Supported ACL Features in Broadcom
Objective
This document explains the key ACL (Access Control List) features supported in Broadcom ASICs. ACLs are used to control and filter network traffic based on rules matching packet headers, providing security, traffic management, and policy enforcement.
Prerequisites
Hardware:
Switches or routers that support VLANs (e.g., edgecore, ufispace)
Software:
Network operating systems that support VLAN configuration (e.g., SONiC-OS-4.4.0-Enterprise_Base, SONiC-OS-4.4.2-Enterprise_Base)
Access:
Administrative or privileged CLI access
Network:
Defined use cases for traffic filtering, classification, or QoS
Basic Configuration Steps
1. Supported protocols
sonic(config-ipv4-acl)# seq 10 permit
<0..255> Protocol number (0 to 255)
icmp ICMP Packets
ip Any IPv4 Packets
tcp TCP packets
udp UDP packets
Supported protocols in SONiC IPv4 ACLs: IP, ICMP, TCP, UDP, or protocol numbers 0–255.
2. Supported features in ipv4
sonic(config-ipv4-acl)# seq 10 permit ip any any
dscp Match packets using DSCP value
vlan Match packets using VLAN ID value
remark Set remark or description for rule
Supported match options in SONiC IPv4 ACLs: DSCP value, VLAN ID, or add a remark/description.
3. Supported features in tcp
sonic(config-ipv4-acl)# seq 10 permit tcp any any
eq Match packets with TCP/UDP destination port equal to the given port number
gt Match packets with TCP/UDP destination port greater than the given port number
lt Match packets with TCP/UDP destination port lesser than the given port number
range Match packets with TCP/UDP destination port in the given range
dscp Match packets using DSCP value
established Match packets which are part of established TCP session
fin Match packets with FIN TCP flag set
not-fin Match packets with FIN TCP flag cleared
syn Match packets with SYN TCP flag set
not-syn Match packets with SYN TCP Flag cleared
rst Match packets with RST TCP flag set
not-rst Match packets with RST TCP flag cleared
psh Match packets with PSH TCP flag set
not-psh Match packets with PSH TCP flag cleared
ack Match packets with ACK TCP flag set
not-ack Match packets with ACK TCP flag cleared
urg Match packets with URG TCP flag set
not-urg Match packets with URG TCP flag cleared
vlan Match packets using VLAN ID value
remark Set remark or description for rule
In SONiC, when configuring an IPv4 ACL with permit tcp any any, you can match packets using:
Destination port: match by exact (eq), greater (gt), less (lt), or within a range (range).
DSCP: match based on Differentiated Services Code Point value.
TCP flags and state: established, or a specific flag (fin, syn, rst, psh, ack, urg) that must be set or cleared (e.g., syn / not-syn).
VLAN ID: match packets based on VLAN tag.
Remark: add a description or comment to the rule.
4. Supported features in udp
sonic(config-ipv4-acl)# seq 10 permit udp any any
eq Match packets with TCP/UDP destination port equal to the given port number
gt Match packets with TCP/UDP destination port greater than the given port number
lt Match packets with TCP/UDP destination port lesser than the given port number
range Match packets with TCP/UDP destination port in the given range
dscp Match packets using DSCP value
vlan Match packets using VLAN ID value
remark Set remark or description for rule
In SONiC, permit udp any any supports matching by UDP port, DSCP, VLAN ID, and adding remarks.
5. Supported features in icmp
sonic(config-ipv4-acl)# seq 10 permit icmp any any
dscp Match packets using DSCP value
type Match packets using ICMP type
code Match packets using ICMP code
vlan Match packets using VLAN ID value
remark Set remark or description for rule
In SONiC, permit icmp any any supports matching by DSCP, ICMP type, ICMP code, VLAN ID, and adding remarks.
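To check what a rule set like the ones above will do before it is committed to the ASIC, here is an added example (not SONiC or Broadcom code) that parses the seq/permit/deny syntax shown in this document and evaluates constructed packets against it, first match wins. It assumes that `any` matches every address, that explicit addresses compare as exact strings, that `established` means ACK or RST is set, and Python 3.9+ for `str.removeprefix`.

```python
# Added example, not SONiC or Broadcom code: evaluates the seq/permit/deny rule syntax shown above.
FLAGS = {"fin", "syn", "rst", "psh", "ack", "urg"}

def parse_rule(text: str) -> dict:
    """Parse 'seq N permit|deny PROTO SRC DST [options...]' into a dict (Python 3.9+)."""
    t, i = text.split(), 6
    r = {"seq": int(t[1]), "action": t[2], "proto": t[3], "src": t[4], "dst": t[5],
         "port": None, "exact": {}, "flags": {}}
    while i < len(t):
        o = t[i]
        if o in ("eq", "gt", "lt"):                      # normalise to an inclusive port range
            v, i = int(t[i + 1]), i + 2
            r["port"] = {"eq": (v, v), "gt": (v + 1, 65535), "lt": (0, v - 1)}[o]
        elif o == "range":                               # inclusive low..high port range
            r["port"], i = (int(t[i + 1]), int(t[i + 2])), i + 3
        elif o in ("dscp", "vlan", "type", "code"):      # exact-value matches
            r["exact"][o], i = int(t[i + 1]), i + 2
        elif o == "established" or o.removeprefix("not-") in FLAGS:  # flag set / cleared
            r["flags"][o.removeprefix("not-")], i = not o.startswith("not-"), i + 1
        elif o == "remark":                              # rest of the line is free text
            break
        else:                                            # refuse typos instead of ignoring them
            raise ValueError(f"unknown option {o!r} in {text!r}")
    return r

def matches(r: dict, pkt: dict) -> bool:
    """True if rule r matches pkt. Assumption: 'established' means ACK or RST is set."""
    have, d = pkt.get("flags", set()), pkt.get("dport", -1)
    checks = [r["proto"] in ("ip", pkt.get("proto")),               # 'ip' matches any IPv4
              all(r[k] in ("any", pkt.get(k)) for k in ("src", "dst")),
              all(pkt.get(k) == v for k, v in r["exact"].items())]
    if r["port"]:                                        # (low, high), both inclusive
        checks.append(r["port"][0] <= d <= r["port"][1])
    for name, want in r["flags"].items():
        present = bool(have & {"ack", "rst"}) if name == "established" else name in have
        checks.append(present == want)
    return all(checks)

def evaluate(rules: list, pkt: dict) -> tuple:
    """First match in ascending seq order wins; no match is the implicit deny."""
    for r in sorted(map(parse_rule, rules), key=lambda x: x["seq"]):
        if matches(r, pkt):
            return r["action"], r["seq"]
    return "deny", None

# Constructed inbound policy: return traffic, SSH from one admin host, ping replies, deny the rest.
RULES = ["seq 10 permit tcp any any established",
         "seq 20 permit tcp 10.0.0.5 any eq 22 syn not-ack",
         "seq 30 permit icmp any any type 0 code 0",
         "seq 100 deny ip any any remark default drop"]
```

A packet dict carries proto, src, dst and, as needed, dport, dscp, vlan, type, code and a set of TCP flag names; evaluate(RULES, pkt) returns the action and the seq of the rule that decided it.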
Troubleshooting Tips
Ensure ACL table capacity is not exceeded (ASIC limits).
Verify that every match field used in a rule is supported by the Broadcom chip (check the platform documentation).
Confirm correct binding to interfaces or VLANs.
Check logs or debug outputs for dropped or denied packets.