    !!! ACL rules allowing incoming tcp/57411 for the eda-discovery grpc server
    acl {
        acl-filter cpm type ipv4 {
            statistics-per-entry true
            entry 10 {
                description "Accept incoming ICMP unreachable messages"
                match {
                    ipv4 {
                        protocol icmp
                        icmp {
                            type dest-unreachable
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 20 {
                description "Accept incoming ICMP time-exceeded messages"
                match {
                    ipv4 {
                        protocol icmp
                        icmp {
                            type time-exceeded
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 40 {
                description "Accept incoming ICMP echo messages"
                match {
                    ipv4 {
                        protocol icmp
                        icmp {
                            type echo
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 50 {
                description "Accept incoming ICMP echo-reply messages"
                match {
                    ipv4 {
                        protocol icmp
                        icmp {
                            type echo-reply
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 60 {
                description "Accept incoming SSH when the other host initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 22
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 70 {
                description "Accept incoming SSH when this router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 22
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 88 {
                description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 23
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 98 {
                description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 23
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 100 {
                description "Accept incoming TACACS+ when the other host initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 49
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 110 {
                description "Accept incoming TACACS+ when this router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 49
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 120 {
                description "Accept incoming DNS response messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 53
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 130 {
                description "Accept incoming DHCP messages targeted for BOOTP/DHCP client"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 68
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 158 {
                description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 80
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 160 {
                description "Accept incoming HTTP(JSON-RPC) when this router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 80
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 170 {
                description "Accept incoming NTP messages from servers"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 123
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 180 {
                description "Accept incoming SNMP GET/GETNEXT messages from servers"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 161
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 190 {
                description "Accept incoming BGP when the other router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 179
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 200 {
                description "Accept incoming BGP when this router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 179
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 210 {
                description "Accept incoming HTTPS(JSON-RPC) when the other host initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 443
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 220 {
                description "Accept incoming HTTPS(JSON-RPC) when this router initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 443
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 230 {
                description "Accept incoming single-hop BFD session messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 3784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 240 {
                description "Accept incoming multi-hop BFD session messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 4784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 250 {
                description "Accept incoming uBFD session messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 6784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 260 {
                description "Accept incoming gRPC messages when the other host initiates the TCP connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57400
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 270 {
                description "Accept incoming UDP traceroute messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            range {
                                start 33434
                                end 33464
                            }
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 290 {
                description "Accept incoming OSPF messages"
                match {
                    ipv4 {
                        protocol 89
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 300 {
                description "Accept incoming DHCP relay messages targeted for BOOTP/DHCP server"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 67
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 310 {
                description "Accept ICMP fragment packets"
                match {
                    ipv4 {
                        fragment true
                        protocol icmp
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 320 {
                description "Accept incoming LDP packets"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 646
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 330 {
