This module contains a collection of IOS-XR YANG model derived from CLI. Copyright (c) 2013-2020 by Cisco Systems, Inc. All ri...
Version: 2020-12-03
module Cisco-IOS-XR-um-ipv4-access-list-cfg { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XR-um-ipv4-access-list-cfg"; prefix um-ipv4-acl-cfg; import cisco-semver { prefix semver; } import ietf-inet-types { prefix inet; } import Cisco-IOS-XR-um-access-list-datatypes { prefix um-acl-types; } import Cisco-IOS-XR-types { prefix xr2; } organization "Cisco Systems, Inc."; contact " Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com "; description " This module contains a collection of IOS-XR YANG model derived from CLI. Copyright (c) 2013-2020 by Cisco Systems, Inc. All rights reserved. "; revision "2020-12-03" { description "Limit length of remark string 2020-10-21 Added udf support"; } revision "2019-06-10" { description "Establish semantic version baseline."; } revision "2019-04-01" { description "Initial version"; } semver:module-version "2.0.0"; semver:module-version "1.0.0"; feature ipv4_acl_object_groups_supported { description "Port object group"; } feature ipv4_acl_support_counter { description "Counter for access-list entry"; } feature ipv4_acl_protocol_range_implemented { description "Range of protocol numbers"; } feature ipv4_acl_abf_implemented { description "Forward to specified nexthop on match against access-list entry"; } feature ipv4_acl_abf_track_implemented { description "Match a specific TRACK Name"; } feature ipv4_acl_rollback_permit_supported { description "Rollback of access-list"; } feature IP_ACL_TCP_URG_FLAG_IMPLEMENTED { description "Match on URG bit"; } feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED { description "Match all the options specified for TCP flags"; } feature ipv4_acl_pktlen_implemented { description "Check packet length"; } feature ipv4_acl_fragment_offset_implemented { description "Match fragment-offset"; } feature ipv4_acl_is_frag_flags_supported { description "Match fragment type for a packet"; } feature ipv4_acl_is_udf_supported { description "Set User Defined Fields"; } feature ipv4_acl_capture_implemented { description "Capture matched packet"; } feature ipv4_acl_is_set_action_supported { description "Set action on access-list entry"; } feature ipv4_acl_is_set_qos_group_supported { description "Set QoS group"; } feature ipv4_acl_is_set_ttl_supported { description "Set ttl value"; } container ipv4 { description "Configure ipv4 access-list"; container access-list-options { container log-update { description "Control access lists log updates"; leaf threshold { type uint32 { range "1..2147483647"; } description "Set access-list logging threshold"; } leaf rate { type uint16 { range "1..1000"; } description "Set access-list logging rate (num. logs per second)"; } } // container log-update } // container access-list-options container access-lists { description "Access-lists"; list access-list { key "access-list-name"; description "Access-list configuration"; leaf access-list-name { type string { length "1..64"; } description "Access list name - maximum 64 characters"; } container sequences { description "Access list entries"; list sequence { must "deny or permit or remark"; key "sequence-number"; description "access list entry"; leaf sequence-number { type uint32 { range "1..2147483643"; } description "Sequence number for this entry"; } container deny { must "(protocol or eq or range) and (source and destination) and (not(log and log-input))"; presence "Grant type Deny"; leaf protocol { type um-acl-types:ipv4-protocol; must "not(../eq or ../range/start-protocol or ../range/end-protocol)"; description "An IPv4 Protocol"; } leaf eq { type um-acl-types:ipv4-protocol; must "not(../protocol or ../range/start-protocol or ../range/end-protocol)"; description "Match only packets with exact protocol numbers"; } container range { if-feature ipv4_acl_protocol_range_implemented; description "Match only packets in the range of protocol numbers"; leaf start-protocol { type um-acl-types:ipv4-protocol; must "not(../../protocol or ../../eq) and (../end-protocol)"; description "An IPv4 Protocol"; } leaf end-protocol { type um-acl-types:ipv4-protocol; must "not(../../protocol or ../../eq) and (../start-protocol)"; description "An IPv4 Protocol"; } } // container range container source { must "address or any or host or net-group"; leaf address { type inet:ipv4-address-no-zone; must "not(../any or ../host or ../net-group) and (../wildcard-mask or ../prefix-length)"; description "Source IP address"; } leaf wildcard-mask { type inet:ipv4-address-no-zone; must "not(../prefix-length)"; description "Source IP address wildcard mask. Either wildcard-mask or prefix-length can be used along with address."; } leaf prefix-length { type xr2:Ipv4-prefix-length; must "not(../wildcard-mask)"; description "Source IP address prefix length. Either wildcard-mask or prefix-length can be used along with address."; } container any { must "not(../address or ../host or ../net-group)"; presence "Any host"; description "Any source host"; } // container any leaf host { type inet:ipv4-address; must "not(../address or ../any or ../net-group)"; description "A single source host"; } leaf net-group { if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } must "not(../address or ../any or ../host)"; description "IPv4 source network object group"; } container port { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; description "Match based on a port number"; leaf eq { type um-acl-types:ipv4-port-number; must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given port number"; } leaf gt { type um-acl-types:ipv4-port-number; must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater port number"; } leaf lt { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower port number"; } leaf neq { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given port"; } container range { description "Match only packets in the range of port numbers"; leaf start-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Port number"; } leaf end-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Port number"; } } // container range } // container port leaf port-group { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } description "source port object group"; } } // container source container destination { must "address or any or host or net-group"; leaf address { type inet:ipv4-address-no-zone; must "not(../any or ../host or ../net-group) and (../wildcard-mask or ../prefix-length)"; description "Destination IP address"; } leaf wildcard-mask { type inet:ipv4-address-no-zone; must "not(../prefix-length)"; description "Destination IP address wildcard mask. Either wildcard-mask or prefix-length can be used along with address."; } leaf prefix-length { type xr2:Ipv4-prefix-length; must "not(../wildcard-mask)"; description "Destination IP address prefix length. Either wildcard-mask or prefix-length can be used along with address."; } container any { must "not(../address or ../host or ../net-group)"; presence "Any host"; description "Any destination host"; } // container any leaf host { type inet:ipv4-address; must "not(../address or ../any or ../net-group)"; description "A single destination host"; } leaf net-group { if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } must "not(../address or ../any or ../host)"; description "IPv4 destination network object group"; } container port { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; description "Match based on a port number"; leaf eq { type um-acl-types:ipv4-port-number; must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given port number"; } leaf gt { type um-acl-types:ipv4-port-number; must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater port number"; } leaf lt { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower port number"; } leaf neq { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given port"; } container range { description "Match only packets in the range of port numbers"; leaf start-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Port number"; } leaf end-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Port number"; } } // container range } // container port leaf port-group { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } description "destination port object group"; } } // container destination container tcp-flags { container match-all { if-feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED; must "not(../match-any)"; presence "indicates match-all is configured"; description "Match all the options specified for TCP flags"; leaf tcp-bits { type string { pattern "((\\+|\\-)(fin|syn|rst|psh|ack|urg)[ ]{0,1})+"; } description "TCP bits to match with set(+) or not set(-) indication"; } } // container match-all container match-any { if-feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED; must "not(../match-all)"; presence "indicates match-any is configured"; description "Match atleast one of the options specified for TCP flags"; leaf tcp-bits { type string { pattern "((\\+|\\-)(fin|syn|rst|psh|ack|urg)[ ]{0,1})+"; } description "TCP bits to match with set(+) or not set(-) indication"; } } // container match-any leaf tcp-bits { type um-acl-types:tcp-bits-type; must "not(../match-all) and not(../match-any)"; description "TCP bits to match"; } } // container tcp-flags container icmp { description "Match on ICMP message"; leaf message-type-name { type um-acl-types:ipv4-icmp-message-type; must "not(../message-type or ../message-code)"; description "ICMP message type"; } leaf message-type { type uint8 { range "0..255"; } must "not(../message-type-name)"; description "ICMP message type"; } leaf message-code { type uint8 { range "0..255"; } must "not(../message-type-name)"; description "ICMP message code"; } } // container icmp leaf igmp-type { type union { type uint8 { range "0..255"; } type enumeration { enum "host-query" { value 0; description "Host query"; } enum "host-report" { value 1; description "Host report"; } enum "dvmrp" { value 2; description "Distance Vector Multicast Routing Protocol"; } enum "pim" { value 3; description "Portocol Independent Multicast"; } enum "trace" { value 4; description "Multicast trace"; } enum "v2-report" { value 5; description "Version 2 report"; } enum "v2-leave" { value 6; description "Version 2 leave"; } enum "mtrace-response" { value 7; description "mtrace response"; } enum "mtrace" { value 8; description "mtrace"; } enum "v3-report" { value 9; description "Version 3 report"; } } } description "Match on IGMP message"; } container dscp { description "Match packets with given DSCP value(s)"; leaf dscp-value { type um-acl-types:dscp-value; must "not(../eq or ../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; } leaf eq { type um-acl-types:dscp-value; must "not(../dscp-value or ../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given DSCP value"; } leaf gt { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater DSCP value"; } leaf lt { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower DSCP value"; } leaf neq { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given DSCP value"; } container range { description "Match only packets in the range of DSCP values"; leaf start-value { type um-acl-types:dscp-value; must "not(../../dscp-value or ../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "DSCP value"; } leaf end-value { type um-acl-types:dscp-value; must "not(../../dscp-value or ../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "DSCP value"; } } // container range } // container dscp leaf precedence { type um-acl-types:precedence-value; description "Match packets with given precedence"; } container packet-length { if-feature ipv4_acl_pktlen_implemented; description "Check packet length"; leaf eq { type uint16 { range "0..65535"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint16 { range "0..65535"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint16 { range "0..65535"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint16 { range "0..65535"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint16 { range "0..65535"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Packet length start"; } leaf end-value { type uint16 { range "0..65535"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Packet length end"; } } // container range } // container packet-length container ttl { description "match against ttl"; leaf eq { type uint8 { range "0..255"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint8 { range "0..255"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint8 { range "0..255"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint8 { range "0..255"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint8 { range "0..255"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "ttl range lower value"; } leaf end-value { type uint8 { range "0..255"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "ttl range higher value"; } } // container range } // container ttl container fragment-offset { if-feature ipv4_acl_fragment_offset_implemented; description "match fragment-offset"; leaf eq { type uint16 { range "0..8191"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint16 { range "0..8191"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint16 { range "0..8191"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint16 { range "0..8191"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint16 { range "0..8191"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "fragment-offset value"; } leaf end-value { type uint16 { range "0..8191"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "fragment-offset value"; } } // container range } // container fragment-offset container fragments { must "not(../source/port/eq or ../source/port/gt or ../source/port/lt or ../source/port/neq or ../source/port/range/start-value) and not(../destination/port/eq or ../destination/port/gt or ../destination/port/lt or ../destination/port/neq or ../destination/port/range/start-value) and not(../icmp/message-type-name) and not(../icmp/message-type) and not(../icmp/message-code) and not(../igmp-type)"; presence "Check non-initial fragments"; description "Check non-initial fragments"; } // container fragments leaf fragment-type { if-feature ipv4_acl_is_frag_flags_supported; type enumeration { enum "dont-fragment" { value 0; description "Match don't fragment flag"; } enum "first-fragment" { value 1; description "Match first fragment flag"; } enum "is-fragment" { value 2; description "Match is-fragment flag"; } enum "last-fragment" { value 3; description "Match last fragment flag"; } enum "dont-fragment is-fragment" { value 4; description "Match don't fragment flag and is fragment flag"; } enum "dont-fragment first-fragment" { value 5; description "Match don't fragment flag and first fragment flag"; } enum "dont-fragment last-fragment" { value 6; description "Match don't fragment flag and last fragment flag"; } } description "Fragment type for a packet"; } list udf { if-feature ipv4_acl_is_udf_supported; key "udf-name"; max-elements 8; description "Set User Defined Fields on this entry"; leaf udf-name { type string { length "1..16"; } description "UDF name"; } leaf udf-value { type xr2:Hex-integer; description "UDF value"; } leaf udf-mask { type xr2:Hex-integer; description "UDF mask"; } } // list udf container default { presence "Use specified default nexthop on match against this entry"; description "Use specified default nexthop on match against this entry"; } // container default container nexthop1 { if-feature ipv4_acl_abf_implemented; presence "Forward to specified nexthop on match against this entry"; description "Forward to specified nexthop on match against this entry"; leaf ipv4 { type inet:ipv4-address; description "nexthop1 ipv4 address"; } leaf track { if-feature ipv4_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop1 container nexthop2 { must "(../nexthop1/vrf and ../nexthop1/ipv4) or ../nexthop1/vrf or ../nexthop1/ipv4"; presence "Forward to specified nexthop on match against this entry"; description "Another nexthop"; leaf ipv4 { type inet:ipv4-address; description "nexthop2 ipv4 address"; } leaf track { if-feature