Firewall
The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.
nv set acl acl-default-dos rule <rule-id> action deny
Configures a deny action for the firewall DoS rule to deny packets.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action deny
nv set acl acl-default-dos rule <rule-id> action dest-nat translate-ip <range-id>
Configures an IP address destination NAT for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<range-id> | The IPv4 range; for example, <ip-address> to <ip-address>. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80
nv set acl acl-default-dos rule <rule-id> action dest-nat translate-port <port-id>
Configures a port destination NAT firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<port-id> | The port ID or port range. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action dest-nat translate-port 22
nv set acl acl-default-dos rule <rule-id> action erspan dest-ip
Configures the ERSPAN destination IP address for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action erspan dest-ip 10.10.10.3
nv set acl acl-default-dos rule <rule-id> action erspan source-ip
Configures the ERSPAN source IP address for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action erspan source-ip 10.10.10.10
nv set acl acl-default-dos rule <rule-id> action erspan ttl
Configures the ERSPAN Time to Live (TTL) for the firewall DoS rule. You can specify a value between 1 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action erspan ttl 200
nv set acl acl-default-dos rule <rule-id> action log
Configures logging for the firewall DoS rule.
nv set acl acl-default-dos rule <rule-id> action log level
Configures the log level for the firewall DoS rule. You can specify a value between 1 and 7.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action log level 5
nv set acl acl-default-dos rule <rule-id> action log log-prefix <prefix>
Configures logging for packets with a specific prefix for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<prefix> | The prefix with which you want to log matching packets. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action log log-prefix 10.10.10.1/32
nv set acl acl-default-dos rule <rule-id> action log rate
Configures the number of logs per minute you want to generate for the firewall DoS rule. You can set a value between 1 and 50000.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action log rate 30000
nv set acl acl-default-dos rule <rule-id> action permit
Configures a permit action to permit packets for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action permit
nv set acl acl-default-dos rule <rule-id> action police burst
Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police burst rate: the number of packets or kilobytes (KB) allowed to arrive in sequence. You can specify a value between 1 and 2147483647.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police burst 1000
nv set acl acl-default-dos rule <rule-id> action police class
Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police action class. You can specify an integer between 0 and 7.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police class 5
nv set acl acl-default-dos rule <rule-id> action police mode
Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the traffic mode. You can specify packet, kbps, mbps or gbps.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police mode mbps
nv set acl acl-default-dos rule <rule-id> action police rate
Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the policing rate. You can specify a value between 1 and 2147483647.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police rate 2000
nv set acl acl-default-dos rule <rule-id> action recent
Configures the firewall DoS rule to be the most recent.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action recent
nv set acl acl-default-dos rule <rule-id> action set class
Modifies the class value for packet classification for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action set class 3
nv set acl acl-default-dos rule <rule-id> action set cos
Configures the 802.1p CoS value to modify in the packet for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action set cos 6
nv set acl acl-default-dos rule <rule-id> action set dscp
Configures the DSCP value to modify in the packet for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action set dscp af12
nv set acl acl-default-dos rule <rule-id> action source-nat translate-ip <range-id>
Configures a dynamic NAT action DoS rule to translate a source IP address range to a public address.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<range-id> | The IP address range; for example, <ip-address> to <ip-address>. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action source-nat translate-ip 172.30.58.0 to 172.30.58.80
nv set acl acl-default-dos rule <rule-id> action source-nat translate-port <port-id>
Configures a NAT action DoS rule to translate a source IP port.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<port-id> | The port number or range of ports (separated with a -). |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action source-nat translate-port 1024-1200
nv set acl acl-default-dos rule <rule-id> action span <interface-id>
Configures the SPAN session for the specified interface for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<interface-id> | The interface name. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 action span swp1
nv set acl acl-default-dos rule <rule-id> match ip connection-state
Configures the connection state you want to match for the firewall DoS rule. You can set the value to established, related, new, or invalid.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip connection-state related
nv set acl acl-default-dos rule <rule-id> match ip dest-ip <ip-address-id>
Configures the destination IP address you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<ip-address-id> | The destination IP address. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip dest-ip 10.0.15.8/32
nv set acl acl-default-dos rule <rule-id> match ip dscp
Configures the DSCP value you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip dscp af13
nv set acl acl-default-dos rule <rule-id> match ip ecn flags tcp-cwr
Configures the firewall DoS rule to match on the TCP Congestion Window Reduced Flag.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ecn flags tcp-cwr
nv set acl acl-default-dos rule <rule-id> match ip ecn flags tcp-ece
Configures the firewall DoS rule to match on the TCP ECN Echo Flag.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ecn flags tcp-ece
nv set acl acl-default-dos rule <rule-id> match ip ecn ip-ect
Configures the firewall DoS rule to match on the ECT bit. The ECT codepoints negotiate if the connection is ECN capable by setting one of the two bits to 1. Routers also use the ECT bit to indicate that they are experiencing congestion by setting both the ECT codepoints to 1.
By default, ECN rules match a packet with the bit set. You can reverse the match by using an exclamation point (!).
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ecn ip-ect
nv set acl acl-default-dos rule <rule-id> match ip fragment
Configures IP fragment packet match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip fragment
nv set acl acl-default-dos rule <rule-id> match ip hashlimit burst
Configures the hashlimit burst rate you want to match for the firewall DoS rule. You can specify a value between 1 and 4294967295.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit burst 10
nv set acl acl-default-dos rule <rule-id> match ip hashlimit destination-mask
Configures the hashlimit destination mask you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit destination-mask 32
nv set acl acl-default-dos rule <rule-id> match ip hashlimit expire
Configures the hashlimit expire time (in milliseconds) you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit expire 1000
nv set acl acl-default-dos rule <rule-id> match ip hashlimit mode
Configures the hashlimit mode you want to match for the firewall DoS rule. You can specify src-ip or dst-ip.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit mode dst-ip
nv set acl acl-default-dos rule <rule-id> match ip hashlimit name
Configures the hashlimit name you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit name SSH
nv set acl acl-default-dos rule <rule-id> match ip hashlimit rate-above
Configures how much above the hashlimit rate you want to match for the firewall DoS rule. You can specify an <integer>/second, <integer>/min, or <integer>/hour. The maximum rate is 1000000/second.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit rate-above 1000/min
nv set acl acl-default-dos rule <rule-id> match ip hashlimit source-mask
Configures the hashlimit source mask you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit source-mask 32
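The hashlimit parameters documented above (name, mode, source-mask, destination-mask, burst, rate-above, expire) together describe one rate limiter per hashed address. The following Python is an added illustration, not Cumulus Linux or NVUE code: it models that matcher as a per-key token bucket (an assumption about the implementation) and replays a constructed packet timeline against the values used on this page, so you can see which packets a rate-above rule would start matching. The class and function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the hashlimit match: one token bucket per hashed key.
# The bucket model, names and signatures are assumptions for illustration,
# not NVUE or Cumulus Linux code.


def parse_rate(rate: str) -> float:
    """Convert '<integer>/second', '<integer>/min' or '<integer>/hour' to tokens per second."""
    count, unit = rate.split("/")
    seconds = {"second": 1, "sec": 1, "min": 60, "minute": 60, "hour": 3600}[unit]
    return int(count) / seconds


@dataclass
class Bucket:
    tokens: float      # remaining burst credit for this key
    last_seen: float   # time of the last packet for this key, in seconds


@dataclass
class HashlimitRule:
    name: str                    # match ip hashlimit name
    mode: str                    # match ip hashlimit mode: src-ip or dst-ip
    rate_above: str              # match ip hashlimit rate-above, e.g. 1000/min
    burst: int = 5               # match ip hashlimit burst
    source_mask: int = 32        # match ip hashlimit source-mask
    destination_mask: int = 32   # match ip hashlimit destination-mask
    expire_ms: int = 10000       # match ip hashlimit expire (milliseconds)
    table: dict = field(default_factory=dict)

    def key(self, src: str, dst: str) -> str:
        """Hash key: the masked source or destination address, depending on mode."""
        if self.mode == "src-ip":
            addr, mask = src, self.source_mask
        elif self.mode == "dst-ip":
            addr, mask = dst, self.destination_mask
        else:
            raise ValueError(f"unsupported hashlimit mode: {self.mode}")
        return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))

    def matches(self, src: str, dst: str, now: float) -> bool:
        """True when this packet pushes its key above the configured rate."""
        rate = parse_rate(self.rate_above)
        key = self.key(src, dst)
        bucket = self.table.get(key)
        if bucket is None or now - bucket.last_seen > self.expire_ms / 1000:
            # New or expired key: start with a full burst of credit.
            bucket = Bucket(tokens=float(self.burst), last_seen=now)
            self.table[key] = bucket
        # Refill credit for the elapsed time, capped at the burst size.
        bucket.tokens = min(float(self.burst), bucket.tokens + (now - bucket.last_seen) * rate)
        bucket.last_seen = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0   # within the limit: consume one credit, no match
            return False
        return True                # credit exhausted: rate-above matches

    def sweep_expired(self, now: float) -> int:
        """Drop keys idle for longer than expire; returns how many were removed."""
        stale = [k for k, b in self.table.items() if now - b.last_seen > self.expire_ms / 1000]
        for k in stale:
            del self.table[k]
        return len(stale)


def demo() -> dict:
    """Replay a constructed packet timeline against the values used on this page."""
    rule = HashlimitRule(name="SSH", mode="src-ip", rate_above="1000/min",
                         burst=10, source_mask=24, expire_ms=1000)
    # Constructed timeline: 12 packets 1 ms apart from one host; only the
    # first 10 (the burst) stay under the limit, the remaining 2 match.
    flood = [rule.matches("10.0.14.2", "10.0.15.8", t / 1000) for t in range(12)]
    same_subnet = rule.matches("10.0.14.200", "10.0.15.8", 0.012)  # shares the /24 bucket
    other_subnet = rule.matches("10.0.15.3", "10.0.15.8", 0.013)   # fresh bucket, no match
    keys_before = len(rule.table)
    removed = rule.sweep_expired(now=5.0)                           # well past expire 1000 ms
    return {"flood_matches": sum(flood), "same_subnet": same_subnet,
            "other_subnet": other_subnet, "keys_before": keys_before, "removed": removed}


if __name__ == "__main__":
    print(demo())
```

Because source-mask 24 hashes the whole /24 into one bucket, a second host in that subnet is already above the rate; a host in another /24 gets its own full burst.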
nv set acl acl-default-dos rule <rule-id> match ip icmp-type
Configures the IP ICMP type you want to match for the firewall DoS rule. You can specify: dest-unreachable, echo-reply, echo-request, port-unreachable, time-exceeded, or an integer between 0 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip icmp-type dest-unreachable
nv set acl acl-default-dos rule <rule-id> match ip icmpv6-type
Configures the IP ICMPv6 type you want to match for the firewall DoS rule. You can specify router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, or an integer between 0 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip icmpv6-type router-solicitation
nv set acl acl-default-dos rule <rule-id> match ip protocol
Configures the IP protocol you want to match for the firewall DoS rule. You can specify tcp, udp, ospf, pim, icmp, icmpv6, or igmp.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip protocol tcp
nv set acl acl-default-dos rule <rule-id> match ip recent-list action
Configures the IP recent list action you want to match for the firewall DoS rule. You can specify set or update.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list action update
nv set acl acl-default-dos rule <rule-id> match ip recent-list hit-count
Configures the IP recent list hit count you want to match for the firewall DoS rule. You can specify a value between 1 and 4294967295.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list hit-count 2000
nv set acl acl-default-dos rule <rule-id> match ip recent-list name
Configures the IP recent list name you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list name list1
nv set acl acl-default-dos rule <rule-id> match ip recent-list update-interval
Configures the IP recent list update interval you want to match for the firewall DoS rule. You can specify a value between 1 and 4294967295.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list update-interval 1000
nv set acl acl-default-dos rule <rule-id> match ip source-ip
Configures the source IP address you want to match for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip source-ip 10.0.14.2/32
nv set acl acl-default-dos rule <rule-id> match ip tcp all-mss-except
Configures the firewall DoS rule to match all TCP maximum segment size (MSS) values except for the specified value.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp all-mss-except 536
nv set acl acl-default-dos rule <rule-id> match ip tcp flags
Configures the IP TCP flag you want to match in the packet for the firewall DoS rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp flags syn
nv set acl acl-default-dos rule <rule-id> match ip tcp mask
Configures the IP TCP mask you want to match in the packet for the firewall DoS rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp mask ack
nv set acl acl-default-dos rule <rule-id> match ip tcp mss
Configures the TCP maximum segment size (MSS) you want to match in the packet for the firewall DoS rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp mss 536
nv set acl acl-default-dos rule <rule-id> match ip tcp state established
Configures the firewall DoS rule to match on the TCP established state.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp state established
nv set acl acl-default-dos rule <rule-id> match ip ttl
Configures the firewall DoS rule to match on the IP TTL.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ttl 100
nv set acl acl-default-dos rule <rule-id> match ip udp dest-port
Configures the firewall DoS rule to match on the specified IP UDP destination port. You can specify ANY, bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip udp dest-port https
nv set acl acl-default-dos rule <rule-id> match ip udp source-port
Configures the firewall DoS rule to match on the specified IP UDP source port. You can specify ANY, bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip udp source-port https
nv set acl acl-default-dos rule <rule-id> match mac dest-mac
Configures the firewall DoS rule to match on the specified destination MAC address.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac dest-mac any
nv set acl acl-default-dos rule <rule-id> match mac dest-mac-mask
Configures the firewall DoS rule to match on the specified destination MAC address mask.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac dest-mac-mask 00:00:00:00:00:12
nv set acl acl-default-dos rule <rule-id> match mac protocol
Configures the firewall DoS rule to match on the specified destination MAC protocol. You can specify ANY, arp, ipv4, ipv6, or a value between 0 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac protocol arp
nv set acl acl-default-dos rule <rule-id> match mac source-mac
Configures the firewall DoS rule to match on the specified source MAC address.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac source-mac any
nv set acl acl-default-dos rule <rule-id> match mac source-mac-mask
Configures the firewall DoS rule to match on the specified source MAC address mask.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac source-mac-mask any
nv set acl acl-default-dos rule <rule-id> match vlan
Configures the firewall DoS rule to match on the specified VLAN ID.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 match vlan 10
nv set acl acl-default-dos rule <rule-id> remark
Configures a remark (description) about deny or permit conditions in the firewall DoS rule. You must enclose multiple words in double quotes (").
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-dos rule 10 remark "The following line permits TCP packets"
nv set acl acl-default-whitelist rule <rule-id> action deny
Configures a deny action for the firewall whitelist rule to deny packets.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action deny
nv set acl acl-default-whitelist rule <rule-id> action dest-nat translate-ip <range-id>
Configures an IP address destination NAT for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<range-id> | The IPv4 range; for example, <ip-address> to <ip-address>. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80
nv set acl acl-default-whitelist rule <rule-id> action dest-nat translate-port <port-id>
Configures a port destination NAT for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<port-id> | The port ID or port range. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action dest-nat translate-port 22
nv set acl acl-default-whitelist rule <rule-id> action erspan dest-ip
Configures the ERSPAN destination IP address for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action erspan dest-ip 10.10.10.3
nv set acl acl-default-whitelist rule <rule-id> action erspan source-ip
Configures the ERSPAN source IP address for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action erspan source-ip 10.10.10.10
nv set acl acl-default-whitelist rule <rule-id> action erspan ttl
Configures the ERSPAN Time to Live (TTL) for the firewall whitelist rule. You can specify a value between 1 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action erspan ttl 200
nv set acl acl-default-whitelist rule <rule-id> action log
Configures logging for the firewall whitelist rule.
nv set acl acl-default-whitelist rule <rule-id> action log level
Configures the log level for the firewall whitelist rule. You can specify a value between 1 and 7.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action log level 5
nv set acl acl-default-whitelist rule <rule-id> action log log-prefix <prefix>
Configures logging for packets with a specific prefix for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<prefix> | The prefix with which you want to log matching packets. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action log log-prefix 10.10.10.1/32
nv set acl acl-default-whitelist rule <rule-id> action log rate
Configures the number of logs per minute you want to generate for the firewall whitelist rule. You can set a value between 1 and 50000.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action log rate 30000
nv set acl acl-default-whitelist rule <rule-id> action permit
Configures a permit action to permit packets for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action permit
nv set acl acl-default-whitelist rule <rule-id> action police burst
Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police burst rate: the number of packets or kilobytes (KB) allowed to arrive in sequence. You can specify a value between 1 and 2147483647.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police burst 1000
nv set acl acl-default-whitelist rule <rule-id> action police class
Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police action class. You can specify an integer between 0 and 7.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police class 5
nv set acl acl-default-whitelist rule <rule-id> action police mode
Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the traffic mode. You can specify packet, kbps, mbps, or gbps.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police mode mbps
nv set acl acl-default-whitelist rule <rule-id> action police rate
Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the policing rate. You can specify a value between 1 and 2147483647.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police rate 2000
nv set acl acl-default-whitelist rule <rule-id> action recent
Configures the firewall whitelist rule to be the most recent.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action recent
nv set acl acl-default-whitelist rule <rule-id> action set class
Modifies the class value for packet classification for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action set class 3
nv set acl acl-default-whitelist rule <rule-id> action set cos
Configures the 802.1p CoS value to modify in the packet for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action set cos 6
nv set acl acl-default-whitelist rule <rule-id> action set dscp
Configures the DSCP value to modify in the packet for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action set dscp af12
nv set acl acl-default-whitelist rule <rule-id> action source-nat translate-ip <range-id>
Configures a dynamic NAT action whitelist rule to translate a source IP address range to a public address.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<range-id> | The IP address range; for example, <ip-address> to <ip-address>. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action source-nat translate-ip 172.30.58.0 to 172.30.58.80
nv set acl acl-default-whitelist rule <rule-id> action source-nat translate-port <port-id>
Configures a NAT action whitelist rule to translate a source IP port.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<port-id> | The port number or range of ports (separated with a -). |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action source-nat translate-port 1024-1200
nv set acl acl-default-whitelist rule <rule-id> action span <interface-id>
Configures the SPAN session for the specified interface for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<interface-id> | The interface name. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action span swp1
nv set acl acl-default-whitelist rule <rule-id> match ip connection-state
Configures the connection state you want to match for the firewall whitelist rule. You can set the value to established, related, new, or invalid.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip connection-state related
nv set acl acl-default-whitelist rule <rule-id> match ip dest-ip <ip-address-id>
Configures the destination IP address you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
<ip-address-id> | The destination IP address. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip dest-ip 10.0.15.8/32
nv set acl acl-default-whitelist rule <rule-id> match ip dscp
Configures the DSCP value you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip dscp af13
nv set acl acl-default-whitelist rule <rule-id> match ip ecn flags tcp-cwr
Configures the firewall whitelist rule to match on the TCP Congestion Window Reduced Flag.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ecn flags tcp-cwr
nv set acl acl-default-whitelist rule <rule-id> match ip ecn flags tcp-ece
Configures the firewall whitelist rule to match on the TCP ECN Echo Flag.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ecn flags tcp-ece
nv set acl acl-default-whitelist rule <rule-id> match ip ecn ip-ect
Configures the firewall whitelist rule to match on the ECT bit. The ECT codepoints negotiate whether the connection is ECN capable by setting one of the two bits to 1. Routers also use the ECT bit to indicate that they are experiencing congestion by setting both the ECT codepoints to 1.
By default, ECN rules match a packet with the bit set. You can reverse the match by using an exclamation point (!).
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ecn ip-ect
nv set acl acl-default-whitelist rule <rule-id> match ip fragment
Configures IP fragment packet match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip fragment
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit burst
Configures the hashlimit burst rate you want to match for the firewall whitelist rule. You can specify a value between 1 and 4294967295.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit burst 10
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit destination-mask
Configures the hashlimit destination mask you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit destination-mask 32
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit expire
Configures the hashlimit expire time (in milliseconds) you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit expire 1000
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit mode
Configures the hashlimit mode you want to match for the firewall whitelist rule. You can specify src-ip or dst-ip.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit mode dst-ip
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit name
Configures the hashlimit name you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit name SSH
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit rate-above
Configures the hashlimit rate above which the firewall whitelist rule matches. You can specify <integer>/second, <integer>/min, or <integer>/hour. The maximum rate is 1000000/second.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit rate-above 1000/min
nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit source-mask
Configures the hashlimit source mask you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit source-mask 32
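The hashlimit options above (name, mode, source-mask, destination-mask, burst, rate-above, expire) configure one per-key rate limiter. The following Python model is an added example, not Cumulus Linux or NVUE code; it assumes the options follow the token-bucket semantics of the iptables hashlimit match they configure (burst is the bucket size, rate-above the refill rate, the mode and masks select the key, expire the idle timeout), and all packets in it are constructed.

```python
"""Per-key rate limiter modelling the whitelist hashlimit match.

Added example, not Cumulus Linux or NVUE code.  Assumption: the NVUE
hashlimit options behave like the iptables hashlimit token bucket that
they configure: 'burst' is the bucket size, 'rate-above' the refill
rate, 'mode' plus the masks pick the key, 'expire' is the idle timeout.
"""
from dataclasses import dataclass, field
from ipaddress import ip_network

# Units accepted by 'hashlimit rate-above': <integer>/second|min|hour.
RATE_UNITS = {"second": 1.0, "min": 60.0, "hour": 3600.0}


def parse_rate(spec: str) -> float:
    """Convert '1000/min' to tokens per second; the cap is 1000000/second."""
    count, unit = spec.split("/")
    rate = int(count) / RATE_UNITS[unit]
    if rate > 1_000_000:
        raise ValueError("rate-above exceeds 1000000/second")
    return rate


@dataclass
class HashLimit:
    name: str                    # 'hashlimit name SSH'
    rate_above: str              # 'hashlimit rate-above 1000/min'
    burst: int                   # 'hashlimit burst 10'
    mode: str = "src-ip"         # 'hashlimit mode src-ip|dst-ip'
    source_mask: int = 32        # 'hashlimit source-mask 32'
    destination_mask: int = 32   # 'hashlimit destination-mask 32'
    expire_ms: int = 1000        # 'hashlimit expire 1000'
    buckets: dict = field(default_factory=dict)

    def key(self, src: str, dst: str) -> str:
        """Hash key: the source or destination address after masking."""
        if self.mode == "src-ip":
            return str(ip_network(f"{src}/{self.source_mask}", strict=False))
        return str(ip_network(f"{dst}/{self.destination_mask}", strict=False))

    def above(self, src: str, dst: str, now: float) -> bool:
        """True when this packet exceeds the rate for its key (rule matches)."""
        k = self.key(src, dst)
        tokens, last = self.buckets.get(k, (float(self.burst), now))
        if now - last > self.expire_ms / 1000.0:
            tokens, last = float(self.burst), now  # idle entry expired: fresh bucket
        tokens = min(float(self.burst), tokens + (now - last) * parse_rate(self.rate_above))
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, now)
            return False  # within rate: the rule does not match
        self.buckets[k] = (tokens, now)
        return True


def classify(limit: HashLimit, packets):
    """Run constructed (src, dst, time_s) packets through the limiter."""
    return [limit.above(src, dst, t) for src, dst, t in packets]


if __name__ == "__main__":
    # Constructed sample: 11 packets from one host in the same instant,
    # then one after 100 ms, then one after the entry has expired.
    ssh = HashLimit(name="SSH", rate_above="1000/min", burst=10)
    pkts = [("192.0.2.1", "10.0.15.8", 0.0)] * 11
    pkts += [("192.0.2.1", "10.0.15.8", 0.1), ("192.0.2.1", "10.0.15.8", 2.0)]
    print(classify(ssh, pkts))  # [False]*10 + [True, False, False]
```

With a deny action on the rule, only the packets reported as above the rate would be dropped; a coarser source-mask groups whole prefixes into one bucket.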
nv set acl acl-default-whitelist rule <rule-id> match ip icmp-type
Configures the IP ICMP type you want to match for the firewall whitelist rule. You can specify: dest-unreachable, echo-reply, echo-request, port-unreachable, time-exceeded, or an integer between 0 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip icmp-type dest-unreachable
nv set acl acl-default-whitelist rule <rule-id> match ip icmpv6-type
Configures the IP ICMPv6 type you want to match for the firewall whitelist rule. You can specify router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, or an integer between 0 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip icmpv6-type router-solicitation
nv set acl acl-default-whitelist rule <rule-id> match ip protocol
Configures the IP protocol you want to match for the firewall whitelist rule. You can specify tcp, udp, ospf, pim, icmp, icmpv6, or igmp.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip protocol tcp
nv set acl acl-default-whitelist rule <rule-id> match ip recent-list action
Configures the IP recent list action you want to match for the firewall whitelist rule. You can specify set or update.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list action update
nv set acl acl-default-whitelist rule <rule-id> match ip recent-list hit-count
Configures the IP recent list hit count you want to match for the firewall whitelist rule. You can specify a value between 1 and 4294967295.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list hit-count 2000
nv set acl acl-default-whitelist rule <rule-id> match ip recent-list name
Configures the IP recent list name you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list name list1
nv set acl acl-default-whitelist rule <rule-id> match ip recent-list update-interval
Configures the IP recent list update interval you want to match for the firewall whitelist rule. You can specify a value between 1 and 4294967295.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list update-interval 1000
nv set acl acl-default-whitelist rule <rule-id> match ip source-ip
Configures the source IP address you want to match for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip source-ip 10.0.14.2/32
nv set acl acl-default-whitelist rule <rule-id> match ip tcp all-mss-except
Configures the firewall whitelist rule to match all TCP maximum segment size (MSS) values except for the specified value.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp all-mss-except 536
nv set acl acl-default-whitelist rule <rule-id> match ip tcp flags
Configures the IP TCP flag you want to match in the packet for the firewall whitelist rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp flags syn
nv set acl acl-default-whitelist rule <rule-id> match ip tcp mask
Configures the IP TCP mask you want to match in the packet for the firewall whitelist rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp mask ack
nv set acl acl-default-whitelist rule <rule-id> match ip tcp mss
Configures the TCP maximum segment size (MSS) you want to match in the packet for the firewall whitelist rule.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp mss 536
nv set acl acl-default-whitelist rule <rule-id> match ip tcp state established
Configures the firewall whitelist rule to match on the TCP established state.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp state established
nv set acl acl-default-whitelist rule <rule-id> match ip ttl
Configures the firewall whitelist rule to match on the IP TTL.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ttl 100
nv set acl acl-default-whitelist rule <rule-id> match ip udp dest-port
Configures the firewall whitelist rule to match on the specified IP UDP destination port. You can specify ANY, bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip udp dest-port https
nv set acl acl-default-whitelist rule <rule-id> match ip udp source-port
Configures the firewall whitelist rule to match on the specified IP UDP source port. You can specify ANY, bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip udp source-port https
nv set acl acl-default-whitelist rule <rule-id> match mac dest-mac
Configures the firewall whitelist rule to match on the specified destination MAC address.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac dest-mac any
nv set acl acl-default-whitelist rule <rule-id> match mac dest-mac-mask
Configures the firewall whitelist rule to match on the specified destination MAC address mask.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac dest-mac-mask 00:00:00:00:00:12
nv set acl acl-default-whitelist rule <rule-id> match mac protocol
Configures the firewall whitelist rule to match on the specified destination MAC protocol. You can specify ANY, arp, ipv4, ipv6, or a value between 0 and 255.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac protocol arp
nv set acl acl-default-whitelist rule <rule-id> match mac source-mac
Configures the firewall whitelist rule to match on the specified source MAC address.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac source-mac any
nv set acl acl-default-whitelist rule <rule-id> match mac source-mac-mask
Configures the firewall whitelist rule to match on the specified source MAC address mask.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac source-mac-mask any
nv set acl acl-default-whitelist rule <rule-id> match vlan
Configures the firewall whitelist rule to match on the specified VLAN ID.
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match vlan 10
nv set acl acl-default-whitelist rule <rule-id> remark
Configures a remark (description) about deny or permit conditions in the firewall whitelist rule. You must enclose multiple words in double quotes (").
Command Syntax
Syntax | Description |
---|---|
<rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 remark "The following line permits TCP packets"
nv set system control-plane acl acl-default-dos inbound
Enables or disables the Cumulus Linux default DoS firewall rules that protect the switch control plane and CPU from DoS attacks. Cumulus Linux provides firewall DoS rules to:
- Allow only internal traffic to the loopback interfaces.
- Accept already established connections and outbound traffic.
- Set the allow option to color the packets from a specific interface. This is used when different policies need to be applied to different eth interfaces.
- Drop packets if the first TCP segment is not SYN.
- Drop fragmented IP packets.
- Drop Christmas tree packets (packets with all TCP flags set).
- Drop NULL packets.
- Drop invalid packets.
- Drop strange MSS values.
- Provide brute-force protection.
- Drop packets with routing Header Type 0.
- Drop packets with a hop limit greater than 1.
- Limit excessive TCP reset packets.
- Protect against SYN flood.
- Rate limit new TCP connections for each IP address.
- Log all remaining packets, then drop them.
In Cumulus Linux 5.8 and earlier, the set of default firewall rules is more open; Cumulus Linux accepts packets from all addresses and protocols. Cumulus Linux 5.9 and later provides a set of default firewall rules that allows only specific addresses and ports, and drops packets that are disallowed.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv unset system control-plane acl acl-default-dos inbound
nv set system control-plane acl acl-default-whitelist inbound
Enables or disables the Cumulus Linux default whitelist firewall rules that specify the services or application ports enabled on the switch. Cumulus Linux provides firewall whitelist rules to enable TCP ports and UDP ports.
In Cumulus Linux 5.8 and earlier, the set of default firewall rules is more open; Cumulus Linux accepts packets from all addresses and protocols. Cumulus Linux 5.9 and later provides a set of default firewall rules that allows only specific addresses and ports, and drops packets that are disallowed.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv unset system control-plane acl acl-default-whitelist inbound