                description "Accept incoming LDP packets with source-port 646"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 646
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 340 {
                description "Accept incoming LDP packets with destination-port 646"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 646
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 355 {
                description "Containerlab-added rule: Accept incoming gRPC over port 50052 for the eda-discovery gRPC server"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 50052
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 356 {
                description "Containerlab-added rule: Accept incoming gRPC over port 57410 for the eda-mgmt gRPC server"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57410
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 357 {
                description "Containerlab-added rule: Accept incoming gRPC over port 57411 for the eda-mgmt gRPC server"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57411
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 358 {
                description "Containerlab-added rule: Accept incoming gRPC over port 57401 for the insecure-mgmt gRPC server"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57401
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 370 {
                description "Accept incoming IGMP packets"
                match {
                    ipv4 {
                        protocol igmp
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 380 {
                description "Accept incoming PIM packets"
                match {
                    ipv4 {
                        protocol pim
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 390 {
                description "Accept incoming RADIUS AAA packets"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        source-port {
                            range {
                                start 1812
                                end 1813
                            }
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 400 {
                description "Accept incoming SSH connections on the default NETCONF port 830"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 830
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 410 {
                description "Accept incoming PTP messages with destination-ports 319 and 320"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            range {
                                start 319
                                end 320
                            }
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 420 {
                description "Accept incoming PCEP packets with destination-port 4189"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 4189
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 430 {
                description "Accept incoming SBFD session messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 7784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 440 {
                description "Accept incoming SBFD session messages"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 7784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 450 {
                description "Accept incoming LSP MPLS Echo requests and replies"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 3503
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 460 {
                description "Accept incoming LSP MPLS Echo requests and replies"
                match {
                    ipv4 {
                        protocol udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 3503
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 470 {
                description "Accept incoming TWAMP Control connection"
                match {
                    ipv4 {
                        protocol tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 862
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 550 {
                description "Accept incoming VRRP Control packets"
                match {
                    ipv4 {
                        protocol vrrp
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 1000 {
                description "Drop all else"
                action {
                    log true
                    drop {
                    }
                }
            }
        }
        acl-filter cpm type ipv6 {
            statistics-per-entry true
            entry 10 {
                description "Accept incoming ICMPv6 unreachable messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type dest-unreachable
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 20 {
                description "Accept incoming ICMPv6 packet-too-big messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type packet-too-big
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 30 {
                description "Accept incoming ICMPv6 time-exceeded messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type time-exceeded
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 50 {
                description "Accept incoming ICMPv6 echo-request messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type echo-request
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 60 {
                description "Accept incoming ICMPv6 echo-reply messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type echo-reply
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 70 {
                description "Accept incoming ICMPv6 router-advertisement messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type router-advertise
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 80 {
                description "Accept incoming ICMPv6 neighbor-solicitation messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type neighbor-solicit
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 90 {
                description "Accept incoming ICMPv6 neighbor-advertisement messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type neighbor-advertise
                        }
                    }
                }
                action {
                    accept {
                        rate-limit {
                            system-cpu-policer icmp
                        }
                    }
