Software

Networking Storage Software

Networking Storage Software

Celestica Documentation Portal

Find your product documents here

Software

Software Contents

SONiC

CLI Reference Guide

Revision 1.1

Access Control Lists

IPv4 ACL Commands

IPv4 Access-list rules create and delete

IPv4 Access-list rules create and delete

Adds new rules for the IPv4 access-list from the config-ipv4-acl mode.


Syntax for L3 protocols {protocol-number \| ip \| icmp}	`sequence <seq-number> {permit \| deny} {protocol-number \| ip \| icmp} <source-ip-address> <destination-ip-address> [dscp <dscp-value>]`
Command mode	ACL IPv4 mode
Parameters	`seq-number` – Sequence number for the ACL rule. Range: 1 – 65535. `permit` – Forward the traffic. `deny` – Drop the traffic. `protocol-number` – Supported protocol number (1, 2, 6, 17, 46, 47, 51, 58, 103, 115). Range: 0 – 255. `ip` – IP packets. `icmp` – ICMP packets. `source-ip-address` – Can be one of the below value: `A.B.C.D/mask` – Source IPv4 prefix. `any` – Keyword for matching any IPv4 address. `src-host <ipv4-address>` – Source Host IPv4 address. `destination-ip-address` – Can be one of the below value: `A.B.C.D/mask` – Destination IPv4 prefix. `any` – Keyword for matching any IPv4 address. `dst-host <ipv4-address>` – Destination Host IPv4 address. `dscp-value` – Considers only packets matching the DSCP value. Range: 0 – 63.
Syntax for L4 protocols {tcp \| udp}	`sequence <seq-number> {permit \| deny} {tcp \| udp} <source-ip-address> [src-eq <src-l4-port>\| src-gt <src-start-l4-port> \| src-lt <src-end-l4-port> \| src-range <src-start-l4-port> <src-end-l4-port>] <destination-ip-address> [dst-eq <dst-l4-port>\| dst-gt <dst-start-l4-port> \| dst-lt <dst-end-l4-port> \| dst-range <dst-start-l4-port> <dst-end-l4-port>] [ack \| fin \| psh \| rst \| syn \| urg] [dscp <dscp-value>]`
Parameters	`src-l4-port` – L4 port number. Range: 0 – 65535. `src-start-l4-port` – Matches all the L4 source port number greater than the given L4 port number. Range: 0 – 65534. `src-end-l4-port` – Matches all the L4 source port number lesser than the given L4 port number. Range: 1 – 65535. `dst-l4-port` – L4 port number. Range: 0 – 65535. `dst-start-l4-port` – Matches all the L4 destination port number greater than the given L4 port number. Range: 0 – 65534. `dst-end-l4-port` – Matches all the L4 destination port number lesser than the given L4 port number. Range: 1 – 65535. `ack \| fin \| psh \| rst \| syn \| urg` – Matches the TCP flags. Applicable only for TCP protocol.
Usage	Use the `no sequence <sequence-number>` command to remove the access-list rule corresponding to the given sequence number.
Supported Releases	1.0.0 or later
Click command	`config acl update {full \| incremental} <filename>` `full` – Full update of the ACL rules configuration. `incremental` – Incremental update of the ACL rule configuration.
Example `sonic(config)# ip access-list ip_access_name sonic(config-ipv4-acl)# sequence 1 permit ip 1.1.1.1/24 2.2.2.2/16 dscp 63 sonic(config-ipv4-acl)# sequence 2 deny tcp src-host 1.1.1.1 src-eq 1000 dst-host 2.2.2.2 dst-range 2000 4000 ack urg dscp 63 sonic# configure terminal sonic(config)# ip access-list ip_access_name sonic(config-ipv4-acl)# no sequence 1 sonic(config-ipv4-acl)# no sequence 2`

Last updated: October 8, 2024