ipv4_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop2 container nexthop3 { must "(../nexthop2/vrf and ../nexthop2/ipv4) or ../nexthop2/vrf or ../nexthop2/ipv4"; presence "Forward to specified nexthop on match against this entry"; description "Another nexthop"; leaf ipv4 { type inet:ipv4-address; description "nexthop3 ipv4 address"; } leaf track { if-feature ipv4_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop3 container capture { if-feature ipv4_acl_capture_implemented; presence "Capture matched packet"; description "Capture matched packet"; } // container capture leaf counter { if-feature ipv4_acl_support_counter; type string { length "1..64"; } description "counter for this ACE"; } container log { presence "Log matches against this entry"; description "Log matches against this entry"; } // container log container log-input { presence "Log matches against this entry, including input interface"; description "Log matches against this entry, including input interface"; } // container log-input container set { if-feature ipv4_acl_is_set_action_supported; description "Set action on this entry"; leaf qos-group { if-feature ipv4_acl_is_set_qos_group_supported; type uint16 { range "0..512"; } description "qos-group number"; } leaf ttl { if-feature ipv4_acl_is_set_ttl_supported; type uint8 { range "0..255"; } description "Set ttl value"; } } // container set container icmp-off { presence "Do not generate the ICMP message"; description "Do not generate the ICMP message"; } // container icmp-off } // container deny container permit { must "(protocol or eq or range) and (source and destination) and (not(log and log-input))"; presence "Grant type Permit"; leaf protocol { type um-acl-types:ipv4-protocol; must "not(../eq or ../range/start-protocol or ../range/end-protocol)"; description "An IPv4 Protocol"; } leaf eq { type um-acl-types:ipv4-protocol; must "not(../protocol or ../range/start-protocol or ../range/end-protocol)"; description "Match only packets with exact protocol numbers"; } container range { if-feature ipv4_acl_protocol_range_implemented; description "Match only packets in the range of protocol numbers"; leaf start-protocol { type um-acl-types:ipv4-protocol; must "not(../../protocol or ../../eq) and (../end-protocol)"; description "An IPv4 Protocol"; } leaf end-protocol { type um-acl-types:ipv4-protocol; must "not(../../protocol or ../../eq) and (../start-protocol)"; description "An IPv4 Protocol"; } } // container range container source { must "address or any or host or net-group"; leaf address { type inet:ipv4-address-no-zone; must "not(../any or ../host or ../net-group) and (../wildcard-mask or ../prefix-length)"; description "Source IP address"; } leaf wildcard-mask { type inet:ipv4-address-no-zone; must "not(../prefix-length)"; description "Source IP address wildcard mask. Either wildcard-mask or prefix-length can be used along with address."; } leaf prefix-length { type xr2:Ipv4-prefix-length; must "not(../wildcard-mask)"; description "Source IP address prefix length. Either wildcard-mask or prefix-length can be used along with address."; } container any { must "not(../address or ../host or ../net-group)"; presence "Any host"; description "Any source host"; } // container any leaf host { type inet:ipv4-address; must "not(../address or ../any or ../net-group)"; description "A single source host"; } leaf net-group { if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } must "not(../address or ../any or ../host)"; description "IPv4 source network object group"; } container port { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; description "Match based on a port number"; leaf eq { type um-acl-types:ipv4-port-number; must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given port number"; } leaf gt { type um-acl-types:ipv4-port-number; must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater port number"; } leaf lt { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower port number"; } leaf neq { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given port"; } container range { description "Match only packets in the range of port numbers"; leaf start-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Port number"; } leaf end-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Port number"; } } // container range } // container port leaf port-group { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } description "source port object group"; } } // container source container destination { must "address or any or host or net-group"; leaf address { type inet:ipv4-address-no-zone; must "not(../any or ../host or ../net-group) and (../wildcard-mask or ../prefix-length)"; description "Destination IP address"; } leaf wildcard-mask { type inet:ipv4-address-no-zone; must "not(../prefix-length)"; description "Destination IP address wildcard mask. Either wildcard-mask or prefix-length can be used along with address."; } leaf prefix-length { type xr2:Ipv4-prefix-length; must "not(../wildcard-mask)"; description "Destination IP address prefix length. Either wildcard-mask or prefix-length can be used along with address."; } container any { must "not(../address or ../host or ../net-group)"; presence "Any host"; description "Any destination host"; } // container any leaf host { type inet:ipv4-address; must "not(../address or ../any or ../net-group)"; description "A single destination host"; } leaf