                }
            }
            entry 100 {
                description "Accept incoming SSH when the other host initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 22
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 110 {
                description "Accept incoming SSH when this router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 22
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 128 {
                description "Containerlab-added rule: Accept incoming Telnet when the other host initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 23
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 138 {
                description "Containerlab-added rule: Accept incoming Telnet when this router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 23
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 140 {
                description "Accept incoming TACACS+ when the other host initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 49
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 150 {
                description "Accept incoming TACACS+ when this router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 49
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 160 {
                description "Accept incoming DNS response messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 53
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 188 {
                description "Containerlab-added rule: Accept incoming HTTP(JSON-RPC) when the other host initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 80
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 190 {
                description "Accept incoming HTTP(JSON-RPC) when this router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 80
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 200 {
                description "Accept incoming NTP messages from servers"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 123
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 210 {
                description "Accept incoming SNMP GET/GETNEXT messages from servers"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 161
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 220 {
                description "Accept incoming BGP when the other router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 179
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 230 {
                description "Accept incoming BGP when this router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 179
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 240 {
                description "Accept incoming HTTPS(JSON-RPC) when the other host initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 443
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 250 {
                description "Accept incoming HTTPS(JSON-RPC) when this router initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 443
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 260 {
                description "Accept incoming DHCPv6 client messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 546
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 270 {
                description "Accept incoming single-hop BFD session messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 3784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 280 {
                description "Accept incoming multi-hop BFD session messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 4784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 290 {
                description "Accept incoming uBFD session messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 6784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 300 {
                description "Accept incoming gRPC messages when the other host initiates the TCP connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57400
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 310 {
                description "Accept incoming UDP traceroute messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            range {
                                start 33434
                                end 33464
                            }
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 320 {
                description "Accept incoming IPV6 hop-in-hop messages"
                match {
                    ipv6 {
                        next-header 0
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 340 {
                description "Accept incoming OSPF messages"
                match {
                    ipv6 {
                        next-header 89
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 350 {
                description "Accept incoming DHCPv6 relay messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 547
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 365 {
                description "Containerlab-added rule: Accept incoming gRPC over port 50052 for the eda-discovery gRPC server"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 50052
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 366 {
                description "Containerlab-added rule: Accept incoming gRPC over port 57410 for the eda-mgmt gRPC server"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57410
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 367 {
                description "Containerlab-added rule: Accept incoming gRPC over port 57411 for the eda-mgmt gRPC server"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57411
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 368 {
                description "Containerlab-added rule: Accept incoming gRPC over port 57401 for the insecure-mgmt gRPC server"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 57401
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 380 {
                description "Accept incoming MLDv1 report messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type mld-report
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 390 {
                description "Accept incoming MLDv2 report messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type mld-v2
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 400 {
