ACL (Access Control List)
Objective
An access control list (ACL) consists of one or more access control entries (ACEs) that collectively define the network traffic profile. Each ACE includes an action element (permit or deny) and a filter element based on criteria such as source address, destination address, protocol, and protocol-specific parameters.
Prerequisites
Hardware:
Switches or routers that support VLANs (e.g., Edgecore, UfiSpace)
Software:
Network operating systems that support VLAN configuration (e.g., SONiC.master)
Access:
Administrative or privileged CLI access
Network:
IP addressing details (source and destination).
Protocol and port requirements (if filtering by service).
Topology:
Basic Configuration Steps
Note: Commands are to be executed with root privileges (sudo).
Step 1: Create an ACL table by CLI
Usage
root@sonic:/home/admin# config acl add table [OPTIONS] <table_name> <table_type> [-d <description>] [-p <ports>] [-s (ingress | egress)]
Parameters
table_name: The name of the ACL table to create.
table_type: The type of ACL table to create (e.g. "L3", "L3V6", "MIRROR")
description: A description of the table for a user (default is the table_name)
ports: A comma-separated list of ports/interfaces to add to the table.
stage: The stage this ACL table will be applied to, either ingress or egress
root@sonic:/home/admin# config acl add table DATAACL L3 -d 'forward' -p 'Ethernet51' -s 'ingress'
Step 2: Check ACL table by SONiC command
root@sonic:/home/admin# show acl table
Name     Type    Binding     Description    Stage    Status
-------  ------  ----------  -------------  -------  --------
DATAACL  L3      Ethernet51  forward        ingress  Active
Step 3: Create a JSON file for ACL rules
root@sonic:/home/admin# vi acl_rule.json
{
  "acl": {
    "acl-sets": {
      "acl-set": {
        "dataacl": {
          "acl-entries": {
            "acl-entry": {
              "1": {
                "actions": {
                  "config": {
                    "forwarding-action": "DROP"
                  }
                },
                "config": {
                  "sequence-id": 1
                },
                "ip": {
                  "config": {
                    "source-ip-address": "10.0.0.2/32"
                  }
                }
              },
              "2": {
                "actions": {
                  "config": {
                    "forwarding-action": "ACCEPT"
                  }
                },
                "config": {
                  "sequence-id": 2
                },
                "ip": {
                  "config": {
                    "destination-ip-address": "10.0.0.3/32"
                  }
                }
              }
            }
          }
        }
      }
    }
  }
}
Parameters
The keys "1" and "2" are the names of the rules in ACL table DATAACL.
If the "type" of the ACL table is L3 or L3V6, the action key in the ACL rule is PACKET_ACTION, and its value is FORWARD or DROP.
If the "type" of the ACL table is MIRROR, the action key in the ACL rule is MIRROR_ACTION, and its value is the name of a mirror_session.
Here are the values for "IP_TYPE":
IP_TYPE   Meaning
--------  ------------------------------
ANY       Filter IPv4, IPv6, Ether type
IP        Filter IPv4, IPv6
NON_IP    Filter Ether type only
IPV4ANY   Filter IPv4 only
NON_IPv4  Filter IPv6, Ether type
IPV6ANY   Filter IPv6 only
NON_IPv6  Filter IPv4, Ether type
Other parameters
DST_IP example: "DST_IP": "192.168.1.10/32"
SRC_IP example: "SRC_IP": "192.168.1.11/32"
SRC_IPV6 example: "SRC_IPV6": "2001::1"
DST_IPV6 example: "DST_IPV6": "2001::2"
ETHER_TYPE example: "ETHER_TYPE": "0x842" or "ETHER_TYPE": "2114"
L4_SRC_PORT example: "L4_SRC_PORT": "53"
L4_DST_PORT example: "L4_DST_PORT": "53"
IP_PROTOCOL example: "IP_PROTOCOL": "1"
L4_SRC_PORT_RANGE example: "L4_SRC_PORT_RANGE": "1028-4096"
L4_DST_PORT_RANGE example: "L4_DST_PORT_RANGE": "1028-4096"
Step 4: Apply ACL rules json file with command
Usage
This command updates the rules of all ACL tables, or of one specific table, in full: it removes all existing rules from the ACL tables (or from the table given with --table_name) and inserts all the rules present in the input file.
root@sonic:/home/admin# config acl update full [--table_name <table_name>] [--session_name <session_name>] [--mirror_stage (ingress | egress)] [--max_priority <priority_value>] <acl_json_file_name>
Parameters
table_name: Specify the name of the ACL table to load. Example: config acl update full "--table_name DT_ACL_T1 /etc/sonic/acl_table_1.json"
session_name: Specify the name of the ACL session to load. Example: config acl update full "--session_name mirror_ses1 /etc/sonic/acl_table_1.json"
priority_value: Specify the maximum priority to use when loading ACL rules. Example: config acl update full "--max_priority 100 /etc/sonic/acl_table_1.json"
Note
All these optional parameters must be enclosed in double quotes together with the filename. If no options are provided, the filename alone does not need double quotes.
Any number of optional parameters can be configured in the same command.
root@sonic:/home/admin# config acl update full acl_rule.json
Usage
This command performs an incremental update of the ACL rule table: it reads the existing rules from CONFIG_DB, compares them with the rules specified in the input file, and applies the corresponding modifications.
root@sonic:/home/admin# config acl update incremental [--session_name <session_name>] [--mirror_stage (ingress | egress)] [--max_priority <priority_value>] <acl_json_file_name>
Parameters
table_name: Specify the name of the ACL table to load. Example: config acl update incremental "--table_name DT_ACL_T1 /etc/sonic/acl_table_1.json"
session_name: Specify the name of the ACL session to load. Example: config acl update incremental "--session_name mirror_ses1 /etc/sonic/acl_table_1.json"
priority_value: Specify the maximum priority to use when loading ACL rules. Example: config acl update incremental "--max_priority 100 /etc/sonic/acl_table_1.json"
Note
All these optional parameters must be enclosed in double quotes together with the filename. If no options are provided, the filename alone does not need double quotes.
Any number of optional parameters can be configured in the same command.
root@sonic:/home/admin# config acl update incremental acl_rule.json
Step 5: Check ACL rules by SONiC command
root@sonic:/home/admin# show acl rule
Table    Rule          Priority  Action   Match                Status
-------  ------------  --------  -------  -------------------  --------
DATAACL  RULE_1        9999      DROP     ETHER_TYPE: 2048     Active
                                          SRC_IP: 10.0.0.2/32
DATAACL  RULE_2        9998      FORWARD  DST_IP: 10.0.0.3/32  Active
                                          ETHER_TYPE: 2048
DATAACL  DEFAULT_RULE  1         DROP     ETHER_TYPE: 2048     Active
Check ACL rules configuration in running-config
root@sonic:/home/admin# show runningconfiguration acl
{
    "DATAACL|DEFAULT_RULE": {
        "ETHER_TYPE": "2048",
        "PACKET_ACTION": "DROP",
        "PRIORITY": "1"
    },
    "DATAACL|RULE_1": {
        "ETHER_TYPE": "2048",
        "PACKET_ACTION": "DROP",
        "PRIORITY": "9999",
        "SRC_IP": "10.0.0.2/32"
    },
    "DATAACL|RULE_2": {
        "DST_IP": "10.0.0.3/32",
        "ETHER_TYPE": "2048",
        "PACKET_ACTION": "FORWARD",
        "PRIORITY": "9998"
    }
}
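To check that the file from Step 3 was applied as intended rather than reading the running config by eye, the following Python example (added here; it is not part of the page and not SONiC's own loader) derives the CONFIG_DB entries expected for an L3 table from the acl_rule.json format and diffs them against the output of show runningconfiguration acl. It assumes the naming and priority pattern visible in the output above (RULE_<sequence-id>, PRIORITY = 10000 - sequence-id, ETHER_TYPE 2048 for IPv4 matches, and a DEFAULT_RULE that drops at priority 1) and only maps the source/destination IPv4 fields used in this page's rules.

```python
import json
# Constructed copies of acl_rule.json (Step 3) and the `show runningconfiguration acl`
# output (Step 5), with the same content as on the page.
ACL_RULE_JSON = """{"acl": {"acl-sets": {"acl-set": {"dataacl": {"acl-entries": {"acl-entry": {
 "1": {"actions": {"config": {"forwarding-action": "DROP"}}, "config": {"sequence-id": 1},
       "ip": {"config": {"source-ip-address": "10.0.0.2/32"}}},
 "2": {"actions": {"config": {"forwarding-action": "ACCEPT"}}, "config": {"sequence-id": 2},
       "ip": {"config": {"destination-ip-address": "10.0.0.3/32"}}}}}}}}}}"""
RUNNING_CONFIG_JSON = """{
 "DATAACL|DEFAULT_RULE": {"ETHER_TYPE": "2048", "PACKET_ACTION": "DROP", "PRIORITY": "1"},
 "DATAACL|RULE_1": {"ETHER_TYPE": "2048", "PACKET_ACTION": "DROP", "PRIORITY": "9999",
                    "SRC_IP": "10.0.0.2/32"},
 "DATAACL|RULE_2": {"DST_IP": "10.0.0.3/32", "ETHER_TYPE": "2048", "PACKET_ACTION": "FORWARD",
                    "PRIORITY": "9998"}}"""
ACTION_MAP = {"DROP": "DROP", "ACCEPT": "FORWARD"}        # forwarding-action -> PACKET_ACTION
MATCH_MAP = {"source-ip-address": "SRC_IP", "destination-ip-address": "DST_IP"}

def expected_config_db(rule_json, max_priority=10000):
    """CONFIG_DB entries an L3 table should hold after `config acl update full`, following
    the pattern in Step 5: RULE_<sequence-id>, PRIORITY = max_priority - sequence-id,
    ETHER_TYPE 2048 for IPv4 matches, DEFAULT_RULE dropping at priority 1 (assumption:
    this reproduces the page's pattern only; it is not the SONiC loader itself)."""
    entries = {}
    for table, body in json.loads(rule_json)["acl"]["acl-sets"]["acl-set"].items():
        table = table.upper()                      # "dataacl" in the file -> DATAACL in CONFIG_DB
        for rule in body["acl-entries"]["acl-entry"].values():
            seq = int(rule["config"]["sequence-id"])
            props = {"PRIORITY": str(max_priority - seq), "ETHER_TYPE": "2048",
                     "PACKET_ACTION": ACTION_MAP[rule["actions"]["config"]["forwarding-action"]]}
            for key, value in rule.get("ip", {}).get("config", {}).items():
                props[MATCH_MAP[key]] = value
            entries[f"{table}|RULE_{seq}"] = props
        entries[f"{table}|DEFAULT_RULE"] = {"PRIORITY": "1", "PACKET_ACTION": "DROP",
                                            "ETHER_TYPE": "2048"}
    return entries

def diff_running_config(expected, running_json):
    """Discrepancies between expected entries and the live config; [] means applied as intended."""
    running = json.loads(running_json)
    problems = []
    for key, props in expected.items():
        if key not in running:
            problems.append(f"missing rule {key}")
            continue
        for field, value in props.items():
            if running[key].get(field) != value:
                problems.append(f"{key}.{field}: expected {value}, got {running[key].get(field)}")
    problems += [f"unexpected rule {key}" for key in running if key not in expected]
    return problems
```

On a switch, feed the output of show runningconfiguration acl to diff_running_config in place of the constructed string; any line it returns is a rule that was not applied the way the file described it.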
Result:
Send packets from the traffic generator and verify them against the interface counters.
Verify the packets for RULE_1 (PACKET_ACTION: DROP): the dropped packets show up in the RX_DRP column of Ethernet51 (100 here).
root@sonic:/home/admin# show interfaces counters -i Ethernet51
Last cached time was 2022-12-30 18:15:47.047544
     IFACE    STATE    RX_OK     RX_BPS    RX_UTIL    RX_ERR    RX_DRP    RX_OVR    TX_OK     TX_BPS    TX_UTIL    TX_ERR    TX_DRP    TX_OVR
----------  -------  -------  ---------  ---------  --------  --------  --------  -------  ---------  ---------  --------  --------  --------
Ethernet51        U      223  23.74 B/s      0.00%         0       100         0       25  13.09 B/s      0.00%         0         0         0
Verify the packets for RULE_2 (PACKET_ACTION: FORWARD): RX_DRP stays at 0 for the forwarded packets.
root@sonic:/home/admin# show interfaces counters -i Ethernet51
Last cached time was 2022-12-30 18:33:04.337182
     IFACE    STATE    RX_OK      RX_BPS    RX_UTIL    RX_ERR    RX_DRP    RX_OVR    TX_OK    TX_BPS    TX_UTIL    TX_ERR    TX_DRP    TX_OVR
----------  -------  -------  ----------  ---------  --------  --------  --------  -------  --------  ---------  --------  --------  --------
Ethernet51        U      101  361.99 B/s      0.00%         0         0         0        1  0.81 B/s      0.00%         0         0         0
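Reading RX_DRP by eye works for one port; to script the check, the following Python example (added here, not from the page) parses show interfaces counters output into per-interface fields and confirms that a known number of packets sent toward a DROP rule were counted in RX_DRP. The rate columns contain a space ("23.74 B/s"), so the parser rejoins them instead of splitting naively. The "before" snapshot is constructed for the example; the "after" snapshot is the RULE_1 output above.

```python
# Constructed counter snapshots for Ethernet51: BEFORE is made up for this example;
# AFTER is the `show interfaces counters -i Ethernet51` output shown for RULE_1 above.
BEFORE = """Last cached time was 2022-12-30 18:10:02.000000
     IFACE    STATE    RX_OK     RX_BPS    RX_UTIL    RX_ERR    RX_DRP    RX_OVR    TX_OK     TX_BPS    TX_UTIL    TX_ERR    TX_DRP    TX_OVR
----------  -------  -------  ---------  ---------  --------  --------  --------  -------  ---------  ---------  --------  --------  --------
Ethernet51        U      123   0.00 B/s      0.00%         0         0         0       25   0.00 B/s      0.00%         0         0         0
"""
AFTER = """Last cached time was 2022-12-30 18:15:47.047544
     IFACE    STATE    RX_OK     RX_BPS    RX_UTIL    RX_ERR    RX_DRP    RX_OVR    TX_OK     TX_BPS    TX_UTIL    TX_ERR    TX_DRP    TX_OVR
----------  -------  -------  ---------  ---------  --------  --------  --------  -------  ---------  ---------  --------  --------  --------
Ethernet51        U      223  23.74 B/s      0.00%         0       100         0       25  13.09 B/s      0.00%         0         0         0
"""
COUNT_FIELDS = ("RX_OK", "RX_ERR", "RX_DRP", "RX_OVR", "TX_OK", "TX_ERR", "TX_DRP", "TX_OVR")

def _split_row(line):
    """Whitespace-split a row, but rejoin rate values such as "23.74 B/s" that contain a
    space; a naive split would shift every column after RX_BPS by one."""
    cols = []
    for tok in line.split():
        if tok.endswith("/s") and cols:
            cols[-1] += " " + tok
        else:
            cols.append(tok)
    return cols

def parse_counters(output):
    """Map IFACE -> {column: value}, with the packet counters converted to int
    (thousands separators removed, "N/A" kept as None)."""
    lines = [ln for ln in output.splitlines() if ln.strip() and not ln.startswith("Last cached")]
    header = lines[0].split()
    table = {}
    for line in lines[1:]:
        if set(line.strip()) <= set("- "):        # the dashed separator row
            continue
        cols = _split_row(line)
        if len(cols) != len(header):
            raise ValueError(f"column count mismatch in row: {line!r}")
        row = dict(zip(header, cols))
        for field in COUNT_FIELDS:
            row[field] = None if row[field] == "N/A" else int(row[field].replace(",", ""))
        table[row["IFACE"]] = row
    return table

def verify_drop(before, after, iface, sent):
    """Compare two snapshots and check that at least `sent` packets were counted in
    RX_DRP on `iface`, i.e. that the DROP rule handled the generated traffic."""
    b, a = parse_counters(before)[iface], parse_counters(after)[iface]
    received, dropped = a["RX_OK"] - b["RX_OK"], a["RX_DRP"] - b["RX_DRP"]
    return {"received": received, "dropped": dropped, "ok": dropped >= sent}
```

Take the two snapshots without clearing counters in between, since the delta is what the check relies on.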
Troubleshooting Tips
Ensure ACLs are applied in the correct direction (inbound or outbound).
Remember ACLs are processed top-down; order matters.
Remember there is an implicit deny-all at the end of most ACLs (in SONiC it appears as the DEFAULT_RULE with PACKET_ACTION DROP and priority 1 in show acl rule); explicitly permit the traffic you need.
Use hit counters to confirm which rules are matching.
Be cautious when applying ACLs remotely to avoid locking yourself out.