
```

#### ip address

[Command] ip address {A.B.C.D | X:X::X:X}

[Purpose] Add next hops to the next hop group.

[Parameters]

| Parameter | Description |
|---|---|
| A.B.C.D | IPv4 address |
| X:X::X:X | IPv6 address |

[View] Next hop group configuration view

[Notes] The next hop address must be reachable, and the configuration takes effect only after `commit`. Run `no ip address {A.B.C.D | X:X::X:X}` to delete a next hop address.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list nexthop-group 1
sonic(config-acl-nexthop-group-1)# ip address 1.0.0.1
sonic(config-acl-nexthop-group-1)# ip address 2.0.0.1
sonic(config-acl-nexthop-group-1)# ip address 2000::1
sonic(config-acl-nexthop-group-1)# ip address 2001::1
sonic(config-acl-nexthop-group-1)# commit
sonic(config-acl-nexthop-group-1)# show this
!
access-list nexthop-group 1
 ip address 1.0.0.1
 ip address 2.0.0.1
 ip address 2000::1
 ip address 2001::1
 commit
```

#### access-list

[Command] access-list table_name {l3 | l3v6} ingress

[Purpose] Add an ACL table.

[Parameters]

| Parameter | Description |
|---|---|
| table_name | ACL table name |

[View] Global configuration view

[Notes] Run `no access-list table_name` to delete the ACL table.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list test l3 ingress
```

#### bind interface

[Command] bind interface {{ethernet | link-aggregation} interface_name | all}

[Purpose] Apply the ACL table to the interface.

[Parameters]

| Parameter | Description |
|---|---|
| interface_name | Interface name (e.g. 0/1) |
| all | Bind to all interfaces |

[View] ACL table configuration view

[Notes] Run `no bind interface {{ethernet | link-aggregation} interface_name | all}` to unbind the interface.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list test l3 ingress
sonic(config-l3-acl-test)# bind interface ethernet 0/1
sonic(config-l3-acl-test)# rule 10 destination-ip 96.0.0.7 redirect-action nexthop-group 1
```

#### rule

[Command] rule rule_id redirect-action nexthop-group group_number [rule] [time-range timer_name]

[Purpose] Add a policy route based on ACL.

[Parameters]

| Parameter | Description |
|---|---|
| rule_id | ACL rule ID; it also indicates the priority. Range 0 to 500; the larger the value, the higher the priority. |
| group_number | Next hop group number, range 1-12 |
| rule | Match fields. Different ACL table types support different match fields, listed below. |

L3 ACL table

| Field | Description |
|---|---|
| vlan-pri | VLAN priority, range 0-7 |
| outer-vlan | Outer VLAN, range [1,4094] |
| ip-protocol | IP protocol, range 0-255 |
| source-port | L4 source port, range 0-65535 |
| destination-port | L4 destination port, range 0-65535 |
| tcp-flags | TCP flags, hex <0-ff> |
| source-ip | SIP, A.B.C.D(/M) |
| destination-ip | DIP, A.B.C.D(/M) |
| icmp-type | ICMP type, range 0-16 |
| icmp-code | ICMP code, range 0-5 |
| ethernet-type | Ethernet type, hex <0-ffff> |
| ecn | ECN, range 0-3 |
| dscp | DSCP, range 0-63 |

L3v6 ACL table

| Field | Description |
|---|---|
| ip-protocol | IP protocol, range 0-255 |
| source-port | L4 source port, range 0-65535 |
| destination-port | L4 destination port, range 0-65535 |
| tcp-flags | TCP flags, hex <0-ff> |
| source-ipv6 | SIPv6, X:X::X:X(/M) |
| destination-ipv6 | DIPv6, X:X::X:X(/M) |
| icmpv6-type | ICMPv6 type, range 1-137 |
| icmpv6-code | ICMPv6 code, range 0-4 |
| ethernet-type | Ethernet type, hex <0-ffff> |

[View] ACL table configuration view

[Notes] Rules with the same priority are not allowed in one ACL table. Run `no rule rule_id` to delete the ACL rule.

[Use cases]

```
sonic# configure terminal
sonic(config)# access-list table_1 l3 ingress
```

### Set a time period for ACL

Table 5: Set a time period for ACL

| Command | Purpose |
|---|---|
| time-range timer_name xx:xx to xx:xx days | Create a time period based on a periodic time range |
| time-range timer_name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx | Create a time period based on an absolute time range |

#### time-range (periodic)

[Command] time-range timer_name xx:xx to xx:xx days

[Purpose] Create a time period based on a periodic time range.

[Parameters]

| Parameter | Description |
|---|---|
| timer_name | Time range name, maximum length 32 characters |
| xx:xx | 24-hour time, such as 18:49 |
| days | Days of the week on which the range is effective. Accepted forms: 1) 0-6, corresponding to Sunday through Saturday, written as a range (0-6) or a list (0,1,2,3,4,5,6); 2) mon/tue/wed/thu/fri/sat/sun, e.g. `mon` for Monday only, `mon,wed` for Monday and Wednesday; 3) daily: every day; 4) off-day: Sunday and Saturday; 5) working-day: Monday to Friday. |

[View] Global configuration view

[Notes] Multiple periodic time ranges can be configured on the same timer_name. Run `no time-range timer_name` to delete the ACL timer. Run `no time-range timer_name xx:xx to xx:xx days` to delete a single time range under the ACL timer.

[Use cases]

```
sonic# configure terminal
sonic(config)# time-range timer_1 23:59 to 11:38 0,1
sonic(config)# time-range timer_1 11:40 to 11:45 0-1
sonic(config)# time-range timer_1 11:40 to 11:45 2
sonic(config)# time-range timer_1 11:50 to 11:55 mon,wed
sonic(config)# time-range timer_1 12:05 to 12:15 daily
sonic(config)# time-range timer_1 13:05 to 13:15 off-day
sonic(config)# time-range timer_1 14:05 to 14:15 working-day
```

#### time-range (absolute)

[Command] time-range timer_name from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx

[Purpose] Create a time period based on an absolute time range.

[Parameters]

| Parameter | Description |
|---|---|
| timer_name | Time range name, maximum length 32 characters |
| xx:xx | 24-hour time, such as 18:49 |
| xxxx/xx/xx | Effective date, in the format y/m/d |

[View] Global configuration view

[Notes] Multiple absolute time ranges can be configured on the same timer_name. An absolute time range and a periodic time range can be configured on the same timer_name; the effective time is then the intersection of the two. Run `no time-range timer_name` to delete the ACL timer. Run `no time-range from xx:xx xxxx/xx/xx to xx:xx xxxx/xx/xx` to delete a single time range under the ACL timer.

[Use cases]

```
sonic# configure terminal
sonic(config)# time-range timer_1 from 11:00 2024/10/14 to 11:00 2024/10/20
sonic(config)# time-range timer_1 from 11:00 2024/10/25 to 11:00 2024/10/28
```
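The control plane ACL and time-range sections above define how a rule is selected (the larger rule_id wins, a rule may be gated by a timer, default-drop catches everything else) and how a timer's effective time is computed (periodic and absolute ranges, intersection when both kinds are present). The following is an added Python model of those semantics for checking a planned ACL off-box; it is example code, not the switch vendor's implementation. The timer and rules are constructed from the use cases on this page, the extra lowest-priority accept rule is an assumption, and the handling of a range that wraps past midnight, of several entries of one kind, and of unmatched traffic without default-drop are labelled assumptions in the code.

```python
"""Time-range and control-plane ACL evaluation (added example, not vendor code).

Models what this page describes: periodic "xx:xx to xx:xx days" ranges, absolute
"from ... to ..." ranges, effective time = intersection of the two kinds, and
control-plane rules where a larger rule_id wins and default-drop is the fallback.
"""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, time

# CLI days are 0 = Sunday .. 6 = Saturday; Python weekday() is 0 = Monday .. 6 = Sunday.
DAY_NAMES = {"sun": 0, "mon": 1, "tue": 2, "wed": 3, "thu": 4, "fri": 5, "sat": 6}
DAY_GROUPS = {"daily": set(range(7)), "off-day": {0, 6}, "working-day": {1, 2, 3, 4, 5}}


def cli_weekday(dt):
    return (dt.weekday() + 1) % 7


def parse_days(spec):
    """Parse the 'days' argument: '0-6', '0,1', 'mon,wed', 'daily', 'off-day', 'working-day'."""
    spec = spec.strip().lower()
    if spec in DAY_GROUPS:
        return set(DAY_GROUPS[spec])
    days = set()
    for tok in (t.strip() for t in spec.split(",")):
        if "-" in tok:
            lo, hi = (int(x) for x in tok.split("-", 1))
            days.update(range(lo, hi + 1))
        else:
            days.add(int(tok) if tok.isdigit() else DAY_NAMES[tok])
    if not days <= set(range(7)):
        raise ValueError(f"day out of range in {spec!r}")
    return days


@dataclass
class Periodic:
    """One 'time-range NAME start to end DAYS' entry."""
    start: time
    end: time
    days: set

    def active(self, dt):
        now, day = dt.time(), cli_weekday(dt)
        if self.start <= self.end:
            return day in self.days and self.start <= now <= self.end
        # Range wraps past midnight ("23:59 to 11:38" on this page). Assumption:
        # the evening part belongs to the configured day, the morning part to the next.
        if now >= self.start:
            return day in self.days
        return now <= self.end and (day - 1) % 7 in self.days


@dataclass
class TimeRange:
    name: str
    periodic: list = field(default_factory=list)  # Periodic entries
    absolute: list = field(default_factory=list)  # (start, end) datetime pairs

    def active(self, dt):
        # Entries of one kind are alternatives (assumption); when both kinds are
        # configured the timer is active only in their intersection, per the notes.
        periodic_ok = not self.periodic or any(p.active(dt) for p in self.periodic)
        absolute_ok = not self.absolute or any(s <= dt <= e for s, e in self.absolute)
        return periodic_ok and absolute_ok


@dataclass
class CtrlRule:
    rule_id: int          # 0-500; the larger the value, the higher the priority
    action: str           # "accept" or "deny"
    source: str = None    # A.B.C.D(/M) or X:X::X:X(/M); None matches any source
    time_range: TimeRange = None

    def matches(self, src_ip, dt):
        if self.source is not None:
            # Membership is False across IP versions, so a v4 rule never matches a v6 source.
            if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source, strict=False):
                return False
        return self.time_range is None or self.time_range.active(dt)


def decide(rules, src_ip, dt, default_drop=True):
    """Highest rule_id that matches wins; default-drop catches the rest.
    Assumption: without default-drop, unmatched control-plane traffic is accepted."""
    for rule in sorted(rules, key=lambda r: r.rule_id, reverse=True):
        if rule.matches(src_ip, dt):
            return rule.action
    return "drop" if default_drop else "accept"


# Constructed from this page's use cases:
#   time-range timer_1 23:59 to 11:38 0,1
#   time-range timer_1 12:05 to 12:15 daily
#   time-range timer_1 from 11:00 2024/10/14 to 11:00 2024/10/20
TIMER_1 = TimeRange("timer_1",
    periodic=[Periodic(time(23, 59), time(11, 38), parse_days("0,1")),
              Periodic(time(12, 5), time(12, 15), parse_days("daily"))],
    absolute=[(datetime(2024, 10, 14, 11, 0), datetime(2024, 10, 20, 11, 0))])

# access-list test1 ctrlplane ssh: the page's two deny rules plus a constructed
# lowest-priority accept for the management subnet; default-drop is enabled.
TEST1_RULES = [
    CtrlRule(100, "deny", "192.168.10.85"),
    CtrlRule(1, "deny", "192.168.30.138", TIMER_1),
    CtrlRule(0, "accept", "192.168.30.0/24"),
]
```

Evaluating `decide(TEST1_RULES, "192.168.30.138", when)` for a Tuesday 12:10 inside the absolute window returns `deny`, while the same time one week later returns `accept`: the daily 12:05-12:15 range still matches, but the absolute range no longer does, and the intersection rule makes the timed deny inactive. A source that matches no rule falls through to `drop` because default-drop is configured.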

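The data plane ACL and policy routing sections spell out constraints that the CLI enforces only at configuration time: rule_id must be 0-500 and unique within a table, each table type accepts a fixed set of match fields, some fields and actions are ingress-only, and a next hop group number must be 1-12. The following is an added Python linter that applies those constraints to a planned configuration before it is typed into the switch; it is example code, not the switch vendor's implementation. The field tables are transcribed from this page (tcp-flags uses the 0-63 range of the data plane table), the `AclTable`/`AclRule` shapes and the sample configuration are constructed, and the sample deliberately contains one instance of each violation.

```python
"""Static validation of ACL definitions before commit (added example, not vendor code).

Encodes the constraints stated in this reference: rule_id 0-500 and unique per
table, match fields permitted per table type, ingress-only fields and actions,
nexthop-group 1-12. Reports every violation found in a constructed configuration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Numeric match fields and their ranges, from the match-field tables on this page.
NUMERIC = {
    "outer-vlan": (1, 4094), "vlan-pri": (0, 7), "ip-protocol": (0, 255),
    "source-port": (0, 65535), "destination-port": (0, 65535), "tcp-flags": (0, 63),
    "icmp-type": (0, 16), "icmp-code": (0, 5), "ecn": (0, 3), "dscp": (0, 63),
    "ip-precedence": (0, 7), "icmpv6-type": (1, 137), "icmpv6-code": (0, 4),
    "ethernet-type": (0, 0xFFFF), "flow-label": (0, 0xFFFF),
    "bth-opcode": (0, 255), "aeth-syndrome": (0, 255),
}
L3_COMMON = {"outer-vlan", "source-port", "destination-port", "tcp-flags", "source-ip",
             "destination-ip", "icmp-type", "icmp-code", "dscp", "ip-type"}
TABLE_FIELDS = {  # match fields each table type accepts
    "l2": {"outer-vlan", "ethernet-type", "source-mac", "destination-mac", "vlan-pri"},
    "l3": L3_COMMON | {"vlan-pri", "ip-protocol", "ethernet-type", "ecn", "ip-precedence"},
    "l3v6": {"ip-protocol", "source-port", "destination-port", "source-ipv6", "destination-ipv6",
             "icmpv6-type", "icmpv6-code", "ethernet-type", "dscp", "flow-label"},
    "mirror": L3_COMMON | {"bth-opcode", "aeth-syndrome"},
    "mirrorv6": {"source-ipv6", "destination-ipv6", "bth-opcode", "aeth-syndrome"},
    "flow-control": {"outer-vlan", "ip-protocol", "source-port", "destination-port", "source-ip",
                     "destination-ip", "source-mac", "destination-mac", "in-ports"},
}
INGRESS_ONLY_FIELDS = {
    "l2": {"source-mac", "destination-mac"},
    "l3": {"ethernet-type"},
    "l3v6": {"ip-protocol", "icmpv6-type", "icmpv6-code", "ethernet-type", "flow-label"},
    "flow-control": {"source-mac", "destination-mac"},
}
INGRESS_ONLY_ACTIONS = {"drop", "redirect-action", "set-tc"}


@dataclass
class AclTable:  # constructed shape, mirrors 'access-list NAME TYPE STAGE'
    name: str
    type: str   # l2 | l3 | l3v6 | mirror | mirrorv6 | flow-control
    stage: str  # ingress | egress


@dataclass
class AclRule:  # constructed shape, mirrors 'rule ID ACTION MATCH...'
    table: str
    rule_id: int
    action: str
    match: dict = field(default_factory=dict)
    nexthop_group: int = None


def validate(tables, rules):
    """Return a list of findings; an empty list means the configuration is clean."""
    by_name = {t.name: t for t in tables}
    findings = []
    # rule_id doubles as the priority and must be unique within one table.
    counts = Counter((r.table, r.rule_id) for r in rules)
    for (tbl, rid), n in sorted(counts.items()):
        if n > 1:
            findings.append(f"{tbl} rule {rid}: defined {n} times (same priority in one table)")
    for r in rules:
        where = f"{r.table} rule {r.rule_id}"
        if not 0 <= r.rule_id <= 500:
            findings.append(f"{where}: rule_id outside 0-500")
        tbl = by_name.get(r.table)
        if tbl is None:
            findings.append(f"{where}: table does not exist")
            continue
        for name, value in r.match.items():
            if name not in TABLE_FIELDS[tbl.type]:
                findings.append(f"{where}: {name} is not a match field of {tbl.type} tables")
                continue
            if tbl.stage == "egress" and name in INGRESS_ONLY_FIELDS.get(tbl.type, set()):
                findings.append(f"{where}: {name} is ingress-only")
            if name in NUMERIC and not NUMERIC[name][0] <= value <= NUMERIC[name][1]:
                findings.append(f"{where}: {name}={value} outside {NUMERIC[name][0]}-{NUMERIC[name][1]}")
        if tbl.stage == "egress" and r.action in INGRESS_ONLY_ACTIONS:
            findings.append(f"{where}: action {r.action} is ingress-only")
        if r.nexthop_group is not None and not 1 <= r.nexthop_group <= 12:
            findings.append(f"{where}: nexthop-group {r.nexthop_group} outside 1-12")
    return findings


# Constructed configuration: the page's l3 use case plus deliberate mistakes.
TABLES = [AclTable("table_1", "l3", "ingress"), AclTable("table_3", "l3", "egress"),
          AclTable("t6", "l3v6", "egress")]
RULES = [
    AclRule("table_1", 1, "permit", {"source-ip": "10.0.0.3/24"}),
    AclRule("table_1", 1, "set-tc", {"source-ip": "192.168.30.138"}),  # duplicate priority
    AclRule("table_1", 501, "permit", {"dscp": 70}),                    # id and dscp out of range
    AclRule("table_3", 10, "drop", {"ethernet-type": 0x0800}),          # ingress-only field and action on egress
    AclRule("t6", 20, "permit", {"source-port": 22, "flow-label": 0x1234}),  # flow-label is ingress-only
    AclRule("table_1", 30, "redirect-action", {"destination-ip": "96.0.0.7"}, nexthop_group=13),
    AclRule("nope", 5, "permit"),                                       # table never created
]


def example_findings():
    return validate(TABLES, RULES)
```

Running `example_findings()` yields eight findings, one per mistake planted in `RULES`; the first one flags the two `rule 1` entries in `table_1`, which reproduces the same-priority situation shown in the data plane `rule` use case above.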