                description "Accept incoming MLDv1 done messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type mld-done
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 410 {
                description "Accept incoming MLD query messages"
                match {
                    ipv6 {
                        next-header icmp6
                        icmp6 {
                            type mld-query
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 420 {
                description "Accept incoming PIM messages"
                match {
                    ipv6 {
                        next-header pim
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 430 {
                description "Accept incoming RADIUS AAA messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        source-port {
                            range {
                                start 1812
                                end 1813
                            }
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 440 {
                description "Accept incoming SSH connections on the default NETCONF port 830"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 830
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 450 {
                description "Accept incoming PTP messages with destination-ports 319 and 320"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            range {
                                start 319
                                end 320
                            }
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 460 {
                description "Accept incoming PCEP packets with destination-port 4189"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 4189
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 470 {
                description "Accept incoming SBFD session messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 7784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 480 {
                description "Accept incoming SBFD session messages"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 7784
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 490 {
                description "Accept incoming LDP packets"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 646
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 500 {
                description "Accept incoming LDP packets with source-port 646"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 646
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 510 {
                description "Accept incoming LDP packets with destination-port 646"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 646
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 520 {
                description "Accept incoming TWAMP Control connection"
                match {
                    ipv6 {
                        next-header tcp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 862
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 530 {
                description "Accept incoming LSP MPLS Echo requests and replies"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        destination-port {
                            operator eq
                            value 3503
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 540 {
                description "Accept incoming LSP MPLS Echo requests and replies"
                match {
                    ipv6 {
                        next-header udp
                    }
                    transport {
                        source-port {
                            operator eq
                            value 3503
                        }
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 550 {
                description "Accept incoming VRRP Control packets"
                match {
                    ipv6 {
                        next-header vrrp
                    }
                }
                action {
                    accept {
                    }
                }
            }
            entry 1000 {
                description "Drop all else"
                action {
                    log true
                    drop {
                    }
                }
            }
        }
        policers {
            system-cpu-policer icmp {
                entry-specific false
                peak-packet-rate 1000
                max-packet-burst 1000
            }
        }
    }
    interface ethernet-1/1 {
        admin-state enable
        subinterface 0 {
            ipv4 {
                admin-state enable
                address 10.0.1.9/31 {
                }
            }
        }
    }
    interface ethernet-1/2 {
        admin-state enable
        subinterface 0 {
            ipv4 {
                admin-state enable
                address 10.0.2.9/31 {
                }
            }
        }
    }
    interface ethernet-1/3 {
        admin-state enable
        subinterface 0 {
            ipv4 {
                admin-state enable
                address 10.0.3.9/31 {
                }
            }
        }
    }
    interface ethernet-1/4 {
        admin-state enable
    }
    interface mgmt0 {
        admin-state enable
        subinterface 0 {
            admin-state enable
            ipv4 {
                admin-state enable
                dhcp-client {
                }
            }
            ipv6 {
                admin-state enable
                dhcp-client {
                }
            }
        }
    }
    interface system0 {
        admin-state enable
        subinterface 0 {
            ipv4 {
                admin-state enable
                address 10.255.1.5/32 {
                }
            }
        }
    }
    system {
        management {
            openconfig {
                admin-state enable
            }
        }
        control-plane-traffic {
            input {
                acl {
                    acl-filter cpm type ipv4 {
                    }
                    acl-filter cpm type ipv6 {
                    }
                }
            }
        }
        aaa {
            authentication {
                idle-timeout 7200
                authentication-method [
                    local
                ]
                admin-user {
                    ssh-key [
