ACL and CoPP
nv show acl
Shows the configured ACL rules on the switch.
In Cumulus Linux 5.9, you must run the nv show acl --rev=applied command to see the output.
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl
type Summary
-------- ---- --------
EXAMPLE1 ipv4 rule: 10
nv show acl acl-default-dos
Shows the firewall DoS rules on the switch.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-dos
applied pending
---- ------- -------
type ipv4 ipv4
rule
=======
Number Summary
------ ----------------------------------------
30 match.ip.protocol: tcp
40 match.ip.protocol: tcp
41 match.ip.protocol: tcp
42 match.ip.protocol: tcp
50
60 match.ip.protocol: tcp
70 match.ip.protocol: tcp
80 match.ip.protocol: tcp
90 match.ip.protocol: tcp
match.ip.tcp.all-mss-except: 536-65535
100 match.ip.recent-list.action: set
match.ip.tcp.dest-port: 22
110 match.ip.recent-list.action: update
match.ip.recent-list.hit-count: 100
match.ip.recent-list.update-interval: 60
match.ip.tcp.dest-port: 22
120 match.ip.hashlimit.burst: 2
match.ip.hashlimit.expire: 30000
match.ip.hashlimit.mode: src-ip
match.ip.hashlimit.name: TCPRST
match.ip.hashlimit.rate-above: 5/min
match.ip.hashlimit.source-mask: 32
match.ip.protocol: tcp
130 match.ip.hashlimit.burst: 30
match.ip.hashlimit.expire: 30000
match.ip.hashlimit.mode: src-ip
match.ip.hashlimit.name: TCPGENERAL
match.ip.hashlimit.rate-above: 50/second
match.ip.hashlimit.source-mask: 32
match.ip.protocol: tcp
nv show acl acl-default-dos rule <rule-id>
Shows information about the specified firewall DoS rule on the switch.
Command Syntax
| Syntax | Description |
|---|---|
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@leaf01:mgmt:~$ nv show acl acl-default-dos rule 120
applied pending
----------------- ------- -------
match
ip
protocol tcp tcp
hashlimit
name TCPRST TCPRST
rate-above 5/min 5/min
burst 2 2
source-mask 32 32
expire 30000 30000
mode src-ip src-ip
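The DoS rules above (for example rule 120, TCPRST: rate-above 5/min, burst 2, mode src-ip, source-mask 32, expire 30000) are per-source hashlimit matches. The following is an added illustration, not Cumulus Linux or iptables code: an idealized token-bucket model of how burst, rate-above, source-mask and expire interact, run over constructed traffic. The real hashlimit bookkeeping differs in detail (credit granularity, hash table size limits), so treat this as a model of the semantics, not of the implementation.

```python
"""Added illustration (not Cumulus Linux or iptables code): an idealized
token-bucket model of a per-source hashlimit rule such as rule 120 (TCPRST)
in acl-default-dos: rate-above 5/min, burst 2, mode src-ip, source-mask 32,
expire 30000 ms."""
from fractions import Fraction
from ipaddress import ip_network

# Rate units accepted in the rate-above field, as seconds per unit.
RATE_UNITS = {"second": 1, "sec": 1, "minute": 60, "min": 60,
              "hour": 3600, "day": 86400}


def parse_rate(rate: str) -> Fraction:
    """'5/min' -> 5 packets per 60 s, returned as packets per second."""
    count, unit = rate.split("/")
    return Fraction(int(count), RATE_UNITS[unit])


class HashLimit:
    """Per-source-key token bucket: 'burst' tokens up front, refilled at
    rate-above; a packet that finds no token is above the limit."""

    def __init__(self, rate_above: str, burst: int,
                 source_mask: int = 32, expire_ms: int = 30000):
        self.rate = float(parse_rate(rate_above))
        self.burst = burst
        self.mask = source_mask
        self.expire = expire_ms / 1000.0
        self.buckets = {}  # source key -> (tokens, last_seen_seconds)

    def key(self, src_ip: str):
        """Sources are grouped by source-mask (mode src-ip)."""
        return ip_network(f"{src_ip}/{self.mask}", strict=False)

    def above_limit(self, src_ip: str, now: float) -> bool:
        """True when this packet exceeds the allowed rate for its source,
        i.e. the rate-above match fires and the rule's action applies."""
        k = self.key(src_ip)
        tokens, last = self.buckets.get(k, (float(self.burst), now))
        if now - last >= self.expire:
            # Idle entry expired: a returning source starts with a full burst.
            tokens, last = float(self.burst), now
        tokens = min(float(self.burst), tokens + self.rate * (now - last))
        if tokens >= 1.0:
            self.buckets[k] = (tokens - 1.0, now)
            return False
        self.buckets[k] = (tokens, now)
        return True


def simulate(events, rate_above="5/min", burst=2, source_mask=32):
    """Run constructed (time_s, src_ip) events through one rule and return
    [(time_s, src_ip, above_limit)] so the effect of burst/rate/expire shows."""
    rule = HashLimit(rate_above, burst, source_mask)
    return [(t, src, rule.above_limit(src, t)) for t, src in events]


# Constructed traffic: a burst of three RSTs from one source, one RST from a
# second source, then the first source returning after 12 s (one token has
# refilled at 5/min) and again after the 30 s expire window.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.10"), (0.1, "192.0.2.10"), (0.2, "192.0.2.10"),
    (0.3, "198.51.100.7"),
    (12.2, "192.0.2.10"),
    (50.0, "192.0.2.10"),
]

if __name__ == "__main__":
    for t, src, above in simulate(SAMPLE_EVENTS):
        print(f"t={t:5.1f}s {src:14s} {'above limit' if above else 'within limit'}")
```

Running the sample shows the third RST from 192.0.2.10 within 0.2 s exceeding the limit while the other source is unaffected; with source-mask 24 instead of 32, the model groups hosts of one /24 into a single bucket, which is what the mask field changes.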
nv show acl acl-default-whitelist
Shows the firewall whitelist rules on the switch.
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-whitelist
applied pending
---- ------- -------
type ipv4 ipv4
rule
=======
Number Summary
------ -------------------------------------------------
5 match.ip.protocol: tcp
match.ip.tcp.dest-port: ssh
10 match.ip.protocol: tcp
match.ip.tcp.dest-port: bgp
15 match.ip.protocol: tcp
match.ip.tcp.dest-port: ldap
20 match.ip.protocol: tcp
match.ip.tcp.dest-port: 8765
25 match.ip.protocol: tcp
match.ip.tcp.dest-port: https
30 match.ip.protocol: tcp
match.ip.tcp.dest-port: clag
35 match.ip.protocol: tcp
match.ip.tcp.source-port: 49
40 match.ip.protocol: udp
match.ip.udp.dest-port: dhcp-client
45 match.ip.protocol: udp
match.ip.udp.dest-port: dhcp-server
50 match.ip.protocol: udp
match.ip.udp.dest-port: ntp
55 match.ip.protocol: udp
match.ip.udp.dest-port: 323
60 match.ip.protocol: udp
match.ip.udp.dest-port: snmp
65 match.ip.protocol: udp
match.ip.udp.dest-port: tftp
70 match.ip.protocol: udp
match.ip.udp.dest-port: ldap
73 match.ip.udp.source-port: 3020
74 match.ip.udp.source-port: 3022
75 match.ip.protocol: udp
match.ip.udp.source-port: 1812
80 match.ip.protocol: udp
match.ip.udp.source-port: 1813
85 match.ip.protocol: udp
match.ip.udp.dest-port: 6343
90 match.ip.protocol: udp
match.ip.udp.dest-port: 6344
95 match.ip.protocol: udp
match.ip.udp.dest-port: 514
100 match.ip.protocol: udp
match.ip.udp.dest-port: bfd
105 match.ip.protocol: udp
match.ip.udp.dest-port: bfd-multihop
110 match.ip.protocol: udp
match.ip.udp.dest-port: 4789
115 match.ip.protocol: udp
match.ip.udp.dest-port: 319
120 match.ip.protocol: udp
match.ip.udp.dest-port: 320
125 match.ip.protocol: tcp
match.ip.tcp.dest-port: 9339
130 match.ip.protocol: tcp
match.ip.tcp.dest-port: 31980
match.ip.tcp.dest-port: 31982
135 match.ip.protocol: tcp
match.ip.tcp.dest-port: 639
140 match.ip.protocol: udp
match.ip.udp.source-port: 53
145 match.ip.protocol: tcp
match.ip.tcp.dest-port: 9999
150 match.ip.protocol: ospf
155 match.ip.protocol: pim
160 match.ip.protocol: vrrp
165 match.ip.protocol: igmp
170 match.ip.protocol: icmp
175 match.ip.protocol: udp
match.ip.udp.dest-port: clag
9999 Log Level: 5
action.log.log-prefix: IPTables-Dropped:
Log Rate: 1
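When reviewing what the default whitelist exposes, it helps to turn the rule listing above into data. The following is an added example, not Cumulus Linux code: it parses the "Number / Summary" listing printed by nv show acl acl-default-whitelist (continuation lines without a rule number belong to the preceding rule) and answers which rule admits a given protocol and destination port. The sample text is constructed in the format shown above, using port and service names NVUE prints there; the service-name spellings (ssh, bgp, dhcp-client) are assumed to be what the command emits on your switch.

```python
"""Added example (not Cumulus Linux code): parse the rule listing printed by
'nv show acl acl-default-whitelist' and look up which rules admit a
protocol/port. Sample constructed from the format shown on the page."""
import re

SAMPLE = """\
Number  Summary
------  -------------------------------------------------
5       match.ip.protocol: tcp
        match.ip.tcp.dest-port: ssh
10      match.ip.protocol: tcp
        match.ip.tcp.dest-port: bgp
40      match.ip.protocol: udp
        match.ip.udp.dest-port: dhcp-client
73      match.ip.udp.source-port: 3020
130     match.ip.protocol: tcp
        match.ip.tcp.dest-port: 31980
        match.ip.tcp.dest-port: 31982
150     match.ip.protocol: ospf
9999    Log Level: 5
        action.log.log-prefix: IPTables-Dropped:
        Log Rate: 1
"""

# A line that starts a new rule: the rule number, then the first summary entry.
RULE_LINE = re.compile(r"^(\d+)\s+(.*\S)\s*$")


def parse_rule_listing(text):
    """Return {rule_number: [(field, value), ...]} preserving order, so a
    field that repeats (rule 130's two dest-ports) keeps both values."""
    rules, current = {}, None
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            current = int(m.group(1))
            rules[current] = []
            summary = m.group(2)
        elif current is not None and line[:1].isspace() and line.strip():
            summary = line.strip()  # continuation line of the current rule
        else:
            continue  # header, separator or blank line
        # Split on the first ': ' only; a value such as 'IPTables-Dropped:'
        # may itself contain a colon.
        field, _, value = summary.partition(": ")
        rules[current].append((field, value.strip()))
    return rules


def rules_admitting(rules, protocol, dest_port=None):
    """Rule numbers whose match criteria cover the protocol and, for tcp/udp,
    the destination port as NVUE prints it (a number or a service name)."""
    hits = []
    for number, fields in rules.items():
        protocols = [v for f, v in fields if f == "match.ip.protocol"]
        if protocol not in protocols:
            continue
        if dest_port is None:
            hits.append(number)
            continue
        ports = [v for f, v in fields if f == f"match.ip.{protocol}.dest-port"]
        if str(dest_port) in ports:
            hits.append(number)
    return hits


if __name__ == "__main__":
    rules = parse_rule_listing(SAMPLE)
    for proto, port in [("tcp", "ssh"), ("tcp", "31982"), ("udp", "dhcp-client"),
                        ("ospf", None), ("tcp", "telnet")]:
        print(f"{proto}/{port}: rules {rules_admitting(rules, proto, port)}")
```

A query that returns no rule (tcp/telnet in the sample) means the whitelist does not admit that service and the traffic falls through to the later rules, which is the behaviour you want to confirm for anything not on the list.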
nv show acl acl-default-whitelist rule <rule-id>
Shows information about the specified firewall whitelist rule on the switch.
Command Syntax
| Syntax | Description |
|---|---|
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-whitelist rule 150
applied pending
------------ ------- -------
match
ip
protocol ospf ospf
nv show acl <acl-id>
Shows the specified ACL configuration.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1
operational applied
---- ----------- -------
type ipv4
rule
=======
nv show acl <acl-id> rule
Shows the rules for the specified ACL.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule
Number Summary
------ --------------------------------
10 match.ip.dest-ip: 10.0.15.8/32
match.ip.dest-port: ANY
match.ip.protocol: tcp
match.ip.source-ip: 10.0.14.2/32
match.ip.source-port: ANY
nv show acl <acl-id> rule <rule-id>
Shows configuration information for the specified rule of the specified ACL.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10
operational applied
----------------- ------------ ------------
match
ip
dest-ip 10.0.15.8/32 10.0.15.8/32
protocol tcp tcp
source-ip 10.0.14.2/32 10.0.14.2/32
[dest-port] ANY ANY
[source-port] ANY ANY
nv show acl <acl-id> rule <rule-id> action
Shows the action for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 action
operational applied
----------- -------
permit
nv show acl <acl-id> rule <rule-id> action erspan
Shows the ERSPAN session for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 action erspan
operational applied pending
--- ----------- ------- -------
ttl 200
nv show acl <acl-id> rule <rule-id> action police
Shows the policer settings (rate, burst, and mode) for packets matched by the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The ACL rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 action police
operational applied
----- ----------- -------
burst 200
mode packet
rate 400
nv show acl <acl-id> rule <rule-id> action recent
Shows the recent action for the ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-whitelist rule 73 action recent
nv show acl <acl-id> rule <rule-id> match
Shows the ACL match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 match
operational applied
---------- ----------- -------
ip
protocol tcp
nv show acl <acl-id> rule <rule-id> match ip
Shows the IPv4 or IPv6 match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 match ip
operational applied
----------- ----------- -------
protocol tcp
[dest-port] 200
nv show acl <acl-id> rule <rule-id> match ip connection-state
Shows the connection-state match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-whitelist rule 73 match ip connection-state
applied
-----------
new
established
nv show acl <acl-id> rule <rule-id> match ip ecn flags
Shows the ECN protocol flag match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.2.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 match ip ecn flags
operational applied
----------- -------
tcp-cwr
tcp-ece
tcp-cwr
tcp-ece
nv show acl <acl-id> rule <rule-id> match ip hashlimit
Shows the hashlimit match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-whitelist rule 73 match ip hashlimit
nv show acl <acl-id> rule <rule-id> match ip recent-list
Shows the recent-list match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.9.0
Example
cumulus@switch:~$ nv show acl acl-default-whitelist rule 73 match ip recent-list
nv show acl <acl-id> rule <rule-id> match ip tcp flags
Shows TCP flag match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 match ip tcp flags
operational applied
----------- -------
syn
nv show acl <acl-id> rule <rule-id> match ip tcp mask
Shows TCP protocol flag mask match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 match ip tcp mask
operational applied
----------- -------
syn
nv show acl <acl-id> rule <rule-id> match mac
Shows MAC address match criteria for the specified ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show acl EXAMPLE1 rule 10 match mac
operational applied
--------------- ----------- -----------------
dest-mac 08:9e:01:ce:e2:04
dest-mac-mask ff:ff:ff:ff:ff:ff
source-mac 00:00:00:00:00:12
source-mac-mask ff:ff:ff:ff:ff:ff
nv show interface <interface-id> acl
Shows the ACLs on the specified interface. You use ACLs to match packets and take actions.
Command Syntax
| Syntax | Description |
|---|---|
| <interface-id> | The interface on which the ACL operates. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show interface swp1 acl
ACL Name Rule ID In Packets In Bytes Out Packets Out Bytes
-------- ------- ---------- -------- ----------- ---------
EXAMPLE1 10 0 0
nv show interface <interface-id> acl <acl-id>
Shows information about a specific ACL on the specified interface. You use ACLs to match packets and take actions.
Command Syntax
| Syntax | Description |
|---|---|
| <interface-id> | The interface on which the ACL operates. |
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show interface swp1 acl EXAMPLE1
Statistics
=============
Rule In Packet In Byte Out Packet Out Byte Summary
---- --------- ------- ---------- -------- -----------------------
10 0 0 Bytes match.ip.dest-port: 200
match.ip.protocol: tcp
nv show interface <interface-id> acl <acl-id> inbound
Shows information about the ACL applied for inbound traffic on the specified interface.
Command Syntax
| Syntax | Description |
|---|---|
| <interface-id> | The interface on which the ACL operates. |
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show interface swp1 acl EXAMPLE1 inbound
nv show interface <interface-id> acl <acl-id> inbound control-plane
Shows information about the ACL applied for the control plane on the specified interface.
Command Syntax
| Syntax | Description |
|---|---|
| <interface-id> | The interface on which the ACL operates. |
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show interface swp1 acl EXAMPLE1 inbound control-plane
nv show interface <interface-id> acl <acl-id> statistics
Shows statistics for a specific ACL on the specified interface.
Command Syntax
| Syntax | Description |
|---|---|
| <interface-id> | The interface on which the ACL operates. |
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.2.0
Example
cumulus@switch:~$ nv show interface swp1 acl EXAMPLE1 statistics
Rule In Packet In Byte Out Packet Out Byte Summary
---- --------- ------- ---------- -------- -----------------------
10 0 0 Bytes match.ip.dest-port: 200
match.ip.protocol: tcp
nv show interface <interface-id> acl <acl-id> statistics <rule-id>
Shows statistics for a specific ACL rule on the specified interface.
Command Syntax
| Syntax | Description |
|---|---|
| <interface-id> | The interface on which the ACL operates. |
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.2.0
Example
cumulus@switch:~$ nv show interface swp1 acl EXAMPLE1 statistics 10
operational applied
--------------- ----------- -------
match
ip
protocol tcp
[dest-port] 200
outbound
byte 0 Bytes
packet 0
nv show interface acl-statistics
Shows ACL statistics for all interfaces.
Version History
Introduced in Cumulus Linux 5.2.0
Example
cumulus@switch:~$ nv show interface acl-statistics
Interface ACL Name Rule ID In Packets In Bytes Out Packets Out Bytes
--------- -------- ------- ---------- -------- ----------- ---------
swp1 EXAMPLE1 10 0 0 Bytes
nv show system acl
Shows the ACL mode setting (atomic or non-atomic).
Version History
Introduced in Cumulus Linux 5.3.0
Example
cumulus@switch:~$ nv show system acl
applied
---- -------
mode atomic
nv show system control-plane
Shows the control plane configuration.
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show system control-plane
trap
=======
policer
==========
Policer State Policer Rate Policer Burst Summary
------------- ----- ------------ ------------- -------------------
acl-log on 100 100 Policer CBS: 7
Policer CIR: 100
Policer Id: 6
To CPU Bytes: 0
To CPU Pkts: 0
Trap Group: 18
Violated Packets: 0
arp on 800 800 Policer CBS: 10
Policer CIR: 800
Policer Id: 9
To CPU Bytes: 0
To CPU Pkts: 0
Trap Group: 13
Violated Packets: 0
bfd on 2000 2000 Policer CBS: 11
Policer CIR: 2000
Policer Id: 10
To CPU Bytes: 0
To CPU Pkts: 0
Trap Group: 17
Violated Packets: 0
bgp on 2000 2000 Policer CBS: 11
...
nv show system control-plane acl
Shows the control plane ACLs configured on the switch. You use control plane ACLs to apply a single rule for all packets forwarded to the CPU regardless of the source interface or destination interface on the switch. Control plane ACLs allow you to regulate traffic forwarded to applications on the switch with more granularity than traps and to configure ACLs to block SSH from specific addresses or subnets.
Version History
Introduced in Cumulus Linux 5.5.0
Example
cumulus@switch:~$ nv show system control-plane acl
ACL Name Rule ID In Packets In Bytes Out Packets Out Bytes
--------- ------- ---------- -------- ----------- ---------
ACL1 1 0 0 0 0
65535 0 0 0 0
ACL2 1 0 0 0 0
65535 0 0 0 0
nv show system control-plane acl <acl-id>
Shows information about the specified control plane ACL.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.5.0
Example
cumulus@switch:~$ nv show system control-plane acl ACL1
nv show system control-plane acl <acl-id> statistics
Shows statistics for the specified control plane ACL.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
Version History
Introduced in Cumulus Linux 5.5.0
Example
cumulus@switch:~$ nv show system control-plane acl ACL1 statistics
Rule In Packet In Byte Out Packet Out Byte Summary
---- --------- ------- ---------- -------- ---------------------------
1 0 0 Bytes 0 0 Bytes match.ip.dest-ip: 9.1.2.3
2 0 0 Bytes 0 0 Bytes match.ip.source-ip: 7.8.2.3
nv show system control-plane acl <acl-id> statistics <rule-id>
Shows statistics for the specified control plane ACL rule.
Command Syntax
| Syntax | Description |
|---|---|
| <acl-id> | The ACL name. |
| <rule-id> | The rule number. |
Version History
Introduced in Cumulus Linux 5.5.0
Example
cumulus@switch:~$ nv show system control-plane acl ACL1 statistics 2
nv show system control-plane policer
Shows control plane policer configuration.
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show system control-plane policer
Policer State Policer Rate Policer Burst Summary
------------- ----- ------------ ------------- -------------------
acl-log on 100 100 Policer CBS: 7
Policer CIR: 100
Policer Id: 6
To CPU Bytes: 0
To CPU Pkts: 0
Trap Group: 18
Violated Packets: 0
arp on 800 800 Policer CBS: 10
Policer CIR: 800
Policer Id: 9
To CPU Bytes: 0
To CPU Pkts: 0
Trap Group: 13
Violated Packets: 0
bfd on 2000 2000 Policer CBS: 11
...
nv show system control-plane policer <policer-id>
Shows configuration information for a specific control plane policer. The policer can be: acl-log, arp, bfd, bgp, brief, catch-all, clag, dhcp, eapol, icmp6-def-mld, icmp6-neigh, icmp-def, igmp, ip2me, l3-local, lacp, lldp-ptp, nat, pim-ospf-rip, rpvst, span-cpu, ssh, stp, or unknown-ipmc.
Command Syntax
| Syntax | Description |
|---|---|
| <policer-id> | The policer ID. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show system control-plane policer bfd
operational applied
--------------- ----------- -------
burst 2000
rate 2000
state on
statistics
policer-cbs 11
policer-cir 2000
policer-id 10
to-cpu-bytes 0
to-cpu-pkts 0
trap-group-id 17
violated-pkts 0
nv show system control-plane policer <policer-id> statistics
Shows statistics for a specific control plane policer. The policer can be: acl-log, arp, bfd, bgp, brief, catch-all, clag, dhcp, eapol, icmp6-def-mld, icmp6-neigh, icmp-def, igmp, ip2me, l3-local, lacp, lldp-ptp, nat, pim-ospf-rip, rpvst, span-cpu, ssh, stp, or unknown-ipmc.
Command Syntax
| Syntax | Description |
|---|---|
| <policer-id> | The policer ID. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show system control-plane policer bfd statistics
operational applied
------------- ----------- -------
policer-cbs 11
policer-cir 2000
policer-id 10
to-cpu-bytes 0
to-cpu-pkts 0
trap-group-id 17
violated-pkts 0
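The violated-pkts counter above is the one to watch: a policer that is dropping packets means either that the CPU is receiving more of that traffic class than the rate and burst allow, or that the policer is set too low for legitimate load. The following is an added example, not Cumulus Linux code: it parses the two-column operational/applied output of nv show system control-plane policer <policer-id> statistics and flags a policer with drops. It assumes the columns are aligned under the dash separator line, as in the example above; the sample text is constructed in that shape with a non-zero violated-pkts value, which the page's own example does not have.

```python
"""Added example (not Cumulus Linux code): parse the operational/applied
key/value table printed by 'nv show system control-plane policer <id>
statistics' and flag policers that have violated (dropped) packets. Column
boundaries are read from the dash separator line, so the parser works for
any NVUE table of this shape. The sample output below is constructed."""
import re

# Constructed sample in the shape of the bfd policer output shown above, with
# a non-zero violated-pkts counter to give the check something to find.
SAMPLE = """\
              operational applied
------------- ----------- -------
policer-cbs   11
policer-cir   2000
policer-id    10
to-cpu-bytes  8192
to-cpu-pkts   64
trap-group-id 17
violated-pkts 3
"""


def column_spans(separator):
    """(start, end) of each dash run in a separator line such as
    '------------- ----------- -------'; these are the column boundaries."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]


def parse_nvue_table(text):
    """Return {attribute: {column_name: value}} for a key/value NVUE table.
    The first column has no header and holds the attribute name; the other
    headers name the revisions (operational, applied, pending)."""
    lines = [line for line in text.splitlines() if line.strip()]
    for i, line in enumerate(lines):
        if i > 0 and re.fullmatch(r"[- ]+", line):
            header, spans, body = lines[i - 1], column_spans(line), lines[i + 1:]
            break
    else:
        raise ValueError("no separator line found")
    names = [header[s:e].strip() or "key" for s, e in spans]
    rows = {}
    for line in body:
        cells = []
        for idx, (s, e) in enumerate(spans):
            # The last column is open-ended so a wide value is not cut off.
            cells.append(line[s:e].strip() if idx < len(spans) - 1 else line[s:].strip())
        rows[cells[0]] = dict(zip(names[1:], cells[1:]))
    return rows


def policer_drops(text, revision="operational"):
    """(violated_pkts, to_cpu_pkts) for one policer; empty cells count as 0."""
    rows = parse_nvue_table(text)

    def counter(name):
        value = rows.get(name, {}).get(revision, "")
        return int(value) if value else 0

    return counter("violated-pkts"), counter("to-cpu-pkts")


def needs_attention(text):
    """True when the policer has dropped packets toward the CPU."""
    violated, _ = policer_drops(text)
    return violated > 0


if __name__ == "__main__":
    violated, to_cpu = policer_drops(SAMPLE)
    print(f"to-cpu-pkts={to_cpu} violated-pkts={violated} "
          f"attention={'yes' if needs_attention(SAMPLE) else 'no'}")
```

Because the counters are cumulative, a useful check compares two captures taken some minutes apart rather than alerting on any non-zero value; a policer whose violated-pkts keeps climbing while to-cpu-pkts stays flat is the pattern worth investigating.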
nv show system control-plane trap
Shows the control plane trap configuration.
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show system control-plane trap
nv show system control-plane trap <trap-id>
Shows specific control plane trap configuration.
Command Syntax
| Syntax | Description |
|---|---|
| <trap-id> | The trap ID. |
Version History
Introduced in Cumulus Linux 5.0.0
Example
cumulus@switch:~$ nv show system control-plane trap l3-mtu-err
operational applied
----- ----------- -------
state off off