How to Configure ACL (Access Control List)

ACL (Access Control List) 

Objective 

This document explains how to configure Access Control Lists (ACLs) on Broadcom SONiC. An ACL consists of one or more access control entries (ACEs); each ACE is a rule that permits or denies traffic matching a source/destination address, protocol and port, which gives you control over traffic flow and a basic security filter at the interface.

Prerequisites 

Hardware: 

  • Switches or routers that support ACLs 
    (e.g., Edgecore, UfiSpace) 

Software: 

  • Network operating systems that support ACL configuration 
    (e.g., SONiC-OS-4.4.0-Enterprise_Base, SONiC-OS-4.4.2-Enterprise_Base) 

Access: 

  • Administrative or privileged CLI access 

Network: 

  • IP addressing details (source and destination). 

  • Protocol and port requirements (if filtering by service). 

Topology Diagram 

[Topology diagram: image not reproduced]

Example: 

ACL controlling traffic from Host A to Host B on specific ports or protocols. 

Basic Configuration Steps 

1. Define the ACL 

Create an ACL with one or more ACEs specifying permit or deny actions and match conditions. 

2. Specify Match Conditions 

Use criteria such as: 

  • Source/destination IP addresses or subnets 

  • Protocols (TCP, UDP, ICMP, etc.) 

  • Source/destination ports (if applicable) 

3. Apply the ACL 

Bind the ACL to an interface (inbound or outbound) or globally depending on the platform. 

Example Configuration (DUT_1 and DUT_2) 

DUT_1 

  configure terminal 
  ip access-list ssh_block            # create the ACL and enter ACL mode 
   seq 10 deny tcp any any eq 22      # ACE: drop TCP to destination port 22 (SSH) 
  exit                                # back to global configuration mode 
  interface Ethernet0 
   mtu 9100 
   speed 100000 
   unreliable-los auto 
   no shutdown 
   ip access-group ssh_block in       # bind the ACL inbound on Ethernet0 
  exit 

Verification 

  show access-group                   # Displays ACL configuration and where it is applied 
Test traffic 

  • Attempt SSH connection to verify it is blocked. 

  • Confirm other services are still allowed. 

Troubleshooting Tips 

  • Ensure ACLs are applied in the correct direction (inbound or outbound). 

  • Remember ACLs are processed top-down; order matters. 

  • Remember that most ACLs end with an implicit deny-all; explicitly permit the traffic you still need. 

  • Use hit counters to confirm which rules are matching. 

  • Be cautious when applying ACLs remotely to avoid locking yourself out. 
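The troubleshooting points above (top-down evaluation, implicit deny, hit counters and the remote-lockout risk) are easier to reason about with a model you can run. The following is an added example written for this article, not SONiC or Broadcom code: it models the three configuration steps (define the ACL, add match conditions, evaluate as if bound inbound) for a simplified IPv4 ACL whose ACEs are rendered in the same `seq N action proto src dst eq port` form used on this page. It assumes an implicit deny at the end of the list, as the tip above describes, and uses 10.0.0.0/24 as a constructed stand-in for a management subnet.

```python
# Added example (not SONiC code): a minimal model of top-down ACL evaluation
# with first-match semantics, an assumed implicit deny at the end, per-ACE hit
# counters, and a dry-run check for the "locked myself out" case.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """Constructed test packet: only the header fields the ACEs below match on."""
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def _in_prefix(addr: str, prefix: str) -> bool:
    """'any' matches everything; otherwise test membership in the IPv4 prefix."""
    if prefix == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


@dataclass
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str = "any"            # "any" or an IPv4 prefix such as "10.0.0.0/24"
    dst: str = "any"
    dport: Optional[int] = None # destination port, as in "eq 22"
    hits: int = 0               # incremented each time this ACE is the first match

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not (_in_prefix(pkt.src, self.src) and _in_prefix(pkt.dst, self.dst)):
            return False
        return self.dport is None or self.dport == pkt.dport

    def to_cli(self) -> str:
        """Render in the 'seq N action proto src dst [eq port]' form used on the page."""
        line = f"seq {self.seq} {self.action} {self.proto} {self.src} {self.dst}"
        return line + (f" eq {self.dport}" if self.dport is not None else "")


class Acl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.aces: list[Ace] = []
        self.implicit_deny_hits = 0     # packets that matched no ACE at all

    def add(self, ace: Ace) -> "Acl":
        self.aces.append(ace)
        self.aces.sort(key=lambda a: a.seq)   # lowest sequence number is evaluated first
        return self

    def evaluate(self, pkt: Packet, count: bool = True) -> str:
        for ace in self.aces:                 # top-down, first match wins
            if ace.matches(pkt):
                if count:
                    ace.hits += 1
                return ace.action
        if count:
            self.implicit_deny_hits += 1      # fell off the end: implicit deny (assumed)
        return "deny"

    def hit_counters(self) -> dict[int, int]:
        return {ace.seq: ace.hits for ace in self.aces}

    def to_cli(self) -> list[str]:
        return [f"ip access-list {self.name}"] + [f" {a.to_cli()}" for a in self.aces]


def would_lock_out(acl: Acl, mgmt_session: Packet) -> bool:
    """Dry-run the management session's own traffic before binding the ACL inbound."""
    return acl.evaluate(mgmt_session, count=False) == "deny"


def page_acl() -> Acl:
    """The page's ssh_block ACL: a single deny ACE and nothing else."""
    return Acl("ssh_block").add(Ace(10, "deny", "tcp", dport=22))


def safer_acl() -> Acl:
    """Same intent, with an explicit management exception before the deny and a
    final permit so other services are not caught by the implicit deny.
    10.0.0.0/24 is a constructed stand-in for the management subnet."""
    return (Acl("ssh_block")
            .add(Ace(20, "permit", "ip"))                            # everything else
            .add(Ace(10, "deny", "tcp", dport=22))                   # block SSH ...
            .add(Ace(5, "permit", "tcp", "10.0.0.0/24", dport=22)))  # ... except from mgmt


if __name__ == "__main__":
    ssh_from_mgmt = Packet("10.0.0.5", "10.0.0.1", "tcp", 22)
    http = Packet("192.0.2.9", "10.0.0.1", "tcp", 80)
    for acl in (page_acl(), safer_acl()):
        print("\n".join(acl.to_cli()))
        print("  mgmt ssh:", acl.evaluate(ssh_from_mgmt), " http:", acl.evaluate(http))
        print("  hits:", acl.hit_counters(), " implicit deny:", acl.implicit_deny_hits)
        print("  would lock out mgmt session:", would_lock_out(acl, ssh_from_mgmt))
```

Run it as a script and compare the two ACLs: with the page's single deny ACE, an HTTP flow is dropped by the implicit deny (visible only in the implicit-deny counter, which is why the tip says to use hit counters), and a management SSH session through the same port would be cut off; the second ACL shows the fix being a matter of ordering and an explicit final permit rather than a different match.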
