DNOS ACL CLI reference — families, config hierarchy, interface binding, global ACLs, show commands, and TCAM verification. Use when working with access-lists, ACLs, KBP/TCAM resources, or packet filtering on DNOS.
| Family | Config keyword | KBP/TCAM slot | Key size |
|---|---|---|---|
| IPv4 | ipv4 | KBP-1 (ingress/global), L4-L6 (egress) | 320 / 160 bits |
| IPv6 | ipv6 | KBP-2 (ingress/global), L8-L9 (egress) | 480 / 320 bits |
| Ethernet | eth | KBP-5 | 160 bits |
| Control-plane IPv4 | (CP-ACLv4) | KBP-3 | 320 bits |
| Control-plane IPv6 | (CP-ACLv6) | KBP-4 | 480 bits |
TCAM "Used by" labels: I-ACLv4, I-ACLv6 (ingress), G-ACLv4, G-ACLv6 (global), E-ACLv4, E-ACLv6 (egress), CP-ACLv4, CP-ACLv6 (control-plane), I-ACLeth (ingress ethernet).
configure
access-lists ipv4 <NAME> rule <INDEX> allow|deny [protocol <proto>] [packet-length <range>]
access-lists ipv6 <NAME> rule <INDEX> allow|deny
access-lists eth <NAME> rule <INDEX> allow|deny [ether-type <value>]
commit
end
65000 for a catch-all allow.
default-icmp allow + default deny appended.
Inside configure mode — use direction in:
interfaces <INTF> access-list ipv4|ipv6|eth <NAME> direction in
Examples with sub-interfaces:
interfaces ge400-0/0/4 access-list ipv6 MY_V6_ACL direction in
interfaces ge10-0/0/32.100 access-list eth DROP_CFM direction in
Global ACLs live under forwarding-options — NOT under access-lists:
configure
forwarding-options
global-access-list in ipv4|ipv6 <NAME>
top
commit
end
Remove with:
configure
no forwarding-options global-access-list in ipv4|ipv6 <NAME>
commit
end
configure
no interfaces <INTF> access-list ipv4|ipv6|eth <NAME>
top
no access-lists ipv4|ipv6|eth <NAME>
commit
end
| Command | Purpose |
|---|---|
| show access-lists \| no-more | All ACLs (ipv4 + ipv6 + eth) |
| show access-lists ipv4\|ipv6\|eth [NAME] \| no-more | Filter by family or name |
| show access-lists counters \| no-more | Hit counters per rule |
| show access-lists counters <INTF> \| no-more | Per-interface counters |
| show access-lists global-acl \| no-more | Show global ACL bindings |
| show access-lists management \| no-more | Management interface ACLs |
| show config access-lists \| no-more | Running config for ACLs |
| show config \| include global-access-list \| no-more | Verify global ACL binding in config |
show system npu-resources | no-more
Look at the Access-Lists TCAM utilization section. Key columns:
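I-ACLv6: N, G-ACLv6: M — must NEVER be negative
import paramiko
host = "<DEVICE_IP>"  # placeholder: management address of the DNOS device
ssh = paramiko.SSHClient()
# AutoAddPolicy accepts any unknown host key; outside a lab, load known host keys and reject unknown ones
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(host, username='dnroot', password='dnroot', timeout=15,
            look_for_keys=False, allow_agent=False)
chan = ssh.invoke_shell(width=400, height=1000)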
DNOS CLI requires an interactive shell (invoke_shell), not exec_command.
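The TCAM check above (counters such as I-ACLv6 and G-ACLv6 must never be negative) can be scripted once the show output has been collected. This is an added example, not DNOS or page code: it assumes the counters appear as "LABEL: N" pairs in the shape written above, and the sample text and bank names are constructed.

```python
import re

# "Used by" labels listed on this page.
KNOWN_LABELS = {
    "I-ACLv4", "I-ACLv6", "G-ACLv4", "G-ACLv6",
    "E-ACLv4", "E-ACLv6", "CP-ACLv4", "CP-ACLv6", "I-ACLeth",
}

# Matches "LABEL: N" pairs; the sign is captured so negatives are not lost.
PAIR_RE = re.compile(r"\b((?:I|G|E|CP)-ACL(?:v4|v6|eth))\s*:\s*(-?\d+)")


def parse_used_by(text):
    """Return a list of (line_number, label, count) found in the CLI output."""
    found = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, count in PAIR_RE.findall(line):
            found.append((lineno, label, int(count)))
    return found


def check_used_by(text):
    """Return human-readable findings; an empty list means the check passed."""
    findings = []
    entries = parse_used_by(text)
    if not entries:
        # Fail closed: an empty parse must not be read as a healthy TCAM.
        findings.append("no 'Used by' counters found; wrong command output?")
    for lineno, label, count in entries:
        if label not in KNOWN_LABELS:
            findings.append(f"line {lineno}: unexpected label {label}")
        if count < 0:
            findings.append(f"line {lineno}: {label} is negative ({count})")
    return findings


# Constructed sample text in the "LABEL: N, LABEL: M" shape shown above.
# It is not captured DNOS output; the bank names are made up.
SAMPLE_OK = "bank-a  I-ACLv4: 12, G-ACLv4: 3\nbank-b  I-ACLv6: 40, G-ACLv6: 0\n"
SAMPLE_BAD = "bank-a  I-ACLv4: 12, G-ACLv4: 3\nbank-b  I-ACLv6: 40, G-ACLv6: -2\n"

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_used_by(sample) or "PASS")
```

Run it after every ACL attach or detach so a negative counter is caught at the change that caused it.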