Supported ACL Features in Broadcom

Objective 

This document lists the key ACL (Access Control List) match options supported on Broadcom ASICs running SONiC. An ACL is an ordered set of rules that permit or deny traffic by matching fields in the packet headers; it is used for security filtering, traffic management, and policy enforcement. 

Prerequisites 

Hardware: 

  • Switches or routers that support ACLs 
    (e.g., edgecore, ufispace) 

Software: 

  • Network operating systems that support ACL configuration 
    (e.g., SONiC-OS-4.4.0-Enterprise_Base, SONiC-OS-4.4.2-Enterprise_Base) 

Access: 

  • Administrative or privileged CLI access 

Network: 

  • Defined use cases for traffic filtering, classification, or QoS 

 

Basic Configuration Steps 

 
1. Supported protocols  

sonic(config-ipv4-acl)# seq 10 permit 

  <0..255>  Protocol number (0 to 255) 

  icmp      ICMP Packets 

  ip        Any IPv4 Packets 

  tcp       TCP packets 

  udp       UDP packets 

 

Supported protocols in SONiC IPv4 ACLs: IP, ICMP, TCP, UDP, or protocol numbers 0–255. 

2. Supported features in ipv4 

 

sonic(config-ipv4-acl)# seq 10 permit ip any any 

  dscp    Match packets using DSCP value 

  vlan    Match packets using VLAN ID value 

  remark  Set remark or description for rule 

 

Supported match options for an IPv4 (ip) rule in SONiC: DSCP value, VLAN ID, and a remark/description for the rule. 

3. Supported features in tcp 

 

sonic(config-ipv4-acl)# seq 10 permit tcp any any 

  eq           Match packets with TCP/UDP destination port equal to the given port number 

  gt           Match packets with TCP/UDP destination port greater than the given port number 

  lt           Match packets with TCP/UDP destination port lesser than the given port number 

  range        Match packets with TCP/UDP destination port in the given range 

  dscp         Match packets using DSCP value 

  established   Match packets which are part of established TCP session 

  fin          Match packets with FIN TCP flag set 

  not-fin      Match packets with FIN TCP flag cleared 

  syn          Match packets with SYN TCP flag set 

  not-syn      Match packets with SYN TCP Flag cleared 

  rst          Match packets with RST TCP flag set 

  not-rst      Match packets with RST TCP flag cleared 

  psh          Match packets with PSH TCP flag set 

  not-psh      Match packets with PSH TCP flag cleared 

  ack          Match packets with ACK TCP flag set 

  not-ack      Match packets with ACK TCP flag cleared 

  urg          Match packets with URG TCP flag set 

  not-urg      Match packets with URG TCP flag cleared 

  vlan         Match packets using VLAN ID value 

  remark       Set remark or description for rule 

 

In SONiC, when configuring an IPv4 ACL rule with permit tcp any any, you can additionally match packets using: 

  • Destination port: exact (eq), greater than (gt), less than (lt), or within a range (range). 

  • DSCP: the Differentiated Services Code Point value. 

  • TCP flags: a specific flag set or cleared (fin/not-fin, syn/not-syn, rst/not-rst, psh/not-psh, ack/not-ack, urg/not-urg), or established to match packets that belong to an existing TCP session rather than a new connection attempt. 

  • VLAN ID: the VLAN tag of the packet. 

  • Remark: a description or comment for the rule. 

 

 

4. Supported features in udp 

sonic(config-ipv4-acl)# seq 10 permit udp any any 

  eq      Match packets with TCP/UDP destination port equal to the given port number 

  gt      Match packets with TCP/UDP destination port greater than the given port number 

  lt      Match packets with TCP/UDP destination port lesser than the given port number 

  range   Match packets with TCP/UDP destination port in the given range 

  dscp    Match packets using DSCP value 

  vlan    Match packets using VLAN ID value 

  remark  Set remark or description for rule 

  

 

In SONiC, permit udp any any supports matching by UDP port, DSCP, VLAN ID, and adding remarks. 

5. Supported features in icmp 

sonic(config-ipv4-acl)# seq 10 permit icmp any any 

  dscp    Match packets using DSCP value 

  type    Match packets using ICMP type 

  code    Match packets using ICMP code 

  vlan    Match packets using VLAN ID value 

  remark  Set remark or description for rule 

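The following Python model is an added example; it is not code from this article and not SONiC's own implementation. It applies the match options from sections 1 to 5 (protocol keyword or number, source/destination prefixes, destination port eq/gt/lt/range, TCP flags set or cleared, established, DSCP, VLAN ID, ICMP type and code) to constructed packets in first-match sequence order, and shows why set/cleared flag keywords collapse to a single value/mask match while established does not. The policy, the packet values, the deny-by-default result when no rule matches, and the reading of established as "ACK or RST set" are assumptions of the example, not statements from the article; verify them against your release.

```python
# Added example, not code from the article or from SONiC: a model of how a SONiC
# IPv4 ACL applies the match options above, first match in sequence order.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple
# Bit layout of the TCP flags byte (FIN is the low bit).
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08, "ack": 0x10, "urg": 0x20}

@dataclass
class Packet:                 # header fields an IPv4 ACL can look at
    proto: int                # IP protocol number (1 ICMP, 6 TCP, 17 UDP)
    src: str
    dst: str
    dport: int = 0            # TCP/UDP destination port
    flags: int = 0            # TCP flags bitmask, see TCP_FLAG_BITS
    dscp: int = 0
    vlan: int = 0
    icmp_type: int = 0
    icmp_code: int = 0

@dataclass
class Rule:                   # one "seq N permit|deny ..." entry
    seq: int
    action: str                                    # "permit" or "deny"
    proto: str = "ip"                              # ip, icmp, tcp, udp or "0".."255"
    src: str = "any"                               # "any" or a prefix such as 10.0.0.0/24
    dst: str = "any"
    dport: Optional[Tuple[str, int, int]] = None   # (eq|gt|lt|range, lo, hi)
    flags_set: Tuple[str, ...] = ()                # syn, ack, ...  (flag must be set)
    flags_clear: Tuple[str, ...] = ()              # not-syn, ...   (flag must be clear)
    established: bool = False
    exact: dict = field(default_factory=dict)      # dscp, vlan, icmp_type, icmp_code

def tcp_flags_value_mask(flags_set=(), flags_clear=()) -> Tuple[int, int]:
    """Flag keywords as the (value, mask) pair one TCAM entry matches on; SONiC's
    CONFIG_DB writes the same pair as a string such as "0x02/0x12"."""
    value = mask = 0
    for f in flags_set:
        value |= TCP_FLAG_BITS[f]
        mask |= TCP_FLAG_BITS[f]
    for f in flags_clear:
        mask |= TCP_FLAG_BITS[f]
    return value, mask

def _proto_match(spec: str, proto: int) -> bool:
    want = {"icmp": 1, "tcp": 6, "udp": 17}.get(spec, int(spec) if spec.isdigit() else -1)
    return spec == "ip" or proto == want           # "ip" matches any IPv4 packet

def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def _port_match(spec, port: int) -> bool:
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo, "range": lo <= port <= hi}[op]

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not (_proto_match(rule.proto, pkt.proto) and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)):
        return False
    if any(getattr(pkt, f) != want for f, want in rule.exact.items()):
        return False
    if rule.proto in ("tcp", "udp") and not _port_match(rule.dport, pkt.dport):
        return False
    if rule.proto == "tcp":
        value, mask = tcp_flags_value_mask(rule.flags_set, rule.flags_clear)
        if pkt.flags & mask != value:
            return False
        # Assumption: "established" = ACK or RST set (classic router semantics);
        # an OR of two bits is not one value/mask pair, so it is checked apart.
        if rule.established and not pkt.flags & (TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"]):
            return False
    return True

def evaluate(acl, pkt: Packet, default: str = "deny"):   # deny-by-default is an assumption
    """(seq, action) of the first rule matching in sequence order, else (None, default)."""
    for rule in sorted(acl, key=lambda r: r.seq):
        if rule_matches(rule, pkt):
            return rule.seq, rule.action
    return None, default

# Constructed policy: new SSH sessions into 10.0.0.0/24 (SYN set, ACK clear),
# replies out of it, ICMP echo requests in, everything else denied.
ACL = [
    Rule(10, "permit", "tcp", "any", "10.0.0.0/24", dport=("eq", 22, 22),
         flags_set=("syn",), flags_clear=("ack",)),
    Rule(20, "permit", "tcp", "10.0.0.0/24", "any", established=True),
    Rule(30, "permit", "icmp", "any", "10.0.0.0/24", exact={"icmp_type": 8}),
    Rule(40, "deny", "ip"),
]

# Constructed sample packets: new SSH in, new telnet in, SYN/ACK reply out, echo request in.
SSH_NEW = Packet(6, "192.0.2.5", "10.0.0.10", dport=22, flags=TCP_FLAG_BITS["syn"])
TELNET_NEW = Packet(6, "192.0.2.5", "10.0.0.10", dport=23, flags=TCP_FLAG_BITS["syn"])
SSH_REPLY = Packet(6, "10.0.0.10", "192.0.2.5", dport=50000, flags=TCP_FLAG_BITS["syn"] | TCP_FLAG_BITS["ack"])
PING_REQ = Packet(1, "192.0.2.5", "10.0.0.10", icmp_type=8)

if __name__ == "__main__":
    print([evaluate(ACL, p) for p in (SSH_NEW, TELNET_NEW, SSH_REPLY, PING_REQ)])
```

Rule 10 only admits a SYN without ACK, so a SYN/ACK aimed at the servers falls through to the final deny, and a new outbound connection from the servers fails rule 20 because neither ACK nor RST is set. Because evaluation sorts by sequence number, adding a broad deny with a lower sequence number than rule 10 shadows it completely; that ordering is the first thing to check when a permit seems to be ignored.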
 

Troubleshooting Tips 

  • ACL rules consume TCAM entries in the ASIC; confirm the table has room before adding rules, and remember that rules are evaluated in sequence order, so a broad rule with a low sequence number shadows the more specific rules after it. 

  • Verify that every match field you use is supported by the Broadcom chip in your platform (check the platform documentation). 

  • Confirm the ACL is bound to the intended interface or VLAN, in the intended direction. 

  • Check rule counters, logs, or debug output to see which rule is dropping or denying the packets. 
