From 2d542fa542cbcec3ea2d359ed85480e74ba046be Mon Sep 17 00:00:00 2001 From: Abhishek Dharwadkar Date: Mon, 8 Jun 2020 21:46:40 -0700 Subject: [PATCH 1/4] HLD update for PBR and Klish commands for Flow based services and ACL --- L24Services/ACL/ACLEnhancements.md | 1698 +++++++++++++++++----------- 1 file changed, 1050 insertions(+), 648 deletions(-) diff --git a/L24Services/ACL/ACLEnhancements.md b/L24Services/ACL/ACLEnhancements.md index 6c3f6b938a2e..a2975bf8c377 100644 --- a/L24Services/ACL/ACLEnhancements.md +++ b/L24Services/ACL/ACLEnhancements.md 
@@ -1,165 +1,219 @@ -# ACL Enhancements in SONiC -High level design document version 0.3 +# ACL and Flow Based Services in SONiC + +High level design document version 0.4 # Table of Contents -- **[List of Tables](#List-of-Tables)** -- **[Revision](#Revision)** -- **[About this Manual](#About-this-Manual)** -- **[Scope](#Scope)** -- **[Definition/Abbreviation](#Definition_Abbreviation)** - - [Table 1 Abbreviations](#Table-1-Abbreviations) -- **[1 Feature Overview](#1-Feature-Overview)** - - [1.1 Access control Lists](#1_1-Access-control-Lists) - - [1.2 Flow Based Services](#1_2-Flow-Based-Services) - - [1.3 Requirements](#1_3-Requirements) - - [1.3.1 Functional Requirements](#1_3_1-Functional-Requirements) - - [1.3.2 Configuration and Management Requirements](#1_3_2-Configuration-and-Management-Requirements) - - [1.3.3 Scalability Requirements](#1_3_3-Scalability-Requirements) - - [1.3.4 Warm Boot Requirements](#1_3_4-Warm-Boot-Requirements) - - [1.4 Design Overview](#1_4-Design-Overview) - - [1.4.1 Basic Approach](#1_4_1-Basic-Approach) - - [1.4.1.1 ACL Enhancements](#1_4_1_1-ACL-Enhancements) - - [1.4.1.2 Flow Based Services](#1_4_1_2-Flow-Based-Services) - - [1.4.2 Container](#1_4_2-Container) - - [1.4.3 SAI Overview](#1_4_3-SAI-Overview) -- **[2 Functionality](#2-Functionality)** - - [2.1 Target Deployment Use Cases](#2_1-Target-Deployment-Use-Cases) - - [2.2 Functional Description](#2_2-Functional-Description) - - [2.2.1 ACL](#2_2_1-ACL) - - [2.2.1.1 ACL enhancements for table of type l3 and l3v6](#2_2_1_1-ACL-enhancements-for-table-of-type-l3-and-l3v6) - - [2.2.1.2 L2 ACLs](#2_2_1_2-L2-ACLs) - - [2.2.1.3 VLAN ACLs](#2_2_1_3-VLAN-ACLs) - - [2.2.1.4 Switch ACLs](#2_2_1_4-Switch-ACLs) - - [2.2.1.5 ACL Lookup mode](#2_2_1_5-ACL-Lookup-mode) - - [2.2.1.6 Default rule for ACL tables of type l2, l3 and l3v6](#2_2_1_6-Default-rule-for-ACL-tables-of-type-l2,-l3-and-l3v6) - - [2.2.1.7 Evaluation of ACLs applied on different 
interfaces](#2_2_1_7-Evaluation-of-ACLs-applied-on-different-interfaces) - - [2.2.1.8 Interaction of L2 and IPv4/IPv6 ACLs](#2_2_1_8-Interaction-of-L2-and-IPv4_IPv6-ACLs) - - [2.2.2 Flow based services](#2_2_2-Flow-based-services) - - [2.2.2.1 Classifiers](#2_2_2_1-Classifiers) - - *[2.2.2.1.1 Classification using ACLs](#2_2_2_1_1-Classification-using-ACLs)* - - *[2.2.2.1.1.1 ACL Rules with permit action](#2_2_2_1_1_1-ACL-Rules-with-permit-action)* - - *[2.2.2.1.1.2 ACL Rules with deny action](#2_2_2_1_1_2-ACL-Rules-with-deny-action)* - - *[2.2.2.1.2 Classification using L2-L4 header fields](#2_2_2_1_2-Classification-using-L2_L4-header-fields)* - - [2.2.2.2 Policies](#2_2_2_2-Policies) - - *[2.2.2.2.1 Policy of type QoS](#2_2_2_2_1-Policy-of-type-QoS)* - - *[2.2.2.2.2 Policy of type Monitoring](#2_2_2_2_2-Policy-of-type-Monitoring)* - - [2.2.2.3 Applying policies to interfaces](#2_2_2_3-Applying-policies-to-interfaces) - - *[2.2.2.3.1 Evaluation of traffic within the same policy](#2_2_2_3_1-Evaluation-of-traffic-within-the-same-policy)* - - *[2.2.2.3.2 Evaluation of traffic across interfaces of same types](#2_2_2_3_2-Evaluation-of-traffic-across-interfaces-of-same-types)* - - *[2.2.2.3.3 Evaluation of traffic across interfaces of different types](#2_2_2_3_3-Evaluation-of-traffic-across-interfaces-of-different-types)* - - *[2.2.2.3.4 Evaluation of traffic across policies of different types](#2_2_2_3_4-Evaluation-of-traffic-across-policies-of-different-types)* - - [2.3 Feature support matrix](#2_3-Feature-support-matrix) - - [2.3.1 Policy Type support](#2_3_1-Policy-Type-support) - - [2.3.2 QoS Policy actions support](#2_3_2-QoS-Policy-actions-support) - - [2.3.3 Monitoring Policy actions support](#2_3_3-Monitoring-Policy-actions-support) -- **[3 Design](#3-Design)** - - [3.1 Overview](#3_1-Overview) - - [3.2 DB Changes](#3_2-DB-Changes) - - [3.2.1 Config DB](#3_2_1-Config-DB) - - [3.2.1.1 Hardware Table](#3_2_1_1-Hardware-Table) - - [3.2.1.2 ACL 
Table](#3_2_1_2-ACL-Table) - - [3.2.1.3 ACL Rule](#3_2_1_3-ACL-Rule) - - *[3.2.1.3.1 ACL Rule of type L2](#3_2_1_3_1-ACL-Rule-of-type-L2)* - - [3.2.1.4 ACL Rule of type l3 or l3v6](#3_2_1_4-ACL-Rule-of-type-l3-or-l3v6) - - [3.2.1.5 Classifier table](#3_2_1_5-Classifier-table) - - [3.2.1.6 Policy table](#3_2_1_6-Policy-table) - - [3.2.1.7 Policy sections table](#3_2_1_7-Policy-sections-table) - - [3.2.1.8 Policy binding table](#3_2_1_8-Policy-binding-table) - - [3.2.2 App DB](#3_2_2-App-DB) - - [3.2.2.1 ACL Table](#3_2_2_1-ACL-Table) - - [3.2.2.2 ACL Rule](#3_2_2_2-ACL-Rule) - - [3.2.3 State DB](#3_2_3-State-DB) - - [3.2.4 ASIC DB](#3_2_4-ASIC-DB) - - [3.2.5 Counter DB](#3_2_5-Counter-DB) - - [3.3 Switch State Service Design](#3_3-Switch-State-Service-Design) - - [3.3.1 Orchestration Agent](#3_3_1-Orchestration-Agent) - - [3.3.2 ACL Services daemon](#3_3_2-ACL-Services-daemon) - - [3.3.2.1 ACL Manager](#3_3_2_1-ACL-Manager) - - [3.3.2.2 Policy Manager](#3_3_2_2-Policy-Manager) - - [3.3.3 Other Process](#3_3_3-Other-Process) - - [3.4 SyncD](#3_4-SyncD) - - [3.5 SAI](#3_5-SAI) - - [3.6 Manageability](#3_6-Manageability) - - [3.6.1 Data Models](#3_6_1-Data-Models) - - [3.6.2 Configuration Commands](#3_6_2-Configuration-Commands) - - [3.6.2.1 Configuring ACL lookup mode](#3_6_2_1-Configuring-ACL-lookup-mode) - - [3.6.2.2 Create classifier](#3_6_2_2-Create-classifier) - - [3.6.2.3 Update classifier with match parameters](#3_6_2_3-Update-classifier-with-match-parameters) - - [3.6.2.4 Delete classifier](#3_6_2_4-Delete-classifier) - - [3.6.2.5 Add policy](#3_6_2_5-Add-policy) - - [3.6.2.6 Delete policy](#3_6_2_6-Delete-policy) - - [3.6.2.7 Add flow identified by a classifier to a policy](#3_6_2_7-Add-flow-identified-by-a-classifier-to-a-policy) - - [3.6.2.8 Delete flow identified by a classifier to a policy](#3_6_2_8-Delete-flow-identified-by-a-classifier-to-a-policy) - - [3.6.2.9 Add action(s) to flows](#3_6_2_9-Add-actions-to-flows) - - [3.6.2.10 Apply and remove the 
policy to interface](#3_6_2_10-Apply-and-remove-the-policy-to-interface) - - [3.6.3 Show Commands](#3_6_3-Show-Commands) - - [3.6.3.1 Show classifier details](#3_6_3_1-Show-classifier-details) - - [3.6.3.2 Show policy details](#3_6_3_2-Show-policy-details) - - [3.6.3.3 Show policy binding summary](#3_6_3_3-Show-policy-binding-summary) - - [3.6.3.4 Show/Clear policy binding and counters for an interface](#3_6_3_4-Show_Clear-policy-binding-and-counters-for-an-interface) - - [3.6.3.5 Show/Clear policy binding and counters for a policy](#3_6_3_5-Show_Clear-policy-binding-and-counters-for-a-policy) - - [3.6.3.6 TCAM Allocation](#3_6_3_6-TCAM-Allocation) - - *[3.6.3.6.1 Available predefined TCAM profiles](#3_6_3_6_1-Available-predefined-TCAM-profiles)* - - *[3.6.3.6.2 Predefined TCAM profile details](#3_6_3_6_2-Predefined-TCAM-profile-details)* - - *[3.6.3.6.3 Setting the predefined profile](#3_6_3_6_3-Setting-the-predefined-profile)* - - *[3.6.3.6.4 Checking the current TCAM Allocation](#3_6_3_6_4-Checking-the-current-TCAM-Allocation)* - - *[3.6.3.6.5 Clearing the TCAM Allocation scheme.](#3_6_3_6_5-Clearing-the-TCAM-Allocation-scheme_)* - - *[3.6.3.6.6 Modifying the current TCAM allocation](#3_6_3_6_6-Modifying-the-current-TCAM-allocation)* - - *[3.6.3.6.7 Setting a custom TCAM allocation](#3_6_3_6_7-Setting-a-custom-TCAM-allocation)* - - [3.6.4 REST / gNMI / IS CLI API Support](#3_6_4-REST-_-gNMI-_-IS-CLI-API-Support) -- **[4 Flow Diagrams](#4-Flow-Diagrams)** - - [4.1 Create a Classifier](#4_1-Create-a-Classifier) - - [4.2 Create a QoS Policy and Section](#4_2-Create-a-QoS-Policy-and-Section) - - [4.3 Bind QoS policy to an interface](#4_3-Bind-QoS-policy-to-an-interface) - - [4.4 Creating ACL rules with policer](#4_4-Creating-ACL-rules-with-policer) - - [4.5 Deleting ACL Rules with policer](#4_5-Deleting-ACL-Rules-with-policer) -- **[5 Error Handling](#5-Error-Handling)** -- **[6 Serviceability and Debug](#6-Serviceability-and-Debug)** -- **[7 Warm Boot 
Support](#7-Warm-Boot-Support)** -- **[8 Scalability](#8-Scalability)** - - [8.1 Software scalability](#8_1-Software-scalability) - - [8.2 ACL Table Scalability](#8_2-ACL-Table-Scalability) -- **[9 Limitation](#9-Limitation)** -- **[10 Unit Test](#10-Unit-Test)** -- **[11 Appendix A: Sample configuration](#11-Appendix-A:-Sample-configuration)** -- **[12 Internal Design Information](#12-Internal-Design-Information)** - - [12.1 Future Design Enhancements](#12_1-Future-Design-Enhancements) - - [12.2 IS CLIs (Deferred from Buzznik release)](#12_2-IS-CLIs-Deferred-from-Buzznik-release) - - [12.2.1 Configuration Commands](#12_2_1-Configuration-Commands) - - [12.2.1.1 Create or delete classifiers](#12_2_1_1-Create-or-delete-classifiers) - - [12.2.1.2 Add or Delete Match ACL to classifier](#12_2_1_2-Add-or-Delete-Match-ACL-to-classifier) - - [12.2.1.3 Add or Delete Match on Source MAC](#12_2_1_3-Add-or-Delete-Match-on-Source-MAC) - - [12.2.1.4 Add or Delete Match on Destination MAC](#12_2_1_4-Add-or-Delete-Match-on-Destination-MAC) - - [12.2.1.5 Add or Delete Match on Ethertype](#12_2_1_5-Add-or-Delete-Match-on-Ethertype) - - [12.2.1.6 Add or Delete Match on Source IPv4 Address](#12_2_1_6-Add-or-Delete-Match-on-Source-IPv4-Address) - - [12.2.1.7 Add or Delete Match on Destination IPv4 Address](#12_2_1_7-Add-or-Delete-Match-on-Destination-IPv4-Address) - - [12.2.1.8 Add or Delete Match on Source IPv6 Address](#12_2_1_8-Add-or-Delete-Match-on-Source-IPv6-Address) - - [12.2.1.9 Add or Delete Match on Destination IPv6 Address](#12_2_1_9-Add-or-Delete-Match-on-Destination-IPv6-Address) - - [12.2.1.10 Add or Delete Match on IP Protocol](#12_2_1_10-Add-or-Delete-Match-on-IP-Protocol) - - [12.2.1.11 Match Source or Destination TCP or UDP Port](#12_2_1_11-Match-Source-or-Destination-TCP-or-UDP-Port) - - [12.2.1.12 Match Source or Destination TCP or UDP Port](#12_2_1_12-Match-Source-or-Destination-TCP-or-UDP-Port) - - [12.2.1.13 Match TCP Flags](#12_2_1_13-Match-TCP-Flags) - - 
[12.2.1.14 Add or delete description to the classifier](#12_2_1_14-Add-or-delete-description-to-the-classifier) - - [12.2.1.15 Add or delete policy](#12_2_1_15-Add-or-delete-policy) - - [12.2.1.16 Add or delete flow identified by a classifier to a policy](#12_2_1_16-Add-or-delete-flow-identified-by-a-classifier-to-a-policy) - - [12.2.1.17 Add DSCP Remarking action for QoS policy](#12_2_1_17-Add-DSCP-Remarking-action-for-QoS-policy) - - [12.2.1.18 Add PCP Remarking action for QoS policy](#12_2_1_18-Add-PCP-Remarking-action-for-QoS-policy) - - [12.2.1.19 Add policer for QoS policy](#12_2_1_19-Add-policer-for-QoS-policy) - - [12.2.1.20 Apply and remove the policy to interface](#12_2_1_20-Apply-and-remove-the-policy-to-interface) - - [12.2.2 Show Commands](#12_2_2-Show-Commands) - - [12.2.2.1 Show classifier details](#12_2_2_1-Show-classifier-details) - - [12.2.2.2 Show policy details](#12_2_2_2-Show-policy-details) - - [12.2.2.3 Show policy binding summary](#12_2_2_3-Show-policy-binding-summary) - - [12.2.2.4 Show policy binding for an interface](#12_2_2_4-Show-policy-binding-for-an-interface) - - [12.2.2.5 Show policy binding for a given policy](#12_2_2_5-Show-policy-binding-for-a-given-policy) - - [12.2.2.6 Clear policy binding statistics for an interface](#12_2_2_6-Clear-policy-binding-statistics-for-an-interface) - - [12.2.2.7 Clear policy binding statistics for a given policy](#12_2_2_7-Clear-policy-binding-statistics-for-a-given-policy) - - [12.2.2.8 Configuring ACL lookup mode](#12_2_2_8-Configuring-ACL-lookup-mode) - - [12.2.2.9 Creating a MAC ACL](#12_2_2_9-Creating-a-MAC-ACL) - - [12.2.2.10 Creating a MAC ACL Rule](#12_2_2_10-Creating-a-MAC-ACL-Rule) - - [12.2.2.11 Applying ACL to different interfaces](#12_2_2_11-Applying-ACL-to-different-interfaces) - - [12.2.2.12 Applying ACL to switch](#12_2_2_12-Applying-ACL-to-switch) +- **[List of Tables](#list-of-tables)** +- **[Revision](#revision)** +- **[About this Manual](#about-this-manual)** +- 
**[Scope](#scope)** +- **[Definition / Abbreviation](#definition-_-abbreviation)** + - [Table 1 Abbreviations](#table-1-abbreviations) +- **[1 Feature Overview](#1-feature-overview)** + - [1.1 Access control Lists](#11-access-control-lists) + - [1.2 Flow Based Services](#12-flow-based-services) + - [1.3 Requirements](#13-requirements) + - [1.3.1 Functional Requirements](#131-functional-requirements) + - [1.3.2 Configuration and Management Requirements](#132-configuration-and-management-requirements) + - [1.3.3 Scalability Requirements](#133-scalability-requirements) + - [1.3.4 Warm Boot Requirements](#134-warm-boot-requirements) + - [1.4 Design Overview](#14-design-overview) + - [1.4.1 Basic Approach](#141-basic-approach) + - [1.4.1.1 ACL Enhancements](#1411-acl-enhancements) + - [1.4.1.2 Flow Based Services](#1412-flow-based-services) + - [1.4.2 Container](#142-container) + - [1.4.3 SAI Overview](#143-sai-overview) +- **[2 Functionality](#2-functionality)** + - [2.1 Target Deployment Use Cases](#21-target-deployment-use-cases) + - [2.2 Functional Description](#22-functional-description) + - [2.2.1 ACL](#221-acl) + - [2.2.1.1 ACL enhancements for table of type l3 and l3v6](#2211-acl-enhancements-for-table-of-type-l3-and-l3v6) + - [2.2.1.2 L2 ACLs](#2212-l2-acls) + - [2.2.1.3 VLAN ACLs](#2213-vlan-acls) + - [2.2.1.4 Switch ACLs](#2214-switch-acls) + - [2.2.1.5 ACL Lookup mode](#2215-acl-lookup-mode) + - [2.2.1.6 Default rule for ACL tables of type l2, l3 and l3v6](#2216-default-rule-for-acl-tables-of-type-l2-l3-and-l3v6) + - [2.2.1.7 Evaluation of ACLs applied on different interfaces](#2217-evaluation-of-acls-applied-on-different-interfaces) + - [2.2.1.8 Interaction of L2 and IPv4 / IPv6 ACLs](#2218-interaction-of-l2-and-ipv4-_-ipv6-acls) + - [2.2.2 Flow based services](#222-flow-based-services) + - [2.2.2.1 Classifiers](#2221-classifiers) + - *[2.2.2.1.1 Classification using ACLs](#22211-classification-using-acls)* + - *[2.2.2.1.1.1 ACL Rules with permit 
action](#222111-acl-rules-with-permit-action)* + - *[2.2.2.1.1.2 ACL Rules with deny action](#222112-acl-rules-with-deny-action)* + - *[2.2.2.1.2 Classification using L2-L4 header fields](#22212-classification-using-l2-l4-header-fields)* + - [2.2.2.2 Policies](#2222-policies) + - *[2.2.2.2.1 Policy of type QoS](#22221-policy-of-type-qos)* + - *[2.2.2.2.2 Policy of type Monitoring](#22222-policy-of-type-monitoring)* + - *[2.2.2.2.3 Policy of type Forwarding](#22223-policy-of-type-forwarding)* + - [2.2.2.3 Applying policies to interfaces](#2223-applying-policies-to-interfaces) + - *[2.2.2.3.1 Evaluation of traffic within the same policy](#22231-evaluation-of-traffic-within-the-same-policy)* + - *[2.2.2.3.2 Evaluation of traffic across interfaces of same types](#22232-evaluation-of-traffic-across-interfaces-of-same-types)* + - *[2.2.2.3.3 Evaluation of traffic across interfaces of different types](#22233-evaluation-of-traffic-across-interfaces-of-different-types)* + - *[2.2.2.3.4 Evaluation of traffic across policies of different types](#22234-evaluation-of-traffic-across-policies-of-different-types)* + - [2.3 Feature support matrix](#23-feature-support-matrix) + - [2.3.1 Policy Type support](#231-policy-type-support) + - [2.3.2 QoS policy actions support](#232-qos-policy-actions-support) + - [2.3.3 Monitoring policy actions support](#233-monitoring-policy-actions-support) + - [2.3.4 Forwarding policy actions support](#234-forwarding-policy-actions-support) +- **[3 Design](#3-design)** + - [3.1 Overview](#31-overview) + - [3.2 DB Changes](#32-db-changes) + - [3.2.1 Config DB](#321-config-db) + - [3.2.1.1 Hardware Table](#3211-hardware-table) + - [3.2.1.2 ACL Table](#3212-acl-table) + - [3.2.1.3 ACL Rule](#3213-acl-rule) + - *[3.2.1.3.1 ACL Rule of type L2](#32131-acl-rule-of-type-l2)* + - [3.2.1.4 ACL Rule of type l3 or l3v6](#3214-acl-rule-of-type-l3-or-l3v6) + - [3.2.1.5 Classifier table](#3215-classifier-table) + - [3.2.1.6 Policy table](#3216-policy-table) + - 
[3.2.1.7 Policy sections table](#3217-policy-sections-table) + - [3.2.1.8 Policy binding table](#3218-policy-binding-table) + - [3.2.2 App DB](#322-app-db) + - [3.2.2.1 ACL Table](#3221-acl-table) + - [3.2.2.2 ACL Rule Table](#3222-acl-rule-table) + - [3.2.2.3 Policy based forwarding group table](#3223-policy-based-forwarding-group-table) + - [3.2.3 State DB](#323-state-db) + - [3.2.3.1 Policy based forwarding group state](#3231-policy-based-forwarding-group-state) + - [3.2.4 ASIC DB](#324-asic-db) + - [3.2.5 Counter DB](#325-counter-db) + - [3.3 Switch State Service Design](#33-switch-state-service-design) + - [3.3.1 Orchestration Agent](#331-orchestration-agent) + - [3.3.1.1 Policy Based Forwarding Orchestration agent](#3311-policy-based-forwarding-orchestration-agent) + - [3.3.2 ACL Services daemon](#332-acl-services-daemon) + - [3.3.2.1 ACL Manager](#3321-acl-manager) + - [3.3.2.2 Policy Manager](#3322-policy-manager) + - [3.3.3 Other Process](#333-other-process) + - [3.4 SyncD](#34-syncd) + - [3.5 SAI](#35-sai) + - [3.6 Manageability](#36-manageability) + - [3.6.1 Data Models](#361-data-models) + - [3.6.2 Configuration Commands](#362-configuration-commands) + - [3.6.2.1 Configuring ACL Counter mode](#3621-configuring-acl-counter-mode) + - *[3.6.2.1.1 Configuring ACL Counter mode using Sonic-CLI](#36211-configuring-acl-counter-mode-using-sonic-cli)* + - *[3.6.2.1.2 Configuring ACL lookup mode using Click CLI (Deprecated)](#36212-configuring-acl-lookup-mode-using-click-cli-deprecated)* + - [3.6.2.2 Creating/Deleting a MAC/IPv4/IPv6 ACL](#3622-creating_deleting-a-mac_ipv4_ipv6-acl) + - [3.6.2.3 Creating/Deleting a MAC ACL Rule](#3623-creating_deleting-a-mac-acl-rule) + - [3.6.2.4 Creating/Deleting a IP ACL Rule](#3624-creating_deleting-a-ip-acl-rule) + - [3.6.2.5 Creating/Deleting a IPv6 ACL Rule](#3625-creating_deleting-a-ipv6-acl-rule) + - [3.6.2.6 Adding/Deleting ACL remark](#3626-adding_deleting-acl-remark) + - [3.6.2.7 Adding/Deleting ACL Rule 
Remark](#3627-adding_deleting-acl-rule-remark) + - [3.6.2.8 Applying ACL](#3628-applying-acl) + - *[3.6.2.8.1 Applying ACL to different interfaces](#36281-applying-acl-to-different-interfaces)* + - *[3.6.2.8.2 Applying ACL globally](#36282-applying-acl-globally)* + - *[3.6.2.8.3 Applying ACL to Control Plane](#36283-applying-acl-to-control-plane)* + - [3.6.2.9 Create classifier](#3629-create-classifier) + - *[3.6.2.9.1 Creating classifier through Sonic-CLI](#36291-creating-classifier-through-sonic-cli)* + - *[3.6.2.9.2 Creating classifier through click cli (Deprecated)](#36292-creating-classifier-through-click-cli-deprecated)* + - [3.6.2.10 Update classifier match parameters](#36210-update-classifier-match-parameters) + - *[3.6.2.10.1 Update classifier match parameters using Sonic-CLI](#362101-update-classifier-match-parameters-using-sonic-cli)* + - *[3.6.2.10.1.1 Add or delete match ACL to classifier](#3621011-add-or-delete-match-acl-to-classifier)* + - *[3.6.2.10.1.2 Add or delete match on source MAC](#3621012-add-or-delete-match-on-source-mac)* + - *[3.6.2.10.1.3 Add or delete match on destination MAC](#3621013-add-or-delete-match-on-destination-mac)* + - *[3.6.2.10.1.4 Add or delete match on ethertype](#3621014-add-or-delete-match-on-ethertype)* + - *[3.6.2.10.1.5 Add or delete match on PCP](#3621015-add-or-delete-match-on-pcp)* + - *[3.6.2.10.1.6 Add or delete match on VLAN ID](#3621016-add-or-delete-match-on-vlan-id)* + - *[3.6.2.10.1.7 Add or delete match on source IPv4 Address](#3621017-add-or-delete-match-on-source-ipv4-address)* + - *[3.6.2.10.1.8 Add or delete match on destination IPv4 Address](#3621018-add-or-delete-match-on-destination-ipv4-address)* + - *[3.6.2.10.1.9 Add or delete match on source IPv6 Address](#3621019-add-or-delete-match-on-source-ipv6-address)* + - *[3.6.2.10.1.10 Add or delete match on destination IPv4 Address](#36210110-add-or-delete-match-on-destination-ipv4-address)* + - *[3.6.2.10.1.11 Add or delete match on IP 
Protocol](#36210111-add-or-delete-match-on-ip-protocol)* + - *[3.6.2.10.1.12 Add or delete match on source TCP or UDP Port](#36210112-add-or-delete-match-on-source-tcp-or-udp-port)* + - *[3.6.2.10.1.13 Add or delete match on destination TCP or UDP Port](#36210113-add-or-delete-match-on-destination-tcp-or-udp-port)* + - *[3.6.2.10.1.14 Add or delete match on TCP flags](#36210114-add-or-delete-match-on-tcp-flags)* + - *[3.6.2.10.2 Update classifier match parameters using Click CLI (Deprecated)](#362102-update-classifier-match-parameters-using-click-cli-deprecated)* + - [3.6.2.11 Add classifier description](#36211-add-classifier-description) + - [3.6.2.12 Delete classifier description](#36212-delete-classifier-description) + - [3.6.2.13 Delete classifier](#36213-delete-classifier) + - *[3.6.2.13.1 Delete classifier using Sonic-CLI](#362131-delete-classifier-using-sonic-cli)* + - *[3.6.2.13.2 Delete classifier using Click CLI (Deprecated)](#362132-delete-classifier-using-click-cli-deprecated)* + - [3.6.2.14 Add policy](#36214-add-policy) + - *[3.6.2.14.1 Add policy using Sonic-CLI](#362141-add-policy-using-sonic-cli)* + - *[3.6.2.14.2 Add policy using Click CLI (Deprecated)](#362142-add-policy-using-click-cli-deprecated)* + - [3.6.2.15 Delete policy](#36215-delete-policy) + - *[3.6.2.15.1 Deleting policy using Sonic-CLI](#362151-deleting-policy-using-sonic-cli)* + - *[3.6.2.15.2 Deleting policy using Click CLI (Deprecated)](#362152-deleting-policy-using-click-cli-deprecated)* + - [3.6.2.16 Add policy description](#36216-add-policy-description) + - [3.6.2.17 Delete policy description](#36217-delete-policy-description) + - [3.6.2.18 Add flow identified by a classifier to a policy](#36218-add-flow-identified-by-a-classifier-to-a-policy) + - *[3.6.2.18.1 Add flow using Sonic-CLI](#362181-add-flow-using-sonic-cli)* + - *[3.6.2.18.2 Add flow using Click CLI (Deprecated)](#362182-add-flow-using-click-cli-deprecated)* + - [3.6.2.19 Delete flow identified by a classifier to a 
policy](#36219-delete-flow-identified-by-a-classifier-to-a-policy) + - [3.6.2.20 Deleting flow using Sonic-CLI](#36220-deleting-flow-using-sonic-cli) + - [3.6.2.21 Deleting flow using Click CLI (Deprecated)](#36221-deleting-flow-using-click-cli-deprecated) + - [3.6.2.22 Add flow description](#36222-add-flow-description) + - [3.6.2.23 Delete flow description](#36223-delete-flow-description) + - [3.6.2.24 Add action(s) to flows](#36224-add-actions-to-flows) + - *[3.6.2.24.1 Add QoS actions to the flow using Sonic-CLI](#362241-add-qos-actions-to-the-flow-using-sonic-cli)* + - *[3.6.2.24.1.1 Add DSCP remarking action](#3622411-add-dscp-remarking-action)* + - *[3.6.2.24.1.2 Delete DSCP remarking action](#3622412-delete-dscp-remarking-action)* + - *[3.6.2.24.1.3 Add PCP remarking action](#3622413-add-pcp-remarking-action)* + - *[3.6.2.24.1.4 Delete PCP remarking action](#3622414-delete-pcp-remarking-action)* + - *[3.6.2.24.1.5 Add policer action](#3622415-add-policer-action)* + - *[3.6.2.24.1.6 Delete policer action](#3622416-delete-policer-action)* + - *[3.6.2.24.1.7 Add set traffic-class action](#3622417-add-set-traffic-class-action)* + - *[3.6.2.24.1.8 Delete set traffic-class action](#3622418-delete-set-traffic-class-action)* + - *[3.6.2.24.2 Adding monitoring actions to the flow](#362242-adding-monitoring-actions-to-the-flow)* + - *[3.6.2.24.2.1 Adding mirror session action](#3622421-adding-mirror-session-action)* + - *[3.6.2.24.2.2 Deleting mirror session action](#3622422-deleting-mirror-session-action)* + - *[3.6.2.24.3 Adding forwarding actions to the flow](#362243-adding-forwarding-actions-to-the-flow)* + - *[3.6.2.24.3.1 Adding / Deleting IPv4 next-hop](#3622431-adding-_-deleting-ipv4-next-hop)* + - *[3.6.2.24.3.2 Adding / Deleting IPv6 next-hop](#3622432-adding-_-deleting-ipv6-next-hop)* + - *[3.6.2.24.3.3 Adding / Deleting egress interface](#3622433-adding-_-deleting-egress-interface)* + - *[3.6.2.24.3.4 Adding default drop 
action](#3622434-adding-default-drop-action)* + - *[3.6.2.24.4 Add flow actions using Click CLIs (Deprecated)](#362244-add-flow-actions-using-click-clis-deprecated)* + - [3.6.2.25 Applying the policy to an interface](#36225-applying-the-policy-to-an-interface) + - *[3.6.2.25.1 Applying policy to an interface using Sonic-CLI](#362251-applying-policy-to-an-interface-using-sonic-cli)* + - *[3.6.2.25.2 Applying policy to an interface using Click CLI (Deprecated)](#362252-applying-policy-to-an-interface-using-click-cli-deprecated)* + - [3.6.2.26 Removing policy from an interface](#36226-removing-policy-from-an-interface) + - *[3.6.2.26.1 Removing policy from an interface using Sonic-CLI](#362261-removing-policy-from-an-interface-using-sonic-cli)* + - *[3.6.2.26.2 Removing policy from an interface using Click CLI (Deprecated)](#362262-removing-policy-from-an-interface-using-click-cli-deprecated)* + - [3.6.3 Show Commands](#363-show-commands) + - [3.6.3.1 Show ACL binding summary](#3631-show-acl-binding-summary) + - [3.6.3.2 Show ACL Rules and statistics](#3632-show-acl-rules-and-statistics) + - [3.6.3.3 Clear ACL statistics](#3633-clear-acl-statistics) + - [3.6.3.4 Show classifier details](#3634-show-classifier-details) + - *[3.6.3.4.1 Show classifier details using Sonic-CLI](#36341-show-classifier-details-using-sonic-cli)* + - *[3.6.3.4.2 Show classifier details using Click CLI (Deprecated)](#36342-show-classifier-details-using-click-cli-deprecated)* + - *[3.6.3.4.3 Show classifier sample output](#36343-show-classifier-sample-output)* + - [3.6.3.5 Show policy details](#3635-show-policy-details) + - *[3.6.3.5.1 Show policy details using Sonic-CLI](#36351-show-policy-details-using-sonic-cli)* + - *[3.6.3.5.2 Show policy details using Click-CLI (Deprecated)](#36352-show-policy-details-using-click-cli-deprecated)* + - *[3.6.3.5.3 Sample output](#36353-sample-output)* + - [3.6.3.6 Show policy binding summary](#3636-show-policy-binding-summary) + - *[3.6.3.6.1 Show policy 
binding summary using Sonic-CLI](#36361-show-policy-binding-summary-using-sonic-cli)* + - *[3.6.3.6.2 Show policy binding summary using Click CLI (Deprecated)](#36362-show-policy-binding-summary-using-click-cli-deprecated)* + - *[3.6.3.6.3 Show policy binding summary sample output](#36363-show-policy-binding-summary-sample-output)* + - [3.6.3.7 Show/Clear policy binding and counters for an interface](#3637-show_clear-policy-binding-and-counters-for-an-interface) + - *[3.6.3.7.1 Show/Clear policy binding and counters using SONiC-CLI](#36371-show_clear-policy-binding-and-counters-using-sonic-cli)* + - *[3.6.3.7.2 Show/Clear policy binding and counters using Click CLI (Deprecated)](#36372-show_clear-policy-binding-and-counters-using-click-cli-deprecated)* + - *[3.6.3.7.3 Show policy binding and counters sample output](#36373-show-policy-binding-and-counters-sample-output)* + - [3.6.3.8 TCAM Allocation](#3638-tcam-allocation) + - *[3.6.3.8.1 Available predefined TCAM profiles](#36381-available-predefined-tcam-profiles)* + - *[3.6.3.8.2 Predefined TCAM profile details](#36382-predefined-tcam-profile-details)* + - *[3.6.3.8.3 Setting the predefined profile](#36383-setting-the-predefined-profile)* + - *[3.6.3.8.4 Checking the current TCAM Allocation](#36384-checking-the-current-tcam-allocation)* + - *[3.6.3.8.5 Clearing the TCAM Allocation scheme.](#36385-clearing-the-tcam-allocation-scheme)* + - *[3.6.3.8.6 Modifying the current TCAM allocation](#36386-modifying-the-current-tcam-allocation)* + - *[3.6.3.8.7 Setting a custom TCAM allocation](#36387-setting-a-custom-tcam-allocation)* + - [3.6.4 REST / gNMI / IS CLI API Support](#364-rest-_-gnmi-_-is-cli-api-support) +- **[4 Flow Diagrams](#4-flow-diagrams)** + - [4.1 Create a Classifier](#41-create-a-classifier) + - [4.2 Create a QoS Policy and Section](#42-create-a-qos-policy-and-section) + - [4.3 Bind QoS policy to an interface](#43-bind-qos-policy-to-an-interface) + - [4.4 Creating ACL rules with 
policer](#44-creating-acl-rules-with-policer) + - [4.5 Deleting ACL Rules with policer](#45-deleting-acl-rules-with-policer) +- **[5 Error Handling](#5-error-handling)** +- **[6 Serviceability and Debug](#6-serviceability-and-debug)** +- **[7 Warm Boot Support](#7-warm-boot-support)** +- **[8 Scalability](#8-scalability)** + - [8.1 Software scalability](#81-software-scalability) + - [8.2 ACL Table Scalability](#82-acl-table-scalability) +- **[9 Limitation](#9-limitation)** +- **[10 Unit Test](#10-unit-test)** +- **[11 Appendix: Sample configuration](#11-appendix-sample-configuration)** +- **[12 Internal Design Information](#12-internal-design-information)** + - [12.1 Future Design Enhancements](#121-future-design-enhancements) # List of Tables [Table 1 Abbreviations](#table-1-abbreviations) @@ -169,7 +223,8 @@ High level design document version 0.3 | ---- | ---------- | ------------------- | ---------------------------------------- | | 0.1 | 07/12/2019 | Abhishek Dharwadkar | Initial version | | 0.2 | 10/15/2019 | Abhishek Dharwadkar | Add ACL enhancement and policing details | -| 0.3 | 11/10/2019 | Abhishek Dharwadkar | Add FBS support for mirroring | +| 0.3 | 11/10/2019 | Abhishek Dharwadkar | Add FBS support for mirroring | +| 0.4 | 03/25/2020 | Abhishek Dharwadkar | Add FBS support for forwarding | # About this Manual This document provides general information about the ACL enhancements and Flow Based Services feature in SONiC. @@ -177,7 +232,7 @@ This document provides general information about the ACL enhancements and Flow B # Scope This document provides general information about the ACL enhancements and Flow Based Services feature implementation in SONiC. -# Definition/Abbreviation +# Definition / Abbreviation ## Table 1 Abbreviations | **Term** | **Meaning** | 
@@ -187,6 +242,10 @@ This document provides general information about the ACL enhancements and Flow B | SPAN | Switch Port ANalyzer | | sFlow | Sampled flow | | MQC | Modular QoS CLIs | +| CIR | Commited Information Rate | +| CBS | Commited Burst Size | +| PIR | Peak Information Rate | +| PBS | Peak Burst Size | # 1 Feature Overview @@ -211,7 +270,7 @@ Example features might be: - 2. Monitoring (e.g. SPAN, sFlow) 3. Forwarding (e.g. PBR, L2 redirect) -This feature provides a common infrastructure service for such features, and implements DHCP and PCP remarking as the first user of this service - other features are to follow in future releases. The common infrastructure service can itself use the SONiC ACL feature for packet match rule definition, or can use it's own UI for more sophisticated classifiers. +This feature provides a common infrastructure service for such features. The common infrastructure service can itself use the SONiC ACL feature for packet match rule definition, or can use it's own UI for more sophisticated classifiers. ## 1.3 Requirements 
@@ -226,8 +285,8 @@ The following are the requirements for ACL enhancements and Flow Based Services 3. Provide a industry standard MQC equivalent framework for fine grained classification of the traffic via ACL or fields of L2-L4 header and take specific actions on the classified traffic. 4. Support DSCP, COS Remarking and Policing QoS action. 8. Support mirroring/SPAN action. -9. Enhance monitoring capabilities by supporting Flow based sFlow in future. -10. Enhance forwarding capabilities by supporting Flow based routing and Flow based forwarding in future. +9. Support flow based forwarding/routing. +10. Enhance monitoring capabilities by supporting Flow based sFlow in future. 11. Ability to bind multiple policies of different types to Ports/LAGs, VLANs and Switch. 12. Independent ingress and egress policy binding for a given interface. 13. Merge non conflicting actions from different policies using ASIC capabilities to simplify user configuration. 
@@ -306,15 +365,20 @@ The following diagram shows the different ACLs supported and the location where **Figure 1: ACL application at different stages** -The following diagram shows the evaluation order for datapath ACLs. The same is applicable for Flow based services also and will be captured in upcoming sections. datapath ACLs have a default deny any rule. This rule will be applied only after user configured ACL rules are evaluated at Port/LAG, VLAN and Switch Level. +The following diagram shows the evaluation order for datapath ACLs. The same is applicable for Flow based services also and will be captured in upcoming sections. Datapath ACLs have a default deny any rule. This rule will be applied only after user configured ACL rules are evaluated at Port/LAG, VLAN and Switch Level. ![ACL Evaluation order](images/ACLEvalMultiIntf.png "ACL Evaluation order") **Figure 2: ACL Evaluation order** -#### 2.2.1.8 Interaction of L2 and IPv4/IPv6 ACLs +#### 2.2.1.8 Interaction of L2 and IPv4 / IPv6 ACLs + +Security ACL match can result the following actions + +**Permit** : This action allows forwarding in data plane and trap to CPU. +**Deny** : This action disallows forwarding in data plane but allows traps to CPU. -An incoming traffic can match both L2 and L3 (IPv4/IPv6) datapath ACLs. The traffic will be dropped when either of the ACL gives a result of drop. The counters for both ACLs will be incremented to indicate the match. +An incoming traffic can match both L2 and L3 (IPv4/IPv6) datapath ACLs. The following table shows the combined result. The counters for both ACLs will be incremented to indicate the match. | Result from L2 ACL | Result from L3 ACL (IPv4 or IPv6) | Final Result | | ------------------ | --------------------------------- | ------------ | 
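Review bot: "Security ACL match can result the following actions" is missing "in" ("can result in the following actions"), and the two **Permit** / **Deny** lines that follow have neither a blank line nor a trailing double space between them, so Markdown folds them into one paragraph; make them a two-item list. Since Deny still allows traps to CPU, say explicitly that control-plane protection relies on the separate control-plane binding introduced later in this patch (3.6.2.8.3), so readers do not assume a datapath deny also blocks CPU-bound traffic.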
@@ -323,11 +387,13 @@ An incoming traffic can match both L2 and L3 (IPv4/IPv6) datapath ACLs. The traf | FORWARD | DROP | DROP | | DROP | DROP | DROP | +Please note that in the above table, its assumed that the L2ACL result is also applicable for L3 traffic. + ### 2.2.2 Flow based services Flow based services provide a modular and extensible framework to classify traffic and take appropriate action for the traffic. Flow based services can be used for different features like QoS, Forwarding and Monitoring. Flow based services configuration is made up of 3 parts -1. Classification of traffic via Classifiers +1. Classification of traffic via classifiers 2. Configuring actions to be taken for each classified flow via a Policy 3. Application of Policy to different interfaces @@ -371,6 +437,19 @@ Monitoring policies only support the following actions 1. SPAN/ERSPAN session using session name +Monitoring policies are supported only at ingress. + +##### 2.2.2.2.3 Policy of type Forwarding + +Forwarding policies only support the following actions + +1. Route IPv4 traffic to a IPv4 next-hop. +2. Route IPv6 traffic to a IPv6 next-hop. +3. Forward L2 traffic to specified interface. +4. Drop action if none of the next-hops are reachable or egress interface is not L2 and link up. + +Forwarding policies are supported only at ingress. + #### 2.2.2.3 Applying policies to interfaces When a policy is applied to an interface at ingress or egress, action will be taken in case of match, only traffic is ingressing or egressing from that interface. Traffic ingressing or egressing from other interfaces will not be affected. 
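Review bot: in the @@ -323 hunk "its assumed" should be "it is assumed", and the added sentence should say what the combined result is when the L2 ACL result is not applicable to the L3 traffic, since the table above it only covers the case where both results apply.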
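Review bot: item 4 of the forwarding actions in the @@ -371 hunk is ambiguous: "egress interface is not L2 and link up" reads as two separate conditions but appears to mean "is not an L2 interface that is link-up"; reword it. It also describes only a drop fallback, whereas the Config DB schema later in this patch allows `DEFAULT_PACKET_ACTION = "DROP" / "FORWARD"`; either document the FORWARD fallback here (what lookup the packet falls back to) or restrict the schema to DROP.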
@@ -386,9 +465,9 @@ A policy can be applied to the following interface types 2. VLAN : Traffic tagged with or classified into the VLAN will be affected if matched. 3. Switch : All traffic flowing through the switch will be affect if matched -Only 1 policy of a given type (e.g QoS) can be applied to an interface in a given direction. For example on Ethernet0 only 1 QoS policy say P1 can be applied at ingress. Its not possible to apply another QoS policy say P2 for Ethernet0 at ingress. +Only 1 policy of a given type (e.g QoS) can be applied to an interface in a given direction. For example on Ethernet0 only 1 QoS policy say P1 can be applied at ingress. Its not possible to apply another QoS policy say P2 for Ethernet0 at ingress. However user can apply policies of different types to the same interface. This gives user ability to classify the same traffic (using same or different classifier) and apply multiple actions of type qos, monitoring and forwarding etc to it. -The same policy can be applied to different interfaces and both ingress and egress. +The same policy can be also be applied to different interfaces and both ingress and egress (if supported). ##### 2.2.2.3.1 Evaluation of traffic within the same policy @@ -435,8 +514,10 @@ Policies of different types are designed to take specific actions. QoS Polices a | Policy Type | Release supported | | ----------- | ----------------- | | QoS | SONiC 3.0 | +| Monitoring | SONiC 3.0 | +| Forwarding | SONiC 3.1 | -### 2.3.2 QoS Policy actions support +### 2.3.2 QoS policy actions support | Feature | Release supported | | -------------- | ----------------- | 
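Review bot: "can be also be applied" in the @@ -386 hunk has a duplicated "be"; also "Its not possible" should be "It is not possible" and "This gives user ability" should be "This gives the user the ability". The "(if supported)" qualifier should name which policy types support egress binding: per the POLICY_BINDING_TABLE change in this patch only `EGRESS_QOS_POLICY` remains, so state that only QoS policies can be bound at egress.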
@@ -444,12 +525,21 @@ Policies of different types are designed to take specific actions. QoS Polices a | PCP Remarking | SONiC 3.0 | | Policing | SONiC 3.0 | -### 2.3.3 Monitoring Policy actions support +### 2.3.3 Monitoring policy actions support | Feature | Release supported | | ------------------- | ----------------- | | SPAN/ERSPAN session | SONiC 3.0 | +### 2.3.4 Forwarding policy actions support + +| Feature | Release supported | +| -------------------- | ----------------- | +| IPv4 / IPv6 Next Hop | SONiC 3.1 | +| L2 Egress interface | SONiC 3.1 | +| Default drop action | SONiC 3.1 | + + # 3 Design ## 3.1 Overview @@ -652,7 +742,7 @@ key = POLICY_TABLE:name ; name must be unique ; name must be 1-63 chars long ;field = value -TYPE = "qos" ; Only QoS is supported now. +TYPE = "qos" / "monitoring" / "forwarding" ; DESCRIPTION = 1*255VCHAR ; Policy Description ;value annotations 
@@ -663,22 +753,50 @@ DESCRIPTION = 1*255VCHAR ; Policy Description Policy details table provides information on the classifiers to use and their corresponding actions. A policy can have up to 128 classifiers ``` -key = POLICY_SECTIONS_TABLE:policy_name:classifier_name ; name must be unique - ; name must be 1-63 chars long - -;field = value -PRIORITY = 1*3DIGIT ; Valid Range is 0-999 -DESCRIPTION = 1*255VCHAR ; Policy Description -SET_DSCP = dscp_val -SET_PCP = pcp_val -SET_POLICER_CIR = 1*12DIGIT -SET_POLICER_CBS = 1*12DIGIT -SET_POLICER_PIR = 1*12DIGIT -SET_POLICER_PBS = 1*12DIGIT +key = POLICY_SECTIONS_TABLE:policy_name:classifier_name ; name must be unique + ; name must be 1-63 chars long + +;field = value +PRIORITY = 1*4DIGIT ; Valid Range is 0-1023 +DESCRIPTION = 1*255VCHAR ; Policy Description +SET_DSCP = dscp_val ; Valid only when policy is of type "qos" +SET_PCP = pcp_val ; Valid only when policy is of type "qos" +SET_POLICER_CIR = 1*12DIGIT ; Valid only when policy is of type "qos" +SET_POLICER_CBS = 1*12DIGIT ; Valid only when policy is of type "qos" +SET_POLICER_PIR = 1*12DIGIT ; Valid only when policy is of type "qos" +SET_POLICER_PBS = 1*12DIGIT ; Valid only when policy is of type "qos" +SET_MIRROR_SESSION = 1*72VCHAR ; Valid only when policy is of type "monitoring" +SET_IP_NEXT_HOP = [1-64]*nh-entry ; Valid only when policy is of type "forwarding" +SET_IPV6_NEXT_HOP = [1-64]*v6nh-entry ; Valid only when policy is of type "forwarding" +SET_INTERFACE = [1-64]*port-entry ; Valid only when policy is of type "forwarding" +DEFAULT_PACKET_ACTION = "DROP" / "FORWARD" ; Valid only when policy is of type "forwarding" ;value annotations -dscp_val = DIGIT / %x31-36 %x30-33 -pcp_val = %x30-37 +dscp_val = DIGIT / %x31-36 %x30-33 +pcp_val = %x30-37 +d8 = DIGIT ; 0-9 + / %x31-39 DIGIT ; 10-99 + / "1" 2DIGIT ; 100-199 + / "2" %x30-34 DIGIT ; 200-249 + / "25" %x30-35 ; 250-255 +ip-addr = d8 "." d8 "." d8 "." 
d8 +vrf-name = "default" / "Vrf"1*63VCHAR +priority = 1*4DIGIT / %x31-36 %x30-35 %x30-35 %x30-33 %x30-35 +h16 = 1*4HEXDIG +ipv6-addr = 7(h16 ":") h16 + / "::" 6(h16 ":") h16 + / [ h16 ] "::" 5(h16 ":") h16 + / [ *1(h16 ":") h16 ] "::" 4(h16 ":") h16 + / [ *2(h16 ":") h16 ] "::" 3(h16 ":") h16 + / [ *3(h16 ":") h16 ] "::" 2(h16 ":") h16 + / [ *4(h16 ":") h16 ] "::" h16 ":" h16 + / [ *5(h16 ":") h16 ] "::" h16 + / [ *6(h16 ":") h16 ] "::" +port-name = "Ethernet"1*3DIGIT / "PortChannel"1*3DIGIT + +nh-entry = ip-addr "|" vrf-name "|" priority +v6nh-entry = ipv6-addr "|" vrf-name "|" priority +port-entry = port-name "|" priority ``` #### 3.2.1.8 Policy binding table @@ -692,8 +810,8 @@ key = POLICY_BINDING_TABLE:port_name ; port_name is the name of the ;field = value INGRESS_QOS_POLICY = 1*63VCHAR INGRESS_MONITORING_POLICY = 1*63VCHAR +INGRESS_FORWARDING_POLICY = 1*63VCHAR EGRESS_QOS_POLICY = 1*63VCHAR -EGRESS_MONITORING_POLICY = 1*63VCHAR ;value annotations ``` @@ -704,7 +822,7 @@ EGRESS_MONITORING_POLICY = 1*63VCHAR ACL Table in the App DB will follow the same schema as that of Config DB. ACL Table in App DB is produced by ACL services daemon based on the Config DB information. The information will be consumed by ACL Orchagent to populate the ASIC DB. The ACL Table and Rule names will be different and will be populated by ACL Services daemon -#### 3.2.2.2 ACL Rule +#### 3.2.2.2 ACL Rule Table ACL Rule in App DB will contain additional packet actions for DSCP, PCP remarking and rate limiting. @@ -716,11 +834,12 @@ key: ACL_RULE_TABLE:table_name:rule_name ; key of the rule entry in the table, ; A rule is always assocaited with a ; ACL table. -;field = value +;field = value SET_DSCP = dscp_val SET_PCP = pcp_val SET_POLICER = 1*63VCHAR ; Name of the policer SET_MIRROR_SESSION = 1*63VCHAR ; Name of the mirror session +SET_PBF_GROUP = 1*63VCHAR ; Name of the policy based forwarding group ;value annotations dscp_val = DIGIT / %x31-36 %x30-33 
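Review bot: the value annotations in the @@ -663 hunk do not express the decimal ranges they claim. In ABNF each `%x` range constrains one character independently, so `dscp_val = DIGIT / %x31-36 %x30-33` accepts 10-13, 20-23, ... 60-63 but rejects 14-19, 24-29 and so on; write it as `dscp_val = DIGIT / %x31-35 DIGIT / "6" %x30-33` for 0-63. The same problem affects `priority = 1*4DIGIT / %x31-36 %x30-35 %x30-35 %x30-33 %x30-35`, which rejects values such as 16000 although the intent is 0-65535; `1*5DIGIT ; 0-65535` with a comment is clearer. `[1-64]*nh-entry` is not ABNF repetition syntax (use `1*64nh-entry`), and please confirm that three digits are enough in `port-name` for PortChannel names, which are commonly written with four digits such as PortChannel0001.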
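Review bot: in the @@ -716 hunk, `SET_PBF_GROUP` is added beside the QoS and mirror actions without saying whether an App DB rule may carry more than one of them; since the Config DB annotations in this patch tie each action to exactly one policy type, state that a rule produced from a policy carries only the actions of its type. The context line "assocaited" can be corrected to "associated" while this block is touched.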
@@ -729,9 +848,40 @@ pcp_val = %x30-37 The SET_POLICER action uses the policer name as defined in POLICER_TABLE schema at https://github.com/Azure/sonic-swss/blob/master/doc/swss-schema.md +#### 3.2.2.3 Policy based forwarding group table + +A new table called `PBF_GROUP_TABLE` is added. This table will be referenced by the ACL rule. The `CONFIGURED_EGRESS` contains egress information (Next-hop/interface) as configured by the user. `DERIVED_EGRESS` contains egress information (Next-hop/interface) derived by using interface VRF when VRF is not configured explicitly by the user. This table will be populated by aclsvcd. + +``` +key: PBF_GROUP_TABLE:group_name ; group_name will be internally generated by aclsvcd + +;field = value +TYPE = "IPV4" / "IPV6" / "L2" +DEFAULT_PACKET_ACTION = "DROP" +CONFIGURED_EGRESS = [0-64]*nh-entry / [0-64]*v6nh-entry / [0-64]*port-entry +DERIVED_EGRESS = [0-64]*nh-entry / [0-64]*v6nh-entry / [0-64]*port-entry + +;value annotations +The details of nh-entry or v6nh-entry or port-entry is same as described in Config DB. +``` + ### 3.2.3 State DB -None +#### 3.2.3.1 Policy based forwarding group state + +The PBF_GROUP_STATE_TABLE contains the information about the currently selected egress for forwarding. This information can be used to show the same information to the user. This table will be populated by PBF orch agent. + +``` +key: PBF_GROUP_TABLE:group_name ; group_name will be internally generated by aclsvcd + +;field = value +TYPE = "IPV4" / "IPV6" / "L2" +SELECTED_CONFIGURED = nh-entry / v6nh-entry / port-entry / "DROP" +SELECTED_DERIVED = nh-entry / v6nh-entry / port-entry / "DROP" + +;value annotations +The details of nh-entry or v6nh-entry or port-entry is same as described in Config DB. +``` ### 3.2.4 ASIC DB 
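Review bot: the State DB schema's key reads `PBF_GROUP_TABLE:group_name` although the prose names the table PBF_GROUP_STATE_TABLE; the key should be `PBF_GROUP_STATE_TABLE:group_name`. In the App DB PBF_GROUP_TABLE, `DEFAULT_PACKET_ACTION` allows only "DROP" while the Config DB POLICY_SECTIONS_TABLE allows "DROP" / "FORWARD"; align the two. Under ";value annotations" the sentence "The details of nh-entry ... is same as described in Config DB" is free text inside a schema block; prefix it with ";" and change "is same" to "are the same". The DERIVED_EGRESS description should also say what aclsvcd writes there when the user did configure the VRF explicitly, because PBF orch needs to know which of the two fields to select from.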
@@ -782,6 +932,10 @@ RedBytes : Flow based services manager will utilize and extend the ACL Orchagent. ACL Orchagent will be extended to support DSCP, PCP remarking and policing action. To support policer as of the actions, Acl orchagent has to interact with Policer orchagent to get the SAI object ID associated with the policer name. This will be done using the existing APIs exposed by the policer orchagent namely `policerExists`, `getPolicerOid`, `increaseRefCount`, `decreaseRefCount`. +#### 3.3.1.1 Policy Based Forwarding Orchestration agent + +To add support for Forwarding in Policy based services, a new Orchagent called Policy Based Forwarding (PBF) orchagent will be added. PBF orch will consume `PBF_GROUP_TABLE` and will listen to Route Orch, Neighbor Orch , Port Orch and FDB Orch to decide when a Next-hop or Interface is ready for forwarding. ACL Orchagent will register with PBF orchagent for any changes in the selected egress. PBF orchagent will notify the current selected egress per group and ACL Orchagent will update the ACL entries if necessary. + ### 3.3.2 ACL Services daemon #### 3.3.2.1 ACL Manager @@ -807,14 +961,21 @@ No change to SAI. ## 3.6 Manageability ### 3.6.1 Data Models -Not supported in first release. +Openconfig ACL and Openconfig Flow based services models are supported. Openconfig flow based services is a proprietary yang model following openconfig style. Openconfig QoS and Openconfig Policy Forwarding model are not supported as they do not support all SONiC functionality like Flow prioritization, Match on ACL, Layer 2 forwarding etc. ### 3.6.2 Configuration Commands The following commands are used to configure Policy based services -#### 3.6.2.1 Configuring ACL lookup mode +#### 3.6.2.1 Configuring ACL Counter mode +##### 3.6.2.1.1 Configuring ACL Counter mode using Sonic-CLI +| Mode | Config | +| ---- | ------ | +| Syntax | sonic(config)# **hardware**
sonic(config-hardware)# **access-list**
sonic(config-hardware-acl)# **counters** { **per-entry** \| **per-interface-entry** }
 ***per-entry*** : ACL counters are aggregated over all interfaces, and reported only per ACL entry.
 ***per-interface-entry*** : ACL counters are reported per ACL entry and per interface for all ACL bindings. | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.1.2 Configuring ACL lookup mode using Click CLI (Deprecated) ``` root@sonic:/home/admin# config hardware access-list --help Usage: config hardware access-list [OPTIONS] @@ -829,7 +990,80 @@ Options: -?, -h, --help Show this message and exit. ``` -#### 3.6.2.2 Create classifier +#### 3.6.2.2 Creating/Deleting a MAC/IPv4/IPv6 ACL +| Mode | Config | +| ---- | ------ | +| Syntax | \[no\] { **mac** \| **ip** \| **ipv6** } **access-list** *NAME* | +| Arguments | ***NAME***: Name of the ACL. String max 63 characters. Must begin with alpha numeric character | +| Change history | SONiC 3.1 - Introduced | + + +#### 3.6.2.3 Creating/Deleting a MAC ACL Rule +| Mode | ACL | +| ---- | ------ | +| Syntax | sonic(config-mac-acl)# **seq** *<1-65535>* { **permit** \| **deny** } { **any** \| **host** *SMAC* \| *SMAC* *SMAC_MASK* } { *any* \| **host** *DMAC* \| *DMAC* *DMAC_MASK* } \[ *ETHERTYPE* \| **ipv4** \| **ipv6** \| **arp** \] \[ **vlan** *VLANID* \] \[ **pcp** *<0-7>* \] \[ **dei** *<0-1>* \] **remark** *DESCRIPTION*
sonic(config-mac-acl)# **no seq** *<1-65535>* | +| Arguments | ***SMAC***: Source MAC address in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***SMAC_MASK***: Source MAC address mask in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***DMAC***: Destination MAC address in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***DMAC_MASK***: Destination MAC address mask in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***ETHERTYPE***: Ethertype value in range 1536-65536 in hex or decimal format.
***VLANID***: VLAN ID in range 1-4094 in decimal format
***DESCRIPTION***: A string describing the rule. Must be in double quotes if it contains spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.4 Creating/Deleting a IP ACL Rule +| Mode | ACL | +| ---- | ------ | +| Syntax | sonic(config-ipv4-acl)# **seq** *<1-65535>* { **permit** \| **deny** } **tcp** { **any** \| **host** *SIP* \| *SIP* \[ / *SIP_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] { **any** \| **host** *DIP* \| *DIP* \[ / *DIP_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] \[ **dscp** *DSCP_VAL* \] \[ **fin** \| **syn** \| **rst** \| **psh** \| **ack** \| **urg** \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv4-acl)# **seq** *<1-65535>* { **permit** \| **deny** } **udp** { **any** \| **host** *SIP* \| *SIP* \[ / *SIP_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] { **any** \| **host** *DIP* \| *DIP* \[ / *DIP_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] \[ **dscp** *DSCP_VAL* \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv4-acl)# **seq** *<1-65535>* { **permit** \| **deny** } **icmp** { **any** \| **host** *SIP* \| *SIP* \[ / *SIP_PREFIX_LEN* \] } { **any** \| **host** *DIP* \| *DIP* \[ / *DIP_PREFIX_LEN* \] } \[ **dscp** *DSCP_VAL* \] \[ **type** *ICMP_TYPE* \] \[ **code** *ICMP_CODE* \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv4-acl)# **seq** *<1-65535>* { **permit** \| **deny** } { **ip** \| *IP_PROTOCOL* } { **any** \| **host** *SIP* \| *SIP* \[ / *SIP_PREFIX_LEN* \] } { **any** \| **host** *DIP* \| *DIP* \[ / *DIP_PREFIX_LEN* \] } \[ **dscp** *DSCP_VAL* \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ip-acl)# **no seq** *<1-65535>* | +| Arguments | ***IP_PROTOCOL***: IP Protocol value in decimal format
***SIP***: Source IPv4 address
***SIP_PREFIX_LEN***: Source IPv4 address prefix length
***DIP***: Destination IPv4 address
***DIP_PREFIX_LEN***: Destination IPv4 address prefix length
***PORT, BEGIN, END***: TCP or UDP Port number in decimal format. END > BEGIN. Valid only when IP_PROTOCOL is 6, 17 ie TCP or UDP
***DSCP_VAL***: DSCP value in decimal format
***ICMP_TYPE***: ICMP type in decimal format. Valid only when IP_PROTOCOL is 1 i.e. ICMP
***ICMP_CODE***: ICMP code in decimal format. Valid only when IP_PROTOCOL is 1 i.e. ICMP
***VLANID***: VLAN ID in range 1-4094 in decimal format
***DESCRIPTION***: A string describing the rule. Must be in double quotes if it contains spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.5 Creating/Deleting a IPv6 ACL Rule +| Mode | ACL | +| ---- | ------ | +| Syntax | sonic(config-ipv6-acl)# **seq** *<1-65535>* { **permit** \| **deny** } **tcp** { **any** \| **host** *SIPV6* \| *SIPV6* \[ / *SIPV6_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] { **any** \| **host** *DIP* \| *DIP* \[ / *DIP_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] \[ **dscp** *DSCP_VAL* \] \[ **fin** \| **syn** \| **rst** \| **psh** \| **ack** \| **urg** \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv6-acl)# **seq** *<1-65535>* { **permit** \| **deny** } **udp** { **any** \| **host** *SIPV6* \| *SIPV6* \[ / *SIPV6_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] { **any** \| **host** *DIPV6* \| *DIPV6* \[ / *DIPV6_PREFIX_LEN* \] } \[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \] \[ **dscp** *DSCP_VAL* \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv6-acl)# **seq** *<1-65535>* { **permit** \| **deny** } **icmp** { **any** \| **host** *SIPV6* \| *SIPV6* \[ / *SIPV6_PREFIX_LEN* \] } { **any** \| **host** *DIPV6* \| *DIPV6* \[ / *DIPV6_PREFIX_LEN* \] } \[ **dscp** *DSCP_VAL* \] \[ **type** *ICMP_TYPE* \] \[ **code** *ICMP_CODE* \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv6-acl)# **seq** *<1-65535>* { **permit** \| **deny** } *IPV6_PROTOCOL* { **any** \| **host** *SIPV6* \| *SIPV6* \[ / *SIPV6_PREFIX_LEN* \] } { **any** \| **host** *DIPV6* \| *DIPV6* \[ / *DIPV6_PREFIX_LEN* \] } \[ **dscp** *DSCP_VAL* \] \[ **vlan** *VLANID* \] [ **remark** *DESCRIPTION* ]

sonic(config-ipv6-acl)# **no seq** *<1-65535>* | +| Arguments | ***IPV6_PROTOCOL***: IPv6 Protocol value in decimal format
***SIPV6***: Source IPv6 address
***SIPV6_PREFIX_LEN***: Source IPv6 address prefix length
***DIPV6***: Destination IPv6 address
***DIPV6_PREFIX_LEN***: Destination IPv6 address prefix length
***PORT, BEGIN, END***: TCP or UDP Port number in decimal format. END > BEGIN. Valid only when IP_PROTOCOL is 6, 17 ie TCP or UDP
***DSCP_VAL***: DSCP value in decimal format
***ICMP_TYPE***: ICMP type in decimal format. Valid only when IP_PROTOCOL is 58 i.e. ICMPv6
***ICMP_CODE***: ICMP code in decimal format. Valid only when IP_PROTOCOL is 58 i.e. ICMPv6
***VLANID***: VLAN ID in range 1-4094 in decimal format
***DESCRIPTION***: A string describing the rule. Must be in double quotes if it contains spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.6 Adding/Deleting ACL remark +| Mode | ACL | +| ---- | ------ | +| Syntax | sonic(config-xxx-acl)# **remark** *DESCRIPTION*
sonic(config-xxx-acl)# **no remark** | +| Arguments | ***DESCRIPTION***: A string describing the ACL. Must be in double quotes if it contains spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.7 Adding/Deleting ACL Rule Remark +| Mode | ACL | +| ---- | ------ | +| Syntax | sonic(config-xxx-acl)# **seq** *<1-65535>* **remark** *DESCRIPTION*
sonic(config-xxx-acl)# **no seq** *<1-65535>* **remark** | +| Arguments | ***DESCRIPTION***: A string describing the rule. Must be in double quotes if it contains spaces. Remark can be set to an existing rule only. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.8 Applying ACL +##### 3.6.2.8.1 Applying ACL to different interfaces +| Mode | Config | +| ---- | ------ | +| Syntax | sonic(config-if-xxx)# \[ **no** \] { **mac** \| **ip** \| **ipv6** } **access-group** *NAME* { **in** \| **out** } | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.8.2 Applying ACL globally +| Mode | Config | +| ---- | ------ | +| Syntax | sonic(config)# \[ **no** \] { **mac** \| **ip** \| **ipv6** } **access-group** *NAME* { **in** \| **out** } | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.8.3 Applying ACL to Control Plane +| Mode | Config | +| ---- | ------ | +| Syntax | sonic(config)# **line vty**
sonic(config-line-vty)# \[ **no** \] { **ip** \| **ipv6** } **access-group** *NAME* **in** | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.9 Create classifier + +##### 3.6.2.9.1 Creating classifier through Sonic-CLI + +| Mode | Config | +| ---- | --------------------------------------------------- | +| Syntax | SONiC(config)# **classifier** *NAME* **match-type** **acl** | +| Syntax | SONiC(config)# **classifier** *NAME* **match-type** **fields** **match-all** | +| Arguments | ***NAME***: String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.9.2 Creating classifier through click cli (Deprecated) ``` root@sonic:~# config classifier add --help @@ -845,8 +1079,138 @@ Options: ``` -#### 3.6.2.3 Update classifier with match parameters +#### 3.6.2.10 Update classifier match parameters + +##### 3.6.2.10.1 Update classifier match parameters using Sonic-CLI +###### 3.6.2.10.1.1 Add or delete match ACL to classifier + +| Mode | Classifier | +| ------ | ------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match access-group** { **mac** \| **ip** \| **ipv6** } *NAME* | +| Syntax | SONiC(config-classifier)# **no match access-group** | +| Arguments | ***NAME***: String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.2 Add or delete match on source MAC + +| Mode | Classifier | +| ------ | ------------------------------------------------------------ | +| Syntax | SONiC(config-classifier)# **match source-address mac** *MAC* [ / *MAC_MASK*] | +| Syntax | SONiC(config-classifier)# **no match source-address mac** | +| Arguments | ***MAC***: MAC address in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***MAC_MASK***: MAC address mask in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.3 Add or delete match on destination MAC + +| Mode | Classifier | +| ------ | ------------------------------------------------------------ | +| Syntax | SONiC(config-classifier)# **match destination-address mac** *MAC* [ / *MAC_MASK*] | +| Syntax | SONiC(config-classifier)# **no match destination-mac** | +| Arguments | ***MAC***: MAC address in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***MAC_MASK***: MAC address mask in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.4 Add or delete match on ethertype + +| Mode | Classifier | +| ------ | ------------------------------------------------------------ | +| Syntax | SONiC(config-classifier)# **match ether-type** { **ip** \| **ipv6** \| *ETHER_TYPE* } | +| Syntax | SONiC(config-classifier)# **no match ether-type** | +| Arguments | ***ETHER_TYPE***: Ethertype value in hex format in range 0x600 - 0xFFFF | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.5 Add or delete match on PCP + +| Mode | Classifier | +| -------------- | ------------------------------------------------------------ | +| Syntax | SONiC(config-classifier)# **match pcp** { **be** \| **bk** \| **ee** \| **ca** \| **vi** \| **vo** \| **ic** \| **nc** \| *PCP_VAL* } | +| Syntax | SONiC(config-classifier)# **no match pcp** | +| Arguments | ***be***: Best effort (0)
***bk***: Background (1)
***ee***: Excellent effort (2)
***ca***: Critical applications (3)
***vi***: Video, < 100 ms latency and jitter (4)
***vo***: Voice, < 10 ms latency and jitter (5)
***ic***: Internetwork control (6)
***nc***: Network control (7)
***PCP_VAL***: PCP Value in range 0-7 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.6 Add or delete match on VLAN ID +| Mode | Classifier| +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match vlan** *VLAN_ID* | +| Syntax | SONiC(config-classifier)# **no match vlan** | +| Arguments | ***VLAN_ID***: VLAN ID in range 1-4094 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.7 Add or delete match on source IPv4 Address + +| Mode | Classifier | +| ------ | ---------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match source-address ip** { **host** *IP_ADDR* \| *IP_ADDR/PREFIX* } | +| Syntax | SONiC(config-classifier)# **no match source-address ip** | +| Arguments | ***IP_ADDR***: IPv4 address
***PREFIX***: Prefix in range 1-31 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.8 Add or delete match on destination IPv4 Address + +| Mode | Classifier | +| ------ | ---------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match destination-address ip** { **host** *IP_ADDR* \| *IP_ADDR/PREFIX* } | +| Syntax | SONiC(config-classifier)# **no match destination-address ip** | +| Arguments | ***IP_ADDR***: IPv4 address
***PREFIX***: Prefix in range 1-31 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.9 Add or delete match on source IPv6 Address + +| Mode | Classifier | +| ------ | ---------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match source-address ipv6** { **host** *IPV6_ADDR* \| *IPV6_ADDR/PREFIX* } | +| Syntax | SONiC(config-classifier)# **no match source-address ipv6** | +| Arguments | ***IPV6_ADDR***: IPv6 address
***PREFIX***: Prefix in range 1-127 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.10 Add or delete match on destination IPv4 Address + +| Mode | Classifier | +| ------ | ---------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match destination-address ipv6** { **host** *IPV6_ADDR* \| *IPV6_ADDR/PREFIX* } | +| Syntax | SONiC(config-classifier)# **no match destination-address ipv6** | +| Arguments | ***IPV6_ADDR***: IPv6 address
***PREFIX***: Prefix in range 1-127 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.11 Add or delete match on IP Protocol + +| Mode | Classifier | +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match ip protocol** { **tcp** \| **udp** \| **icmp** \| **icmpv6** \| *NUMBER* } | +| Syntax | SONiC(config-classifier)# **no match protocol** | +| Arguments | ***NUMBER***: IP Protocol number in range 0-255 | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.12 Add or delete match on source TCP or UDP Port +Match on source port is allowed only when IP protocol is set to TCP or UDP. + +| Mode | Classifier | +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match l4-port source** { **eq** *NUMBER* \| **range** *BEGIN* *END*} | +| Syntax | SONiC(config-classifier)# **no match l4-port source** | +| Arguments | ***NUMBER***: Port number 0-65535
***BEGIN***,***END***: Port number 0-65535. END must be greater than BEGIN | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.13 Add or delete match on destination TCP or UDP Port +Match on destination port is allowed only when IP protocol is set to TCP or UDP. + +| Mode | Classifier | +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match l4-port destination** { **eq** *NUMBER* \| **range** *BEGIN* *END*} | +| Syntax | SONiC(config-classifier)# **no match l4-port destination** | +| Arguments | ***NUMBER***: Port number 0-65535
***BEGIN***,***END***: Port number 0-65535. END must be greater than BEGIN | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.10.1.14 Add or delete match on TCP flags +Match on TCP flags is allowed only when IP protocol is set to TCP. `not-xxx` keyword can be used to match the corresponding flag set to 0. + +| Mode | Classifier | +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **match tcp-flags** { **syn** \| **not-syn** } { **ack** \| **not-ack** } { **fin** \| **not-fin** } { **ack** \| **not-ack** } { **psh** \| **not-psh** } { **urg** \| **not-urg** } | +| Syntax | SONiC(config-classifier)# **no** **match tcp-flags** [ { **syn** \| **not-syn** } { **ack** \| **not-ack** } { **fin** \| **not-fin** } { **ack** \| **not-ack** } { **psh** \| **not-psh** } { **urg** \| **not-urg** } ] | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.10.2 Update classifier match parameters using Click CLI (Deprecated) ``` root@sonic:~# config classifier update --help Usage: config classifier update [OPTIONS] 
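Review bot: the PBF orchagent description in the @@ -782 hunk should state what the ACL entry does between creation and the first egress notification from PBF orch; given `DEFAULT_PACKET_ACTION` and forwarding action 4 in this patch, say explicitly that the entry is programmed with the default (drop) action until a next-hop or interface is reported usable, otherwise there is a window in which matched traffic is forwarded by the normal lookup. Also "Neighbor Orch ," has a stray space before the comma.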
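Review bot: in the @@ -807 hunk the heading 3.6.2.1 is renamed to "Configuring ACL Counter mode" but the Click subsection 3.6.2.1.2 still reads "Configuring ACL lookup mode" and the help text below it still describes that option; use one term throughout. "Openconfig flow based services is a proprietary yang model following openconfig style" contradicts itself; say it is a vendor-defined YANG model written in OpenConfig style and not part of OpenConfig. The counters table should also state which of per-entry and per-interface-entry is the default.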
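Review bot: several command grammars in the @@ -829 hunk are malformed or inconsistent. In the IPv4 and IPv6 TCP/UDP rules, `\[ { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \]` has an unmatched `}`; it should read `\[ { { **eq** \| **gt** \| **lt** } *PORT* \| **range** *BEGIN* *END* } \]`. The IPv6 TCP rule takes *DIP* / *DIP_PREFIX_LEN* where the other IPv6 rules take *DIPV6* / *DIPV6_PREFIX_LEN*, and the IPv6 argument notes refer to IP_PROTOCOL rather than IPV6_PROTOCOL. The ETHERTYPE range "1536-65536" should be 1536-65535 (0x600-0xFFFF, matching 3.6.2.10.1.4). The tcp-flags syntax lists `{ ack | not-ack }` twice and omits rst/not-rst, which the ACL rule syntax does support. The IPv4 `no seq` form uses the prompt config-ip-acl while the positive forms use config-ipv4-acl; heading 3.6.2.10.1.10 says "IPv4" for the IPv6 destination match; and the `no` forms "no match destination-mac" and "no match protocol" do not mirror "match destination-address mac" and "match ip protocol".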
@@ -903,8 +1267,32 @@ Options: -d, --description --help Show this message and exit. ``` +#### 3.6.2.11 Add classifier description + +| Mode | Classifier | +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **description** *STRING* | +| Arguments | ***STRING***: A string describing the classifier. Max 256 characters. Description should be in double quotes if it has spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.12 Delete classifier description + +| Mode | Classifier | +| ------ | ----------------------------------------------------------- | +| Syntax | SONiC(config-classifier)# **no description** | +| Change history | SONiC 3.1 - Introduced | -#### 3.6.2.4 Delete classifier +#### 3.6.2.13 Delete classifier + +##### 3.6.2.13.1 Delete classifier using Sonic-CLI + +| Mode | Config | +| ---- | --------------------------------------------------- | +| Syntax | SONiC(config)# **no classifier** *NAME* | +| Arguments | ***NAME***: String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.13.2 Delete classifier using Click CLI (Deprecated) ``` root@sonic:~# config classifier del --help 
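Review bot: the classifier description is documented as "Max 256 characters", but the Config DB schema in this patch defines `DESCRIPTION = 1*255VCHAR`; the same 256 versus 255 mismatch recurs in the policy description command (3.6.2.16). Pick one limit and use it in both the CLI tables and the schema.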
@@ -916,7 +1304,19 @@ Options: --help Show this message and exit. ``` -#### 3.6.2.5 Add policy +#### 3.6.2.14 Add policy + +##### 3.6.2.14.1 Add policy using Sonic-CLI + +| Mode | Config | +| ---- | ------ | +| Syntax | SONiC(config)# **policy** *NAME* **type** { **qos** \| **monitoring** \| **forwarding** } | +| Arguments | ***NAME***: Name of the policy to be created. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | +| Change history | SONiC 3.1 - Introduced | + +NOTE: **forwarding** policies can be created only using Sonic-CLI. + +##### 3.6.2.14.2 Add policy using Click CLI (Deprecated) ``` root@sonic:~# config policy add --help @@ -931,8 +1331,16 @@ Options: --help Show this message and exit. ``` -#### 3.6.2.6 Delete policy +#### 3.6.2.15 Delete policy +##### 3.6.2.15.1 Deleting policy using Sonic-CLI +| Mode | Config | +| ---- | ------ | +| Syntax | SONiC(config)# **no policy** *NAME* | +| Arguments | ***NAME***: Name of the policy to be deleted. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.15.2 Deleting policy using Click CLI (Deprecated) ``` root@sonic:~# config policy del --help Usage: config policy del [OPTIONS] 
@@ -943,7 +1351,32 @@ Options: --help Show this message and exit. ``` -#### 3.6.2.7 Add flow identified by a classifier to a policy +#### 3.6.2.16 Add policy description + +| Mode | Policy | +| ------ | ------ | +| Syntax | SONiC(config-policy)# **description** *STRING* | +| Arguments | ***STRING***: A string describing the policy. Max 256 characters. Description should be in double quotes if it has spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.17 Delete policy description + +| Mode | Policy | +| ------ | ------ | +| Syntax | SONiC(config-policy)# **no description** | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.18 Add flow identified by a classifier to a policy + +##### 3.6.2.18.1 Add flow using Sonic-CLI + +| Mode | Policy | +| ------ | ------ | +| Syntax | SONiC(config-policy)# **class** *NAME* **priority** *PRIORITY* | +| Arguments | ***NAME***: Classifier name. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_).
***PRIORITY***: Priority number in range 0-1023 | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.18.2 Add flow using Click CLI (Deprecated) ``` root@sonic:~# config flow add --help @@ -958,7 +1391,17 @@ Options: --help Show this message and exit. ``` -#### 3.6.2.8 Delete flow identified by a classifier to a policy +#### 3.6.2.19 Delete flow identified by a classifier to a policy + +#### 3.6.2.20 Deleting flow using Sonic-CLI + +| Mode | Policy | +| ------ | ------ | +| Syntax | SONiC(config-policy)# **no class** *NAME* | +| Arguments | ***NAME***: Classifier name. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.21 Deleting flow using Click CLI (Deprecated) ``` root@sonic:~# config flow del --help 
@@ -969,8 +1412,143 @@ Usage: config flow del [OPTIONS] Options: --help Show this message and exit. ``` +#### 3.6.2.22 Add flow description -#### 3.6.2.9 Add action(s) to flows +| Mode | Flow | +| ------ | ------ | +| Syntax | SONiC(config-classifier)# **description** *STRING* | +| Arguments | *STRING*: A string describing the flow. Max 256 characters. Description should be in double quotes if it has spaces. | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.23 Delete flow description + +| Mode | Flow | +| ------ | ------ | +| Syntax | SONiC(config-classifier)# **no description** | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.2.24 Add action(s) to flows + +##### 3.6.2.24.1 Add QoS actions to the flow using Sonic-CLI +The following QoS actions can be added to the flow. QoS actions can be added/enabled only if the policy is of type **qos**. + +###### 3.6.2.24.1.1 Add DSCP remarking action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **set dscp** *\<0-63\>* | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.1.2 Delete DSCP remarking action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **no set dscp** | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.1.3 Add PCP remarking action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **set pcp** *\<0-7\>* | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.1.4 Delete PCP remarking action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **no set pcp** | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.1.5 Add policer action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **police cir** *CIR* \[**cbs** *CBS* \] \[**pir** *PIR* \] \[**pbs** *PBS* \] | +| Arguments | ***CIR***: Committed information rate in bits per second. CIR is mandatory. 
The value can be optionally suffixed with kbps(1000), mbps(1000000), gbps (1000000000) or tbps (1000000000000).
***CBS***: Committed burst size in bytes. The value can be suffixed with KB(1000), MB(1000000), GB(1000000000) or TB(1000000000000). The default value is 20% of the CIR in bytes. If configured by the user, it must be greater than or equal to CIR in bytes.
***PIR***: Peak information rate in bits per second. The value can be optionally suffixed with kbps(1000), mbps(1000000), gbps (1000000000) or tbps (1000000000000). If configured by the user, it must be greater than CIR
***PBS***: Peak burst size. The value can be suffixed with KB(1000), MB(1000000), GB(1000000000) or TB(1000000000000). The default value is 20% of the PIR value in bytes. If configured by the user, it must be greater than PIR value in bytes and also CBS value. | +| Change history | SONiC 3.1 - Introduced | + +If only CIR is configured, then its 1 rate, 2 color policer. Any traffic exceeding CIR value will be marked as red and will be dropped. + +If both CIR and PIR is configured, then is 2 rate 3 color policer. Any traffic that exceeds CIR but less than PIR will be marked as yellow. Any traffic that is more than PIR will be marked as red and will be dropped. + +###### 3.6.2.24.1.6 Delete policer action +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **no police** \[ **cir** \] \[**cbs** \] \[**pir** \] \[**pbs** \] | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.1.7 Add set traffic-class action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **set traffic-class** *\<0-7\>* | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.1.8 Delete set traffic-class action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **no set traffic-class** | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.24.2 Adding monitoring actions to the flow +The following monitoring actions can be added to the flow. Monitoring actions can be added/enabled only if the policy is of type **monitoring**. 
+ +###### 3.6.2.24.2.1 Adding mirror session action +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **set mirror-session** *SESSION_NAME* | +| Arguments | *SESSION_NAME*: Mirror session name | +| Change history | SONiC 3.1 - Introduced | + +###### 3.6.2.24.2.2 Deleting mirror session action +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# **no set mirror-session** | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.2.24.3 Adding forwarding actions to the flow +The following forwarding actions can be added to the flow. Forwarding actions can be added/enabled only if the policy is of type **forwarding**. This configuration is only available in Sonic-CLI. + +###### 3.6.2.24.3.1 Adding / Deleting IPv4 next-hop +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set ip next-hop** *IP_ADDR* \[ vrf *VRF_NAME* \] \[ priority *PRIORITY* \] | +| Arguments | ***IP_ADDR***: IPv4 Address
***VRF_NAME***: VRF name. If the VRF name is not specified then it will be derived from the VRF of the interface on which the policy is applied or default will be used for global application.
***PRIORITY***: Priority of the next-hop. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The next-hop with the higher priority will be picked up for forwarding first. If more than 1 next-hops have the same priority then the next-hop which is configured first will be used. | +| Change history | SONiC 3.1 - Introduced | + +IPv4 next-hops are valid only if the classifier uses IPv4 ACL for match. Only IPv4 routed traffic will be forwarded to the configured next-hop. Combining IPv4 next-hops with IPv6 next-hops or egress interface (except NULL) is not permitted. The next-hop must be reachable for it to be selected for routing. NULL egress can be configured to select drop as egress action if none of the next-hops are reachable. If NULL egress is not configured then the traffic will be routed normally. + +###### 3.6.2.24.3.2 Adding / Deleting IPv6 next-hop +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set ipv6 next-hop** *IPV6_ADDR* \[ vrf *VRF_NAME* \] \[ priority *PRIORITY* \] | +| Arguments | ***IPV6_ADDR***: IPv6 Address
***VRF_NAME***: VRF name. If the VRF name is not specified then it will be derived from the VRF of the interface on which the policy is applied or default will be used for global application.
***PRIORITY***: Priority of the next-hop. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The next-hop with the higher priority will be picked up for forwarding first. If more than 1 next-hops have the same priority then the next-hop which is configured first will be used. | +| Change history | SONiC 3.1 - Introduced | + +IPv6 next-hops are valid only if the classifier uses IPv6 ACL for match. Only IPv6 routed traffic will be forwarded to the configured next-hop. Combining IPv6 next-hops with IPv4 next-hops or egress interface (except NULL) is not permitted. The next-hop must be reachable for it to be selected for routing. NULL egress can be configured to select drop as egress action if none of the next-hops are reachable. If NULL egress is not configured then the traffic will be routed normally. + +###### 3.6.2.24.3.3 Adding / Deleting egress interface + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set interface** { **Ethernet***ID* \| **PortChannel***ID* } \[ priority *PRIORITY* \] | +| Arguments | ***ID***: Ethernet or PortChannel number.
***PRIORITY***: Priority of the egress port. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The port with the higher priority will be picked up for forwarding first. If more than 1 ports have the same priority then the port which is configured first will be used. | +| Change history | SONiC 3.1 - Introduced | + +Egress interfaces configuration is valid only if the classifier uses MAC/L2 ACL for match. Only L2 switched traffic will be forwarded to the configured egress interface. Combining egress interface with IPv4 or IPv6 next-hops is not permitted. The egress interface must be a switchport and online for it to be selectable for forwarding, else it will be forward referenced. User is expected to make sure egress interface is part of necessary VLANs. NULL egress can be configured to select drop as egress action if none of the egress interfaces are online. If NULL egress is not configured then the traffic will be forwarded normally. + +###### 3.6.2.24.3.4 Adding default drop action + +| Mode | Flow | +| ------ | ---- | +| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set interface null** | +| Change history | SONiC 3.1 - Introduced | + +Drop action if configured will be of the lowest priority and will be chosen if none of the configured next-hops or egress interfaces can be used for forwarding. + +##### 3.6.2.24.4 Add flow actions using Click CLIs (Deprecated) ``` root@sonic:~# config flow update --help 
@@ -998,21 +1576,51 @@ Options: --help Show this message and exit. ``` -The policers are implicitly configured as TRTCM policers of type bytes in color blind mode and drop as default action for packets of color red. +If only CIR is configured, then its 1 rate, 2 color policer. Any traffic exceeding CIR value will be marked as red and will be dropped. + +If both CIR and PIR is configured, then is 2 rate 3 color policer. Any traffic that exceeds CIR but less than PIR will be marked as yellow. Any traffic that is more than PIR will be marked as red and will be dropped. -#### 3.6.2.10 Apply and remove the policy to interface +Forwarding actions are supported only in Sonic-CLI. + +#### 3.6.2.25 Applying the policy to an interface + +##### 3.6.2.25.1 Applying policy to an interface using Sonic-CLI +| Mode | Config or Interface | +| ------ | ------------------- | +| Syntax | SONiC(config)# **service-policy type qos** { **in** \| **out** } *NAME*
SONiC(config)# **service-policy type** { **monitoring** \| **forwarding** } **in** *NAME* | +| Syntax | SONiC(config-if-xxxx)# **service-policy type qos** { **in** \| **out** } *NAME*
SONiC(config-if-xxxx)# **service-policy type** { **monitoring** \| **forwarding** } **in** *NAME* | +| Arguments | *NAME*: Name of the policy to be applied | +| Change history | SONiC 3.1 - Introduced | + +NOTE: Forwarding policy can be applied only using Sonic-CLI. When a forwarding policy is applied globally, the next-hops +are assumed to be in default VRF unless user has specified the VRF explicitly. + +##### 3.6.2.25.2 Applying policy to an interface using Click CLI (Deprecated) ``` root@sonic:~# config service-policy bind --help -Usage: config service-policy bind [OPTIONS] - +Usage: config service-policy bind [OPTIONS] Apply policy to interface Options: --help Show this message and exit. +``` + +#### 3.6.2.26 Removing policy from an interface + +##### 3.6.2.26.1 Removing policy from an interface using Sonic-CLI +| Mode | Config or Interface | +| ------ | ------------------- | +| Syntax | SONiC(config)# **no service-policy type qos** { **in** \| **out** }
SONiC(config)# **no service-policy type** { **monitoring** \| **forwarding** } **in** | +| Syntax | SONiC(config-if-xxxx)# **no service-policy type qos** { **in** \| **out** }
SONiC(config-if-xxxx)# **service-policy type** { **monitoring** \| **forwarding** } **in** | +| Change history | SONiC 3.1 - Introduced | +NOTE: Forwarding policy can be removed only using Sonic-CLI. +##### 3.6.2.26.2 Removing policy from an interface using Click CLI (Deprecated) + +``` root@sonic:~# config service-policy unbind --help Usage: config service-policy unbind [OPTIONS] 
@@ -1024,7 +1632,55 @@ Options: ### 3.6.3 Show Commands -#### 3.6.3.1 Show classifier details +#### 3.6.3.1 Show ACL binding summary +| Mode | Exec | +| ------ | ------------------- | +| Syntax | SONiC# **show** { **mac** \| **ip** \| **ipv6** } **access-group** | +| Change history | SONiC 3.1 - Introduced | + +***Sample Output:*** + +``` +sonic# show ip access-group +Ingress IP access-list ipacl on Ethernet0 +Ingress IP access-list ipacl on PortChannel1 +Ingress IP access-list ipacl on Vlan100 +``` + +#### 3.6.3.2 Show ACL Rules and statistics +| Mode | Exec | +| ------ | ------------------- | +| Syntax | SONiC# **show** { **mac** \| **ip** \| **ipv6** } **access-list** \[ *NAME* \] | +| Change history | SONiC 3.1 - Introduced | + +***Sample Output:*** + +``` +sonic# show ip access-lists +ip access-list ipacl + seq 1 permit ip host 10.1.1.1 host 20.1.1.1 (0 packets) [0 bytes] + seq 2 permit ip host 10.1.1.2 host 20.1.1.2 (0 packets) [0 bytes] + seq 3 permit ip host 10.1.1.3 host 20.1.1.3 (0 packets) [0 bytes] + seq 4 permit ip host 10.1.1.4 host 20.1.1.4 (0 packets) [0 bytes] +``` + +#### 3.6.3.3 Clear ACL statistics + +| Mode | Exec | +| ------ | ------------------- | +| Syntax | SONiC# **clear { **mac** \| **ip** \| **ipv6** } counters** **access-list** \[ *NAME* \] | +| Change history | SONiC 3.1 - Introduced | + +#### 3.6.3.4 Show classifier details + +##### 3.6.3.4.1 Show classifier details using Sonic-CLI + +| Mode | Exec | +| ------ | ------------------- | +| Syntax | SONiC# **show classifier** [ *NAME* \| **match-type** { **acl** \| **fields** } ] | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.3.4.2 Show classifier details using Click CLI (Deprecated) ``` root@sonic:~# show classifier --help 
@@ -1037,26 +1693,29 @@ Options: -?, -h, --help Show this message and exit. ``` -The following is the sample output +##### 3.6.3.4.3 Show classifier sample output -``` -root@sonic:~# show classifier class0 -classifier class0 match-type acl - match-acl l3_ACL_0 - Referenced in flows: - policy policy0 at priority 200 - -root@sonic:~# show classifier fields_class_0 -Classifier fields_class_0 match-type fields - Description: - Match: - src-ip 40.1.1.100/32 - Referenced in flows: - policy mon_policy_0 at priority 999 - policy qos_policy_0 at priority 999 -``` +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show classifier class0 | +| Click-CLI *(Deprecated)* | root@sonic:~# show classifier class0 | +| Sample Output | Classifier class0 match-type acl
  match-acl l3_ACL_0
    Referenced in flows:
      policy policy0 at priority 200 | + +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show classifier match-type fields | +| Click-CLI *(Deprecated)* | root@sonic:~# show classifier -m fields | +| Sample Output | Classifier fields_class_0 match-type fields
  Description:
  Match:
    src-ip 40.1.1.100/32
  Referenced in flows:
    policy mon_policy_0 at priority 999
    policy qos_policy_0 at priority 999 | + +#### 3.6.3.5 Show policy details + +##### 3.6.3.5.1 Show policy details using Sonic-CLI +| Mode | Exec | +| ------ | ------------------- | +| Syntax | SONiC# **show policy** [ *NAME* \| **type** { **qos** \| **monitoring** \| **forwarding** } ] | +| Change history | SONiC 3.1 - Introduced | -#### 3.6.3.2 Show policy details +##### 3.6.3.5.2 Show policy details using Click-CLI (Deprecated) ``` root@sonic:~# show policy --help 
@@ -1070,55 +1729,32 @@ Options: -?, -h, --help Show this message and exit. ``` -The following is the sample output - -``` -root@sonic:~# show policy qos_policy_0 -Policy qos_policy_0 Type qos - Description: - Flow fields_class_0 at priority 999 - Description: - set-pcp 1 - set-pcp 1 - police cir 10000000 cbs 1000000 pir 0 pbs 0 - Flow fields_class_1 at priority 998 - Description: - set-pcp 2 - set-pcp 2 - police cir 20000000 cbs 2000000 pir 0 pbs 0 - Flow fields_class_2 at priority 997 - Description: - set-pcp 3 - set-pcp 3 - police cir 30000000 cbs 3000000 pir 0 pbs 0 - Flow fields_class_3 at priority 996 - Description: - set-pcp 4 - set-pcp 4 - police cir 40000000 cbs 4000000 pir 0 pbs 0 - Applied to: - Ethernet0 at ingress - -root@sonic:~# show policy mon_policy_0 -Policy mon_policy_0 Type monitoring - Description: - Flow fields_class_0 at priority 999 - Description: - mirror-session ERSPAN_DestIP_50.1.1.2 - Flow fields_class_1 at priority 998 - Description: - mirror-session ERSPAN_DestIP_60.1.1.2 - Flow fields_class_2 at priority 997 - Description: - mirror-session ERSPAN_DestIP_50.1.1.2 - Flow fields_class_3 at priority 996 - Description: - mirror-session ERSPAN_DestIP_60.1.1.2 - Applied to: - Ethernet0 at ingress -``` - -#### 3.6.3.3 Show policy binding summary +##### 3.6.3.5.3 Sample output + +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show policy qos_policy_0 | +| Click-CLI (Deprecated) | root@sonic~# show policy qos_policy_0 | +| Sample Output | Policy qos_policy_0 Type qos
  Description:
  Flow fields_class_0 at priority 999
    Description:
    set-pcp 1
    set-pcp 1
    police cir 10000000 cbs 1000000 pir 0 pbs 0
  Flow fields_class_1 at priority 998
    Description:
    set-pcp 2
    set-pcp 2
    police cir 20000000 cbs 2000000 pir 0 pbs 0
  Flow fields_class_2 at priority 997
    Description:
    set-pcp 3
    set-pcp 3
    police cir 30000000 cbs 3000000 pir 0 pbs 0
  Flow fields_class_3 at priority 996
    Description:
    set-pcp 4
    set-pcp 4
    police cir 40000000 cbs 4000000 pir 0 pbs 0
  Applied to:
    Ethernet0 at ingress | + + +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show policy type monitoring | +| Click-CLI (Deprecated) | root@sonic~# show policy -t monitoring | +| Sample Output | Policy mon_policy_0 Type monitoring
  Description:
  Flow fields_class_0 at priority 999
    Description:
    mirror-session ERSPAN_DestIP_50.1.1.2
  Flow fields_class_1 at priority 998
    Description:
    mirror-session ERSPAN_DestIP_60.1.1.2
  Flow fields_class_2 at priority 997
    Description:
    mirror-session ERSPAN_DestIP_50.1.1.2
  Flow fields_class_3 at priority 996
    Description:
    mirror-session ERSPAN_DestIP_60.1.1.2
  Applied to:
    Ethernet0 at ingress | + +#### 3.6.3.6 Show policy binding summary + +##### 3.6.3.6.1 Show policy binding summary using Sonic-CLI + +| Mode | Exec | +| --------- | ---- | +| Syntax | SONiC# **show service-policy summary** \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \] \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] | +| Arguments | *ID*: Number of Ethernet or PortChannel or Vlan | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.3.6.2 Show policy binding summary using Click CLI (Deprecated) ``` root@sonic:~# show service-policy summary --help @@ -1132,24 +1768,24 @@ Options: -?, -h, --help Show this message and exit. ``` -The following is the sample output +##### 3.6.3.6.3 Show policy binding summary sample output -``` -root@sonic:~# show service-policy summary -Ethernet0 - qos policy policy0 at ingress - monitoring policy mon_policy_0 at ingress -Ethernet4 - qos policy policy0 at ingress -Ethernet8 - qos policy policy0 at egress +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show service-policy summary | +| Click-CLI (Deprecated) | root@sonic~# show service-policy summary | +| Sample Output | Ethernet0
  qos policy qos_policy0 at ingress
  monitoring policy mon_policy_0 at ingress
PortChannel100
  qos policy policy0 at egress
Vlan100
  forwarding policy pbr0 at ingress | -root@sonic:~# show service-policy summary -i Ethernet0 -Ethernet0 - qos policy policy0 at ingress -``` +#### 3.6.3.7 Show/Clear policy binding and counters for an interface -#### 3.6.3.4 Show/Clear policy binding and counters for an interface +##### 3.6.3.7.1 Show/Clear policy binding and counters using SONiC-CLI +| Mode | Exec | +| --------- | ---- | +| Syntax | SONiC# **show service-policy** { **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] \| **policy** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] }

SONiC# **clear counters service-policy** { **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] \| **policy** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] } | +| Arguments | *ID*: Number of Ethernet or PortChannel or Vlan
*NAME*: Name of the policy applied. | +| Change history | SONiC 3.1 - Introduced | + +##### 3.6.3.7.2 Show/Clear policy binding and counters using Click CLI (Deprecated) ``` root@sonic:~# show service-policy interface --help @@ -1164,38 +1800,6 @@ Options: -?, -h, --help Show this message and exit. ``` -The following is the sample output - -``` -root@sonic:~# show service-policy interface Ethernet0 -Ethernet0 - Policy qos_policy_0 Type qos at ingress - Description: - Flow fields_class_3 at priority 996 (Active) - Description: - set-pcp 4 - set-dscp 4 - police: cir 40000000 cbs 4000000 pir 0 pbs 0 - type bytes mode color-blind - operational cir 40000000 cbs 4000000 pir 0 pbs 0 - conformed 0 packets 0 bytes action forward - exceed 0 frames 0 bytes action forward - violated 0 frames 0 bytes action drop - Packet matches: 0 frames 0 bytes - Flow fields_class_2 at priority 997 (Active) - Description: - set-pcp 3 - set-dscp 3 - police: cir 30000000 cbs 3000000 pir 0 pbs 0 - type bytes mode color-blind - operational cir 30000000 cbs 3000000 pir 0 pbs 0 - conformed 0 packets 0 bytes action forward - exceed 0 frames 0 bytes action forward - violated 0 frames 0 bytes action drop - Packet matches: 0 frames 0 bytes -``` -#### 3.6.3.5 Show/Clear policy binding and counters for a policy - ``` root@sonic:~# show service-policy policy --help Usage: show service-policy policy [OPTIONS] @@ -1208,32 +1812,29 @@ Options: -?, -h, --help Show this message and exit. ``` -The following is the sample output +##### 3.6.3.7.3 Show policy binding and counters sample output +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show service-policy interface Ethernet0 | +| Click-CLI (Deprecated) | root@sonic:~# show service-policy interface Ethernet0 | +| Sample Output | Ethernet0
  Policy qos_policy_0 Type qos at ingress
  Description:
    Flow fields_class_3 at priority 996 (Active)
      Description:
      set-pcp 4
      set-dscp 4
      police: cir 40000000 cbs 4000000 pir 0 pbs 0
        type bytes mode color-blind
        operational cir 40000000 cbs 4000000 pir 0 pbs 0
        conformed 0 packets 0 bytes action forward
        exceed 0 frames 0 bytes action forward
        violated 0 frames 0 bytes action drop
      Packet matches: 0 frames 0 bytes
    Flow fields_class_2 at priority 997 (Active)
      Description:
      set-pcp 3
      set-dscp 3
      police: cir 30000000 cbs 3000000 pir 0 pbs 0
        type bytes mode color-blind
        operational cir 30000000 cbs 3000000 pir 0 pbs 0
        conformed 0 packets 0 bytes action forward
        exceed 0 frames 0 bytes action forward
        violated 0 frames 0 bytes action drop
      Packet matches: 0 frames 0 bytes | + -``` -root@sonic:~# show service-policy policy mon_policy_0 -Ethernet0 - Policy mon_policy_0 Type monitoring at ingress - Description: - Flow fields_class_3 at priority 996 (Active) - Description: - mirror-session ERSPAN_DestIP_60.1.1.2 - Packet matches: 0 frames 0 bytes - Flow fields_class_2 at priority 997 (Active) - Description: - mirror-session ERSPAN_DestIP_50.1.1.2 - Packet matches: 0 frames 0 bytes - Flow fields_class_1 at priority 998 (Active) - Description: - mirror-session ERSPAN_DestIP_60.1.1.2 - Packet matches: 0 frames 0 bytes - Flow fields_class_0 at priority 999 (Active) - Description: - mirror-session ERSPAN_DestIP_50.1.1.2 - Packet matches: 0 frames 0 bytes -``` -#### 3.6.3.6 TCAM Allocation +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show service-policy policy mon_policy_0 | +| Click-CLI (Deprecated) | root@sonic:~# show service-policy policy mon_policy_0 | +| Sample Output | Ethernet0
  Policy mon_policy_0 Type monitoring at ingress
  Description:
    Flow fields_class_3 at priority 996 (Active)
      Description:
      mirror-session ERSPAN_DestIP_60.1.1.2
      Packet matches: 0 frames 0 bytes
    Flow fields_class_2 at priority 997 (Active)
      Description:
      mirror-session ERSPAN_DestIP_50.1.1.2
      Packet matches: 0 frames 0 bytes
    Flow fields_class_1 at priority 998 (Active)
      Description:
      mirror-session ERSPAN_DestIP_60.1.1.2
      Packet matches: 0 frames 0 bytes
    Flow fields_class_0 at priority 999 (Active)
      Description:
      mirror-session ERSPAN_DestIP_50.1.1.2
      Packet matches: 0 frames 0 bytes | + + + +| CLI Type | CLI Syntax | +| -------- | ---------- | +| Sonic-CLI | SONiC# show service-policy interface Vlan 100 type forwarding | +| Sample Output | Vlan100
  Policy pbr_policy_example Type forwarding at ingress
  Description:
    Flow acl_class_1000 at priority 1000 (Active)
      Description:
      set ip next-hop 10.1.1.1 vrf default
      set ip next-hop 20.1.1.1 vrf VrfRed
      set ip next-hop 30.1.1.1 (Selected)
      set interface null
      Packet matches: 128 frames 128000 bytes
    Flow acl_class_999 at priority 999 (Active)
      Description:
      set ip next-hop 11.1.1.1 vrf default (Selected)
      set ip next-hop 21.1.1.1 vrf VrfRed
      set ip next-hop 31.1.1.1
      set interface null
      Packet matches: 0 frames 0 bytes
    Flow fields_class_0 at priority 999 (Active)
      Description:
      set ip next-hop 1111::1 vrf default
      set ip next-hop 2222::1 vrf VrfRed (Selected)
      set ip next-hop 3333::1
      set interface null
      Packet matches: 0 frames 0 bytes | + +#### 3.6.3.8 TCAM Allocation By default the TCAM allocation is set to First come first serve. When certain features are configured beyond scale, after reboot they may consume more resources than pre-reboot which may affect other features. The feature behavior becomes unpredictable across reboots. A TCAM allocation utility is provided to partition the TCAMs as per users requirements. This ensures that all TCAM based features only consume the resources allocated to them and not impact others when they are configured beyond what's allocation in the allocation scheme. @@ -1245,7 +1846,7 @@ By default the TCAM allocation is set to First come first serve. When certain fe 3) PFC Watchdog -##### 3.6.3.6.1 Available predefined TCAM profiles +##### 3.6.3.8.1 Available predefined TCAM profiles The following command can be used to view the predefined profile names. @@ -1258,7 +1859,7 @@ DEFAULT-L2 Optimized for Layer 2 ACLs DEFAULT-L3 Optimized for Layer 3 ACLs ``` -##### 3.6.3.6.2 Predefined TCAM profile details +##### 3.6.3.8.2 Predefined TCAM profile details The following command can be used to see the predefined profile details. The following is an example and the output will be different on different platforms depending on the capabilities of the ASIC used. @@ -1306,7 +1907,7 @@ Total 9 TCAM slices of 9 allocated. Each slice has 256 entries Total 2 TCAM slices of 2 allocated. Each slice has 256 entries ``` -##### 3.6.3.6.3 Setting the predefined profile +##### 3.6.3.8.3 Setting the predefined profile The following command is used to set the TCAM profile. A `--startup` option is also available to modify the TCAM allocation in startup configuration. `--startup` requires the system to be rebooted/config reload for the TCAM allocation to take effect. 
@@ -1317,7 +1918,7 @@ Example: admin@sonic:~$ sudo tcamutil set profile DEFAULT-L2 ``` -##### 3.6.3.6.4 Checking the current TCAM Allocation +##### 3.6.3.8.4 Checking the current TCAM Allocation The following command can be used to check the current TCAM allocation @@ -1366,7 +1967,7 @@ Total 2 TCAM slices of 2 allocated. Each slice has 256 entries ``` -##### 3.6.3.6.5 Clearing the TCAM Allocation scheme. +##### 3.6.3.8.5 Clearing the TCAM Allocation scheme. The following command can be used to clear the TCAM allocation scheme and set it to First Come First Serve. A `--startup` option is also available to modify the TCAM allocation in startup configuration. `--startup` requires the system to be rebooted/config reload for the TCAM allocation to take effect. 
@@ -1375,17 +1976,60 @@ admin@sonic:~$ sudo tcamutil clear Info: TCAM Allocation cleared from the running config. Please save the config before doing reboot or config reload ``` -##### 3.6.3.6.6 Modifying the current TCAM allocation +##### 3.6.3.8.6 Modifying the current TCAM allocation The following command is used to modify the current TCAM allocation scheme. A `--startup` option is also available to modify the TCAM allocation in startup configuration. `--startup` requires the system to be rebooted/config reload for the TCAM allocation to take effect. ``` admin@sonic:~$ sudo tcamutil modify {ingress,egress,both} ... + + +admin@sonic:~$ sudo tcamutil modify ingress --help +usage: tcamutil modify ingress [-h] [--startup] [-f] [--l2-acl SIZE] + [--ipv4-acl SIZE] [--ipv6-acl SIZE] + [--ip-acl SIZE] [--l2-fbqos SIZE] + [--ipv4-fbqos SIZE] [--ipv6-fbqos SIZE] + [--l2ipv4-fbqos SIZE] [--ip-fbqos SIZE] + [--l2-fbmonitoring SIZE] + [--ipv4-fbmonitoring SIZE] + [--ipv6-fbmonitoring SIZE] + [--l2ipv4-fbmonitoring SIZE] + [--ip-fbmonitoring SIZE] [--tam SIZE] + [--mclag SIZE] [--ip-helper SIZE] + + + +admin@Belgrade2:~$ sudo tcamutil modify egress --help +usage: tcamutil modify egress [-h] [--startup] [-f] [--l2-acl SIZE] + [--ipv4-acl SIZE] [--ipv6-acl SIZE] + [--ip-acl SIZE] [--l2-fbqos SIZE] + [--ipv4-fbqos SIZE] [--ipv6-fbqos SIZE] + [--l2ipv4-fbqos SIZE] [--ip-fbqos SIZE] + +optional arguments: + -h, --help show this help message and exit + --startup Modify startup config. (Requires reboot/config reload + for changes to take effect). 
+ -f, --force Force TCAM allocation modification even when TCAM based + features are configured + --l2-acl SIZE MAC ACLs + --ipv4-acl SIZE IPv4 ACLs + --ipv6-acl SIZE IPv6 ACLs + --ip-acl SIZE IPv4 and IPv6 ACLs + --l2-fbqos SIZE Flow based QoS using MAC ACL/fields + --ipv4-fbqos SIZE Flow based QoS using IPv4 ACL/fields + --ipv6-fbqos SIZE Flow based QoS using IPv6 ACL/fields + --l2ipv4-fbqos SIZE Flow based QoS using MAC and IPv4 ACL/fields + --ip-fbqos SIZE Flow based QoS using IPv4 and IPv6 ACL/fields + +SIZE should be in format NumTablesxNumEntries if the feature supports multiple +tables or NumEntries if the feature supports single table. Example 2x256 or +256 ``` A TCAM allocation must be set currently to modify it. If no current TCAM allocation is set then use the **set** option described below. -##### 3.6.3.6.7 Setting a custom TCAM allocation +##### 3.6.3.8.7 Setting a custom TCAM allocation The following command is used to set the current TCAM allocation scheme. This can be used when the predefined profile fit the requirement and and its not desired to set a predefined profile and modify it multiple times to fit the need. A `--startup` option is also available to modify the TCAM allocation in startup configuration. `--startup` requires the system to be rebooted/config reload for the TCAM allocation to take effect. @@ -1437,7 +2081,6 @@ tables or NumEntries if the feature supports single table. Example 2x256 or ``` - ``` admin@sonic:~$ sudo tcamutil set allocation egress --help 
@@ -1564,6 +2207,8 @@ The following the ASIC limitations that must be noted when configuring the polic 3. All applied policies of the same type must have the same ACL key combinations across all interfaces. Example its not valid to apply QoS Policy P1 on Ethernet0 which uses L2 ACL1 and IPv4 ACL2 and QoS Policy P2 on Ethernet4 which uses IPv4 ACL3 and IPv6 ACL4. 4. Flow counters are not available for QoS Policies at egress. 5. Only policer Green and Red counters will be supported due to ASIC limitation at egress. +6. BCM56980 (TH3) ASIC based platform does not support egress policers. +7. For Trident2 based platforms, QoS policies do not support Match counters. Only Red and Green counters are supported. # 10 Unit Test 1. Verify Classifier creation with ACL @@ -1573,7 +2218,7 @@ The following the ASIC limitations that must be noted when configuring the polic 5. Verify DSCP remarking action add, delete and update 6. Verify PCP remarking action add, delete and update 7. Verify Policy binding at ingress and egress for Ethernet interface -8. Verify Policy binding at ingress and egress for Port-channel interface +8. Verify Policy binding at ingress and egress for PortChannel interface 9. Verify Policy binding at ingress and egress for Vlan interface 10. Verify Policy binding at ingress and egress for Switch interface 11. Verify DSCP remarking with switched and routed traffic 
@@ -1593,324 +2238,81 @@ The following the ASIC limitations that must be noted when configuring the polic 25. Verify monitoring policy with active mirror session and verify deactivate and reactivate -# 11 Appendix A: Sample configuration +# 11 Appendix: Sample configuration -The following example shows configuration for Policy to do PCP and DSCP Remarking using 3 ACLs to classify and active on Ethernet0 interface at ingress. +The following example shows configuration for Policy to take QoS, Monitoring and Forwarding actions. -**Using CLIs** +**Using Sonic-CLI** ``` # Create classifier class0 -config classifier add class0 -m acl -config classifier update class0 -a l3_ACL_0 +SONiC(config)# classifier class0 match-type acl +SONiC(config-classifier)# match access-group ip l3_ACL_0 # Create classifier class1 -config classifier add class1 -m acl -config classifier update class1 -a l2_ACL_0 +SONiC(config)# classifier class1 match-type acl +SONiC(config-classifier)# match access-group mac l2_ACL_0 -# Create policy policy0 -config policy add policy0 -t qos +# ------------------------------------- +# Create policy policy0 for QoS actions +# ------------------------------------- +SONiC(config)# policy policy0 type qos # Create flow using classifier class0 and set results -config flow add policy0 class0 -p 200 -config flow update policy0 class0 --set-dscp 15 --set-pcp 5 +SONiC(config-policy)# class class0 priority 200 +SONiC(config-policy-flow)# set pcp 5 +SONiC(config-policy-flow)# set dscp 15 # Create flow using classifier class0 and set results -config flow add policy0 class1 -p 100 -config flow update policy0 class1 --set-dscp 30 --set-pcp 2 - -# Apply policy to required interfaces -config service-policy bind Ethernet0 qos in policy0 -config service-policy bind Ethernet4 qos in policy0 -config service-policy bind Ethernet8 qos out policy0 -``` - -**Using JSON** - -```json -{ - "CLASSIFIER_TABLE": { - "class0": { - "ACL_NAME": "l3_ACL_0", - "DESCRIPTION": "", - 
"MATCH_TYPE": "acl" - }, - "class1": { - "ACL_NAME": "l2_ACL_0", - "DESCRIPTION": "", - "MATCH_TYPE": "acl" - } - }, - "POLICY_TABLE": { - "policy0": { - "DESCRIPTION": "", - "TYPE": "qos" - } - }, - "POLICY_SECTIONS_TABLE": { - "policy0|class0": { - "PRIORITY": "200", - "SET_DSCP": "15", - "SET_PCP": "5" - }, - "policy0|class1": { - "PRIORITY": "100", - "SET_DSCP": "30", - "SET_PCP": "2" - } - }, - "POLICY_BINDING_TABLE": { - "Ethernet0": { - "INGRESS_QOS_POLICY": "policy0" - }, - "Ethernet4": { - "INGRESS_QOS_POLICY": "policy0" - }, - "Ethernet8": { - "EGRESS_QOS_POLICY": "policy0" - } - } -} -``` - -# 12 Internal Design Information - -Internal BRCM information to be removed before sharing with the community - -## 12.1 Future Design Enhancements - -1. Once ACLs supports UDF, provide an option to use UDF also as part of field qualifier. -2. Use framework for Routing/Forwarding, sFlow etc. -3. Optimized mode can also support TCAM sharing for ports and VLANs. It can be enabled in next release. 
- -## 12.2 IS CLIs (Deferred from Buzznik release) -### 12.2.1 Configuration Commands - -The following commands are used to configure Policy based services - -#### 12.2.1.1 Create or delete classifiers - -| Mode | Config | -| --------- | ------------------------------------------------------------ | -| Syntax | SONiC(config)# [**no**] **classifier** *NAME* **type** { **acl** \| **fields**} | -| SONiC 3.0 | Introduced | - -#### 12.2.1.2 Add or Delete Match ACL to classifier - -| Mode | Classifier | -| ------ | ------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# [**no**] **match access-list** *NAME* | -| SONiC 3.0 | Introduced | - -#### 12.2.1.3 Add or Delete Match on Source MAC - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match source-mac** *MAC* [ / *MAC_MASK*] | -| SONiC 3.0 | Introduced | - -#### 12.2.1.4 Add or Delete Match on Destination MAC - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match destination-mac** *MAC* [ / *MAC*_MASK] | -| SONiC 3.0 | Introduced | - -#### 12.2.1.5 Add or Delete Match on Ethertype - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match ether-type** *ETHER_TYPE* | -| SONiC 3.0 | Introduced | - -#### 12.2.1.6 Add or Delete Match on Source IPv4 Address - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match source ip-address** *IP_ADDR/PREFIX* | -| SONiC 3.0 | Introduced | +SONiC(config-policy)# class class1 priority 100 +SONiC(config-policy-flow)# police cir 10mbps cbs 20MB pir 50mbps pbs 100MB -#### 12.2.1.7 Add or Delete Match on Destination IPv4 Address -| Mode | Classifier | -| ------ | 
------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match destination ip-address** *IP_ADDR/PREFIX* | -| SONiC 3.0 | Introduced | - -#### 12.2.1.8 Add or Delete Match on Source IPv6 Address - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match source ipv6-address** *IPV6_ADDR/PREFIX* | -| SONiC 3.0 | Introduced | +# -------------------------------------------- +# Create policy policy1 for Monitoring actions +# -------------------------------------------- +SONiC(config)# policy policy1 type monitoring -#### 12.2.1.9 Add or Delete Match on Destination IPv6 Address +# Create flow using class1 and set results +SONiC(config-policy)# class class1 priority 100 +SONiC(config-policy-flow)# set mirror-sesion test_session -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match destination ipv6-address** *IPV6_ADDR/PREFIX* | -| SONiC 3.0 | Introduced | -#### 12.2.1.10 Add or Delete Match on IP Protocol - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match protocol** *{ **tcp** \| **udp** \| NUMBER }* | -| SONiC 3.0 | Introduced | - -#### 12.2.1.11 Match Source or Destination TCP or UDP Port - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match** { **tcp** \| **udp** } **port** { **eq** *NUMBER* \| **range** *BEGIN* *END* } | -| SONiC 3.0 | Introduced | - -#### 12.2.1.12 Match Source or Destination TCP or UDP Port - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match** { **source** \| **destination** } **port** { **eq** 
*NUMBER* \| **range** *BEGIN* *END* } | -| SONiC 3.0 | Introduced | +# ------------------------------------ +# Create policy policy2 for Forwarding +# ------------------------------------ +SONiC(config)# policy policy2 type forwarding +SONiC(config-policy)# class class0 priority 100 +SONiC(config-policy-flow)# set ip next-hop 10.1.1.1 priority 900 +SONiC(config-policy-flow)# set ip next-hop 100.1.1.1 vrf default priority 800 +SONiC(config-policy-flow)# set ip next-hop 132.45.2.100 vrf VrfOrange priority 700 +SONiC(config-policy-flow)# set ip next-hop 100.10.20.30 +SONiC(config-policy-flow)# set interface null -#### 12.2.1.13 Match TCP Flags -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **match tcp-flags** { **syn** \| **ack** \| **fin** \| **ack** \| **psh** \| **urg** \| **ece** \| **cwr**} | -| SONiC 3.0 | Introduced | - -#### 12.2.1.14 Add or delete description to the classifier - -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# [**no**] **description** *STRING* | -| SONiC 3.0 | Introduced | - -#### 12.2.1.15 Add or delete policy - -| Mode | Config | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config)# [**no**] **policy** *NAME* **type** { **qos** \| **monitoring** } | -| SONiC 3.0 | Introduced | - -#### 12.2.1.16 Add or delete flow identified by a classifier to a policy - -| Mode | Policy | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-policy)# [**no**] **flow** *NAME* **priority** *NUMBER* | -| SONiC 3.0 | Introduced | - -#### 12.2.1.17 Add DSCP Remarking action for QoS policy - -| Mode | Policy Classify | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-policy-flow)# [**no**] **set dscp** *<0-63>* | -| SONiC 3.0 | Introduced 
| - -#### 12.2.1.18 Add PCP Remarking action for QoS policy - -| Mode | Config | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-policy-flow)# [**no**] **set pcp** *<0-7>* | -| SONiC 3.0 | Introduced | +# ------------------------------------ +# Apply policy to required interfaces. +# ------------------------------------ +SONiC(config)# interface Ethernet 0 +SONiC(conf-if-Ethernet0)# service-policy type qos in policy0 +SONiC(conf-if-Ethernet4)# service-policy type monitoring in policy1 +SONiC(conf-if-Ethernet4)# service-policy type forwarding in policy2 +SONiC(conf-if-Ethernet0)# exit -#### 12.2.1.19 Add policer for QoS policy +SONiC(config)# interface Ethernet 4 +SONiC(conf-if-Ethernet4)# service-policy type monitoring in policy1 +SONiC(conf-if-Ethernet4)# exit -| Mode | Config | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-policy-flow)# [**no**] **police cir** ** **cbs** ** [**pir** ** **pbs** **] | -| SONiC 3.0 | Introduced | - - -#### 12.2.1.20 Apply and remove the policy to interface - -| Mode | Config or Interface | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config)# [**no**] **service-policy** { **qos** \| **monitoring**} { **in** \| **out** } *NAME* | -| Syntax | SONiC(config-if)# [**no**] **service-policy** { **qos** \| **monitoring**} { **in** \| **out** } *NAME* | -| SONiC 3.0 | Introduced | - -### 12.2.2 Show Commands - -#### 12.2.2.1 Show classifier details - -| Mode | Exec | -| --------- | ----------------------------------- | -| Syntax | SONiC# **show classifier** [*NAME*] | -| SONiC 3.0 | Introduced | - -#### 12.2.2.2 Show policy details -| Mode | Exec | -| --------- | --------------------------------------------------- | -| Syntax | SONiC# **show policy** [*POLICY_NAME*] [**flow** [*CLASSIFIER_NAME*]] | -| SONiC 3.0 | Introduced | - -#### 12.2.2.3 Show policy binding summary -| Mode | Exec | -| 
--------- | --------------------------------------- | -| Syntax | SONiC# **show service-policy summary** | -| SONiC 3.0 | Introduced | - -#### 12.2.2.4 Show policy binding for an interface -| Mode | Exec | -| --------- | --------------------------------------------------------- | -| Syntax | SONiC# **show service-policy interface** *INTERFACE_NAME* | -| SONiC 3.0 | Introduced | - -#### 12.2.2.5 Show policy binding for a given policy -| Mode | Exec | -| --------- | --------------------------------------------------------- | -| Syntax | SONiC# **show service-policy policy** *POLICY_NAME* | -| SONiC 3.0 | Introduced | - -#### 12.2.2.6 Clear policy binding statistics for an interface -| Mode | Exec | -| --------- | ------------------------------------------------------------ | -| Syntax | SONiC# **clear statistics service-policy interface** *INTERFACE_NAME* | -| SONiC 3.0 | Introduced | - -#### 12.2.2.7 Clear policy binding statistics for a given policy -| Mode | Exec | -| --------- | ------------------------------------------------------------ | -| Syntax | SONiC# **clear statistics service-policy policy** *POLICY_NAME* | -| SONiC 3.0 | Introduced | - -#### 12.2.2.8 Configuring ACL lookup mode - -``` -sonic(config)# hardware -sonic(config-hardware)# access-list -sonic(config-hardware-acl)# lookup { optimized | legacy } -sonic(config-hardware-acl)# counter { per-rule | per-interface-rule } +SONiC(config)# interface Ethernet 8 +SONiC(conf-if-Ethernet8)# service-policy type forwarding in policy2 ``` -#### 12.2.2.9 Creating a MAC ACL - -``` -sonic(config)# [no] mac access-list NAME -``` - -#### 12.2.2.10 Creating a MAC ACL Rule - -``` -sonic(config-mac-acl)# [no] seq <1-65535> {permit | deny} {any | SMAC[/SMAC_MASK]} {any | DMAC[/DMAC_MASK]} [ETHERTYPE | ipv4 | ipv6 | arp] [vlan VLANID] [pcp <0-7>] -``` - -MAC address are in format documented in Config DB schema. - -ETHERTYPE can be in decimal or hexadecimal format. 
- -#### 12.2.2.11 Applying ACL to different interfaces - -``` -sonic(config)# interface INTF_TYPE INTF_ID -sonic(config-if)# mac access-group NAME {in | out} -``` +# 12 Internal Design Information -Supported INTF_TYPE are Ethernet, Vlan and PortChannel +Internal BRCM information to be removed before sharing with the community -#### 12.2.2.12 Applying ACL to switch +## 12.1 Future Design Enhancements -``` -sonic(config)# [no] {mac|ip|ipv6} access-group NAME {in | out} -``` +1. Once ACLs supports UDF, provide an option to use UDF also as part of fields classifier. +2. Use monitoring policy for more actions like sFlow etc. +3. Optimized mode can also support TCAM sharing for ports and VLANs. From ec2fccde5301405b19703771b77715f01d92912d Mon Sep 17 00:00:00 2001 From: Abhishek Dharwadkar Date: Wed, 30 Sep 2020 16:52:22 -0700 Subject: [PATCH 2/4] Update document to add details of PBR over VXLAN --- L24Services/ACL/ACLEnhancements.md | 241 ++++++++++++++--------------- 1 file changed, 113 insertions(+), 128 deletions(-) diff --git a/L24Services/ACL/ACLEnhancements.md b/L24Services/ACL/ACLEnhancements.md index a2975bf8c377..e88e810fd72a 100644 --- a/L24Services/ACL/ACLEnhancements.md +++ b/L24Services/ACL/ACLEnhancements.md @@ -196,7 +196,6 @@ High level design document version 0.4 - *[3.6.3.8.5 Clearing the TCAM Allocation scheme.](#36385-clearing-the-tcam-allocation-scheme)* - *[3.6.3.8.6 Modifying the current TCAM allocation](#36386-modifying-the-current-tcam-allocation)* - *[3.6.3.8.7 Setting a custom TCAM allocation](#36387-setting-a-custom-tcam-allocation)* - - [3.6.4 REST / gNMI / IS CLI API Support](#364-rest-_-gnmi-_-is-cli-api-support) - **[4 Flow Diagrams](#4-flow-diagrams)** - [4.1 Create a Classifier](#41-create-a-classifier) - [4.2 Create a QoS Policy and Section](#42-create-a-qos-policy-and-section) 
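Review bot: In hunk `@@ -1366,7 +1967,7 @@`, the renamed heading `##### 3.6.3.8.5 Clearing the TCAM Allocation scheme.` keeps a trailing period that no other heading in this section has; drop it, and make sure the table-of-contents anchors for 3.6.3.8.4 to 3.6.3.8.7 are updated to the new numbering in the same commit so the links do not dangle.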
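Review bot: In hunk `@@ -1375,17 +1976,60 @@`, the egress help capture is taken from `admin@Belgrade2:~$` while every other transcript in the document uses `admin@sonic:~$`; replace the lab hostname with the generic prompt. The `-f, --force` help text ("Force TCAM allocation modification even when TCAM based features are configured") needs a sentence in the surrounding prose stating what happens to the ACLs and policies that are already programmed when the allocation shrinks: whether the command checks that the new sizes can still hold them, reprograms them, or drops them, since silently losing ACL rules is the failure mode an operator cares about. The `optional arguments` block only documents the egress flags; the ingress usage line also lists `--l2-fbmonitoring`, `--ipv4-fbmonitoring`, `--ipv6-fbmonitoring`, `--l2ipv4-fbmonitoring`, `--ip-fbmonitoring`, `--tam`, `--mclag` and `--ip-helper`, which get no description. Finally, the unchanged context sentence "This can be used when the predefined profile fit the requirement and and its not desired" reads as if it should be "when no predefined profile fits the requirement and it is not desired"; worth fixing while the section is being renumbered.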
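Review bot: In hunk `@@ -1564,6 +2207,8 @@`, new item 7 ("For Trident2 based platforms, QoS policies do not support Match counters. Only Red and Green counters are supported.") overlaps with existing items 4 and 5, which already say that flow counters are unavailable and only policer Green and Red counters are supported at egress; state explicitly that the Trident2 limitation also applies at ingress, otherwise the item adds nothing. New item 6 ("BCM56980 (TH3) ASIC based platform does not support egress policers.") should say whether binding a QoS policy that carries a `police` action at egress is rejected at configuration time or accepted and ignored, and the unit test list in the following hunk should gain a case that exercises that behaviour.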
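Review bot: In hunk `@@ -1593,324 +2238,81 @@`, the monitoring policy example has a typo, `set mirror-sesion test_session` should be `set mirror-session test_session`. The interface binding block is inconsistent: after `SONiC(config)# interface Ethernet 0` the prompts switch to `SONiC(conf-if-Ethernet4)#` for the monitoring and forwarding bindings and then back to `SONiC(conf-if-Ethernet0)# exit`, and the following `interface Ethernet 4` block binds `policy1` a second time; fix the prompts to `conf-if-Ethernet0` and remove the duplicate binding. The unchanged comment `# Create flow using classifier class0 and set results` precedes `class class1 priority 100` and should read `class1`. This hunk also removes the `**Using JSON**` CONFIG_DB sample entirely; since the DB schema (CLASSIFIER_TABLE, POLICY_SECTIONS_TABLE, POLICY_BINDING_TABLE) is what REST/gNMI clients program, keep an updated JSON equivalent that covers the forwarding and monitoring policies rather than dropping it. Lastly, `# 12 Internal Design Information` with the line "Internal BRCM information to be removed before sharing with the community" is still at the end of the file after this change; it has to be removed before this HLD is merged into the public repository.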
@@ -535,9 +534,10 @@ Policies of different types are designed to take specific actions. QoS Polices a | Feature | Release supported | | -------------------- | ----------------- | -| IPv4 / IPv6 Next Hop | SONiC 3.1 | -| L2 Egress interface | SONiC 3.1 | -| Default drop action | SONiC 3.1 | +| IPv4 / IPv6 underlay next Hop | SONiC 3.1 | +| IPv4 / IPv6 overlay next hop | SONiC 3.1.1 | +| L2 Egress interface | SONiC 3.1 | +| Default drop action | SONiC 3.1 | # 3 Design @@ -761,6 +761,7 @@ PRIORITY = 1*4DIGIT ; Valid Range is 0-1023 DESCRIPTION = 1*255VCHAR ; Policy Description SET_DSCP = dscp_val ; Valid only when policy is of type "qos" SET_PCP = pcp_val ; Valid only when policy is of type "qos" +SET_TC = tc_val ; Valid only when policy is of type "qos" SET_POLICER_CIR = 1*12DIGIT ; Valid only when policy is of type "qos" SET_POLICER_CBS = 1*12DIGIT ; Valid only when policy is of type "qos" SET_POLICER_PIR = 1*12DIGIT ; Valid only when policy is of type "qos" @@ -774,6 +775,7 @@ DEFAULT_PACKET_ACTION = "DROP" / "FORWARD" ; Valid only when policy is of type " ;value annotations dscp_val = DIGIT / %x31-36 %x30-33 pcp_val = %x30-37 +tc_val = %x30-37 d8 = DIGIT ; 0-9 / %x31-39 DIGIT ; 10-99 / "1" 2DIGIT ; 100-199 @@ -1058,8 +1060,8 @@ Options: | Mode | Config | | ---- | --------------------------------------------------- | -| Syntax | SONiC(config)# **classifier** *NAME* **match-type** **acl** | -| Syntax | SONiC(config)# **classifier** *NAME* **match-type** **fields** **match-all** | +| Syntax | SONiC(config)# **class-map** *NAME* **match-type** **acl** | +| Syntax | SONiC(config)# **class-map** *NAME* **match-type** **fields** **match-all** | | Arguments | ***NAME***: String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | | Change history | SONiC 3.1 - Introduced | 
@@ -1085,99 +1087,99 @@ Options: ###### 3.6.2.10.1.1 Add or delete match ACL to classifier -| Mode | Classifier | -| ------ | ------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match access-group** { **mac** \| **ip** \| **ipv6** } *NAME* | -| Syntax | SONiC(config-classifier)# **no match access-group** | +| Mode | Classifier | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match access-group** { **mac** \| **ip** \| **ipv6** } *NAME* | +| Syntax | SONiC(config-class-map)# **no match access-group** | | Arguments | ***NAME***: String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.2 Add or delete match on source MAC -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# **match source-address mac** *MAC* [ / *MAC_MASK*] | -| Syntax | SONiC(config-classifier)# **no match source-address mac** | +| Mode | Classifier | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match source-address mac** *MAC* [ / *MAC_MASK*] | +| Syntax | SONiC(config-class-map)# **no match source-address mac** | | Arguments | ***MAC***: MAC address in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***MAC_MASK***: MAC address mask in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.3 Add or delete match on destination MAC -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# **match destination-address mac** *MAC* [ / *MAC_MASK*] | -| Syntax | SONiC(config-classifier)# **no match destination-mac** | +| Mode | Classifier | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match destination-address mac** *MAC* [ / *MAC_MASK*] | +| Syntax | SONiC(config-class-map)# **no match destination-mac** | | Arguments | ***MAC***: MAC address in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format
***MAC_MASK***: MAC address mask in xxxx.xxxx.xxxx or xx:xx:xx:xx:xx:xx format | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.4 Add or delete match on ethertype -| Mode | Classifier | -| ------ | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# **match ether-type** { **ip** \| **ipv6** \| *ETHER_TYPE* } | -| Syntax | SONiC(config-classifier)# **no match ether-type** | +| Mode | Classifier | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match ether-type** { **ip** \| **ipv6** \| *ETHER_TYPE* } | +| Syntax | SONiC(config-class-map)# **no match ether-type** | | Arguments | ***ETHER_TYPE***: Ethertype value in hex format in range 0x600 - 0xFFFF | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.5 Add or delete match on PCP -| Mode | Classifier | -| -------------- | ------------------------------------------------------------ | -| Syntax | SONiC(config-classifier)# **match pcp** { **be** \| **bk** \| **ee** \| **ca** \| **vi** \| **vo** \| **ic** \| **nc** \| *PCP_VAL* } | -| Syntax | SONiC(config-classifier)# **no match pcp** | +| Mode | Classifier | +| -------------- | ---------- | +| Syntax | SONiC(config-class-map)# **match pcp** { **be** \| **bk** \| **ee** \| **ca** \| **vi** \| **vo** \| **ic** \| **nc** \| *PCP_VAL* } | +| Syntax | SONiC(config-class-map)# **no match pcp** | | Arguments | ***be***: Best effort (0)
***bk***: Background (1)
***ee***: Excellent effort (2)
***ca***: Critical applications (3)
***vi***: Video, < 100 ms latency and jitter (4)
***vo***: Voice, < 10 ms latency and jitter (5)
***ic***: Internetwork control (6)
***nc***: Network control (7)
***PCP_VAL***: PCP Value in range 0-7 | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.6 Add or delete match on VLAN ID -| Mode | Classifier| -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match vlan** *VLAN_ID* | -| Syntax | SONiC(config-classifier)# **no match vlan** | +| Mode | Classifier | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match vlan** *VLAN_ID* | +| Syntax | SONiC(config-class-map)# **no match vlan** | | Arguments | ***VLAN_ID***: VLAN ID in range 1-4094 | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.7 Add or delete match on source IPv4 Address | Mode | Classifier | -| ------ | ---------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match source-address ip** { **host** *IP_ADDR* \| *IP_ADDR/PREFIX* } | -| Syntax | SONiC(config-classifier)# **no match source-address ip** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match source-address ip** { **host** *IP_ADDR* \| *IP_ADDR/PREFIX* } | +| Syntax | SONiC(config-class-map)# **no match source-address ip** | | Arguments | ***IP_ADDR***: IPv4 address
***PREFIX***: Prefix in range 1-31 | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.8 Add or delete match on destination IPv4 Address | Mode | Classifier | -| ------ | ---------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match destination-address ip** { **host** *IP_ADDR* \| *IP_ADDR/PREFIX* } | -| Syntax | SONiC(config-classifier)# **no match destination-address ip** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match destination-address ip** { **host** *IP_ADDR* \| *IP_ADDR/PREFIX* } | +| Syntax | SONiC(config-class-map)# **no match destination-address ip** | | Arguments | ***IP_ADDR***: IPv4 address
***PREFIX***: Prefix in range 1-31 | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.9 Add or delete match on source IPv6 Address | Mode | Classifier | -| ------ | ---------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match source-address ipv6** { **host** *IPV6_ADDR* \| *IPV6_ADDR/PREFIX* } | -| Syntax | SONiC(config-classifier)# **no match source-address ipv6** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match source-address ipv6** { **host** *IPV6_ADDR* \| *IPV6_ADDR/PREFIX* } | +| Syntax | SONiC(config-class-map)# **no match source-address ipv6** | | Arguments | ***IPV6_ADDR***: IPv6 address
***PREFIX***: Prefix in range 1-127 | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.10 Add or delete match on destination IPv4 Address | Mode | Classifier | -| ------ | ---------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match destination-address ipv6** { **host** *IPV6_ADDR* \| *IPV6_ADDR/PREFIX* } | -| Syntax | SONiC(config-classifier)# **no match destination-address ipv6** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match destination-address ipv6** { **host** *IPV6_ADDR* \| *IPV6_ADDR/PREFIX* } | +| Syntax | SONiC(config-class-map)# **no match destination-address ipv6** | | Arguments | ***IPV6_ADDR***: IPv6 address
***PREFIX***: Prefix in range 1-127 | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.10.1.11 Add or delete match on IP Protocol | Mode | Classifier | -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match ip protocol** { **tcp** \| **udp** \| **icmp** \| **icmpv6** \| *NUMBER* } | -| Syntax | SONiC(config-classifier)# **no match protocol** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match ip protocol** { **tcp** \| **udp** \| **icmp** \| **icmpv6** \| *NUMBER* } | +| Syntax | SONiC(config-class-map)# **no match protocol** | | Arguments | ***NUMBER***: IP Protocol number in range 0-255 | | Change history | SONiC 3.1 - Introduced | @@ -1185,9 +1187,9 @@ Options: Match on source port is allowed only when IP protocol is set to TCP or UDP. | Mode | Classifier | -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match l4-port source** { **eq** *NUMBER* \| **range** *BEGIN* *END*} | -| Syntax | SONiC(config-classifier)# **no match l4-port source** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match l4-port source** { **eq** *NUMBER* \| **range** *BEGIN* *END*} | +| Syntax | SONiC(config-class-map)# **no match l4-port source** | | Arguments | ***NUMBER***: Port number 0-65535
***BEGIN***,***END***: Port number 0-65535. END must be greater than BEGIN | | Change history | SONiC 3.1 - Introduced | @@ -1195,9 +1197,9 @@ Match on source port is allowed only when IP protocol is set to TCP or UDP. Match on destination port is allowed only when IP protocol is set to TCP or UDP. | Mode | Classifier | -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match l4-port destination** { **eq** *NUMBER* \| **range** *BEGIN* *END*} | -| Syntax | SONiC(config-classifier)# **no match l4-port destination** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match l4-port destination** { **eq** *NUMBER* \| **range** *BEGIN* *END*} | +| Syntax | SONiC(config-class-map)# **no match l4-port destination** | | Arguments | ***NUMBER***: Port number 0-65535
***BEGIN***,***END***: Port number 0-65535. END must be greater than BEGIN | | Change history | SONiC 3.1 - Introduced | @@ -1205,9 +1207,9 @@ Match on destination port is allowed only when IP protocol is set to TCP or UDP. Match on TCP flags is allowed only when IP protocol is set to TCP. `not-xxx` keyword can be used to match the corresponding flag set to 0. | Mode | Classifier | -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **match tcp-flags** { **syn** \| **not-syn** } { **ack** \| **not-ack** } { **fin** \| **not-fin** } { **ack** \| **not-ack** } { **psh** \| **not-psh** } { **urg** \| **not-urg** } | -| Syntax | SONiC(config-classifier)# **no** **match tcp-flags** [ { **syn** \| **not-syn** } { **ack** \| **not-ack** } { **fin** \| **not-fin** } { **ack** \| **not-ack** } { **psh** \| **not-psh** } { **urg** \| **not-urg** } ] | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **match tcp-flags** { **syn** \| **not-syn** } { **ack** \| **not-ack** } { **fin** \| **not-fin** } { **ack** \| **not-ack** } { **psh** \| **not-psh** } { **urg** \| **not-urg** } | +| Syntax | SONiC(config-class-map)# **no** **match tcp-flags** [ { **syn** \| **not-syn** } { **ack** \| **not-ack** } { **fin** \| **not-fin** } { **ack** \| **not-ack** } { **psh** \| **not-psh** } { **urg** \| **not-urg** } ] | | Change history | SONiC 3.1 - Introduced | ##### 3.6.2.10.2 Update classifier match parameters using Click CLI (Deprecated) 
@@ -1270,16 +1272,16 @@ Options: #### 3.6.2.11 Add classifier description | Mode | Classifier | -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **description** *STRING* | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **description** *STRING* | | Arguments | ***STRING***: A string describing the classifier. Max 256 characters. Description should be in double quotes if it has spaces. | | Change history | SONiC 3.1 - Introduced | #### 3.6.2.12 Delete classifier description | Mode | Classifier | -| ------ | ----------------------------------------------------------- | -| Syntax | SONiC(config-classifier)# **no description** | +| ------ | ---------- | +| Syntax | SONiC(config-class-map)# **no description** | | Change history | SONiC 3.1 - Introduced | #### 3.6.2.13 Delete classifier @@ -1287,7 +1289,7 @@ Options: ##### 3.6.2.13.1 Delete classifier using Sonic-CLI | Mode | Config | -| ---- | --------------------------------------------------- | +| ---- | ------ | | Syntax | SONiC(config)# **no classifier** *NAME* | | Arguments | ***NAME***: String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | | Change history | SONiC 3.1 - Introduced | @@ -1310,7 +1312,7 @@ Options: | Mode | Config | | ---- | ------ | -| Syntax | SONiC(config)# **policy** *NAME* **type** { **qos** \| **monitoring** \| **forwarding** } | +| Syntax | SONiC(config)# **policy-map** *NAME* **type** { **qos** \| **monitoring** \| **forwarding** } | | Arguments | ***NAME***: Name of the policy to be created. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | | Change history | SONiC 3.1 - Introduced | 
@@ -1336,7 +1338,7 @@ Options: ##### 3.6.2.15.1 Deleting policy using Sonic-CLI | Mode | Config | | ---- | ------ | -| Syntax | SONiC(config)# **no policy** *NAME* | +| Syntax | SONiC(config)# **no policy-map** *NAME* | | Arguments | ***NAME***: Name of the policy to be deleted. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | | Change history | SONiC 3.1 - Introduced | @@ -1355,7 +1357,7 @@ Options: | Mode | Policy | | ------ | ------ | -| Syntax | SONiC(config-policy)# **description** *STRING* | +| Syntax | SONiC(config-policy-map)# **description** *STRING* | | Arguments | ***STRING***: A string describing the policy. Max 256 characters. Description should be in double quotes if it has spaces. | | Change history | SONiC 3.1 - Introduced | @@ -1363,7 +1365,7 @@ Options: | Mode | Policy | | ------ | ------ | -| Syntax | SONiC(config-policy)# **no description** | +| Syntax | SONiC(config-policy-map)# **no description** | | Change history | SONiC 3.1 - Introduced | #### 3.6.2.18 Add flow identified by a classifier to a policy @@ -1372,7 +1374,7 @@ Options: | Mode | Policy | | ------ | ------ | -| Syntax | SONiC(config-policy)# **class** *NAME* **priority** *PRIORITY* | +| Syntax | SONiC(config-policy-map)# **class** *NAME* **priority** *PRIORITY* | | Arguments | ***NAME***: Classifier name. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_).
***PRIORITY***: Priority number in range 0-1023 | | Change history | SONiC 3.1 - Introduced | @@ -1397,7 +1399,7 @@ Options: | Mode | Policy | | ------ | ------ | -| Syntax | SONiC(config-policy)# **no class** *NAME* | +| Syntax | SONiC(config-policy-map)# **no class** *NAME* | | Arguments | ***NAME***: Classifier name. String of 1-63 characters in length. Must begin with a alpha numeric character. Rest of the characters can be alpha numeric or hyphen (-) or underscore (\_). | | Change history | SONiC 3.1 - Introduced | @@ -1416,7 +1418,7 @@ Options: | Mode | Flow | | ------ | ------ | -| Syntax | SONiC(config-classifier)# **description** *STRING* | +| Syntax | SONiC(config-class-map)# **description** *STRING* | | Arguments | *STRING*: A string describing the flow. Max 256 characters. Description should be in double quotes if it has spaces. | | Change history | SONiC 3.1 - Introduced | @@ -1424,7 +1426,7 @@ Options: | Mode | Flow | | ------ | ------ | -| Syntax | SONiC(config-classifier)# **no description** | +| Syntax | SONiC(config-class-map)# **no description** | | Change history | SONiC 3.1 - Introduced | #### 3.6.2.24 Add action(s) to flows 
@@ -1436,35 +1438,35 @@ The following QoS actions can be added to the flow. QoS actions can be added/ena | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **set dscp** *\<0-63\>* | +| Syntax | SONiC(config-policy-map-flow)# **set dscp** *\<0-63\>* | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.1.2 Delete DSCP remarking action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **no set dscp** | +| Syntax | SONiC(config-policy-map-flow)# **no set dscp** | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.1.3 Add PCP remarking action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **set pcp** *\<0-7\>* | +| Syntax | SONiC(config-policy-map-flow)# **set pcp** *\<0-7\>* | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.1.4 Delete PCP remarking action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **no set pcp** | +| Syntax | SONiC(config-policy-map-flow)# **no set pcp** | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.1.5 Add policer action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **police cir** *CIR* \[**cbs** *CBS* \] \[**pir** *PIR* \] \[**pbs** *PBS* \] | +| Syntax | SONiC(config-policy-map-flow)# **police cir** *CIR* \[**bc** *CBS* \] \[**pir** *PIR* \] \[**be** *PBS* \] | | Arguments | ***CIR***: Committed information rate in bits per second. CIR is mandatory. The value can be optionally suffixed with kbps(1000), mbps(1000000), gbps (1000000000) or tbps (1000000000000).
***CBS***: Committed burst size in bytes. The value can be suffixed with KB(1000), MB(1000000), GB(1000000000) or TB(1000000000000). The default value is 20% of the CIR in bytes. If configured by the user, it must be greater than or equal to CIR in bytes.
***PIR***: Peak information rate in bits per second. The value can be optionally suffixed with kbps(1000), mbps(1000000), gbps (1000000000) or tbps (1000000000000). If configured by the user, it must be greater than CIR
***PBS***: Peak burst size. The value can be suffixed with KB(1000), MB(1000000), GB(1000000000) or TB(1000000000000). The default value is 20% of the PIR value in bytes. If configured by the user, it must be greater than PIR value in bytes and also CBS value. | | Change history | SONiC 3.1 - Introduced | @@ -1475,21 +1477,21 @@ If both CIR and PIR is configured, then is 2 rate 3 color policer. Any traffic t ###### 3.6.2.24.1.6 Delete policer action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **no police** \[ **cir** \] \[**cbs** \] \[**pir** \] \[**pbs** \] | +| Syntax | SONiC(config-policy-map-flow)# **no police** \[ **cir** \] \[**cbs** \] \[**pir** \] \[**pbs** \] | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.1.7 Add set traffic-class action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **set traffic-class** *\<0-7\>* | +| Syntax | SONiC(config-policy-map-flow)# **set traffic-class** *\<0-7\>* | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.1.8 Delete set traffic-class action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **no set traffic-class** | +| Syntax | SONiC(config-policy-map-flow)# **no set traffic-class** | | Change history | SONiC 3.1 - Introduced | ##### 3.6.2.24.2 Adding monitoring actions to the flow 
@@ -1498,14 +1500,14 @@ The following monitoring actions can be added to the flow. Monitoring actions ca ###### 3.6.2.24.2.1 Adding mirror session action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **set mirror-session** *SESSION_NAME* | +| Syntax | SONiC(config-policy-map-flow)# **set mirror-session** *SESSION_NAME* | | Arguments | *SESSION_NAME*: Mirror session name | | Change history | SONiC 3.1 - Introduced | ###### 3.6.2.24.2.2 Deleting mirror session action | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# **no set mirror-session** | +| Syntax | SONiC(config-policy-map-flow)# **no set mirror-session** | | Change history | SONiC 3.1 - Introduced | ##### 3.6.2.24.3 Adding forwarding actions to the flow @@ -1514,8 +1516,8 @@ The following forwarding actions can be added to the flow. Forwarding actions ca ###### 3.6.2.24.3.1 Adding / Deleting IPv4 next-hop | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set ip next-hop** *IP_ADDR* \[ vrf *VRF_NAME* \] \[ priority *PRIORITY* \] | -| Arguments | ***IP_ADDR***: IPv4 Address
***VRF_NAME***: VRF name. If the VRF name is not specified then it will be derived from the VRF of the interface on which the policy is applied or default will be used for global application.
***PRIORITY***: Priority of the next-hop. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The next-hop with the higher priority will be picked up for forwarding first. If more than 1 next-hops have the same priority then the next-hop which is configured first will be used. | +| Syntax | SONiC(config-policy-map-flow)# \[ **no** \] **set ip next-hop** *IP_ADDR* \[ vrf *VRF_NAME* \] \[ priority *PRIORITY* \] | +| Arguments | ***IP_ADDR***: IPv4 Address of the next-hop. It can be reachable via underlay or over VxLAN tunnel.
***VRF_NAME***: VRF name. If the VRF name is not specified then it will be derived from the VRF of the interface on which the policy is applied or default will be used for global application.
***PRIORITY***: Priority of the next-hop. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The next-hop with the higher priority will be picked up for forwarding first. If more than 1 next-hops have the same priority then the next-hop which is configured first will be used. | | Change history | SONiC 3.1 - Introduced | IPv4 next-hops are valid only if the classifier uses IPv4 ACL for match. Only IPv4 routed traffic will be forwarded to the configured next-hop. Combining IPv4 next-hops with IPv6 next-hops or egress interface (except NULL) is not permitted. The next-hop must be reachable for it to be selected for routing. NULL egress can be configured to select drop as egress action if none of the next-hops are reachable. If NULL egress is not configured then the traffic will be routed normally. @@ -1523,8 +1525,8 @@ IPv4 next-hops are valid only if the classifier uses IPv4 ACL for match. Only IP ###### 3.6.2.24.3.2 Adding / Deleting IPv6 next-hop | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set ipv6 next-hop** *IPV6_ADDR* \[ vrf *VRF_NAME* \] \[ priority *PRIORITY* \] | -| Arguments | ***IPV6_ADDR***: IPv6 Address
***VRF_NAME***: VRF name. If the VRF name is not specified then it will be derived from the VRF of the interface on which the policy is applied or default will be used for global application.
***PRIORITY***: Priority of the next-hop. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The next-hop with the higher priority will be picked up for forwarding first. If more than 1 next-hops have the same priority then the next-hop which is configured first will be used. | +| Syntax | SONiC(config-policy-map-flow)# \[ **no** \] **set ipv6 next-hop** *IPV6_ADDR* \[ vrf *VRF_NAME* \] \[ priority *PRIORITY* \] | +| Arguments | ***IPV6_ADDR***: IPv6 Address. It can be reachable via underlay or over VxLAN tunnel.
***VRF_NAME***: VRF name. If the VRF name is not specified then it will be derived from the VRF of the interface on which the policy is applied or default will be used for global application.
***PRIORITY***: Priority of the next-hop. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The next-hop with the higher priority will be picked up for forwarding first. If more than 1 next-hops have the same priority then the next-hop which is configured first will be used. | | Change history | SONiC 3.1 - Introduced | IPv6 next-hops are valid only if the classifier uses IPv6 ACL for match. Only IPv6 routed traffic will be forwarded to the configured next-hop. Combining IPv6 next-hops with IPv4 next-hops or egress interface (except NULL) is not permitted. The next-hop must be reachable for it to be selected for routing. NULL egress can be configured to select drop as egress action if none of the next-hops are reachable. If NULL egress is not configured then the traffic will be routed normally. @@ -1533,7 +1535,7 @@ IPv6 next-hops are valid only if the classifier uses IPv6 ACL for match. Only IP | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set interface** { **Ethernet***ID* \| **PortChannel***ID* } \[ priority *PRIORITY* \] | +| Syntax | SONiC(config-policy-map-flow)# \[ **no** \] **set interface** { **Ethernet***ID* \| **PortChannel***ID* } \[ priority *PRIORITY* \] | | Arguments | ***ID***: Ethernet or PortChannel number.
***PRIORITY***: Priority of the egress port. Range is 1-65535. Default is 0 ie lowest priority if not configured by the user. The port with the higher priority will be picked up for forwarding first. If more than 1 ports have the same priority then the port which is configured first will be used. | | Change history | SONiC 3.1 - Introduced | @@ -1543,7 +1545,7 @@ Egress interfaces configuration is valid only if the classifier uses MAC/L2 ACL | Mode | Flow | | ------ | ---- | -| Syntax | SONiC(config-policy-flow)# \[ **no** \] **set interface null** | +| Syntax | SONiC(config-policy-map-flow)# \[ **no** \] **set interface null** | | Change history | SONiC 3.1 - Introduced | Drop action if configured will be of the lowest priority and will be chosen if none of the configured next-hops or egress interfaces can be used for forwarding. @@ -1677,7 +1679,7 @@ ip access-list ipacl | Mode | Exec | | ------ | ------------------- | -| Syntax | SONiC# **show classifier** [ *NAME* \| **match-type** { **acl** \| **fields** } ] | +| Syntax | SONiC# **show class-map** [ *NAME* \| **match-type** { **acl** \| **fields** } ] | | Change history | SONiC 3.1 - Introduced | ##### 3.6.3.4.2 Show classifier details using Click CLI (Deprecated) @@ -1697,13 +1699,13 @@ Options: | CLI Type | CLI Syntax | | -------- | ---------- | -| Sonic-CLI | SONiC# show classifier class0 | +| Sonic-CLI | SONiC# show class-map class0 | | Click-CLI *(Deprecated)* | root@sonic:~# show classifier class0 | | Sample Output | Classifier class0 match-type acl
  match-acl l3_ACL_0
    Referenced in flows:
      policy policy0 at priority 200 | | CLI Type | CLI Syntax | | -------- | ---------- | -| Sonic-CLI | SONiC# show classifier match-type fields | +| Sonic-CLI | SONiC# show class-map match-type fields | | Click-CLI *(Deprecated)* | root@sonic:~# show classifier -m fields | | Sample Output | Classifier fields_class_0 match-type fields
  Description:
  Match:
    src-ip 40.1.1.100/32
  Referenced in flows:
    policy mon_policy_0 at priority 999
    policy qos_policy_0 at priority 999 | @@ -1712,7 +1714,7 @@ Options: ##### 3.6.3.5.1 Show policy details using Sonic-CLI | Mode | Exec | | ------ | ------------------- | -| Syntax | SONiC# **show policy** [ *NAME* \| **type** { **qos** \| **monitoring** \| **forwarding** } ] | +| Syntax | SONiC# **show policy-map** [ *NAME* \| **type** { **qos** \| **monitoring** \| **forwarding** } ] | | Change history | SONiC 3.1 - Introduced | ##### 3.6.3.5.2 Show policy details using Click-CLI (Deprecated) @@ -1733,14 +1735,14 @@ Options: | CLI Type | CLI Syntax | | -------- | ---------- | -| Sonic-CLI | SONiC# show policy qos_policy_0 | +| Sonic-CLI | SONiC# show policy-map qos_policy_0 | | Click-CLI (Deprecated) | root@sonic~# show policy qos_policy_0 | | Sample Output | Policy qos_policy_0 Type qos
  Description:
  Flow fields_class_0 at priority 999
    Description:
    set-pcp 1
    set-pcp 1
    police cir 10000000 cbs 1000000 pir 0 pbs 0
  Flow fields_class_1 at priority 998
    Description:
    set-pcp 2
    set-pcp 2
    police cir 20000000 cbs 2000000 pir 0 pbs 0
  Flow fields_class_2 at priority 997
    Description:
    set-pcp 3
    set-pcp 3
    police cir 30000000 cbs 3000000 pir 0 pbs 0
  Flow fields_class_3 at priority 996
    Description:
    set-pcp 4
    set-pcp 4
    police cir 40000000 cbs 4000000 pir 0 pbs 0
  Applied to:
    Ethernet0 at ingress | | CLI Type | CLI Syntax | | -------- | ---------- | -| Sonic-CLI | SONiC# show policy type monitoring | +| Sonic-CLI | SONiC# show policy-map type monitoring | | Click-CLI (Deprecated) | root@sonic~# show policy -t monitoring | | Sample Output | Policy mon_policy_0 Type monitoring
  Description:
  Flow fields_class_0 at priority 999
    Description:
    mirror-session ERSPAN_DestIP_50.1.1.2
  Flow fields_class_1 at priority 998
    Description:
    mirror-session ERSPAN_DestIP_60.1.1.2
  Flow fields_class_2 at priority 997
    Description:
    mirror-session ERSPAN_DestIP_50.1.1.2
  Flow fields_class_3 at priority 996
    Description:
    mirror-session ERSPAN_DestIP_60.1.1.2
  Applied to:
    Ethernet0 at ingress | @@ -1781,7 +1783,7 @@ Options: ##### 3.6.3.7.1 Show/Clear policy binding and counters using SONiC-CLI | Mode | Exec | | --------- | ---- | -| Syntax | SONiC# **show service-policy** { **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] \| **policy** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] }

SONiC# **clear counters service-policy** { **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] \| **policy** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] } | +| Syntax | SONiC# **show service-policy** { **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] \| **policy-map** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] }

SONiC# **clear counters service-policy** { **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** } \[ **type** { **qos** \| **monitoring** \| **forwarding** } \] \| **policy-map** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] } | | Arguments | *ID*: Number of Ethernet or PortChannel or Vlan
*NAME*: Name of the policy applied. | | Change history | SONiC 3.1 - Introduced | @@ -1823,7 +1825,7 @@ Options: | CLI Type | CLI Syntax | | -------- | ---------- | -| Sonic-CLI | SONiC# show service-policy policy mon_policy_0 | +| Sonic-CLI | SONiC# show service-policy policy-map mon_policy_0 | | Click-CLI (Deprecated) | root@sonic:~# show service-policy policy mon_policy_0 | | Sample Output | Ethernet0
  Policy mon_policy_0 Type monitoring at ingress
  Description:
    Flow fields_class_3 at priority 996 (Active)
      Description:
      mirror-session ERSPAN_DestIP_60.1.1.2
      Packet matches: 0 frames 0 bytes
    Flow fields_class_2 at priority 997 (Active)
      Description:
      mirror-session ERSPAN_DestIP_50.1.1.2
      Packet matches: 0 frames 0 bytes
    Flow fields_class_1 at priority 998 (Active)
      Description:
      mirror-session ERSPAN_DestIP_60.1.1.2
      Packet matches: 0 frames 0 bytes
    Flow fields_class_0 at priority 999 (Active)
      Description:
      mirror-session ERSPAN_DestIP_50.1.1.2
      Packet matches: 0 frames 0 bytes | @@ -1896,12 +1898,10 @@ Total 9 TCAM slices of 9 allocated. Each slice has 256 entries l2-acl 160bit(1) 1x512 MAC ACLs ipv4-acl 160bit(1) 0x0 IPv4 ACLs ipv6-acl 320bit(2) 0x0 IPv6 ACLs - ip-acl 320bit(2) 0x0 IPv4 and IPv6 ACLs l2-fbqos 160bit(1) 0x0 Flow based QoS using MAC ACL/fields ipv4-fbqos 160bit(1) 0x0 Flow based QoS using IPv4 ACL/fields ipv6-fbqos 320bit(2) 0x0 Flow based QoS using IPv6 ACL/fields l2ipv4-fbqos 320bit(2) 0x0 Flow based QoS using MAC and IPv4 ACL/fields - ip-fbqos 320bit(2) 0x0 Flow based QoS using IPv4 and IPv6 ACL/fields pfcwd 160bit(1) 0x0 PFC Watchdog ----------------------------------------------------------------------------------------------- Total 2 TCAM slices of 2 allocated. Each slice has 256 entries @@ -1955,12 +1955,10 @@ Total 9 TCAM slices of 9 allocated. Each slice has 256 entries l2-acl 160bit(1) 1x512 MAC ACLs ipv4-acl 160bit(1) 0x0 IPv4 ACLs ipv6-acl 320bit(2) 0x0 IPv6 ACLs - ip-acl 320bit(2) 0x0 IPv4 and IPv6 ACLs l2-fbqos 160bit(1) 0x0 Flow based QoS using MAC ACL/fields ipv4-fbqos 160bit(1) 0x0 Flow based QoS using IPv4 ACL/fields ipv6-fbqos 320bit(2) 0x0 Flow based QoS using IPv6 ACL/fields l2ipv4-fbqos 320bit(2) 0x0 Flow based QoS using MAC and IPv4 ACL/fields - ip-fbqos 320bit(2) 0x0 Flow based QoS using IPv4 and IPv6 ACL/fields pfcwd 160bit(1) 0x0 PFC Watchdog ----------------------------------------------------------------------------------------- Total 2 TCAM slices of 2 allocated. Each slice has 256 entries 
@@ -2002,9 +2000,8 @@ usage: tcamutil modify ingress [-h] [--startup] [-f] [--l2-acl SIZE] admin@Belgrade2:~$ sudo tcamutil modify egress --help usage: tcamutil modify egress [-h] [--startup] [-f] [--l2-acl SIZE] [--ipv4-acl SIZE] [--ipv6-acl SIZE] - [--ip-acl SIZE] [--l2-fbqos SIZE] - [--ipv4-fbqos SIZE] [--ipv6-fbqos SIZE] - [--l2ipv4-fbqos SIZE] [--ip-fbqos SIZE] + [--l2-fbqos SIZE] [--ipv4-fbqos SIZE] + [--ipv6-fbqos SIZE] [--l2ipv4-fbqos SIZE] optional arguments: -h, --help show this help message and exit @@ -2015,12 +2012,10 @@ optional arguments: --l2-acl SIZE MAC ACLs --ipv4-acl SIZE IPv4 ACLs --ipv6-acl SIZE IPv6 ACLs - --ip-acl SIZE IPv4 and IPv6 ACLs --l2-fbqos SIZE Flow based QoS using MAC ACL/fields --ipv4-fbqos SIZE Flow based QoS using IPv4 ACL/fields --ipv6-fbqos SIZE Flow based QoS using IPv6 ACL/fields --l2ipv4-fbqos SIZE Flow based QoS using MAC and IPv4 ACL/fields - --ip-fbqos SIZE Flow based QoS using IPv4 and IPv6 ACL/fields SIZE should be in format NumTablesxNumEntries if the feature supports multiple tables or NumEntries if the feature supports single table. Example 2x256 or 
@@ -2085,23 +2080,19 @@ tables or NumEntries if the feature supports single table. Example 2x256 or admin@sonic:~$ sudo tcamutil set allocation egress --help usage: tcamutil set allocation egress [-h] [--l2-acl SIZE] [--ipv4-acl SIZE] - [--ipv6-acl SIZE] [--ip-acl SIZE] - [--l2-fbqos SIZE] [--ipv4-fbqos SIZE] - [--ipv6-fbqos SIZE] - [--l2ipv4-fbqos SIZE] [--ip-fbqos SIZE] - [--startup] [-f] + [--ipv6-acl SIZE] [--l2-fbqos SIZE] + [--ipv4-fbqos SIZE] [--ipv6-fbqos SIZE] + [--l2ipv4-fbqos SIZE] [--startup] [-f] optional arguments: -h, --help show this help message and exit --l2-acl SIZE MAC ACLs --ipv4-acl SIZE IPv4 ACLs --ipv6-acl SIZE IPv6 ACLs - --ip-acl SIZE IPv4 and IPv6 ACLs --l2-fbqos SIZE Flow based QoS using MAC ACL/fields --ipv4-fbqos SIZE Flow based QoS using IPv4 ACL/fields --ipv6-fbqos SIZE Flow based QoS using IPv6 ACL/fields --l2ipv4-fbqos SIZE Flow based QoS using MAC and IPv4 ACL/fields - --ip-fbqos SIZE Flow based QoS using IPv4 and IPv6 ACL/fields --startup Modify startup config. (Requires reboot/config reload for changes to take effect). -f, --force Force TCAM allocation modification even when TCAM based @@ -2129,12 +2120,6 @@ SIZE should be in format NumTablesxNumEntries if the feature supports multiple tables or NumEntries if the feature supports single table. Example 2x256 or ``` -### 3.6.4 REST / gNMI / IS CLI API Support - -Flow based services does not support Rest / gNMI / IS CLIs. - -L2 ACLs doesn't support Rest / gNMI / IS CLIs. - # 4 Flow Diagrams ## 4.1 Create a Classifier 
@@ -2247,11 +2232,11 @@ The following example shows configuration for Policy to take QoS, Monitoring and ``` # Create classifier class0 SONiC(config)# classifier class0 match-type acl -SONiC(config-classifier)# match access-group ip l3_ACL_0 +SONiC(config-class-map)# match access-group ip l3_ACL_0 # Create classifier class1 SONiC(config)# classifier class1 match-type acl -SONiC(config-classifier)# match access-group mac l2_ACL_0 +SONiC(config-class-map)# match access-group mac l2_ACL_0 # ------------------------------------- # Create policy policy0 for QoS actions @@ -2259,13 +2244,13 @@ SONiC(config-classifier)# match access-group mac l2_ACL_0 SONiC(config)# policy policy0 type qos # Create flow using classifier class0 and set results -SONiC(config-policy)# class class0 priority 200 -SONiC(config-policy-flow)# set pcp 5 -SONiC(config-policy-flow)# set dscp 15 +SONiC(config-policy-map)# class class0 priority 200 +SONiC(config-policy-map-flow)# set pcp 5 +SONiC(config-policy-map-flow)# set dscp 15 # Create flow using classifier class0 and set results -SONiC(config-policy)# class class1 priority 100 -SONiC(config-policy-flow)# police cir 10mbps cbs 20MB pir 50mbps pbs 100MB +SONiC(config-policy-map)# class class1 priority 100 +SONiC(config-policy-map-flow)# police cir 10mbps cbs 20MB pir 50mbps pbs 100MB # -------------------------------------------- 
@@ -2274,20 +2259,20 @@ SONiC(config-policy-flow)# police cir 10mbps cbs 20MB pir 50mbps pbs 100MB SONiC(config)# policy policy1 type monitoring # Create flow using class1 and set results -SONiC(config-policy)# class class1 priority 100 -SONiC(config-policy-flow)# set mirror-sesion test_session +SONiC(config-policy-map)# class class1 priority 100 +SONiC(config-policy-map-flow)# set mirror-sesion test_session # ------------------------------------ # Create policy policy2 for Forwarding # ------------------------------------ SONiC(config)# policy policy2 type forwarding -SONiC(config-policy)# class class0 priority 100 -SONiC(config-policy-flow)# set ip next-hop 10.1.1.1 priority 900 -SONiC(config-policy-flow)# set ip next-hop 100.1.1.1 vrf default priority 800 -SONiC(config-policy-flow)# set ip next-hop 132.45.2.100 vrf VrfOrange priority 700 -SONiC(config-policy-flow)# set ip next-hop 100.10.20.30 -SONiC(config-policy-flow)# set interface null +SONiC(config-policy-map)# class class0 priority 100 +SONiC(config-policy-map-flow)# set ip next-hop 10.1.1.1 priority 900 +SONiC(config-policy-map-flow)# set ip next-hop 100.1.1.1 vrf default priority 800 +SONiC(config-policy-map-flow)# set ip next-hop 132.45.2.100 vrf VrfOrange priority 700 +SONiC(config-policy-map-flow)# set ip next-hop 100.10.20.30 +SONiC(config-policy-map-flow)# set interface null # ------------------------------------ From 6202d145dd4cb8f7c3e670edb77e508637347dfb Mon Sep 17 00:00:00 2001 From: Abhishek Dharwadkar Date: Tue, 6 Oct 2020 10:37:08 -0700 Subject: [PATCH 3/4] Update classifier CLI to use class-map keywork in sample configuration --- L24Services/ACL/ACLEnhancements.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/L24Services/ACL/ACLEnhancements.md b/L24Services/ACL/ACLEnhancements.md index 2890a0d9b5b3..e24f6cf90a77 100644 --- a/L24Services/ACL/ACLEnhancements.md +++ b/L24Services/ACL/ACLEnhancements.md 
@@ -2232,11 +2232,11 @@ The following example shows configuration for Policy to take QoS, Monitoring and ``` # Create classifier class0 -SONiC(config)# classifier class0 match-type acl +SONiC(config)# class-map class0 match-type acl SONiC(config-class-map)# match access-group ip l3_ACL_0 # Create classifier class1 -SONiC(config)# classifier class1 match-type acl +SONiC(config)# class-map class1 match-type acl SONiC(config-class-map)# match access-group mac l2_ACL_0 # ------------------------------------- From eb26d6c27ca0b7e5f45a6ef6570ea36ca5420d06 Mon Sep 17 00:00:00 2001 From: Abhishek Dharwadkar Date: Fri, 30 Oct 2020 14:48:09 -0700 Subject: [PATCH 4/4] Add PBR Overview --- L24Services/ACL/ACLEnhancements.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/L24Services/ACL/ACLEnhancements.md b/L24Services/ACL/ACLEnhancements.md index e24f6cf90a77..c4020b5f3c44 100644 --- a/L24Services/ACL/ACLEnhancements.md +++ b/L24Services/ACL/ACLEnhancements.md @@ -13,6 +13,7 @@ High level design document version 0.4 - **[1 Feature Overview](#1-feature-overview)** - [1.1 Access control Lists](#11-access-control-lists) - [1.2 Flow Based Services](#12-flow-based-services) + - [1.2.1 Forwarding flow based services](#121-forwarding-flow-based-services) - [1.3 Requirements](#13-requirements) - [1.3.1 Functional Requirements](#131-functional-requirements) - [1.3.2 Configuration and Management Requirements](#132-configuration-and-management-requirements) 
@@ -271,6 +272,9 @@ Example features might be: - This feature provides a common infrastructure service for such features. The common infrastructure service can itself use the SONiC ACL feature for packet match rule definition, or can use it's own UI for more sophisticated classifiers. +### 1.2.1 Forwarding flow based services +Forwarding policies allows the user to define a set of classification that when meet cause a packet to be forwarded to a predetermined next hop or interface bypassing the path determined by normal routing/forwarding. It is possible for the user to define multiple match and egress interface/next-hop specifications on the same policy. Forwarding policies can be applied to Switch or Routed traffic. For routing, traffic can be routed to the same VRF as that of ingress interface or a different VRF. + ## 1.3 Requirements ### 1.3.1 Functional Requirements
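Review bot: in the `match tcp-flags` syntax rows of hunk `@@ -1205,9 +1207,9 @@` (PATCH 1/4), the alternative `{ **ack** \| **not-ack** }` is listed twice and there is no `rst` alternative, so the command as documented cannot match or exclude the RST flag; the second occurrence is almost certainly meant to read `{ **rst** \| **not-rst** }`. The renamed `SONiC(config-class-map)#` lines carry the duplicate forward unchanged, so the fix belongs in this hunk.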
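Review bot: the `class-map` / `policy-map` rename is applied unevenly in hunks `@@ -1287,7 +1289,7 @@` and `@@ -1310,7 +1312,7 @@` (PATCH 1/4): `SONiC(config)# **no classifier** *NAME*` is kept as an unchanged context line while the policy command becomes `**policy-map** *NAME* **type** { **qos** \| **monitoring** \| **forwarding** }` and the show command later becomes `show class-map`. Either rename the classifier create/delete commands to `class-map` / `no class-map` here, or state that `classifier` remains the configuration keyword; as written, a user following 3.6.2.13.1 deletes with `no classifier` an object they inspect with `show class-map`. The Arguments rows should also read "Must begin with an alphanumeric character" rather than "a alpha numeric character".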
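Review bot: in hunks `@@ -1416,7 +1418,7 @@` and `@@ -1424,7 +1426,7 @@` (PATCH 1/4) the Mode column says `Flow`, but the new prompt is `SONiC(config-class-map)#`; every other Flow-mode command in this patch, for example `SONiC(config-policy-map-flow)# **set dscp** *\<0-63\>*`, uses the `config-policy-map-flow` prompt. The flow `description` / `no description` rows should use `SONiC(config-policy-map-flow)#` as well, otherwise they document the command in the wrong mode.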
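Review bot: the policer keywords are renamed inconsistently in hunk `@@ -1436,35 +1438,35 @@` (PATCH 1/4): the add syntax becomes `**police cir** *CIR* \[**bc** *CBS* \] \[**pir** *PIR* \] \[**be** *PBS* \]`, but the delete syntax in `@@ -1475,21 +1477,21 @@` still reads `**no police** \[ **cir** \] \[**cbs** \] \[**pir** \] \[**pbs** \]`, the Arguments rows still name the values CBS and PBS, and the sample configuration in `@@ -2259,13 +2244,13 @@` still uses `police cir 10mbps cbs 20MB pir 50mbps pbs 100MB`. Pick one keyword set (`bc`/`be` or `cbs`/`pbs`) and apply it in all three places. Separately, the CBS argument text "it must be greater than or equal to CIR in bytes" compares a burst size in bytes with a rate in bits per second; the intended unit conversion should be stated explicitly so the validation rule is unambiguous.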
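Review bot: in hunks `@@ -1514,8 +1516,8 @@` and `@@ -1523,8 +1525,8 @@` (PATCH 1/4) the PRIORITY text "Range is 1-65535. Default is 0 ie lowest priority if not configured by the user" gives a default that lies outside the stated range; say explicitly that 0 is the implicit value of an unconfigured next-hop and cannot be entered by the user (or extend the range to 0-65535), and write "i.e." rather than "ie". The two new address lines are also worded differently (`***IP_ADDR***: IPv4 Address of the next-hop. It can be reachable via underlay or over VxLAN tunnel.` versus `***IPV6_ADDR***: IPv6 Address. It can be reachable via underlay or over VxLAN tunnel.`); align them so both name the value as the next-hop address.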
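Review bot: the `show policy-map qos_policy_0` sample output in hunk `@@ -1733,14 +1735,14 @@` (PATCH 1/4) lists `set-pcp 1` twice under flow `fields_class_0`, and likewise `set-pcp 2`, `set-pcp 3` and `set-pcp 4` twice under the other flows; since 3.6.2.24.1.3 documents a single PCP remarking action per flow, one line of each pair looks like a copy/paste leftover (or was meant to be a `set-dscp` line) and the sample should be corrected so it matches what the command can actually produce.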
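Review bot: the `show service-policy` and `clear counters service-policy` syntax in hunk `@@ -1781,7 +1783,7 @@` (PATCH 1/4) has unbalanced grouping in the `policy-map` branch: `**policy-map** *NAME* \[ **interface** { **Ethernet** *ID* \| **PortChannel** *ID* \| **Vlan** *ID* \| **Switch** \] }` opens a `{` after `interface` that is never closed, and the final `}` then closes the outer alternation. It should end `... \| **Switch** } \] }`. Both the removed and the added lines carry the same defect in both commands, so the rename is the right moment to fix it.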
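Review bot: removing the `ip-acl` and `ip-fbqos` TCAM groups, and the matching `--ip-acl SIZE` / `--ip-fbqos SIZE` options, from the `tcamutil` output in hunks `@@ -1896,12 +1898,10 @@`, `@@ -1955,12 +1955,10 @@`, `@@ -2002,9 +2000,8 @@`, `@@ -2015,12 +2012,10 @@` and `@@ -2085,23 +2080,19 @@` (PATCH 1/4) is a user-visible change to a CLI tool, but nothing in the patch explains it. Add a sentence in the relevant change-history row or near the `tcamutil` section stating that the combined IPv4+IPv6 allocation is no longer offered and whether an existing allocation of that kind has to be reconfigured, so the document and the `--help` text stay in step.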
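Review bot: hunk `@@ -2129,12 +2120,6 @@` (PATCH 1/4) deletes section 3.6.4 "REST / gNMI / IS CLI API Support", which was the only place stating that flow based services and L2 ACLs have no REST / gNMI / IS CLI support, and adds nothing in its place. If that support now exists, the section should describe it; if it still does not, the statement should stay, because readers of an HLD need to know which management interfaces cover the feature. In either case the table of contents entry for 3.6.4, if one is present at the top of the document, needs the matching update.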
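Review bot: in the sample configuration hunks `@@ -2247,11 +2232,11 @@` through `@@ -2274,20 +2259,20 @@` (PATCH 1/4) the prompts are renamed to `config-policy-map` / `config-policy-map-flow`, but the commands that enter those modes stay as `SONiC(config)# policy policy0 type qos`, `SONiC(config)# policy policy1 type monitoring` and `SONiC(config)# policy policy2 type forwarding`, although 3.6.2.14 now documents `policy-map *NAME* type ...`. PATCH 3/4 gives the classifier lines the same treatment (`class-map class0 match-type acl`), so the `policy` lines should be renamed to `policy-map` too. Also, the added line `SONiC(config-policy-map-flow)# set mirror-sesion test_session` keeps the misspelling `mirror-sesion` (the command is `set mirror-session`), and the comment `# Create flow using classifier class0 and set results` precedes `class class1 priority 100`, so it should say class1.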
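Review bot: the new 1.2.1 paragraph in hunk `@@ -271,6 +272,9 @@` (PATCH 4/4) needs a grammar pass before merge: "Forwarding policies allows the user to define a set of classification that when meet cause a packet to be forwarded" should read "Forwarding policies allow the user to define a set of classification criteria that, when met, cause a packet to be forwarded". Since the paragraph states that traffic can be forwarded into a VRF other than the ingress interface's, it is worth saying explicitly that a forwarding policy overrides the VRF separation that normal routing would enforce, because that is the consequence an operator evaluates before applying such a policy. An overview reader would also benefit from a one-line pointer to the constraint documented in 3.6.2.24.3 (a flow uses IPv4 next-hops, IPv6 next-hops or egress interfaces but not a mix, with `set interface null` as the lowest-priority drop fallback).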