                        "<REDACTED-SSH-KEY>"
                    ]
                }
                linuxadmin-user {
                    password $y$j9T$XvJnmFLaz/uudk.SUG0.J0$K4un1F9/0nyiPJmBAPKhWooaRb7bKSkeItXyVnnlTSC
                    ssh-key [
                        "<REDACTED-SSH-KEY>"
                    ]
                }
            }
            server-group local {
                type local
            }
        }
        ssh-server mgmt {
            admin-state enable
            network-instance mgmt
            use-credentialz true
        }
        ssh-server mgmt-netconf {
            admin-state enable
            network-instance mgmt
            port 830
            disable-shell true
        }
        lldp {
            admin-state enable
        }
        tls {
            server-profile clab-profile {
                key $aes1$ATC9nGpTSCuNUm8=$k6eYboQ9TKuILFp76WugkoOPNs/AWwyXQxLOnPCYiiDUtht2vQU/KXvbUMNoNFuS+IAkAhtiz7IGnMbEXFDmmRKjLmN+XoRnuOz9B/oazBL5MVx3lcHXiitAF4tj6+ElrhjsGTIFEFEZux5qlnEslwF4/mc8w5GppPCjvjd2AQnJ2uzFZsoyFq8p8fvSwS6UNNeV8gr9Xr/5NDq6ZqjjsOxt7ocDKC9UeW/V48FIicobAl0ILjqdVqIoClE4a+5xrUBYdevNf1PbIMpCpXLOOXHrllQiUEckhz5HSOgMZ0Q1QuOWVbJ+SpGFaGM1POhzCBcmDzMSsmcGB7w3EOSUWfxOgWjw0H4BRz9GaZO/TXqJ/xo2wy/dsn8cb7cH7oGF7UIzWHBejdjw0q8kbhBV+r6auqF9TkPOYWccsbeLwy7xa7/rblfSgmvdG/w30rOt6vYchD+KkMbXzMsh5trU5ySDzMxHEs8Arx7E+FdSwfo9b7Bx1yP8IjdSbdqTGhJfLs9rdq2z+2FvC3QyMInbswakygNLGKip19KcKbXF7rWGqAOm5Mw4uhQkSOW0Xz5Pqu3JEagXRbtpj1033evsrL63W0VrzV8otjZyitz8jXvaf1aU3tP03Sb7Qv1k8e4Gk0gzhbgxIGVEMSHl3PpwLWOihEu/Dm/8oyasb4a1s7vFibT9Ze37uXsecPnMWrH0CFt5cBuNX2KoKfEWHim9Fdft5WbDnucvU3qVBPByP1BEPIlozhgS3ACHO1qsljikl9vmMmmiWbPHHqNkoslAtRmz8qDijzSwq3i1nvrSZ0rBNYcoIb8cMifqKSkcy72sI+iqAU8GZf4bzpQCetx+4w261tz+0lXa80+wK/fPm/uWmvxfgk9l0DeTjgmvuGK0bfO1IpaGE3mT59o7LjqC61BBaHuIwlnNyYtGL40AKZ+YqcgdZ5rQAIQ7U4GceF+fpZBmZBf7c0MOIf1gxV+t5pDCJg+ZVjeO84w5R/gt9/PokzZXIoWDf5ENoYGDVeHYCxNAhfHdeSWsYjOM5OTNBJgcjYhE4ZliQyF6h7Uk+HytTVIu65GK3qxTDJYbpie//MVKH/7yVqKxrHe+vMmIKaXhcFK+B/mFqbUWEUZRZ3LwQbnsFiKPW2OwxoIxjlp0JNdpwLknaQueA1OwtN/PZXNyVjH5ObXfgoKrpxVmnJebgveTzxLn/bFy6Zmp5l1JMjIeRfrjGscNrsO23PGONxWlKPD5z/wm6bj71ASvWhDieIRru805WrMXvVe0en9nBPCW2pSVtQOZ0Uznz3VU2BnXLJ9JSRhg+tvPTj7kITF8tCzQJPK/6KYoQb5TGyKj76/vmhO4YaCcLbfxItHuGRmQDQ4Ch7Qby3bbSTauRhRdNzZEh2FgiV2yTPAxNfp58q+NoNGxgp4yQbTN5J16/SyHeQqNo27vTbbQIatdCWTnrVGaXUeGzmNnhaarbba/pdExwgquIL8GGiswJmUNRcoaEI202NQlYjc0xVi4Fg1aS3EEV7UF3E/RTc6yLYgsmugjHC3uy0Fmq79xp59dk8w4ZY1lU/avHPvARc2XezQt/eslRFVgIo9aq6rTCARTs9DqwKyrgZq9PcZUYL13SiVcIOlODiSqbP2Y+p62QrOUCU819fVVLxF7hy2AFpwI9abV/4hGdoZG+mpDghKvv4350/e5Sooc9+QhjN4PFTftjUNNIINFesBnlXdMMIgHyb7k9SM52UWbsVbdPOgLSvMetaioFQEFptr+Jm8lpS1vATft4wROBaNo4kzu7b3/nsCrSbRUVIbm1Uxvr8OQbkRt1W+WCfh9cy2is0tGqXGdalmPSii8G7KdIeWkWvWopwCPRwKnaI3Cc0zVMLHKFYUE1LfKScNxMHb76Ua14lfz7bACq96AqaVfgtebPU2EiBQ18gCC48IQwutqgOk8G6jSh/G+3flTUz1j3lcIdYtmp87atkzINFsek9OILSyAH/l76s8p+Y6CFLXyLlODD1IlFkrVPZWLW0ov19sIXYk/ygMEdqUMIURKHRKfNDlAAWVtZ9QdEwr0q5CmAGGwq1ByRHtK/xuikry6O/kHwjRsE97vTe21SUhawjdaezeezpAxj8+0JZf/ajR09wcEIE2MmwfncYCEciqc5tJvksdatobZUGFRtuhGJ6urAt5iMVVk8p1ctlMhJoMNPUaiIrg7sbYkFu3QbvgO8KmGDejF4m5gvRTF1/hId1PFL7td
                certificate "-----BEGIN CERTIFICATE-----
<REDACTED-CERTIFICATE>
-----END CERTIFICATE-----
"
                authenticate-client false
            }
        }
        grpc-server eda-discovery {
            admin-state enable
            rate-limit 65535
            session-limit 1024
            metadata-authentication true
            default-tls-profile true
            network-instance mgmt
            port 50052
            services [
                gnmi
                gnsi
            ]
        }
        grpc-server eda-insecure-mgmt {
            admin-state enable
            rate-limit 65535
            session-limit 1024
            metadata-authentication true
            port 57411
            services [
                gnmi
                gnoi
                gnsi
            ]
        }
        grpc-server eda-mgmt {
            ### Unable to retrieve TLS profile 'EDA'
            admin-state enable
            rate-limit 65535
            session-limit 1024
            metadata-authentication true
            tls-profile EDA
            network-instance mgmt
            port 57410
            services [
                gnmi
                gnoi
                gnsi
            ]
        }
        grpc-server insecure-mgmt {
            admin-state enable
            rate-limit 65000
            network-instance mgmt
            port 57401
            trace-options [
                request
                response
                common
            ]
            services [
                gnmi
                gnoi
                gnsi
                gribi
                p4rt
            ]
            unix-socket {
                admin-state enable
            }
        }
        grpc-server mgmt {
            admin-state enable
            rate-limit 65000
            tls-profile clab-profile
            network-instance mgmt
            trace-options [
                request
                response
                common
            ]
            services [
                gnmi
                gnoi
                gnsi
                gribi
                p4rt
            ]
            unix-socket {
                admin-state enable
            }
        }
        json-rpc-server {
            admin-state enable
            network-instance mgmt {
                http {
                    admin-state enable
                }
                https {
                    admin-state enable
                    tls-profile clab-profile
                }
            }
        }
        dns {
            network-instance mgmt
            server-list [
                192.168.65.7
            ]
        }
        snmp {
            access-group SNMPv2-RO-Community {
                security-level no-auth-no-priv
                community-entry RO-Community {
                    community $aes1$AWBpAhWLuP1acG8=$A6lGNrYiHPX93kJSaDly/g==
                }
            }
            network-instance mgmt {
                admin-state enable
            }
        }
        banner {
            login-banner "................................................................
