ACL Configuration
For configuring an access control list, you define filter criteria (with match conditions) for the packets and an action for the device to take if the packets match the filtering criteria.
Configuration Syntax and Commands
The following sections describe the ACL configuration syntax and commands.
Configuring ACLs
Syntax:
set forwarding-options acl [l2 | l3v4 | l3v6] rule <name> ordinal <number> <option> <attribute> <value>
| Options | Description |
|---|---|
<name> |
Name of the ACL rule. |
<number> |
Specifies the ordinal number. |
match <…> |
Match configuration hierarchy. Please refer to section 2.2.1.1 for the ACL match criteria configuration. |
action <…> |
Action configuration hierarchy. Please refer to section 2.2.1.2 for the ACL actions configuration. |
priority <priority> |
Specifies the ACL priority value. The default entry priority for user-defined ACLs changes to 500. The configurable ACL entry priority range becomes 100 - 20000. A lower number indicates higher priority. |
Configuring ACL Match Criteria
set forwarding-options acl [ l2 | l3v4 | l3v6 ] rule <rulename> ordinal <ordinal_value> match <attribute> <value>
| Attribute | Description |
|---|---|
destination-mac <destination-mac> |
ACL L2 destination mac match. |
destination-ipv4-prefix <destination-ipv4-prefix> |
ACL L3 IPv4 destination prefix match. |
destination-ipv4-prefix-list <destination-ipv4-prefix-list> |
ACL destination IPv4 prefix-list name. You can apply a prefix list that is previously configured. Refer to section Configuring Prefix Lists. |
destination-l4-port <destination-l4-port> |
ACL L4 destination port match. |
destination-ipv4-local true |
Indicates whether match support is enabled for all traffic destined for the routers' IP addresses. Note: To disable the configuration, use the |
destination-ipv6-prefix <destination-ipv6-prefix> |
ACL L3 IPv6 destination prefix match. |
destination-ipv6-prefix-list <destination-ipv6-prefix-list> |
ACL destination IPv6 prefix-list name. You can apply a prefix list that is previously configured. Refer to section Configuring Prefix Lists. |
destination-ipv6-local true |
Indicates whether match support is enabled for all traffic destined for the routers' IP addresses. To disable the configuration, use the |
direction ingress |
ACL L2/L3 direction match. Currently, only the ingress direction is supported. |
ethertype <ethertype> |
ACL L2 EtherType match. |
inner-tag-protocol-id <inner-tag-protocol-id> |
ACL L2 inner TPID match. |
inner-vlan <inner-vlan> |
ACL L2 inner-VLAN match. |
inner-vlan-cfi <inner-vlan-cfi> |
ACL L2 inner-VLAN CFI match. |
inner-vlan-priority <inner-vlan-priority> |
ACL L2 inner-VLAN priority match. |
interface <interface> |
Interface match. |
ip-options true |
Match if the IPv4 packet has options. Supported value: true. |
ip-protocol <protocol> |
ACL IP protocol value match such as TCP, UDP, ICMP. |
ipv4-dscp <ipv4-dscp> |
IPv4 DSCP value. |
ipv4-tos <ipv4-tos> |
IPv4 ToS value. |
ipv6-tc <ipv6-tc> |
Codepoint class value. |
logical-interface <logical-interface> |
Logical interface match. |
source-ipv4-prefix <source-ipv4-prefix> |
ACL L3 IPv4 source prefix match. |
source-ipv4-prefix-list <source-ipv4-prefix-list> |
ACL source IPv4 prefix-list name. You can apply a prefix list that is previously configured. Refer to section Configuring Prefix Lists. |
source-ipv6-prefix <source-ipv6-prefix> |
Configure ACL L3 IPv6 source prefix match. |
source-ipv6-prefix-list <source-ipv6-prefix-list> |
ACL source IPv6 prefix-list name. You can apply a prefix list that is previously configured. Refer to section Configuring Prefix Lists. |
source-l4-port <source-l4-port> |
ACL L4 source port match. |
outer-tag-protocol-id <outer-tag-protocol-id> |
ACL L2 outer TPID match. |
outer-vlan <outer-vlan> |
ACL L2 outer-VLAN match. |
outer-vlan-cfi <outer-vlan-cfi> |
ACL L2 outer VLAN CFI match. |
outer-vlan-priority <outer-vlan-priority> |
ACL L2 outer VLAN priority match. |
source-mac <source-mac> |
ACL L2 source MAC match. |
traffic-class <class> |
Forward class value. Supported values: class-0 to class-7, class-all. |
ttl <ttl> |
IPv4 time-to-live value. |
