This module contains a collection of IOS-XR YANG model derived from CLI. Copyright (c) 2019-2021 by Cisco Systems, Inc. All ri...
Version: 2021-01-12
module Cisco-IOS-XR-um-ipv6-access-list-cfg { yang-version 1; namespace "http://cisco.com/ns/yang/Cisco-IOS-XR-um-ipv6-access-list-cfg"; prefix um-ipv6-acl-cfg; import cisco-semver { prefix semver; } import ietf-inet-types { prefix inet; } import Cisco-IOS-XR-um-access-list-datatypes { prefix um-acl-types; } import Cisco-IOS-XR-types { prefix xr2; } organization "Cisco Systems, Inc."; contact " Cisco Systems, Inc. Customer Service Postal: 170 W Tasman Drive San Jose, CA 95134 Tel: +1 1800 553-NETS E-mail: cs-yang@cisco.com "; description " This module contains a collection of IOS-XR YANG model derived from CLI. Copyright (c) 2019-2021 by Cisco Systems, Inc. All rights reserved. "; revision "2021-01-12" { description "Added udf support 2020-12-03 Limit length of remark string"; } revision "2019-06-10" { description "Establish semantic version baseline."; } revision "2019-04-01" { description "Initial version"; } semver:module-version "2.0.0"; semver:module-version "1.0.0"; feature ipv6_acl_object_groups_supported { description "Port object group"; } feature ipv6_acl_counter_supported { description "Counter for access-list entry"; } feature ipv6_acl_protocol_range_implemented { description "Range of protocol numbers"; } feature ipv6_acl_abf_implemented { description "Forward to specified nexthop on match against access-list entry"; } feature ipv6_acl_abf_track_implemented { description "Match a specific TRACK Name"; } feature ipv6_acl_rollback_permit_supported { description "Rollback of access-list"; } feature IP_ACL_TCP_URG_FLAG_IMPLEMENTED { description "Match on URG bit"; } feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED { description "Match all the options specified for TCP flags"; } feature ipv6_acl_pktlen_implemented { description "Check packet length"; } feature ipv6_acl_is_udf_supported { description "Set User Defined Fields"; } feature ipv6_acl_capture_implemented { description "Capture matched packet"; } feature ipv6_acl_is_set_action_supported { description "Set action on access-list entry"; } feature ipv6_acl_is_set_qos_group_supported { description "Set QoS group"; } feature ipv6_acl_is_set_ttl_supported { description "Set ttl value"; } feature ipv6_acl_undetermined_transport_supported { description "Undetermined transport packet"; } grouping ace-common { container source { must "address or any or host or net-group"; uses source-address; } // container source container destination { must "address or any or host or net-group"; uses destination-address; } // container destination uses tcp-flags { when "protocol='tcp'"; } uses icmp { when "protocol='icmpv6'"; } uses undetermined-transport; uses headers; uses dscp; uses packet-length; uses ttl; uses udf; } // grouping ace-common grouping source-address { leaf address { type inet:ipv6-address; must "not(../any or ../host or ../net-group) and (../wildcard-mask or ../prefix-length)"; description "Source IP address"; } leaf wildcard-mask { type inet:ipv6-address-no-zone; must "not(../prefix-length)"; description "Source IP address mask. Either wildcard-mask or prefix-length is supported along with address."; } leaf prefix-length { type xr2:Ipv6-prefix-length; must "not(../wildcard-mask)"; description "Source IP address prefix length.Either wildcard-mask or prefix-length is supported along with address."; } container any { must "not(../address or ../host or ../net-group)"; presence "Any host"; description "Any source host"; } // container any leaf host { type inet:ipv6-address; must "not(../address or ../any or ../net-group)"; description "A single source host"; } leaf net-group { if-feature ipv6_acl_object_groups_supported; type string { length "1..64"; } must "not(../address or ../any or ../host)"; description "IPv6 source network object group"; } container port { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; description "Match based on a port number"; leaf eq { type um-acl-types:ipv6-port-number; must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given port number"; } leaf gt { type um-acl-types:ipv6-port-number; must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater port number"; } leaf lt { type um-acl-types:ipv6-port-number; must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower port number"; } leaf neq { type um-acl-types:ipv6-port-number; must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given