ACL OpenConfig Translation
Enable management attributes
This XML configuration snippet is used to create an ACL (access control list) entry to operate over L2 data traffic.
Release
This configuration was introduced in OcNOS version 6.1.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to enable management attributes.
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_L2</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<config>
<name>ACL_OC_L2</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<description>ACL L2 CFG Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<l2>
<config>
<destination-mac>00BB.CCDD.EEFF</destination-mac>
<destination-mac-mask>AC00.0000.0000</destination-mac-mask>
<ethertype>ETHERTYPE_IPV4</ethertype>
<source-mac>0000.CCDD.EEFF</source-mac>
<source-mac-mask>AABB.0000.0000</source-mac-mask>
</config>
</l2>
<actions>
<config>
<forwarding-action
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
OcNOS CLI Command
This CLI command is used to enable management attributes.
mac access-list ACL_OC_L2
remark ACL L2 CFG Test
1 permit 0000.CCDD.EEFF AABB.0000.0000 00BB.CCDD.EEFF AC00.0000.0000 ipv4
!
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to enable management attributes.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<acl-sets>
<acl-set>
<name>ACL_OC_L2</name>
<type>mac</type>
<config>
<name>ACL_OC_L2</name>
<type>mac</type>
<description>ACL L2 CFG Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<mac>
<config>
<destination-mac-address>0000.0000.0000</destination-mac-address>
<destination-mac-mask>AA32.CCDD.EE10</destination-mac-mask>
<ethertype>ipv4</ethertype>
<source-mac-address>0000.0000.00EE</source-mac-address>
<source-mac-mask>AABB.CCDD.EE11</source-mac-mask>
<forwarding-action>permit</forwarding-action>
</config>
</mac>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information to enable management attributes.
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_L2</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<config>
<name>ACL_OC_L2</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<description>ACL L2 CFG Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>1</sequence-id>
<config>
<sequence-id>1</sequence-id>
</config>
<mac>
<config>
<source-mac>0000.CCDD.EEFF</source-mac>
<source-mac-mask>AABB.0000.0000</source-mac-mask>
<ethertype>ETHERTYPE_IPV4</ethertype>
<destination-mac>00BB.CCDD.EEFF</destination-mac>
<destination-mac-mask>AC00.0000.0000</destination-mac-mask>
</config>
</mac>
<actions>
<config>
<forwarding-action
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Restrictions
The leaf /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action is only valid on DC platform. All other leaves are valid on all platforms.
Create IPv4 entries
This XML configuration snippet is used to create an ACL entry to operate over IPv4 data traffic.
Release
This configuration was introduced in OcNOS version 6.1.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to create IPv4 entries.
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV4</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<config>
<name>ACL_OC_IPV4</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<config>
<sequence-id>10</sequence-id>
</config>
<ipv4>
<config>
<source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp>
<protocol>6</protocol>
</config>
</ipv4>
<actions>
<config>
<forwarding-action
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
</config>
</actions>
<transport>
<config>
<explicit-tcp-flags
xmlns:oc-pkt-match-types="http://openconfig.net/yang/packet-match-types">oc-pkt-match-types:TCP_SYN</explicit-tcp-flags>
<source-port>22</source-port>
<destination-port>80</destination-port>
</config>
</transport>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
OcNOS CLI Command
This CLI command is used to create IPv4 entries.
ip access-list ACL_OC_IPV4
remark ACL TFW Test
10 permit tcp 1.1.1.0/24 2.2.2.0/24 dscp af21 syn
!
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to create IPv4 entries.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV4</name>
<type>ip</type>
<config>
<name>ACL_OC_IPV4</name>
<type>ip</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<config>
<sequence-id>10</sequence-id>
</config>
<ipv4>
<config>
<source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp>
<protocol-tcp />
<tcp-source-port>22</tcp-source-port>
<tcp-destination-port>80</tcp-destination-port>
<tcp-flags>syn</tcp-flags>
<forwarding-action>permit</forwarding-action>
</config>
</ipv4>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information about creating IPv4 entries.
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV4</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<config>
<name>ACL_OC_IPV4</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>10</sequence-id>
<config>
<sequence-id>10</sequence-id>
</config>
<ipv4>
<config>
<source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address>
<dscp>18</dscp>
<protocol>6</protocol>
</config>
</ipv4>
<actions>
<config>
<forwarding-action
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACCEPT</forwarding-action>
</config>
</actions>
<transport>
<config>
<explicit-tcp-flags
xmlns:oc-pkt-match-types="http://openconfig.net/yang/packet-match-types">oc-pkt-match-types:TCP_SYN</explicit-tcp-flags>
</config>
</transport>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Restrictions
• The leaf /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action is only valid on DC platform.
• A netmask with non-contiguous bits is not supported for the source-address and destination-address leaves under the /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config XPath. Even where OcNOS supports such a mask, it must be kept contiguous for OpenConfig.
• The OpenConfig leaf /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/tcp-flags was renamed in OpenConfig version 2.0.0 and is now named explicit-tcp-flags. The new XPath is /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/explicit-tcp-flags.
• The OpenConfig leaves /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/explicit-tcp-flags and /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/state/explicit-tcp-flags have the following mapping:
OpenConfig XPath /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/explicit-tcp-flags | OcNOS XPath /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/tcp-flags |
TCP_ACK | ack |
TCP_FIN | fin |
TCP_PSH | psh |
TCP_RST | rst |
TCP_SYN | syn |
TCP_URG | urg |
TCP_IPI_ESTABLISHED (Note: this value was added by OcNOS through the deviation file ipi-oc-acl-deviations.yang) | established |
• The OpenConfig leaf /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/protocol has the following mapping:
OpenConfig XPath /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/protocol | OcNOS XPath /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/(protocol-tcp, protocol-udp, protocol-icmp, protocol-name) leaves |
IP_TCP(6) | protocol-tcp |
IP_UDP(17) | protocol-udp |
IP_ICMP(1) | protocol-icmp |
IP_IGMP(2) | protocol-name(igmp) |
IP_PIM(103) | protocol-name(pim) |
IP_RSVP(46) | protocol-name(rsvp) |
IP_GRE(47) | protocol-name(gre) |
IP_AUTH(51) | protocol-name(ahp) |
IP_L2TP(115) | protocol-name(115) |
IP_IN_IP(4) | protocol-name(ipip) |
IP_ANY (Note: this value was added by OcNOS through the deviation file ipi-oc-acl-deviations.yang) | protocol-name(any) |
Create IPv6 Entries
This XML configuration snippet is used to create an Access Control List (ACL) entry to operate over IPv6 data traffic.
Release
This configuration was introduced in OcNOS version 6.5.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to create IPv6 entries.
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV6</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<config>
<name>ACL_OC_IPV6</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>11</sequence-id>
<config>
<sequence-id>11</sequence-id>
</config>
<ipv6>
<config>
<source-address>2000::/8</source-address>
<destination-address>2001::/16</destination-address>
<dscp>23</dscp>
<protocol>6</protocol>
</config>
</ipv6>
<actions>
<config>
<forwarding-action
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:REJECT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
OcNOS CLI Command
This CLI command is used to create IPv6 entries.
ipv6 access-list ACL_OC_IPV6
remark ACL TFW Test
11 deny tcp 2000::/8 2001::/16 dscp 23
!
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to create IPv6 entries.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV6</name>
<type>ipv6</type>
<config>
<name>ACL_OC_IPV6</name>
<type>ipv6</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>11</sequence-id>
<config>
<sequence-id>11</sequence-id>
</config>
<ipv6>
<config>
<source-address>2000::/8</source-address>
<destination-address>2001::/16</destination-address>
<dscp>23</dscp>
<protocol-tcp />
<forwarding-action>deny</forwarding-action>
</config>
</ipv6>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information about creating IPv6 entries.
<acl xmlns="http://openconfig.net/yang/acl">
<acl-sets>
<acl-set>
<name>ACL_OC_IPV6</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<config>
<name>ACL_OC_IPV6</name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV6</type>
<description>ACL TFW Test</description>
</config>
<acl-entries>
<acl-entry>
<sequence-id>11</sequence-id>
<config>
<sequence-id>11</sequence-id>
</config>
<ipv6>
<config>
<source-address>2000::/8</source-address>
<destination-address>2001::/16</destination-address>
<dscp>23</dscp>
<protocol>6</protocol>
</config>
</ipv6>
<actions>
<config>
<forwarding-action
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:REJECT</forwarding-action>
</config>
</actions>
</acl-entry>
</acl-entries>
</acl-set>
</acl-sets>
</acl>
Restrictions
• The leaf /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action is only valid on DC platform.
• A netmask with non-contiguous bits is not supported for the source-address and destination-address leaves under the /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config XPath. Even where OcNOS supports such a mask, it must be kept contiguous for OpenConfig.
• The OpenConfig leaf /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/tcp-flags was renamed in OpenConfig version 2.0.0 and is now named explicit-tcp-flags. The new XPath is /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/explicit-tcp-flags.
• OpenConfig leaves /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/explicit-tcp-flags and /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/state/explicit-tcp-flags have the following mapping:
OpenConfig XPath /oc-acl:acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/explicit-tcp-flags | OcNOS XPath /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/tcp-flags |
TCP_ACK | ack |
TCP_FIN | fin |
TCP_PSH | psh |
TCP_RST | rst |
TCP_SYN | syn |
TCP_URG | urg |
TCP_IPI_ESTABLISHED (Note: this value was added by OcNOS through the deviation file ipi-oc-acl-deviations.yang) | established |
• The OpenConfig leaf /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/protocol has the following mapping:
OpenConfig xpath /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/protocol | OcNOS xpath /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/(protocol-tcp, protocol-udp, protocol-icmp, protocol-sctp, protocol-name) |
IP_TCP(6) | protocol-tcp |
IP_UDP(17) | protocol-udp |
IP_ICMP(1) | protocol-icmp |
IP_SCTP(132) | protocol-sctp |
IP_IGMP(2) | protocol-name(igmp) |
IP_PIM(103) | protocol-name(pim) |
IP_RSVP(46) | protocol-name(rsvp) |
IP_GRE(47) | protocol-name(gre) |
IP_AUTH(51) | protocol-name(ahp) |
IP_L2TP(115) | protocol-name(115) |
IP_IN_IP(4) | protocol-name(ipip) |
IP_ANY (Note: this value was added by OcNOS through the deviation file ipi-oc-acl-deviations.yang) | protocol-name(any) |
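The IPv4 and IPv6 mapping tables above can be applied mechanically when auditing a translated rule. The following is an added example, not IP Infusion code: it maps one OpenConfig acl-entry to the OcNOS leaves and refuses any value the tables do not cover. The function names and the dictionary layout are assumptions; the ACCEPT/permit and REJECT/deny pairs and the tcp-source-port and tcp-destination-port leaf names are taken from the sample payloads on this page.

```python
import ipaddress
import xml.etree.ElementTree as ET

OC = "{http://openconfig.net/yang/acl}"
# Tables transcribed from the Restrictions lists on this page.
TCP_FLAGS = {"TCP_ACK": "ack", "TCP_FIN": "fin", "TCP_PSH": "psh", "TCP_RST": "rst",
             "TCP_SYN": "syn", "TCP_URG": "urg", "TCP_IPI_ESTABLISHED": "established"}
# (OpenConfig identity, protocol number, OcNOS leaf, leaf value; None = empty leaf)
PROTOCOLS = [
    ("IP_TCP", "6", "protocol-tcp", None), ("IP_UDP", "17", "protocol-udp", None),
    ("IP_ICMP", "1", "protocol-icmp", None), ("IP_IGMP", "2", "protocol-name", "igmp"),
    ("IP_PIM", "103", "protocol-name", "pim"), ("IP_RSVP", "46", "protocol-name", "rsvp"),
    ("IP_GRE", "47", "protocol-name", "gre"), ("IP_AUTH", "51", "protocol-name", "ahp"),
    ("IP_L2TP", "115", "protocol-name", "115"), ("IP_IN_IP", "4", "protocol-name", "ipip"),
    ("IP_ANY", None, "protocol-name", "any")]
SCTP = ("IP_SCTP", "132", "protocol-sctp", None)  # in the IPv6 table only
ACTIONS = {"ACCEPT": "permit", "REJECT": "deny"}  # pairs shown in the sample payloads


def ident(text):  # strip whitespace and an identityref prefix such as 'oc-acl:'
    return (text or "").strip().rsplit(":", 1)[-1]


def translate_entry(entry, family):
    """Map one OpenConfig <acl-entry> to OcNOS <ipv4>/<ipv6> config leaves.
    Unmapped values raise ValueError so no match condition is silently dropped."""
    version = {"ipv4": 4, "ipv6": 6}[family]
    cfg = entry.find(f"{OC}{family}/{OC}config")
    if cfg is None:
        raise ValueError(f"entry has no {family} config container")
    out = {"sequence-id": entry.findtext(OC + "sequence-id", "").strip()}
    for leaf in ("source-address", "destination-address", "dscp"):
        text = (cfg.findtext(OC + leaf) or "").strip()
        # ip_network() raises ValueError on a malformed prefix or non-contiguous mask.
        if text and leaf != "dscp" and ipaddress.ip_network(text, False).version != version:
            raise ValueError(f"{leaf} {text!r} is not an {family} prefix")
        if text:
            out[leaf] = text
    is_tcp = False
    proto = cfg.findtext(OC + "protocol")
    if proto is not None:
        table = PROTOCOLS + ([SCTP] if family == "ipv6" else [])
        row = next((r for r in table if ident(proto) in r[:2]), None)
        if row is None:
            raise ValueError(f"protocol {proto!r} has no OcNOS mapping for {family}")
        out[row[2]], is_tcp = row[3], row[0] == "IP_TCP"
    tcfg = entry.find(f"{OC}transport/{OC}config")
    if tcfg is not None:
        flags = [ident(f.text) for f in tcfg.findall(OC + "explicit-tcp-flags")]
        ports = {d: tcfg.findtext(f"{OC}{d}-port") for d in ("source", "destination")}
        if not is_tcp and (flags or any(ports.values())):
            raise ValueError("only tcp-* leaves are shown on the page; need IP_TCP (6)")
        if any(f not in TCP_FLAGS for f in flags):
            raise ValueError(f"unmapped TCP flag in {flags}")
        if flags:
            out["tcp-flags"] = [TCP_FLAGS[f] for f in flags]
        out.update({f"tcp-{d}-port": p.strip() for d, p in ports.items() if p})
    action = ident(entry.findtext(f"{OC}actions/{OC}config/{OC}forwarding-action"))
    if action not in ACTIONS:
        raise ValueError(f"forwarding-action {action!r} is not mapped on this page")
    out["forwarding-action"] = ACTIONS[action]
    return out


# Constructed sample: the IPv4 acl-entry from this page's payload, condensed.
SAMPLE = """<acl-entry xmlns="http://openconfig.net/yang/acl"><sequence-id>10</sequence-id>
<ipv4><config><source-address>1.1.1.0/24</source-address>
<destination-address>2.2.2.0/24</destination-address><dscp>18</dscp>
<protocol>6</protocol></config></ipv4>
<actions><config><forwarding-action>oc-acl:ACCEPT</forwarding-action></config></actions>
<transport><config><explicit-tcp-flags>oc-pkt-match-types:TCP_SYN</explicit-tcp-flags>
<source-port>22</source-port><destination-port>80</destination-port></config></transport>
</acl-entry>"""

if __name__ == "__main__":
    print(translate_entry(ET.fromstring(SAMPLE), "ipv4"))
```

Comparing the returned leaves with the OcNOS NetConf payload read back from the device shows whether a match condition was lost in translation.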
Create Interfaces Egress for IPv4/IPv6
This XML configuration snippet is used to associate an Access Control List (ACL) entry of type IPv4/IPv6 with an interface in the egress direction.
The interface can associate only one ACL entry at a time.
Release
This configuration was introduced in OcNOS version 6.5.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to create interfaces egress for IPv4/IPv6.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI Command
This CLI command is used to create interfaces egress for IPv4/IPv6.
ip access-list ACL_OC_IPV4
remark ACL TFW Test
10 permit tcp 1.1.1.0/24 2.2.2.0/24 dscp af21 syn
!
interface eth1
ip access-group ACL_OC_IPV4 out
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to create interfaces egress for IPv4/IPv6.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth1</name>
<config>
<name>eth1</name>
</config>
<egress-acl-sets>
<egress-acl-set>
<acl-type>ip</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_IPV4</acl-name>
<config>
<acl-name>ACL_OC_IPV4</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>ip</acl-type>
</config>
</egress-acl-set>
</egress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information about creating interfaces egress for IPv4/IPv6.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
• Only one ACL entry can be associated with an interface in the egress direction.
• The leaf /acl/interfaces/interface/id must have the format “<interface>.<subinterface>”, e.g., xe10.2, and it is limited to 32 characters.
Create interfaces ingress for IPv4/IPv6
This XML configuration snippet is used to associate an Access Control List (ACL) entry of type IPv4/IPv6 with an interface in the ingress direction.
The interface can associate only one ACL entry at a time.
Release
This configuration was introduced in OcNOS version 6.5.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to create interfaces ingress for IPv4/IPv6.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI Command
This CLI command is used to create interfaces ingress for IPv4/IPv6.
ip access-list ACL_OC_IPV4
remark ACL TFW Test
10 permit tcp 1.1.1.0/24 2.2.2.0/24 dscp af21 syn
!
interface eth1
ip access-group ACL_OC_IPV4 in
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to create interfaces ingress for IPv4/IPv6.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth1</name>
<config>
<name>eth1</name>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<acl-type>ip</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_IPV4</acl-name>
<config>
<acl-name>ACL_OC_IPV4</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>ip</acl-type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information about creating interfaces ingress for IPv4/IPv6.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth1</id>
<config>
<id>eth1</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
<set-name>ACL_OC_IPV4</set-name>
<config>
<set-name>ACL_OC_IPV4</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_IPV4</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth1</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
• Only one ACL entry can be associated with an interface in the ingress direction.
• The leaf /acl/interfaces/interface/id must have the format “<interface>.<subinterface>”, e.g., xe10.2, and it is limited to 32 characters.
Create Interfaces Egress for L2
This XML configuration snippet is used to associate an Access Control List (ACL) entry of type L2 with an interface in the egress direction.
The interface can associate only one ACL entry at a time.
Release
This configuration was introduced in OcNOS version 6.5.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to create interfaces egress for L2.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI Command
This CLI command is used to create interfaces egress for L2.
mac access-list ACL_OC_L2
remark ACL L2 CFG Test
1 permit 0000.CCDD.EEFF AABB.0000.0000 00BB.CCDD.EEFF AC00.0000.0000 ipv4
!
interface eth3
mac access-group ACL_OC_L2 out
!
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to create interfaces egress for L2.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth3</name>
<config>
<name>eth3</name>
</config>
<egress-acl-sets>
<egress-acl-set>
<acl-type>mac</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_L2</acl-name>
<config>
<acl-name>ACL_OC_L2</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>mac</acl-type>
</config>
</egress-acl-set>
</egress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information about creating interfaces egress for L2.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<egress-acl-sets>
<egress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</egress-acl-set>
</egress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
• Only one ACL entry can be associated with an interface in the egress direction.
• The leaf /acl/interfaces/interface/id must have the format “<interface>.<subinterface>”, e.g., xe10.2, and it is limited to 32 characters.
Create interfaces ingress for L2
This XML configuration snippet is used to associate an Access Control List (ACL) entry of type L2 with an interface in the ingress direction.
The interface can associate only one ACL entry at a time.
Release
This configuration was introduced in OcNOS version 6.5.0.
OpenConfig NetConf Payload
Here is a sample OpenConfig NetConf Payload to create interfaces ingress for L2.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
OcNOS CLI Command
This CLI command is used to create interfaces ingress for L2.
mac access-list ACL_OC_L2
remark ACL L2 CFG Test
1 permit 0000.CCDD.EEFF AABB.0000.0000 00BB.CCDD.EEFF AC00.0000.0000 ipv4
!
interface eth3
mac access-group ACL_OC_L2 in
!
OcNOS NetConf Payload
Here is a sample OcNOS NetConf Payload to create interfaces ingress for L2.
<acl xmlns="http://www.ipinfusion.com/yang/ocnos/ipi-acl">
<interfaces>
<interface>
<name>eth3</name>
<config>
<name>eth3</name>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<acl-type>mac</acl-type>
<access-groups>
<access-group>
<acl-name>ACL_OC_L2</acl-name>
<config>
<acl-name>ACL_OC_L2</acl-name>
</config>
</access-group>
</access-groups>
<config>
<acl-type>mac</acl-type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
</interface>
</interfaces>
</acl>
Validation with NetConf get
Here is a NetConf validation response that provides detailed information about creating interfaces ingress for L2.
<acl xmlns="http://openconfig.net/yang/acl">
<interfaces>
<interface>
<id>eth3</id>
<config>
<id>eth3</id>
</config>
<ingress-acl-sets>
<ingress-acl-set>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
<set-name>ACL_OC_L2</set-name>
<config>
<set-name>ACL_OC_L2</set-name>
<type
xmlns:oc-acl="http://openconfig.net/yang/acl">oc-acl:ACL_L2</type>
</config>
</ingress-acl-set>
</ingress-acl-sets>
<interface-ref>
<config>
<interface>eth3</interface>
</config>
</interface-ref>
</interface>
</interfaces>
</acl>
Restrictions
• Only one ACL entry can be associated with an interface in the ingress direction.
• The leaf /acl/interfaces/interface/id must have the format “<interface>.<subinterface>”, e.g., xe10.2, and it is limited to 32 characters.
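The four interface-binding sections above share one translation and the same two restrictions. The following is an added example, not IP Infusion code: it builds the OcNOS binding payload from an OpenConfig one and rejects input that breaks those restrictions. The function names are assumptions, the type pairs (ACL_IPV4/ip, ACL_IPV6/ipv6, ACL_L2/mac) are read off this page's payloads, and the limit is treated as one ACL per interface and direction.

```python
import xml.etree.ElementTree as ET

OC = "{http://openconfig.net/yang/acl}"
IPI_NS = "http://www.ipinfusion.com/yang/ocnos/ipi-acl"
# OpenConfig ACL type identity -> OcNOS acl-type, as paired in this page's payloads.
ACL_TYPES = {"ACL_IPV4": "ip", "ACL_IPV6": "ipv6", "ACL_L2": "mac"}


def child(parent, tag, text=None):
    """Append <tag> to parent, optionally with text, and return the new element."""
    node = ET.SubElement(parent, tag)
    node.text = text
    return node


def translate_bindings(oc_xml):
    """Return the OcNOS interface-binding payload for an OpenConfig <acl> payload."""
    out = ET.Element("acl", {"xmlns": IPI_NS})
    ifaces = child(out, "interfaces")
    for iface in ET.fromstring(oc_xml).iterfind(f"{OC}interfaces/{OC}interface"):
        name = iface.findtext(OC + "id", "").strip()
        # Restriction: the id leaf is limited to 32 characters. The samples use
        # plain names such as eth1, so only the length is enforced here.
        if not 1 <= len(name) <= 32:
            raise ValueError(f"interface id {name!r} must be 1 to 32 characters")
        node = child(ifaces, "interface")
        child(node, "name", name)
        child(child(node, "config"), "name", name)
        for direction in ("ingress", "egress"):
            sets = iface.findall(f"{OC}{direction}-acl-sets/{OC}{direction}-acl-set")
            if len(sets) > 1:  # Restriction: one ACL per interface and direction
                raise ValueError(f"{name}: more than one {direction} ACL bound")
            for acl_set in sets:
                oc_type = acl_set.findtext(OC + "type", "").strip().rsplit(":", 1)[-1]
                set_name = acl_set.findtext(OC + "set-name", "").strip()
                if oc_type not in ACL_TYPES or not set_name:
                    raise ValueError(f"{name}: cannot map {oc_type!r}/{set_name!r}")
                bound = child(child(node, f"{direction}-acl-sets"), f"{direction}-acl-set")
                child(bound, "acl-type", ACL_TYPES[oc_type])
                group = child(child(bound, "access-groups"), "access-group")
                child(group, "acl-name", set_name)
                child(child(group, "config"), "acl-name", set_name)
                child(child(bound, "config"), "acl-type", ACL_TYPES[oc_type])
    return ET.tostring(out, encoding="unicode")


# Constructed sample: the egress IPv4 binding from this page, condensed.
SAMPLE_BINDING = """<acl xmlns="http://openconfig.net/yang/acl"
     xmlns:oc-acl="http://openconfig.net/yang/acl">
  <interfaces><interface>
    <id>eth1</id><config><id>eth1</id></config>
    <egress-acl-sets><egress-acl-set>
      <type>oc-acl:ACL_IPV4</type><set-name>ACL_OC_IPV4</set-name>
    </egress-acl-set></egress-acl-sets>
  </interface></interfaces>
</acl>"""

if __name__ == "__main__":
    print(translate_bindings(SAMPLE_BINDING))
```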