#
Access Control List
#
URL
frinx-openconfig-acl:acl/acl-sets/acl-set=,
#
OPENCONFIG YANG
{
"acl-set": [
{
"name": "",
"type": ""
"config": {
"name": "",
"type": "",
"frinx-acl-extension:default-fwd-action": "",
"frinx-acl-extension:enabled": false
},
"acl-entries": {
"acl-entry": [
{
"sequence-id": "",
"config": {
"sequence-id": "",
"frinx-acl-extension:term-name": ""
},
"frinx-acl-extension:precedence": "",
"ipv4|ipv6": {
"config": {
"protocol": ,
"source-address": "",
"destination-address": "",
"frinx-acl-extension:hop-range": "..",
"frinx-acl-extension:source-address-wildcarded": {
"wildcard-mask": "",
"address": ""
},
"frinx-acl-extension:destination-address-wildcarded": {
"wildcard-mask": "",
"address": ""
},
}
},
"icmp": {
"config": {
"msg-type": " | ANY"
}
},
"transport": {
"config": {
"source-port": "",
"destination-port": "",
"frinx-acl-extension:source-port-named": "",
"frinx-acl-extension:destination-port-named": "",
"frinx-acl-extension:established": //true or false
}
},
"frinx-acl-extension:option": ""|,
"actions": {
"config": {
"forwarding-action": "",
"frinx-acl-extension:instance-name": "",
"log-action": ""
}
}
}
]
}
}
]
}
#
OS Configuration Commands
#
Cisco IOS Classic
#
CLI
ipv4|ipv6 access-list
{eq|neq|range } {eq|neq|range } ttl range precedence option |
ipv4|ipv6 is a conversion of
*eq|neq|range * is a conversion of or , operation is selected by entered port range
*eq|neq|range * is a conversion of or , operatioons is selected by entered port range
| acl option could be defined by enumeration named options or by number in range 0-255
** is a conversion of , when true, value is "established", when false, there is empty value ""
#
Examples
ipv4 access-list test123 2 permit 4.4.4.4/32 7.7.7.7/32
ipv4 access-list test123 3 permit tcp 1.1.1.1/32 range 1024 65535 2.2.2.2/32 range 0 1023
ipv4 access-list test123 5 deny icmp 1.1.1.1/32 2.2.2.2/32 8 ttl range 0 10
#
Cisco IOS XR 5.3.4
#
CLI
ipv4|ipv6 access-list
{range } {range } ttl range
ipv4|ipv6 is a conversion of
#
Examples
ipv4 access-list test123 2 permit 4.4.4.4/32 7.7.7.7/32
ipv4 access-list test123 3 permit tcp 1.1.1.1/32 range 1024 65535 2.2.2.2/32 range 0 1023
ipv4 access-list test123 5 deny icmp 1.1.1.1/32 2.2.2.2/32 8 ttl range 0 10
#
Unit
Link to github : xr-unit
#
Cisco IOS XR 6.6.2
#
CLI
ipv4|ipv6 access-list
{range } {range }
ipv4|ipv6 is a conversion of
#
Examples
ipv4 access-list test123 10 deny ipv4 10.0.0.0/8 any 20 deny ipv4 any 172.16.0.0/12 30 permit ipv4 any any
ipv6 access-list test123 10 permit icmpv6 any any 20 deny ipv6 ::/8 any 30 permit ipv6 any any
#
Unit
Link to github : xr-unit
#
Cisco IOS XE 15.4(2)S
#
CLI
ip access-list extend
{range } {range }
ipv6 access-list
{range } {range } sequence
** is a conversion of , when true, value is "established", when false, there is empty value ""
#
Examples
ip access-list extended TEST1
3 permit tcp host 1.1.1.1 eq 1024 host 2.2.2.2 eq 0
10 deny ip any any
ipv6 access-list TEST2
deny icmp any any sequence 10
deny ipv6 any 2400:2000:3::/48 sequence 20
deny udp host 10:11:12::2 any sequence 2
#
Unit
Link to github : xe-unit
#
Junos 14.1X53-D40.8
#
CLI
set firewall family inet filter term from source-address set firewall family inet filter term from protocol set firewall family inet filter term from destination-port set firewall family inet filter term then
set firewall family inet filter term then routing-instance
#
Unit
Link to github : junos-unit
#
Ciena SAOS 6.14
#
CLI
access-list create acl-profile default-filter-action access-list disable profile access-list add profile rule precedence filter-action any
conversion is ACCEPT = allow, DROP = deny
*access-list disable profile * is a conversion of frinx-acl-extension:enabled set to false. Default value is true.
#
Unit
Link to github : [saos-unit]