:                  Welcome to Nokia SR Linux!                  :
:              Open Network OS for the NetOps era.             :
:                                                              :
:    This is a freely distributed official container image.    :
:                      Use it - Share it                       :
:                                                              :
: Get started: https://learn.srlinux.dev                       :
: Container:   https://go.srlinux.dev/container-image          :
: Docs:        https://doc.srlinux.dev/24-10                   :
: Rel. notes:  https://doc.srlinux.dev/rn24-10-3               :
: YANG:        https://yang.srlinux.dev/v24.10.3               :
: Discord:     https://go.srlinux.dev/discord                  :
: Contact:     https://go.srlinux.dev/contact-sales            :
................................................................
"
        }
        logging {
            buffer messages {
                rotate 3
                size 10000000
                facility local6 {
                    priority {
                        match-above informational
                    }
                }
            }
            buffer system {
                facility auth {
                    priority {
                        match-above warning
                    }
                }
                facility cron {
                    priority {
                        match-above warning
                    }
                }
                facility daemon {
                    priority {
                        match-above warning
                    }
                }
                facility ftp {
                    priority {
                        match-above warning
                    }
                }
                facility kern {
                    priority {
                        match-above warning
                    }
                }
                facility lpr {
                    priority {
                        match-above warning
                    }
                }
                facility mail {
                    priority {
                        match-above warning
                    }
                }
                facility news {
                    priority {
                        match-above warning
                    }
                }
                facility syslog {
                    priority {
                        match-above warning
                    }
                }
                facility user {
                    priority {
                        match-above warning
                    }
                }
                facility uucp {
                    priority {
                        match-above warning
                    }
                }
                facility local0 {
                    priority {
                        match-above warning
                    }
                }
                facility local1 {
                    priority {
                        match-above warning
                    }
                }
                facility local2 {
                    priority {
                        match-above warning
                    }
                }
                facility local3 {
                    priority {
                        match-above warning
                    }
                }
                facility local4 {
                    priority {
                        match-above warning
                    }
                }
                facility local5 {
                    priority {
                        match-above warning
                    }
                }
                facility local7 {
                    priority {
                        match-above warning
                    }
                }
            }
            file messages {
                rotate 3
                size 10000000
                facility local6 {
                    priority {
                        match-above warning
                    }
                }
            }
        }
        netconf-server mgmt {
            admin-state enable
            ssh-server mgmt-netconf
        }
    }
    network-instance default {
        type default
        admin-state enable
        interface ethernet-1/1.0 {
        }
        interface ethernet-1/2.0 {
        }
        interface ethernet-1/3.0 {
        }
        interface system0.0 {
        }
        protocols {
            bgp {
                autonomous-system 65005
                router-id 10.255.1.5
                afi-safi evpn {
                    admin-state enable
                }
                afi-safi ipv4-unicast {
                    admin-state enable
                }
                group overlay {
                    peer-as 65199
                    afi-safi evpn {
                        admin-state enable
                    }
                    afi-safi ipv4-unicast {
                        admin-state disable
                    }
                    local-as {
                        as-number 65199
                    }
                    transport {
                        local-address 10.255.1.5
                    }
                }
                group underlay-spines {
                    export-policy [
                        accept-all
                    ]
                    import-policy [
                        accept-all
                    ]
                }
                neighbor 10.0.1.8 {
                    peer-as 65100
                    peer-group underlay-spines
                }
                neighbor 10.0.2.8 {
                    peer-as 65100
                    peer-group underlay-spines
                }
                neighbor 10.0.3.8 {
                    peer-as 65100
                    peer-group underlay-spines
                }
                neighbor 10.255.0.1 {
                    description spine1-RR
                    peer-group overlay
                }
                neighbor 10.255.0.2 {
                    description spine2-RR
                    peer-group overlay
                }
            }
        }
    }
    network-instance mgmt {
        type ip-vrf
        admin-state enable
        description "Management network instance"
        interface mgmt0.0 {
        }
        protocols {
            linux {
                import-routes true
                export-routes true
                export-neighbors true
            }
        }
    }
    routing-policy {
        policy accept-all {
            default-action {
                policy-result accept
            }
        }
    }