match-mpls-traffic true |
Match single MPLS label termination. To disable, use the |
Example 1: Layer 2 Match Configuration
{
"rtbrick-config:acl": {
"l2": {
"rule": [
{
"rule-name": "a10nsp-drop-lag-2",
"ordinal": [
{
"ordinal-value": 1,
"match": {
"direction": "ingress",
"interface": "lag-2",
"outer-vlan-priority": 1
},
"action": {
"drop": "true",
"statistics": "true"
}
},
Example 2: Layer 3 IPv4 Match Configuration
{
"rtbrick-config:acl": {
"l3v4": {
"rule": [
{
"rule-name": "rtb_firewall_two",
"ordinal": [
{
"ordinal-value": 1000,
"match": {
"direction": "ingress",
"source-ipv4-prefix": "198.51.100.50/24",
"source-l4-port": 8080
},
"action": {
"drop": "true"
}
}
]
},
{
"rule-name": "rule2",
"ordinal": [
{
"ordinal-value": 5,
"match": {
"direction": "ingress",
"interface": "ifp-0/0/1"
}
}
]
}
]
}
}
}
Example 3: Layer 3 IPv6 Match Configuration
{
"rtbrick-config:l3v6": {
"rule": [
{
"rule-name": "rtb_firewall_two",
"ordinal": [
{
"ordinal-value": 1000,
"match": {
"direction": "ingress",
"source-ipv6-prefix": "2001:db8:0:11::/32",
"source-l4-port": 8080
},
"action": {
"permit": "true"
}
}
]
}
]
}
}
Example 4: Match support for all traffic destined for any of the router’s IP addresses
{
"rtbrick-config:acl": {
"l3v4": {
"rule": [
{
"rule-name": "rule4",
"ordinal": [
{
"ordinal-value": 4,
"match": {
"direction": "ingress",
"destination-ipv4-local": "true"
},
"action": {
"drop": "true"
}
}
]
}
]
},
"l3v6": {
"rule": [
{
"rule-name": "rule2",
"ordinal": [
{
"ordinal-value": 2,
"match": {
"direction": "ingress",
"destination-ipv6-local": "true"
},
"action": {
"drop": "true"
}
}
]
}
]
}
}
}
Configuring ACL Actions
Syntax:
set forwarding-options acl [l3v4 | l3v6] rule <rulename> ordinal <ordinal_value> action <attribute> <value>
| Attribute | Description | ||
|---|---|---|---|
drop true |
If the ACL rule specifies |
||
permit true |
If the ACL rule specifies |
||
action statistics true |
Configure action, enable statistics. Use the
|
||
forward-class <class> |
Specifies forward class value (class-0 to class-7, class-all) |
||
mirror <mirror> |
Specifies ACL action mirror name.
|
||
capture true |
You can enable the capture action when using the RBFS built-in capture feature with an ACL to more granularly specify the traffic to be captured. To disable, use the |
||
policer-name <policer-name> |
Specifies policer profile name. |
||
redirect-to-cpu true |
Configure action, redirect packets to CPU. To disable, use the |
Example
{
"rule-name": "rtb_firewall_two",
"ordinal": [
{
"ordinal-value": 1000,
"match": {
"direction": "ingress",
"source-ipv4-prefix": "198.51.100.50/24",
"source-l4-port": 8080
},
"action": {
"drop": "true"
}
}
]
}
Configuring Prefix Lists
Configuring IPv4/IPv6 Prefix List for ACL and Multifield Classifier
Syntax:
set forwarding-options prefix-list <prefix-list-name> <attribute> <value>
| Attribute | Description |
|---|---|
<prefix-list-name> |
Name of the prefix list, which will be later used to attach with ACL configuration. |
ipv4-prefix <ipv4_prefix> |
Specifies the IPv4 prefix address. |
ipv6-prefix <ipv6_prefix> |
Specifies the IPv6 prefix address. |
Example 1: Prefix List Configuration
supervisor@rtbrick>LEAF01: op> show config forwarding-options prefix-list
{
"rtbrick-config:prefix-list": [
{
"prefix-list-name": "ipv4-list",
"ipv4-prefix": [
{
"ipv4-prefix": "198.51.100.50/24"
},
{
"ipv4-prefix": "198.51.101.60/24"
},
{
"ipv4-prefix": "198.51.102.70/24"
}
]
}
]
}
Example 2: Using Prefix-list in Multifield-Classifier
supervisor@rtbrick>LEAF01: op> show config forwarding-options prefix-list pta-iptv-multicast
{
"rtbrick-config:prefix-list": [
{
"prefix-list-name": "ipv4-list",
"ipv4-prefix": [
{
"ipv4-prefix": "198.51.100.50/24"
},
{
"ipv4-prefix": "198.51.101.60/24"
},
{
"ipv4-prefix": "198.51.102.70/24"
}
]
}
]
}
Example 3: Viewing Multifield-Classifier Details
supervisor@rtbrick>LEAF01: op> show config forwarding-options class-of-service multifield-classifier acl l3v4 rule pta-triple-play-8queues ordinal 6000
{
"rtbrick-config:ordinal": [
{
"ordinal-value": 6000,
"match": {
"destination-ipv4-prefix-list": "ipv4-list"
},
"action": {
"forward-class": "class-1",
"remark-codepoint": 248
}
}
]
}