Control Plane Security Operational Commands

Show Commands

This section describes operational commands available to verify various control-plane security features.

Verifying ACLs

The show acl command displays both the protocol ACLs that control-plane security creates (such as the LLDP, RADIUS and inband-management trap rules below) and user-defined ACLs.

Syntax:

show acl <options>

Option        Description

detail        Displays all ACL details

<acl-name>    Displays the details for a single ACL

Example 1: Protocol ACL with Control-Plane Security enabled

supervisor@rtbrick>LEAF01: op>  show acl detail

Rule: lldp.ifp-0/0/1.trap.rule
  ACL type: l2
  Ordinal: -
    Match:
      Attachment point: ifp-0/0/1
      Direction: ingress
      Destination MAC: 01:80:c2:00:00:0e
    Action:
      Redirect to CPU: True
      Policer profile name: _DEFAULT_POLICER_50_MB
    Result:
      Trap ID: LLDP
<...>
Rule: radius-srv1-v4-auth-trap
  ACL type: l3v4
  Ordinal: -
    Match:
      Source L4 port: 1812
      IP protocol: UDP
    Action:
      Redirect to CPU: True
      Policer profile name: _DEFAULT_POLICER_20_MB
    Result:
      Trap ID: Radius
<...>

Example 2: ACL for Inband Management with Source Prefix List

supervisor@rtbrick>LEAF01: op>  show acl detail

Rule: ifm.inband.mgmt.lo-0/0/0/1.ssh.client.v4.trap.rule.1
  ACL type: l3v4
  Ordinal: 1
    Match:
      Destination IPv4 address: 198.51.100.91
      Source IPv4 address: 198.51.100.92
      Source L4 port: 22
      IP protocol: TCP
    Action:
      Redirect to CPU: True
    Result:
      Trap ID: INBAND

Example 3: User-defined ACL to Protect "my IP"

supervisor@rtbrick>LEAF01: op> show acl Protect-CP-v4

Rule: Protect-CP-v4
  ACL type: l3v4
  Ordinal: 1
    Match:
      Direction: ingress
      Destination IPv4 prefix: 198.51.100.91/24
      Source IPv4 prefix: 198.51.100.90/24
      IP protocol: ICMP
    Action:
      Permit: True
    Result:
      Trap ID: User Defined
  Ordinal: 2
    Match:
      Direction: ingress
      Destination IPv4 prefix: 198.51.100.91/24
    Action:
      Drop: True
    Priority: 5
    Result:
      Trap ID: User Defined
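
Beyond confirming that a rule exists, two things are worth checking in this output: whether each rule that redirects traffic to the CPU carries a policer profile (the INBAND rule in Example 2 has none, unlike the LLDP and RADIUS trap rules in Example 1), and whether a prefix in a user-defined rule says what was intended (198.51.100.91/24 in Example 3 matches the whole of 198.51.100.0/24, not one address). The following Python parser is an added example written for this page, not RBFS code or tooling. It assumes the indentation shown above (Rule at column 0, Ordinal at column 2, section headers at 4, keys at 6) and, as an assumption, treats a CPU redirect without a rule-level policer as unpoliced by that rule; whether anything else limits such a flow is platform-specific and is not claimed here.

```python
import ipaddress
from dataclasses import dataclass, field

# Sample "show acl detail" output, copied from Examples 1 to 3 above and trimmed
# to the lines the checks below need.
SAMPLE = """\
Rule: radius-srv1-v4-auth-trap
  ACL type: l3v4
  Ordinal: -
    Match:
      Source L4 port: 1812
    Action:
      Redirect to CPU: True
      Policer profile name: _DEFAULT_POLICER_20_MB
    Result:
      Trap ID: Radius
Rule: ifm.inband.mgmt.lo-0/0/0/1.ssh.client.v4.trap.rule.1
  ACL type: l3v4
  Ordinal: 1
    Match:
      Destination IPv4 address: 198.51.100.91
      IP protocol: TCP
    Action:
      Redirect to CPU: True
    Result:
      Trap ID: INBAND
Rule: Protect-CP-v4
  ACL type: l3v4
  Ordinal: 1
    Match:
      Destination IPv4 prefix: 198.51.100.91/24
      Source IPv4 prefix: 198.51.100.90/24
      IP protocol: ICMP
    Action:
      Permit: True
    Result:
      Trap ID: User Defined
  Ordinal: 2
    Match:
      Destination IPv4 prefix: 198.51.100.91/24
    Action:
      Drop: True
    Priority: 5
    Result:
      Trap ID: User Defined
"""

@dataclass
class AclEntry:
    rule: str
    acl_type: str
    ordinal: str
    match: dict = field(default_factory=dict)
    action: dict = field(default_factory=dict)
    result: dict = field(default_factory=dict)
    attrs: dict = field(default_factory=dict)  # entry-level keys such as Priority

def parse_show_acl_detail(text):
    """One AclEntry per Ordinal line; key/value pairs go into the open section."""
    entries, rule, acl_type, cur, section = [], None, None, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")  # first colon only: MACs keep theirs
        key, value = key.strip(), value.strip()
        if key == "Rule":
            rule, acl_type, cur, section = value, None, None, None
        elif key == "ACL type":
            acl_type = value
        elif key == "Ordinal":
            cur = AclEntry(rule, acl_type, value)
            entries.append(cur)
            section = None
        elif value == "" and key in ("Match", "Action", "Result"):
            section = key.lower()
        elif cur is not None and section is not None and indent > 4:
            getattr(cur, section)[key] = value
        elif cur is not None:
            cur.attrs[key] = value  # e.g. "Priority: 5", printed at section level
    return entries

def audit(entries):
    """Review findings: unpoliced CPU redirects and prefixes with host bits set."""
    findings = []
    for e in entries:
        tag = f"{e.rule} ordinal {e.ordinal}"
        # Not rate-limited by this rule; whether anything else limits the flow
        # is platform-specific (assumption), so flag it for review.
        if e.action.get("Redirect to CPU") == "True" and "Policer profile name" not in e.action:
            findings.append(f"{tag}: redirects to CPU without a policer profile")
        # 198.51.100.91/24 matches all of 198.51.100.0/24, not a single host.
        for key, value in e.match.items():
            if key.endswith("prefix"):
                net = ipaddress.ip_network(value, strict=False)
                if str(net) != value:
                    findings.append(f"{tag}: {key} {value} has host bits set; matches all of {net}")
    return findings
```

Running audit(parse_show_acl_detail(SAMPLE)) yields four findings: the INBAND rule without a policer, and the three /24 prefixes whose host bits are set. A prefix finding is not necessarily a mistake, but a "protect my IP" rule that permits ICMP from an entire /24 deserves a second look.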

Verifying ACL Counters

The show acl statistics command displays the packet and byte counters of the ACLs. Use the counters to confirm that an ACL rule actually matches traffic, and that traffic you expect to be discarded is counted in the Dropped column; entries that show "-" report no counters. Statistics can be displayed for all ACLs or for a single ACL by name.

Syntax:

show acl statistics

show acl <acl-name> statistics

Example 1: ACL statistics information

supervisor@rtbrick>LEAF01: cfg> show acl statistics
ACL                                                                            Units      Total       Accepted    Dropped
lldp.ifp-0/0/12.trap.rule                                                      Packets    -           -           -
                                                                               Bytes      -           -           -
lldp.ifp-0/0/16.trap.rule                                                      Packets    -           -           -
                                                                               Bytes      -           -           -
lldp.ifp-0/0/27.trap.rule                                                      Packets    -           -           -
                                                                               Bytes      -           -           -
lldp.ifp-0/0/53.trap.rule                                                      Packets    -           -           -
                                                                               Bytes      -           -           -
default_bgp_l4_trap_12::2_12::1_dst                                            Packets    12          12          0
                                                                               Bytes      1353        1353        0
default_bgp_l4_trap_12::2_12::1_src                                            Packets    12          12          0
                                                                               Bytes      1353        1353        0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst                                      Packets    12          12          0
                                                                               Bytes      1353        1353        0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst                                      Packets    -           -           -
                                                                               Bytes      -           -           -
default_bgp_l4_trap_12.0.0.2_12.0.0.1_src                                      Packets    12          12          0
                                                                               Bytes      1353        1353        0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_src                                      Packets    -           -           -
                                                                               Bytes      -           -           -
supervisor@rtbrick: cfg>

Example 2: Display ACL statistics information for the specified ACL

supervisor@rtbrick>LEAF01: cfg> show acl default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst statistics
ACL                                                                            Units      Total       Accepted    Dropped
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst                                      Packets    20          20          0
                                                                               Bytes      1917        1917        0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst                                      Packets    -           -           -
                                                                               Bytes      -           -           -
supervisor@rtbrick>LEAF01: cfg>
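
Checking the table by eye does not scale once every interface has its own trap rules, so the verification this section describes (did the rule match at all, and is the unwanted traffic actually being dropped) is better scripted. The following Python parser is an added example written for this page, not part of RBFS or its tooling. It reads the output as printed above (ACL name on the Packets line, blank on the Bytes line, "-" where no counters are reported), aggregates repeated entries that carry the same ACL name, and reports ACLs with no hits and ACLs with drops. The Protect-CP-v4 row in the sample is constructed and not taken from the page; it is there so the drop path is exercised.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample "show acl statistics" output: rows copied from Example 1 above plus a
# constructed Protect-CP-v4 row (not from the page) so the drop path is exercised.
SAMPLE = """\
ACL                                                                            Units      Total       Accepted    Dropped
lldp.ifp-0/0/12.trap.rule                                                      Packets    -           -           -
                                                                               Bytes      -           -           -
default_bgp_l4_trap_12::2_12::1_dst                                            Packets    12          12          0
                                                                               Bytes      1353        1353        0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst                                      Packets    12          12          0
                                                                               Bytes      1353        1353        0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst                                      Packets    -           -           -
                                                                               Bytes      -           -           -
Protect-CP-v4                                                                  Packets    40          10          30
                                                                               Bytes      3200        800         2400
supervisor@rtbrick>LEAF01: cfg>
"""

# One counter row. The ACL name is printed on the Packets line only; the Bytes
# line that follows belongs to the same ACL. "-" means no counters are reported.
ROW = re.compile(
    r"^(?P<name>\S+)?\s+(?P<units>Packets|Bytes)\s+"
    r"(?P<total>\S+)\s+(?P<accepted>\S+)\s+(?P<dropped>\S+)\s*$"
)


@dataclass
class AclCounter:
    name: str
    packets: Optional[tuple]          # (total, accepted, dropped) or None for "-"
    octets: Optional[tuple] = None


def _counters(m):
    vals = [m.group(k) for k in ("total", "accepted", "dropped")]
    return None if "-" in vals else tuple(int(v) for v in vals)


def parse_show_acl_statistics(text):
    """One AclCounter per Packets/Bytes pair, in display order (names may repeat)."""
    rows, name = [], None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                                  # header line and CLI prompt
        if m.group("name"):
            name = m.group("name")
        if m.group("units") == "Packets":
            rows.append(AclCounter(name, _counters(m)))
        elif rows:
            rows[-1].octets = _counters(m)
    return rows


def summarize(rows):
    """Per-ACL packet totals across all rows that carry that name."""
    summary = {}
    for r in rows:
        s = summary.setdefault(r.name, {"rows": 0, "counted": 0, "total": 0, "accepted": 0, "dropped": 0})
        s["rows"] += 1
        if r.packets is None:
            continue
        total, accepted, dropped = r.packets
        if accepted + dropped != total:               # sanity check on the counters
            raise ValueError(f"{r.name}: accepted + dropped != total")
        s["counted"] += 1
        s["total"] += total
        s["accepted"] += accepted
        s["dropped"] += dropped
    return summary


def classify(summary):
    """ACLs that report no hits at all, and ACLs that are dropping traffic."""
    no_hits = sorted(n for n, s in summary.items() if s["total"] == 0)
    dropping = {n: s["dropped"] for n, s in summary.items() if s["dropped"] > 0}
    return no_hits, dropping
```

For the sample, classify(summarize(parse_show_acl_statistics(SAMPLE))) reports lldp.ifp-0/0/12.trap.rule under no hits and Protect-CP-v4 dropping 30 packets. An ACL that never shows hits while the protocol it protects is clearly running is the case to investigate: the rule may be matching the wrong fields, or the traffic may be arriving through another path.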

Verifying Control Plane Policers

The show qos policer command displays the policers that the control-plane security feature creates. These are the _DEFAULT_POLICER_<rate>_MB policers that the protocol ACLs reference in their Policer profile name field. A single policer, including one configured for other purposes, can also be displayed by name.

Syntax:

show qos policer <options>

Option           Description

-                Displays all policers created by the control-plane security feature

<policer-name>   Displays information about the specified policer

counter          Displays all policer counters

Example 1: Display information of all policers created by the control-plane security feature

supervisor@rtbrick>LEAF01: cfg> show qos policer
Policer: _DEFAULT_POLICER_100_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        100000         100000         33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_1_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        1000           1000           33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_20_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        20000          20000          33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_250_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        250000         250000         33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_500_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        500000         500000         33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_50_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        50000          50000          33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_5_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        5000           5000           33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
supervisor@rtbrick>LEAF01: cfg>
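
The numbers above are easier to reason about once turned into time: the CBS column is the same 33000 KB for every default policer, so a low-rate policer allows a burst that is very large relative to its rate. The following Python code is an added example for this page, not RBFS code. It parses the output shown above (copied into the sample, together with the hierarchical policer from Example 2) and, assuming that KB means 1000 bytes and Kbps 1000 bit/s, computes how many seconds of traffic at CIR the committed burst holds. It also flags policers whose CIR equals PIR and CBS equals PBS: a two-rate three-color policer configured that way never marks yellow, because a packet that exceeds the committed bucket also exceeds the peak bucket, so it behaves as a two-color policer.

```python
import re
from dataclasses import dataclass, field

# Sample "show qos policer" output, copied from Examples 1 and 2 above (two of
# the default policers plus the hierarchical one).
SAMPLE = """\
Policer: _DEFAULT_POLICER_100_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        100000         100000         33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: _DEFAULT_POLICER_1_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        1000           1000           33000          33000          -              -
  2        -              -              -              -              -              -
  3        -              -              -              -              -              -
  4        -              -              -              -              -              -
Policer: Premium_Upstream_Hierarchical_Policer
Active: False, Type: two-rate-three-color, Levels: 4, Flags: color-blind
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        1000           1200           1000           1000           -              -
  2        900            1000           1000           1000           -              -
  3        5000           5200           1000           1000           -              -
  4        6000           6200           1000           1000           -              -
"""

HEADER = re.compile(r"Active:\s*(\w+),\s*Type:\s*(\S+),\s*Levels:\s*(\d+),\s*Flags:\s*(\S+)")
# A level row: level number, CIR, PIR, CBS, PBS, Max CIR, Max PIR.
LEVEL = re.compile(r"^\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s*$")


@dataclass
class Policer:
    name: str
    active: bool = False
    ptype: str = ""
    levels: int = 0
    flags: str = ""
    rates: dict = field(default_factory=dict)   # level -> (cir_kbps, pir_kbps, cbs_kb, pbs_kb)


def parse_show_qos_policer(text):
    policers = []
    for line in text.splitlines():
        if line.startswith("Policer:"):
            policers.append(Policer(line.split(":", 1)[1].strip()))
            continue
        if not policers:
            continue
        m = HEADER.search(line)
        if m:
            p = policers[-1]
            p.active, p.ptype = m.group(1) == "True", m.group(2)
            p.levels, p.flags = int(m.group(3)), m.group(4)
            continue
        m = LEVEL.match(line)
        if m and m.group(2) != "-":                 # unused levels show "-" everywhere
            policers[-1].rates[int(m.group(1))] = tuple(int(m.group(i)) for i in range(2, 6))
    return policers


def burst_seconds(cbs_kb, cir_kbps):
    """Seconds of traffic at CIR that the committed burst represents, which is
    also how long a drained bucket takes to refill. Assumes KB = 1000 bytes and
    Kbps = 1000 bit/s (assumption about the column units)."""
    return cbs_kb * 8 / cir_kbps


def effectively_two_color(p, level=1):
    """CIR == PIR and CBS == PBS: nothing is ever marked yellow."""
    cir, pir, cbs, pbs = p.rates[level]
    return cir == pir and cbs == pbs


def report(policers):
    """(policer, level) -> (burst seconds at CIR, behaves as two-color)."""
    out = {}
    for p in policers:
        for level, (cir, _pir, cbs, _pbs) in sorted(p.rates.items()):
            out[(p.name, level)] = (burst_seconds(cbs, cir), effectively_two_color(p, level))
    return out
```

For _DEFAULT_POLICER_1_MB the result is 264 seconds: a flood hitting that policer with a full bucket passes 33 MB before the policer starts dropping, and the bucket takes over four minutes at CIR to refill. For _DEFAULT_POLICER_100_MB the same burst is 2.64 seconds. Keep this in mind when reading the Accepted column of the policer counters during an event, because a large Accepted count on a low-rate policer does not by itself mean the policer is not working.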

Example 2: Display information of a specific policer

supervisor@rtbrick>LEAF01: cfg> show qos policer Premium_Upstream_Hierarchical_Policer
Policer: Premium_Upstream_Hierarchical_Policer
Active: False, Type: two-rate-three-color, Levels: 4, Flags: color-blind
  Level    CIR(Kbps)      PIR(Kbps)      CBS(KB)        PBS(KB)        Max CIR(Kbps)  Max PIR(Kbps)
  1        1000           1200           1000           1000           -              -
  2        900            1000           1000           1000           -              -
  3        5000           5200           1000           1000           -              -
  4        6000           6200           1000           1000           -              -

Example 3: Display policer counters

supervisor@rtbrick>LEAF01: cfg> show qos policer counter
Interface                         Level  Units      Total            Received         Dropped
ipv6_ll_prefix_acl                1      Packets    48               48               0
                                         Bytes      6383             6383             0
ipv6_mcast_ff01_prefix_acl        1      Packets    48               48               0
                                         Bytes      6383             6383             0
ipv6_mcast_ff02_prefix_acl        1      Packets    48               48               0
                                         Bytes      6383             6383             0
ppp-0/1/28/72339069014638594      1      Packets    0                0                0
                                         Bytes      0                0                0
ppp-0/1/28/72339069014638594      2      Packets    0                0                0
                                         Bytes      0                0                0
ppp-0/1/28/72339069014638594      3      Packets    0                0                0
                                         Bytes      0                0                0
ppp-0/1/28/72339069014638594      4      Packets    0                0                0
                                         Bytes      0                0                0
pppoed_ifp-0/1/28_1-3500-1-35     1      Packets    48               48               0
                                         Bytes      6383             6383             0
pppoed_ifp-0/1/28_1-3500-1-35     1      Packets    48               48               0
                                         Bytes      6383             6383             0
pppoed_ifp-0/1/30_1-3500-1-35     1      Packets    48               48               0
                                         Bytes      6383             6383             0
pppoed_ifp-0/1/30_1-3500-1-35     1      Packets    48               48               0
                                         Bytes      6383             6383             0

The show qos policer counter command displays the policer-level counters for subscribers. Packets that are dropped after the RPF check are currently accounted in the local.bcm.q2c.trap.stats table in FIBD.