net-group { if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } must "not(../address or ../any or ../host)"; description "IPv4 destination network object group"; } container port { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; description "Match based on a port number"; leaf eq { type um-acl-types:ipv4-port-number; must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given port number"; } leaf gt { type um-acl-types:ipv4-port-number; must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater port number"; } leaf lt { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower port number"; } leaf neq { type um-acl-types:ipv4-port-number; must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given port"; } container range { description "Match only packets in the range of port numbers"; leaf start-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Port number"; } leaf end-value { type um-acl-types:ipv4-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Port number"; } } // container range } // container port leaf port-group { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; if-feature ipv4_acl_object_groups_supported; type string { length "1..64"; } description "destination port object group"; } } // container destination container tcp-flags { container match-all { if-feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED; must "not(../match-any)"; presence "indicates match-all is configured"; description "Match all the options specified for TCP flags"; leaf tcp-bits { type string { pattern "((\\+|\\-)(fin|syn|rst|psh|ack|urg)[ ]{0,1})+"; } description "TCP bits to match with set(+) or not set(-) indication"; } } // container match-all container match-any { if-feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED; must "not(../match-all)"; presence "indicates match-any is configured"; description "Match atleast one of the options specified for TCP flags"; leaf tcp-bits { type string { pattern "((\\+|\\-)(fin|syn|rst|psh|ack|urg)[ ]{0,1})+"; } description "TCP bits to match with set(+) or not set(-) indication"; } } // container match-any leaf tcp-bits { type um-acl-types:tcp-bits-type; must "not(../match-all) and not(../match-any)"; description "TCP bits to match"; } } // container tcp-flags container icmp { description "Match on ICMP message"; leaf message-type-name { type um-acl-types:ipv4-icmp-message-type; must "not(../message-type or ../message-code)"; description "ICMP message type"; } leaf message-type { type uint8 { range "0..255"; } must "not(../message-type-name)"; description "ICMP message type"; } leaf message-code { type uint8 { range "0..255"; } must "not(../message-type-name)"; description "ICMP message code"; } } // container icmp leaf igmp-type { type union { type uint8 { range "0..255"; } type enumeration { enum "host-query" { value 0; description "Host query"; } enum "host-report" { value 1; description "Host report"; } enum "dvmrp" { value 2; description "Distance Vector Multicast Routing Protocol"; } enum "pim" { value 3; description "Portocol Independent Multicast"; } enum "trace" { value 4; description "Multicast trace"; } enum "v2-report" { value 5; description "Version 2 report"; } enum "v2-leave" { value 6; description "Version 2 leave"; } enum "mtrace-response" { value 7; description "mtrace response"; } enum "mtrace" { value 8; description "mtrace"; } enum "v3-report" { value 9; description "Version 3 report"; } } } description "Match on IGMP message"; } container dscp { description "Match packets with given DSCP value(s)"; leaf dscp-value { type um-acl-types:dscp-value; must "not(../eq or ../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; } leaf eq { type um-acl-types:dscp-value; must "not(../dscp-value or ../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given DSCP value"; } leaf gt { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater DSCP value"; } leaf lt { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower DSCP value"; } leaf neq { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given DSCP value"; } container range { description "Match only packets in the range of DSCP values"; leaf start-value { type um-acl-types:dscp-value; must "not(../../dscp-value or ../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "DSCP value"; } leaf end-value { type um-acl-types:dscp-value; must "not(../../dscp-value or ../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "DSCP value"; } } // container range } // container dscp leaf precedence { type um-acl-types:precedence-value; description "Match packets with given precedence"; } container packet-length { if-feature ipv4_acl_pktlen_implemented; description "Check packet length"; leaf eq { type uint16 { range "0..65535"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint16 { range "0..65535"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint16 { range "0..65535"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint16 { range "0..65535"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint16 { range "0..65535"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Packet length start"; } leaf end-value { type uint16 { range "0..65535"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Packet length end"; } } // container range } // container packet-length container ttl { description "match against ttl"; leaf eq { type uint8 { range "0..255"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint8 { range "0..255"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint8 { range "0..255"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint8 { range "0..255"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint8 { range "0..255"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "ttl range lower value"; } leaf end-value { type uint8 { range "0..255"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "ttl range higher value"; } } // container range } // container ttl container fragment-offset { if-feature ipv4_acl_fragment_offset_implemented; description "match fragment-offset"; leaf eq { type uint16 { range "0..8191"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint16 { range "0..8191"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint16 { range "0..8191"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint16 { range "0..8191"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint16 { range "0..8191"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "fragment-offset value"; } leaf end-value { type uint16 { range "0..8191"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "fragment-offset value"; } } // container range } // container fragment-offset container fragments { must "not(../source/port/eq or ../source/port/gt or ../source/port/lt or ../source/port/neq or ../source/port/range/start-value) and not(../destination/port/eq or ../destination/port/gt or ../destination/port/lt or ../destination/port/neq or ../destination/port/range/start-value) and not(../icmp/message-type-name) and not(../icmp/message-type) and not(../icmp/message-code) and not(../igmp-type)"; presence "Check non-initial fragments"; description "Check non-initial fragments"; } // container fragments leaf fragment-type { if-feature ipv4_acl_is_frag_flags_supported; type enumeration { enum "dont-fragment" { value 0; description "Match don't fragment flag"; } enum "first-fragment" { value 1; description "Match first fragment flag"; } enum "is-fragment" { value 2; description "Match is-fragment flag"; } enum "last-fragment" { value 3; description "Match last fragment flag"; } enum "dont-fragment is-fragment" { value 4; description "Match don't fragment flag and is fragment flag"; } enum "dont-fragment first-fragment" { value 5; description "Match don't fragment flag and first fragment flag"; } enum "dont-fragment last-fragment" { value 6; description "Match don't fragment flag and last fragment flag"; } } description "Fragment type for a packet"; } list udf { if-feature ipv4_acl_is_udf_supported; key "udf-name"; max-elements 8; description "Set User Defined Fields on this entry"; leaf udf-name { type string { length "1..16"; } description "UDF name"; } leaf udf-value { type xr2:Hex-integer; description "UDF value"; } leaf udf-mask { type xr2:Hex-integer; description "UDF mask"; } } // list udf container default { presence "Use specified default nexthop on match against this entry"; description "Use specified default nexthop on match against this entry"; } // container default container nexthop1 { if-feature ipv4_acl_abf_implemented; presence "Forward to specified nexthop on match against this entry"; description "Forward to specified nexthop on match against this entry"; leaf ipv4 { type inet:ipv4-address; description "nexthop1 ipv4 address"; } leaf track { if-feature ipv4_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop1 container nexthop2 { must "(../nexthop1/vrf and ../nexthop1/ipv4) or ../nexthop1/vrf or ../nexthop1/ipv4"; presence "Forward to specified nexthop on match against this entry"; description "Another nexthop"; leaf ipv4 { type inet:ipv4-address; description "nexthop2 ipv4 address"; } leaf track { if-feature ipv4_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop2 container nexthop3 { must "(../nexthop2/vrf and ../nexthop2/ipv4) or ../nexthop2/vrf or ../nexthop2/ipv4"; presence "Forward to specified nexthop on match against this entry"; description "Another nexthop"; leaf ipv4 { type inet:ipv4-address; description "nexthop3 ipv4 address"; } leaf track { if-feature ipv4_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop3 container capture { if-feature ipv4_acl_capture_implemented; presence "Capture matched packet"; description "Capture matched packet"; } // container capture leaf counter { if-feature ipv4_acl_support_counter; type string { length "1..64"; } description "counter for this ACE"; } container log { presence "Log matches against this entry"; description "Log matches against this entry"; } // container log container log-input { presence "Log matches against this entry, including input interface"; description "Log matches against this entry, including input interface"; } // container log-input container set { if-feature ipv4_acl_is_set_action_supported; description "Set action on this entry"; leaf qos-group { if-feature ipv4_acl_is_set_qos_group_supported; type uint16 { range "0..512"; } description "qos-group number"; } leaf ttl { if-feature ipv4_acl_is_set_ttl_supported; type uint8 { range "0..255"; } description "Set ttl value"; } } // container set } // container permit leaf remark { type string { length "0..255"; } description "Comment for access list"; } } // list sequence } // container sequences } // list access-list } // container access-lists } // container ipv4 } // module Cisco-IOS-XR-um-ipv4-access-list-cfg
© 2023 YumaWorks, Inc. All rights reserved.