OpenConfig ACL
Create L2 entries
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to create an ACL (access control list) entry that matches Layer 2 (MAC) traffic.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_L2</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<config>
<name>ACL_OC_L2</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<description>ACL L2 CFG Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<l2>
<config>
<destination-mac>00BB.CCDD.EEFF</destination-mac>
<destination-mac-mask>AC00.0000.0000</destination-mac-mask>
<ethertype>ETHERTYPE_IPV4</ethertype>
<source-mac>0000.CCDD.EEFF</source-mac>
<source-mac-mask>AABB.0000.0000</source-mac-mask>
</config>
</l2>
<actions>
<config>
<forwarding-action xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
<log-action>LOG_SYSLOG</log-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
OcNOS CLI command
mac access-list ACL_OC_L2
remark ACL L2 CFG Test
1 permit 0000.CCDD.EEFF AABB.0000.0000 00BB.CCDD.EEFF AC00.0000.0000 ipv4
!
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<acl-sets>
<acl-set>
<name>ACL_OC_L2</name>
<type>mac</type>
<config>
<name>ACL_OC_L2</name>
<type>mac</type>
<description>ACL L2 CFG Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<mac>
<config>
<destination-mac-address>00BB.CCDD.EEFF</destination-mac-address>
<destination-mac-mask>AC00.0000.0000</destination-mac-mask>
<ethertype>ipv4</ethertype>
<source-mac-address>0000.CCDD.EEFF</source-mac-address>
<source-mac-mask>AABB.0000.0000</source-mac-mask>
<forwarding-action>permit</forwarding-action>
<monitor-action>log</monitor-action>
</config>
</mac>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_L2</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<config>
<name>ACL_OC_L2</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<description>ACL L2 CFG Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<mac>
<config>
<source-mac>0000.CCDD.EEFF</source-mac>
<source-mac-mask>AABB.0000.0000</source-mac-mask>
<ethertype>ETHERTYPE_IPV4</ethertype>
<destination-mac>00BB.CCDD.EEFF</destination-mac>
<destination-mac-mask>AC00.0000.0000</destination-mac-mask>
</config>
</mac>
<actions>
<config>
<forwarding-action xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Restrictions
None.
Create IPv4 entries
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to create an ACL (access control list) entry that matches IPv4 traffic.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV4</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<config>
<name>ACL_OC_IPV4</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<config>
<sequence-id>10</sequence-id>
</config>
<ipv4>
<config>
<source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp>
<protocol>6</protocol>
</config>
</ipv4>
<actions>
<config>
<forwarding-action xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
<log-action>LOG_SYSLOG</log-action>
</config>
</actions>
<transport>
<config>
<explicit-tcp-flags xmlns:oc-pkt-match-types="http://openconfig.net/yang/packet-match-types">oc-pkt-match-types:TCP_SYN</explicit-tcp-flags>
<source-port>22</source-port>
<destination-port>80</destination-port>
</config>
</transport>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
OcNOS CLI command
ip access-list ACL_OC_IPV4
remark ACL TFW Test
10 permit tcp 1.1.1.0/24 2.2.2.0/24 dscp af21 syn
!
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV4</name>
<type>ip</type>
<config>
<name>ACL_OC_IPV4</name>
<type>ip</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<config>
<sequence-id>10</sequence-id>
</config>
<ipv4>
<config>
<source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp>
<protocol-tcp />
<tcp-source-port>22</tcp-source-port>
<tcp-destination-port>80</tcp-destination-port>
<tcp-flags>syn</tcp-flags>
<forwarding-action>permit</forwarding-action>
<monitor-action>log</monitor-action>
</config>
</ipv4>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV4</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<config>
<name>ACL_OC_IPV4</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<config>
<sequence-id>10</sequence-id>
</config>
<ipv4>
<config>
<source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp>
<protocol>6</protocol>
</config>
</ipv4>
<actions>
<config>
<forwarding-action xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
</config>
</actions>
<transport>
<config>
<explicit-tcp-flags xmlns:oc-pkt-match-types="http://openconfig.net/yang/packet-match-types">oc-pkt-match-types:TCP_SYN</explicit-tcp-flags>
</config>
</transport>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Restrictions
None.
Create IPv6 entries
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to create an ACL (access control list) entry that matches IPv6 traffic.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV6</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<config>
<name>ACL_OC_IPV6</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>11</sequence-id>
<config>
<sequence-id>11</sequence-id>
</config>
<ipv6>
<config>
<source-address>2000::/8</source-address>
<destination-address>2001::/16</destination-address>
<dscp>23</dscp>
<protocol>6</protocol>
</config>
</ipv6>
<actions>
<config>
<forwarding-action xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:REJECT</forwarding-action>
<log-action>LOG_SYSLOG</log-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
OcNOS CLI command
ipv6 access-list ACL_OC_IPV6
remark ACL TFW Test
11 deny tcp 2000::/8 2001::/16 dscp 23
!
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV6</name>
<type>ipv6</type>
<config>
<name>ACL_OC_IPV6</name>
<type>ipv6</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>11</sequence-id>
<config>
<sequence-id>11</sequence-id>
</config>
<ipv6>
<config>
<source-address>2000::/8</source-address>
<destination-address>2001::/16</destination-address>
<dscp>23</dscp>
<protocol-tcp />
<forwarding-action>deny</forwarding-action>
<monitor-action>log</monitor-action>
</config>
</ipv6>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV6</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<config>
<name>ACL_OC_IPV6</name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>11</sequence-id>
<config>
<sequence-id>11</sequence-id>
</config>
<ipv6>
<config>
<source-address>2000::/8</source-address>
<destination-address>2001::/16</destination-address>
<dscp>23</dscp>
<protocol>6</protocol>
</config>
</ipv6>
<actions>
<config>
<forwarding-action xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:REJECT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
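The "Validation with NETCONF get" replies in the L2, IPv4 and IPv6 sections above return only part of what was pushed: none of the three echoes the log-action, and the IPv4 reply also omits the source and destination ports that the payload carried. The script below is an added example (not OcNOS or OpenConfig project code) that makes this comparison mechanical. It flattens every config leaf of an OpenConfig ACL document into a path keyed by ACL set name and sequence-id, resolves identityref prefixes to their namespace so that oc-acl:ACCEPT compares equal whatever prefix the reply happens to use, and lists each pushed leaf that the get reply does not return with the same value. The embedded payload and reply are the IPv4 pair from this chapter, re-serialised with prefixes declared once on the root (the reply deliberately uses different prefixes); the names leaf_values and not_echoed and the path notation are this example's own.

```python
"""Compare a pushed OpenConfig ACL payload with the NETCONF <get> reply.

Added example, not OcNOS or OpenConfig project code.  Config leaves of both
documents are flattened to paths such as
/acl/acl-sets/acl-set[ACL_OC_IPV4]/acl-entries/acl-entry[10]/transport/config/source-port
and every leaf that was pushed but is missing or changed in the reply is
reported, so an unapplied match field is noticed before the ACL is trusted.
"""
import io
import xml.etree.ElementTree as ET

OC_ACL = "http://openconfig.net/yang/acl"
# YANG list entries are keyed, so the path is stable whatever the leaf order.
LIST_KEYS = {"acl-set": "name", "acl-entry": "sequence-id"}


def _qn(local):
    return "{%s}%s" % (OC_ACL, local)


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _prefix_map(xml_text):
    """Every xmlns:prefix declaration in the document (prefix -> namespace URI).
    Identityref values such as oc-acl:ACCEPT are element text, which
    ElementTree does not resolve, so the normalisation is done by hand."""
    events = ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns",))
    return {prefix: uri for _, (prefix, uri) in events}


def _normalise(value, prefixes):
    value = value.strip()
    prefix, _, local = value.partition(":")
    if prefix in prefixes and local:      # identityref -> '{uri}NAME'
        return "{%s}%s" % (prefixes[prefix], local)
    return value                          # plain value; IPv6 text also lands here


def _walk(elem, path, prefixes, out):
    children = list(elem)
    if not children:
        if elem.text and elem.text.strip():   # leaves of type empty are skipped
            out[path] = _normalise(elem.text, prefixes)
        return
    for child in children:
        name = _local(child.tag)
        key = LIST_KEYS.get(name)
        seg = "%s[%s]" % (name, child.findtext(_qn(key))) if key else name
        _walk(child, path + "/" + seg, prefixes, out)


def leaf_values(xml_text):
    """{path: value} for every config leaf of an OpenConfig <acl> document."""
    out = {}
    _walk(ET.fromstring(xml_text), "/acl", _prefix_map(xml_text), out)
    return out


def not_echoed(pushed_xml, fetched_xml):
    """Sorted paths pushed in edit-config whose value the <get> reply lacks."""
    fetched = leaf_values(fetched_xml)
    return sorted(p for p, v in leaf_values(pushed_xml).items() if fetched.get(p) != v)


# Constructed from this chapter's IPv4 example: the edit-config payload ...
PUSHED_IPV4 = """<acl xmlns="http://openconfig.net/yang/acl" xmlns:oc-acl="http://openconfig.net/yang/acl"
  xmlns:oc-pkt-match-types="http://openconfig.net/yang/packet-match-types">
<acl-sets><acl-set><name>ACL_OC_IPV4</name><type>oc-acl:ACL_IPV4</type>
<config><name>ACL_OC_IPV4</name><type>oc-acl:ACL_IPV4</type><description>ACL TFW Test</description></config>
<acl-entries><acl-entry><sequence-id>10</sequence-id><config><sequence-id>10</sequence-id></config>
<ipv4><config><source-address>1.1.1.0/24</source-address><destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp><protocol>6</protocol></config></ipv4>
<actions><config><forwarding-action>oc-acl:ACCEPT</forwarding-action><log-action>LOG_SYSLOG</log-action></config></actions>
<transport><config><explicit-tcp-flags>oc-pkt-match-types:TCP_SYN</explicit-tcp-flags>
<source-port>22</source-port><destination-port>80</destination-port></config></transport>
</acl-entry></acl-entries></acl-set></acl-sets></acl>"""

# ... and the <get> reply shown under "Validation with NETCONF get" (prefixes
# deliberately differ from the pushed document: only the namespace matters).
FETCHED_IPV4 = """<acl xmlns="http://openconfig.net/yang/acl" xmlns:a="http://openconfig.net/yang/acl"
  xmlns:p="http://openconfig.net/yang/packet-match-types">
<acl-sets><acl-set><name>ACL_OC_IPV4</name><type>a:ACL_IPV4</type>
<config><name>ACL_OC_IPV4</name><type>a:ACL_IPV4</type><description>ACL TFW Test</description></config>
<acl-entries><acl-entry><sequence-id>10</sequence-id><config><sequence-id>10</sequence-id></config>
<ipv4><config><source-address>1.1.1.0/24</source-address><destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp><protocol>6</protocol></config></ipv4>
<actions><config><forwarding-action>a:ACCEPT</forwarding-action></config></actions>
<transport><config><explicit-tcp-flags>p:TCP_SYN</explicit-tcp-flags></config></transport>
</acl-entry></acl-entries></acl-set></acl-sets></acl>"""

if __name__ == "__main__":
    for path in not_echoed(PUSHED_IPV4, FETCHED_IPV4):
        print("pushed but not echoed:", path)
```

Run against the pair above it reports the log-action, destination-port and source-port leaves. Whether such a leaf was silently dropped or is merely not reported by the OpenConfig get is not something the reply can tell you; the OcNOS CLI block for the same ACL is the second source to check before the entry is relied on as a filter.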
Restrictions
None.
Create interfaces egress for IPv4/IPv6
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to associate an IPv4 or IPv6 ACL (access control list) with an interface in the egress direction.
Only one ACL can be associated with an interface in this direction at a time.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI command
ip access-list ACL_OC_IPV4
remark ACL TFW Test
10 permit tcp 1.1.1.0/24 2.2.2.0/24 dscp af21 syn
!
interface eth1
ip access-group ACL_OC_IPV4 out
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth1</name>
<config>
<name>eth1</name>
</config>
<egress-acl-sets>
<egress-acl-set>
<acl-type>ip</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_IPV4</acl-name>
<config>
<acl-name>ACL_OC_IPV4</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>ip</acl-type>
</config>
</egress-acl-set>
</egress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
Only one ACL can be associated with an interface in the egress direction at a time.
/acl/interfaces/interface/id
This leaf is limited to 32 characters. A parent interface is given by name alone (eth1 above); a subinterface must use the format "<interface>.<subinterface>", e.g., xe10.2.
Create interfaces ingress for IPv4/IPv6
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to associate an IPv4 or IPv6 ACL (access control list) with an interface in the ingress direction.
Only one ACL can be associated with an interface in this direction at a time.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI command
ip access-list ACL_OC_IPV4
remark ACL TFW Test
10 permit tcp 1.1.1.0/24 2.2.2.0/24 dscp af21 syn
!
interface eth1
ip access-group ACL_OC_IPV4 in
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth1</name>
<config>
<name>eth1</name>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<acl-type>ip</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_IPV4</acl-name>
<config>
<acl-name>ACL_OC_IPV4</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>ip</acl-type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
Only one ACL (access control list) can be associated with an interface in the ingress direction at a time.
/acl/interfaces/interface/id
This leaf is limited to 32 characters. A parent interface is given by name alone (eth1 above); a subinterface must use the format "<interface>.<subinterface>", e.g., xe10.2.
Create interfaces egress for L2
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to associate an L2 (MAC) ACL (access control list) with an interface in the egress direction.
Only one ACL can be associated with an interface in this direction at a time.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI command
mac access-list ACL_OC_L2
remark ACL L2 CFG Test
1 permit 0000.CCDD.EEFF AABB.0000.0000 00BB.CCDD.EEFF AC00.0000.0000 ipv4
!
interface eth3
mac access-group ACL_OC_L2 out
!
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth3</name>
<config>
<name>eth3</name>
</config>
<egress-acl-sets>
<egress-acl-set>
<acl-type>mac</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_L2</acl-name>
<config>
<acl-name>ACL_OC_L2</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>mac</acl-type>
</config>
</egress-acl-set>
</egress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
Only one ACL (access control list) can be associated with an interface in the egress direction at a time.
/acl/interfaces/interface/id
This leaf is limited to 32 characters. A parent interface is given by name alone (eth3 above); a subinterface must use the format "<interface>.<subinterface>", e.g., xe10.2.
Create interfaces ingress for L2
Release
This configuration was introduced in OcNOS version 6.1.0.
Configuration
Use the payloads and commands in this chapter to associate an L2 (MAC) ACL (access control list) with an interface in the ingress direction.
Only one ACL can be associated with an interface in this direction at a time.
OpenConfig NETCONF Payload
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI command
mac access-list ACL_OC_L2
remark ACL L2 CFG Test
1 permit 0000.CCDD.EEFF AABB.0000.0000 00BB.CCDD.EEFF AC00.0000.0000 ipv4
!
interface eth3
mac access-group ACL_OC_L2 in
!
OcNOS NETCONF Payload
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth3</name>
<config>
<name>eth3</name>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<acl-type>mac</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_L2</acl-name>
<config>
<acl-name>ACL_OC_L2</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>mac</acl-type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NETCONF get
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
Only one ACL (access control list) can be associated with an interface in the ingress direction at a time.
/acl/interfaces/interface/id
This leaf is limited to 32 characters. A parent interface is given by name alone (eth3 above); a subinterface must use the format "<interface>.<subinterface>", e.g., xe10.2.
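The four interface sections above (IPv4/IPv6 and L2, egress and ingress) share the same binding rules: one ACL per interface per direction, an id of at most 32 characters written as <interface> or <interface>.<subinterface>, an interface-ref that names the same interface, and a set-name whose type identity matches the ACL set being bound. The check below is an added example (not OcNOS or OpenConfig project code) that applies those rules to an OpenConfig /acl/interfaces payload on the management host before it goes into an edit-config, so that a binding the device would reject, or that would not bind what the operator meant, is caught before the interface is left without its filter. The first sample is the eth1 ingress payload from this chapter; the second is a constructed payload that breaks each rule. The regular expression used for the id, the optional known_sets argument and the function names are this example's assumptions.

```python
"""Pre-flight lint for an OpenConfig /acl/interfaces binding payload.

Added example, not OcNOS or OpenConfig project code.  It applies the rules
stated in this chapter to a payload before edit-config is sent: one ACL set
per interface per direction, an id of at most 32 characters in the form
<interface> or <interface>.<subinterface>, an interface-ref naming that
interface, and a set-name/type pair that matches a known ACL set.
"""
import re
import xml.etree.ElementTree as ET

OC_ACL = "http://openconfig.net/yang/acl"
MAX_ID_LEN = 32
# Assumed id grammar; the chapter only shows "eth1", "eth3" and "xe10.2".
ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9/_-]*(\.[0-9]+)?$")


def _qn(local):
    return "{%s}%s" % (OC_ACL, local)


def _text(elem, *path):
    """Stripped text of the descendant at path (local names), '' if absent."""
    node = elem.find("/".join(_qn(p) for p in path))
    return (node.text or "").strip() if node is not None else ""


def _identity(value):
    """'oc-acl:ACL_IPV4' -> 'ACL_IPV4'; the prefix is only a document-local alias."""
    return value.rsplit(":", 1)[-1]


def lint_interface_bindings(xml_text, known_sets=None):
    """Return a list of problems; an empty list means the payload passes.

    known_sets: optional {set-name: type} of ACL sets already on the device,
    e.g. {"ACL_OC_IPV4": "ACL_IPV4"}.  When given, a binding to an unknown
    or differently typed set is reported as well.
    """
    problems = []
    root = ET.fromstring(xml_text)
    # findall on the list path, not iter(): the interface-ref leaf is also <interface>.
    for iface in root.findall(_qn("interfaces") + "/" + _qn("interface")):
        iid = _text(iface, "id")
        if not iid or len(iid) > MAX_ID_LEN or not ID_RE.match(iid):
            problems.append("id %r: not <interface>[.<subinterface>] of at most %d chars" % (iid, MAX_ID_LEN))
        if _text(iface, "config", "id") != iid:
            problems.append("id %r: config/id differs from the list key" % iid)
        ref = _text(iface, "interface-ref", "config", "interface")
        if ref and ref != iid.split(".", 1)[0]:   # xe10.2 -> parent interface xe10
            problems.append("id %r: interface-ref %r names another interface" % (iid, ref))
        for direction in ("ingress", "egress"):
            sets = iface.findall(_qn(direction + "-acl-sets") + "/" + _qn(direction + "-acl-set"))
            if len(sets) > 1:
                problems.append("id %r: %d ACL sets bound %s; only one is allowed" % (iid, len(sets), direction))
            for s in sets:
                name, typ = _text(s, "set-name"), _identity(_text(s, "type"))
                if (_text(s, "config", "set-name"), _identity(_text(s, "config", "type"))) != (name, typ):
                    problems.append("id %r: %s set %r: config does not match the list keys" % (iid, direction, name))
                if known_sets is not None and known_sets.get(name) != typ:
                    problems.append("id %r: %s set %r of type %s is not a configured ACL set" % (iid, direction, name, typ))
    return problems


# The eth1 ingress payload from this chapter (prefix declared once on the root).
GOOD = """<acl xmlns="http://openconfig.net/yang/acl" xmlns:oc-acl="http://openconfig.net/yang/acl">
<interfaces><interface><id>eth1</id><config><id>eth1</id></config>
<ingress-acl-sets><ingress-acl-set><type>oc-acl:ACL_IPV4</type><set-name>ACL_OC_IPV4</set-name>
<config><set-name>ACL_OC_IPV4</set-name><type>oc-acl:ACL_IPV4</type></config></ingress-acl-set></ingress-acl-sets>
<interface-ref><config><interface>eth1</interface></config></interface-ref>
</interface></interfaces></acl>"""

# Constructed payload that breaks every rule: oversized id, two ingress sets,
# a set whose config keys disagree, and an interface-ref for a different port.
BAD = """<acl xmlns="http://openconfig.net/yang/acl" xmlns:oc-acl="http://openconfig.net/yang/acl">
<interfaces><interface><id>xe10.2.oversized-interface-identifier</id>
<config><id>xe10.2.oversized-interface-identifier</id></config>
<ingress-acl-sets>
<ingress-acl-set><type>oc-acl:ACL_IPV4</type><set-name>ACL_OC_IPV4</set-name>
<config><set-name>ACL_OC_IPV4</set-name><type>oc-acl:ACL_IPV4</type></config></ingress-acl-set>
<ingress-acl-set><type>oc-acl:ACL_L2</type><set-name>ACL_OC_L2</set-name>
<config><set-name>ACL_OC_L2</set-name><type>oc-acl:ACL_IPV6</type></config></ingress-acl-set>
</ingress-acl-sets>
<interface-ref><config><interface>eth3</interface></config></interface-ref>
</interface></interfaces></acl>"""

if __name__ == "__main__":
    for problem in lint_interface_bindings(BAD, {"ACL_OC_IPV4": "ACL_IPV4"}):
        print(problem)
```

A non-empty result should stop the edit-config from being sent. The known_sets map is worth populating from a prior get of /acl/acl-sets: binding a set-name that does not exist, or exists under a different type, is exactly the mistake that leaves an interface without the filter the operator believes is in place.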
Last modified date: 07/14/2023