port"; } container range { description "Match only packets in the range of port numbers"; leaf start-value { type um-acl-types:ipv6-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Port number"; } leaf end-value { type um-acl-types:ipv6-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Port number"; } } // container range } // container port leaf port-group { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; if-feature ipv6_acl_object_groups_supported; type string { length "1..64"; } description "source port object group"; } } // grouping source-address grouping destination-address { leaf address { type inet:ipv6-address; must "not(../any or ../host or ../net-group) and (../wildcard-mask or ../prefix-length)"; description "Destination IP address"; } leaf wildcard-mask { type inet:ipv6-address-no-zone; must "not(../prefix-length)"; description "Destination IP address mask. Either wildcard-mask or prefix-length is supported along with address."; } leaf prefix-length { type xr2:Ipv6-prefix-length; must "not(../wildcard-mask)"; description "Destination IP address prefix length.Either wildcard-mask or prefix-length is supported along with address."; } container any { must "not(../address or ../host or ../net-group)"; presence "Any host"; description "Any destination host"; } // container any leaf host { type inet:ipv6-address; must "not(../address or ../any or ../net-group)"; description "A single destination host"; } leaf net-group { if-feature ipv6_acl_object_groups_supported; type string { length "1..64"; } must "not(../address or ../any or ../host)"; description "IPv6 destination network object group"; } container port { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; description "Match based on a port number"; leaf eq { type um-acl-types:ipv6-port-number; must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given port number"; } leaf gt { type um-acl-types:ipv6-port-number; must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater port number"; } leaf lt { type um-acl-types:ipv6-port-number; must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower port number"; } leaf neq { type um-acl-types:ipv6-port-number; must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given port"; } container range { description "Match only packets in the range of port numbers"; leaf start-value { type um-acl-types:ipv6-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Port number"; } leaf end-value { type um-acl-types:ipv6-port-number; must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Port number"; } } // container range } // container port leaf port-group { when "../../protocol='tcp' or ../../protocol='sctp' or ../../protocol='udp'"; if-feature ipv6_acl_object_groups_supported; type string { length "1..64"; } description "destination port object group"; } } // grouping destination-address grouping tcp-flags { container tcp-flags { container match-all { if-feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED; must "not(../match-any)"; presence "indicates match-all is configured"; description "Match all the options specified for TCP flags"; leaf tcp-bits { type string { pattern "((\\+|\\-)(fin|syn|rst|psh|ack|urg)[ ]{0,1})+"; } description "TCP bits to match with set(+) or not set(-) indication"; } } // container match-all container match-any { if-feature IP_ACL_TCP_FLEXFLAGS_IMPLEMENTED; must "not(../match-all)"; presence "indicates match-any is configured"; description "Match atleast one of the options specified for TCP flags"; leaf tcp-bits { type string { pattern "((\\+|\\-)(fin|syn|rst|psh|ack|urg)[ ]{0,1})+"; } description "TCP bits to match with set(+) or not set(-) indication"; } } // container match-any leaf tcp-bits { type um-acl-types:tcp-bits-type; must "not(../match-all) and not(../match-any)"; description "TCP bits to match"; } } // container tcp-flags } // grouping tcp-flags grouping icmp { container icmp { description "Match on ICMP message"; leaf message-type-name { type um-acl-types:ipv6-icmp-message-type; must "not(../message-type or ../message-code)"; description "ICMP message type"; } leaf message-type { type uint8 { range "0..255"; } must "not(../message-type-name)"; description "ICMP message type"; } leaf message-code { type uint8 { range "0..255"; } must "not(../message-type-name)"; description "ICMP message code"; } } // container icmp } // grouping icmp grouping dscp { container dscp { description "Match packets with given DSCP value(s)"; leaf dscp-value { type um-acl-types:dscp-value; must "not(../eq or ../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; } leaf eq { type um-acl-types:dscp-value; must "not(../dscp-value or ../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets on a given DSCP value"; } leaf gt { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater DSCP value"; } leaf lt { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower DSCP value"; } leaf neq { type um-acl-types:dscp-value; must "not(../dscp-value or ../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given DSCP value"; } container range { description "Match only packets in the range of DSCP values"; leaf start-value { type um-acl-types:dscp-value; must "not(../../dscp-value or ../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "DSCP value"; } leaf end-value { type um-acl-types:dscp-value; must "not(../../dscp-value or ../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "DSCP value"; } } // container range } // container dscp leaf precedence { type um-acl-types:precedence-value; description "Match packets with given precedence"; } } // grouping dscp grouping packet-length { container packet-length { if-feature ipv6_acl_pktlen_implemented; description "Check packet length"; leaf eq { type uint16 { range "0..65535"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint16 { range "0..65535"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint16 { range "0..65535"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint16 { range "0..65535"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint16 { range "0..65535"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "Packet length start"; } leaf end-value { type uint16 { range "0..65535"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "Packet length end"; } } // container range } // container packet-length } // grouping packet-length grouping ttl { container ttl { description "match against ttl"; leaf eq { type uint8 { range "0..255"; } must "not(../gt or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a given value"; } leaf gt { type uint8 { range "0..255"; } must "not(../eq or ../lt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packet with a greater value"; } leaf lt { type uint8 { range "0..255"; } must "not(../eq or ../gt or ../neq or ../range/start-value or ../range/end-value)"; description "Match only packets with a lower value"; } leaf neq { type uint8 { range "0..255"; } must "not(../eq or ../gt or ../lt or ../range/start-value or ../range/end-value)"; description "Match only packets not on a given value"; } container range { description "Match only packets in the range of value"; leaf start-value { type uint8 { range "0..255"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../end-value)"; description "ttl range lower value"; } leaf end-value { type uint8 { range "0..255"; } must "not(../../eq or ../../gt or ../../lt or ../../neq) and (../start-value)"; description "ttl range higher value"; } } // container range } // container ttl } // grouping ttl grouping undetermined-transport { container undetermined-transport { if-feature ipv6_acl_undetermined_transport_supported; presence "Undetermined transport packet (L4 protocol cannot be read)"; description "Undetermined transport packet (L4 protocol cannot be read)"; } // container undetermined-transport } // grouping undetermined-transport grouping headers { leaf headers { type um-acl-types:header-bits-type; description "Match based on headers"; } } // grouping headers grouping udf { list udf { if-feature ipv6_acl_is_udf_supported; key "udf-name"; max-elements 8; description "Set User Defined Fields on this entry"; leaf udf-name { type string { length "1..16"; } description "UDF name"; } leaf udf-value { type xr2:Hex-integer; description "UDF value"; } leaf udf-mask { type xr2:Hex-integer; description "UDF mask"; } } // list udf } // grouping udf grouping match-option-common { container capture { if-feature ipv6_acl_capture_implemented; presence "Capture matched packet"; description "Capture matched packet"; } // container capture leaf counter { if-feature ipv6_acl_counter_supported; type string { length "1..64"; } description "counter for this ACE"; } container log { presence "Log matches against this entry"; description "Log matches against this entry"; } // container log container log-input { presence "Log matches against this entry, including input interface"; description "Log matches against this entry, including input interface"; } // container log-input container set { if-feature ipv6_acl_is_set_action_supported; description "Set action on this entry"; leaf qos-group { if-feature ipv6_acl_is_set_qos_group_supported; type uint16 { range "0..512"; } description "qos-group number"; } leaf ttl { if-feature ipv6_acl_is_set_ttl_supported; type uint8 { range "0..255"; } description "Set ttl value"; } } // container set } // grouping match-option-common grouping protocol-common { leaf protocol { type um-acl-types:ipv6-protocol; must "not(../eq or ../range/start-protocol or ../range/end-protocol)"; description "An IPv6 Protocol"; } leaf eq { type um-acl-types:ipv6-protocol; must "not(../protocol or ../range/start-protocol or ../range/end-protocol)"; description "Match only packets with exact protocol numbers"; } container range { if-feature ipv6_acl_protocol_range_implemented; description "Match only packets in the range of protocol numbers"; leaf start-protocol { type um-acl-types:ipv6-protocol; must "not(../../protocol or ../../eq) and (../end-protocol)"; description "An IPv6 Protocol"; } leaf end-protocol { type um-acl-types:ipv6-protocol; must "not(../../protocol or ../../eq) and (../start-protocol)"; description "An IPv6 Protocol"; } } // container range } // grouping protocol-common grouping nexthops { container default { presence "Use specified default nexthop on match against this entry"; description "Use specified default nexthop on match against this entry"; } // container default container nexthop1 { if-feature ipv6_acl_abf_implemented; presence "Forward to specified nexthop on match against this entry"; description "Forward to specified nexthop on match against this entry"; leaf ipv6 { type inet:ipv6-address; description "nexthop1 ipv6 address"; } leaf track { if-feature ipv6_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop1 container nexthop2 { must "(../nexthop1/vrf and ../nexthop1/ipv6) or ../nexthop1/vrf or ../nexthop1/ipv6"; presence "Forward to specified nexthop on match against this entry"; description "Another nexthop"; leaf ipv6 { type inet:ipv6-address; description "nexthop2 ipv6 address"; } leaf track { if-feature ipv6_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop2 container nexthop3 { must "(../nexthop2/vrf and ../nexthop2/ipv6) or ../nexthop2/vrf or ../nexthop2/ipv6"; presence "Forward to specified nexthop on match against this entry"; description "Another nexthop"; leaf ipv6 { type inet:ipv6-address; description "nexthop3 ipv6 address"; } leaf track { if-feature ipv6_acl_abf_track_implemented; type string { length "1..32"; } description "specific TRACK Name for this nexthop"; } leaf vrf { type string { length "1..32"; } description "Specific VRF Name for this nexthop"; } } // container nexthop3 } // grouping nexthops container ipv6 { description "Configure ipv6 access-list"; container access-list-options { container log-update { description "Control access lists log updates"; leaf threshold { type uint32 { range "1..2147483647"; } description "Set access-list logging threshold"; } leaf rate { type uint16 { range "1..1000"; } description "Set access-list logging rate (num. logs per second)"; } } // container log-update } // container access-list-options container access-lists { description "Access-lists"; list access-list { key "access-list-name"; description "Access-list commands"; leaf access-list-name { type string { length "1..64"; } description "Access list name - maximum 64 characters"; } container sequences { description "Access list entries"; list sequence { must "deny or permit or remark"; key "sequence-number"; description "access list entry"; leaf sequence-number { type uint32 { range "1..2147483643"; } description "Sequence number for this entry"; } container deny { must "(protocol or eq or range) and (source and destination) and (not(log and log-input))"; presence "Grant type Deny"; uses protocol-common; uses ace-common; uses match-option-common; container icmp-off { presence "Do not generate the ICMP message"; description "Do not generate the ICMP message"; } // container icmp-off } // container deny container permit { must "(protocol or eq or range) and (source and destination) and (not(log and log-input))"; presence "Grant type Permit"; uses protocol-common; uses ace-common; uses nexthops; uses match-option-common; } // container permit leaf remark { type string { length "0..255"; } description "Comment for access list"; } } // list sequence } // container sequences } // list access-list } // container access-lists } // container ipv6 } // module Cisco-IOS-XR-um-ipv6-access-list-cfg
© 2023 YumaWorks, Inc. All rights reserved.