ACL and CoPP

The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.


nv set system acl mode

Configures the access control list (ACL) mode: atomic or non-atomic. The default setting is atomic mode.

Atomic mode limits the number of ACL rules that you can configure. To increase the number of configurable ACL rules, configure the switch to operate in nonatomic mode, which offers better scaling because all TCAM resources actively impact traffic. With atomic updates, half of the hardware resources are on standby and do not actively impact traffic.

Incremental nonatomic updates are table based, so they do not interrupt network traffic when you install new rules.

Version History

Introduced in Cumulus Linux 5.3.0

Example

cumulus@switch:~$ nv set system acl mode non-atomic

nv set acl <acl-id> rule <rule-id> action deny

Configures a deny action to deny packets.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action deny

nv set acl <acl-id> rule <rule-id> action dest-nat translate-ip

Configures a static NAT rule to match a destination IP address and translate the IP address to a public IP address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action dest-nat translate-ip 10.0.0.1

nv set acl <acl-id> rule <rule-id> action dest-nat translate-port

Configures a static PAT rule to match a destination IP address together with the layer 4 port and translate the IP address and port to a public IP address and port.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action dest-nat translate-port 5000

nv set acl <acl-id> rule <rule-id> action erspan dest-ip

Configures the ERSPAN destination IP address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action erspan dest-ip 10.10.10.3

nv set acl <acl-id> rule <rule-id> action erspan source-ip

Configures the ERSPAN source IP address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action erspan source-ip 10.10.10.10

nv set acl <acl-id> rule <rule-id> action erspan ttl

Configures the ERSPAN Time to Live (TTL). You can specify a value between 1 and 255.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action erspan ttl 200

nv set acl <acl-id> rule <rule-id> action log level

Configures the log level for the specified ACL rule. You can set a value between 0 and 7.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action log level 5

nv set acl <acl-id> rule <rule-id> action log log-prefix <prefix>

Configures logging for packets with a specific prefix.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<prefix> The prefix with which you want to log matching packets.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action log log-prefix 10.10.10.1/32

nv set acl <acl-id> rule <rule-id> action log rate

Configures the number of logs per minute you want to generate for the specified ACL rule. You can set a value between 1 and 50000.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action log rate 30000

nv set acl <acl-id> rule <rule-id> action permit

Configures a permit action to permit packets.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action permit

nv set acl <acl-id> rule <rule-id> action police burst

Configures quality of service for traffic on the data plane. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police burst rate, which is the number of packets or kilobytes (KB) allowed to arrive sequentially. You can specify a value between 1 and 2147483647.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action police burst 1000

nv set acl <acl-id> rule <rule-id> action police class

Configures quality of service for traffic on the data plane. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police action class. You can specify an integer between 0 and 7.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action police class 5

nv set acl <acl-id> rule <rule-id> action police mode

Configures quality of service for traffic on the data plane. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the traffic mode. You can specify packet, kbps, mbps or gbps.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action police mode mbps

nv set acl <acl-id> rule <rule-id> action police rate

Configures quality of service for traffic on the data plane. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the policing rate. You can specify a value between 1 and 2147483647.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action police rate 2000

nv set acl <acl-id> rule <rule-id> action recent

Configures the ACL rule to be the most recent.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action recent

nv set acl <acl-id> rule <rule-id> action set class

Modifies the class value for packet classification.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action set class 3

nv set acl <acl-id> rule <rule-id> action set cos

Configures the 802.1p CoS value to modify in the packet.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action set cos 6

nv set acl <acl-id> rule <rule-id> action set dscp

Configures the DSCP value to modify in the packet.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action set dscp af12

nv set acl <acl-id> rule <rule-id> action source-nat translate-ip

Configures a NAT action rule to translate a source IP address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set acl acl_3 rule 1 action source-nat translate-ip 172.30.58.80

nv set acl <acl-id> rule <rule-id> action source-nat translate-ip <range-id> to <ipv4>

Configures a dynamic NAT action rule to translate a source IP address range to a public address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set acl acl_1 rule 1 action source-nat translate-ip 172.30.58.0 to 172.30.58.80

nv set acl <acl-id> rule <rule-id> action source-nat translate-port

Configures a NAT action rule to translate a source IP port.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.7.0

Example

cumulus@switch:~$ nv set acl acl_2 rule 1 action source-nat translate-port 1024-1200

nv set acl <acl-id> rule <rule-id> action span <interface-name>

Configures the SPAN session for the specified interface.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<interface-name> The interface name.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 action span swp1

nv set acl <acl-id> rule <rule-id> match ip connection-state

Configures the connection state (control-plane only) you want to match. You can set the value to established, related, new, or invalid.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip connection-state related

nv set acl <acl-id> rule <rule-id> match ip dest-ip <ip-address-id>

Configures the destination IP address you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<ip-address-id> The destination IP address.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dest-ip 10.0.15.8/32

nv set acl <acl-id> rule <rule-id> match ip dscp

Configures the DSCP value you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip dscp af13

nv set acl <acl-id> rule <rule-id> match ip ecn ip-ect

Configures the ACL to match on the ECT bit. The ECT codepoints negotiate if the connection is ECN capable by setting one of the two bits to 1. Routers also use the ECT bit to indicate that they are experiencing congestion by setting both the ECT codepoints to 1.

By default, ECN rules match a packet with the bit set. You can reverse the match by using an exclamation point (!).

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.3.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip ecn ip-ect

nv set acl <acl-id> rule <rule-id> match ip ecn tcp-cwr

Configures the ACL to match on the CWR bit (Window Reduced). The CWR bit notifies the other endpoint of the connection that it received and reacted to an ECE.

By default, ECN rules match a packet with the bit set. You can reverse the match by using an exclamation point (!).

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.3.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip ecn tcp-cwr

nv set acl <acl-id> rule <rule-id> match ip ecn flags tcp-ece

Configures the ACL to match on the ECE bit. After an endpoint receives a packet with the CE bit set by a router, it sets the ECE bit in the returning ACK packet to notify the other endpoint that it needs to slow down.

By default, ECN rules match a packet with the bit set. You can reverse the match by using an exclamation point (!).

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.3.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip ecn flags tcp-ece

nv set acl <acl-id> rule <rule-id> match ip fragment

Configures IP fragment packet match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip fragment 

nv set acl <acl-id> rule <rule-id> match ip hashlimit burst

Configures the hashlimit burst rate you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit burst 10

nv set acl <acl-id> rule <rule-id> match ip hashlimit destination-mask

Configures the hashlimit destination mask you want to match; the destination mask used to mask the source IP address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit destination-mask 32

nv set acl <acl-id> rule <rule-id> match ip hashlimit expire

Configures the hashlimit expire time (in milliseconds) you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit expire 1000

nv set acl <acl-id> rule <rule-id> match ip hashlimit mode

Configures the hashlimit mode you want to match. You can specify src-ip or dst-ip.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit mode dst-ip

nv set acl <acl-id> rule <rule-id> match ip hashlimit name

Configures the hashlimit name you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit name NAME

nv set acl <acl-id> rule <rule-id> match ip hashlimit rate-above

Configures how much above the hashlimit rate you want to match. You can specify an <integer>/second, <integer>/min, or <integer>/hour. The maximum rate is 1000000 per second.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit rate-above 1000/min

nv set acl <acl-id> rule <rule-id> match ip hashlimit source-mask

Configures the hashlimit source mask you want to match; the source mask used to mask the source IP address.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip hashlimit source-mask 32

nv set acl <acl-id> rule <rule-id> match ip icmp-type

Configures the IP ICMP type you want to match. You can specify: dest-unreachable, echo-reply, echo-request, port-unreachable, time-exceeded, or an integer between 0 and 255.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip icmp-type dest-unreachable

nv set acl <acl-id> rule <rule-id> match ip icmpv6-type

Configures the IP ICMPv6 type you want to match. You can specify: router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, or an integer between 0 and 255.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip icmpv6-type router-advertisement

nv set acl <acl-id> rule <rule-id> match ip protocol

Configures the IP protocol you want to match. You can specify tcp, udp, ospf, pim, icmp, icmpv6, or igmp.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp

nv set acl <acl-id> rule <rule-id> match ip recent-list action

Configures the recent list action you want to match. You can specify set or update.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip recent-list action update

nv set acl <acl-id> rule <rule-id> match ip recent-list hit-count

Configures the recent list hit count you want to match. You can specify a value between 1 and 4294967295.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip recent-list hit-count 2000

nv set acl <acl-id> rule <rule-id> match ip recent-list name

Configures the recent list name you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip recent-list name list1

nv set acl <acl-id> rule <rule-id> match ip recent-list update-interval

Configures the recent list update interval you want to match. You can specify a value between 1 and 4294967295.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip recent-list update-interval 1000

nv set acl <acl-id> rule <rule-id> match ip source-ip <ip-address>

Configures the source IP address you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<ip-address> The source IP address.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-ip 10.0.14.2/32

nv set acl <acl-id> rule <rule-id> match ip source-port

Configures the IP source port match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip source-port 22

nv set acl <acl-id> rule <rule-id> match ip tcp

Configures the IP TCP properties you want to match.


nv set acl <acl-id> rule <rule-id> match ip tcp all-mss-except

Configures the switch to match all TCP maximum segment size (MSS) values except for the specified value.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp all-mss-except 536

nv set acl <acl-id> rule <rule-id> match ip tcp dest-port

Configures the switch to match the TCP destination port. You can specify ANY, bootpc, bootps, clag, dhcp-client, dhcp-server, domain, ftp, http, https, imap2, ldap, ldaps, ntp, msdp, pop3, smtp, snmp, snmp-trap, ssh, telnet, tftp, bgp, bfd, bfd-echo, bfd-multihop, or a value between 0 and 65535.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port ANY

nv set acl <acl-id> rule <rule-id> match ip tcp flags

Configures the IP TCP flag you want to match in the packet. You can specify: ack, all, fin, none, psh, rst, syn, or urg.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp flags syn

nv set acl <acl-id> rule <rule-id> match ip tcp mask

Configures the IP TCP mask you want to match in the packet. You can specify: ack, all, fin, none, psh, rst, syn, or urg.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp mask ack

nv set acl <acl-id> rule <rule-id> match ip tcp mss

Configures the specified TCP maximum segment size (MSS) value you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp mss 536

nv set acl <acl-id> rule <rule-id> match ip tcp source-port

Configures the switch to match the TCP source port. You can specify ANY, bootpc, bootps, clag, dhcp-client, dhcp-server, domain, ftp, http, https, imap2, ldap, ldaps, ntp, msdp, pop3, smtp, snmp, snmp-trap, ssh, telnet, tftp, bgp, bfd, bfd-echo, bfd-multihop, or a value between 0 and 65535.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp source-port ANY

nv set acl <acl-id> rule <rule-id> match ip tcp state established

Configures the TCP established state you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match ip tcp state established

nv set acl <acl-id> rule <rule-id> match mac dest-mac <mac-address>

Configures the destination MAC address you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<mac-address> The destination MAC address.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match mac dest-mac any

nv set acl <acl-id> rule <rule-id> match mac dest-mac-mask <mac>

Configures the destination MAC address mask you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<mac> The destination MAC address mask.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match mac dest-mac-mask 00:00:00:00:00:12

nv set acl <acl-id> rule <rule-id> match mac protocol

Configures the MAC protocol you want to match. You can specify ANY, arp, ipv4, ipv6, or a value between 0 and 255.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match mac protocol ipv4

nv set acl <acl-id> rule <rule-id> match mac source-mac <source-mac>

Configures the source MAC address you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<source-mac> The source MAC address.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match mac source-mac any

nv set acl <acl-id> rule <rule-id> match mac source-mac-mask <source-mac-mask>

Configures the source MAC address mask you want to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<source-mac-mask> The source MAC address mask.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match mac source-mac-mask 00:00:00:00:00:12

nv set acl <acl-id> rule <rule-id> match mac vlan <vlan-id>

Configures the VLAN ID to match.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.
<vlan-id> The VLAN name.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 match mac vlan 10

nv set acl <acl-id> rule <rule-id> remark

Configures an ACL rule remark (description) about deny or permit conditions in the rule. You must enclose multiple words in double quotes (").

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.4.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 rule 10 remark "The following line permits TCP packets"

nv set acl <acl-id> type

Configures the ACL rule type. You can specify ipv4, ipv6 or mac.

You must run this command when configuring other ACL settings.

Command Syntax

Syntax Description
<acl-id> The ACL name.
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set acl EXAMPLE1 type ipv4

nv set interface <interface-id> acl <acl-id> inbound

Configures the ACL rule to apply in the inbound direction.

Command Syntax

Syntax Description
<interface-id> The interface you want to configure.
<acl-id> The ACL name.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set interface swp1 acl EXAMPLE1 inbound

nv set interface <interface-id> acl <acl-id> inbound control-plane

Configures the ACL rule to apply to a control plane interface in the inbound direction.

Command Syntax

Syntax Description
<interface-id> The interface you want to configure.
<acl-id> The ACL name.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set interface swp1 acl EXAMPLE1 inbound control-plane

nv set interface <interface-id> acl <acl-id> outbound

Configures the ACL rule to apply in the outbound direction.

Command Syntax

Syntax Description
<interface-id> The interface you want to configure.
<acl-id> The ACL name.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set interface swp1 acl EXAMPLE1 outbound 

nv set interface <interface-id> acl <acl-id> outbound control-plane

Configures the ACL rule to apply to a control plane interface in the outbound direction.

Command Syntax

Syntax Description
<interface-id> The interface you want to configure.
<acl-id> The ACL name.

Version History

Introduced in Cumulus Linux 5.0.0

Example

cumulus@switch:~$ nv set interface swp1 acl EXAMPLE1 outbound control-plane

nv set system control-plane acl <acl-id>

Configures a control plane ACL to apply a single rule for all packets forwarded to the CPU regardless of the source interface or destination interface on the switch. Control plane ACLs allow you to regulate traffic forwarded to applications on the switch with more granularity than traps and to configure ACLs to block SSH from specific addresses or subnets.


nv set system control-plane acl <acl-id> inbound

Configures an inbound ACL.

Command Syntax

Syntax Description
<acl-id> The ACL name.

Version History

Introduced in Cumulus Linux 5.5.0

Example

cumulus@switch:~$ nv set system control-plane acl ACL1 inbound

nv set system control-plane acl <acl-id> outbound

Configures an outbound control plane ACL.

Command Syntax

Syntax Description
<acl-id> The ACL name.

Version History

Introduced in Cumulus Linux 5.5.0

Example

cumulus@switch:~$ nv set system control-plane acl ACL1 outbound
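
A worked instance of the control plane ACL use case described above (blocking SSH from specific subnets), added here as an example and not taken from the Cumulus Linux documentation. The script only prints nv set commands from this reference for review; the ACL name ACL1, the rule numbering in steps of 10, the remark text, the name check and the two prefixes are constructed sample values and assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Cumulus Linux documentation): print, for review,
# the NVUE commands for a control plane ACL that denies SSH from given subnets.
# Nothing is applied to a switch; the script only writes commands to stdout.

# is_ipv4_cidr PREFIX: succeed only for a.b.c.d/len with octets 0-255, len 0-32.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}
    len=${1#*/}
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#len}" -le 2 ] && [ "$len" -le 32 ] || return 1
    rest="$addr."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# render_cp_ssh_block ACL_NAME PREFIX...: print one nv command per line.
render_cp_ssh_block() {
    acl=$1
    [ "$#" -ge 2 ] || { echo "usage: render_cp_ssh_block ACL PREFIX..." >&2; return 2; }
    shift
    # Conservative name check chosen for this example, not an NVUE rule.
    case "$acl" in
        ''|*[!A-Za-z0-9_-]*) echo "invalid ACL name: $acl" >&2; return 2 ;;
    esac
    # Validate every prefix first so a bad entry never yields a partial ACL.
    for net in "$@"; do
        is_ipv4_cidr "$net" || { echo "invalid IPv4 prefix: $net" >&2; return 2; }
    done
    echo "nv set acl $acl type ipv4"
    rule=10
    for net in "$@"; do
        echo "nv set acl $acl rule $rule match ip protocol tcp"
        echo "nv set acl $acl rule $rule match ip source-ip $net"
        # Per this reference, match ip tcp dest-port was introduced in 5.9.0.
        echo "nv set acl $acl rule $rule match ip tcp dest-port ssh"
        echo "nv set acl $acl rule $rule action deny"
        echo "nv set acl $acl rule $rule remark \"deny SSH from $net\""
        rule=$((rule + 10))
    done
    # Bind once to the control plane so the rules cover all CPU-bound packets.
    echo "nv set system control-plane acl $acl inbound"
}

# Constructed sample input: documentation-range prefixes, ACL name from this page.
render_cp_ssh_block ACL1 192.0.2.0/24 198.51.100.7/32
```

After review, run the printed commands on the switch and commit them with nv config apply.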