Control Plane Security Operational Commands
Show Commands
This section describes operational commands available to verify various control-plane security features.
Verifying ACLs
The show acl command lets you verify protocol ACLs as well as user-defined ACLs.
Syntax:
| Option | Description |
|---|---|
| | Displays all ACL details |
| | Displays the details for a single ACL |
Example 1: Protocol ACL with Control-Plane Security enabled
supervisor@rtbrick>: op> show acl detail
Rule: lldp.ifp-0/0/1.trap.rule
ACL type: l2
Ordinal: -
Match:
Attachment point: ifp-0/0/1
Direction: ingress
Destination MAC: 01:80:c2:00:00:0e
Action:
Redirect to CPU: True
Policer profile name: _DEFAULT_POLICER_50_MB
Result:
Trap ID: LLDP
<...>
Rule: radius-srv1-v4-auth-trap
ACL type: l3v4
Ordinal: -
Match:
Source L4 port: 1812
IP protocol: UDP
Action:
Redirect to CPU: True
Policer profile name: _DEFAULT_POLICER_20_MB
Result:
Trap ID: Radius
<...>
Example 2: ACL for Inband Management with Source Prefix List
supervisor@rtbrick>: op> show acl detail
<...>
Rule: ifm.inband.mgmt.lo-0/0/0/0.ssh.client.v4.trap.rule.1
ACL type: l3v4
Ordinal: 1 Priority: 50
Match:
Direction: ingress
Destination IPv4 address: 192.0.2.1
Source IPv4 address: 10.10.10.1
Source L4 port: 22
IP protocol: tcp
IP TOS: 64
Action:
Redirect to CPU: True
Policer profile name: inband-global
Result:
Trap ID: inband
ACL Handle: 97
<...>
Example 3: User-defined ACL to Protect "my IP"
supervisor@rtbrick>: op> show acl rule myip-discard
Rule: myip-discard
ACL type: l3v4
Ordinal: 300005 Priority: 2000
Match:
Direction: ingress
Destination IPv4 prefix: 192.0.2.1/32
Action:
Stats enabled: True
Drop: True
Result:
Trap ID: user-defined
ACL Handle: 108
<...>
Verifying ACL Counters
The show acl statistics command displays the ACL packet counters. The counters are useful to verify whether the ACL rules actually match, and whether potentially malicious traffic gets dropped.
Syntax:
Example 1: ACL statistics information
supervisor@rtbrick>: op> show acl statistics
ACL Units Total Accepted Dropped
lldp.ifp-0/0/12.trap.rule Packets - - -
Bytes - - -
lldp.ifp-0/0/16.trap.rule Packets - - -
Bytes - - -
lldp.ifp-0/0/27.trap.rule Packets - - -
Bytes - - -
lldp.ifp-0/0/53.trap.rule Packets - - -
Bytes - - -
default_bgp_l4_trap_12::2_12::1_dst Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12::2_12::1_src Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
default_bgp_l4_trap_12.0.0.2_12.0.0.1_src Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_src Packets - - -
Bytes - - -
<...>
Example 2: Display ACL statistics information for a specified ACL
supervisor@rtbrick>: op> show acl default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst statistics
ACL Units Total Accepted Dropped
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 20 20 0
Bytes 1917 1917 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
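One way to use these counters in an audit, as an added example that is not part of the original documentation: the Python code below parses captured show acl statistics output and lists the ACLs that are dropping packets and the ACLs that have counted no packets. The function names are hypothetical, the sample is constructed (the myip-discard values are invented), and two behaviours are assumptions because the page does not define them: "-" is read as "no counter value reported", and repeated rows for the same ACL name are summed.

```python
import re

# Constructed sample in the page's layout; myip-discard values are invented.
SAMPLE = """\
ACL Units Total Accepted Dropped
lldp.ifp-0/0/12.trap.rule Packets - - -
Bytes - - -
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
myip-discard Packets 40 0 40
Bytes 2560 0 2560
<...>
"""

# A Packets row starts with the ACL name; the Bytes row that follows omits it.
ROW = re.compile(
    r"^(?:(?P<acl>\S+)\s+)?(?P<unit>Packets|Bytes)"
    r"\s+(?P<total>\d+|-)\s+(?P<accepted>\d+|-)\s+(?P<dropped>\d+|-)$"
)
FIELDS = ("total", "accepted", "dropped")

def parse_acl_statistics(text):
    """Return {acl: {unit: {field: int or None}}}; None means only "-" was seen."""
    stats, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # prompt, header, "<...>" and blank lines
        current = m["acl"] or current
        if current is None:
            continue  # Bytes row with no ACL name before it
        unit = stats.setdefault(current, {}).setdefault(m["unit"], dict.fromkeys(FIELDS))
        for field in FIELDS:
            if m[field] != "-":  # assumption: repeated rows for one name are summed
                unit[field] = (unit[field] or 0) + int(m[field])
    return stats

def triage(stats):
    """Split ACL names into (dropping packets, no packets counted)."""
    dropping, silent = [], []
    for acl, units in stats.items():
        packets = units.get("Packets", {})
        if packets.get("dropped"):
            dropping.append(acl)
        elif not packets.get("total"):
            silent.append(acl)
    return dropping, silent
```

Calling triage(parse_acl_statistics(SAMPLE)) returns the two lists; a drop rule that shows up in the second list has not matched any traffic yet.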
Verifying Control Plane Policers
This command displays the policers created by the control-plane security feature.
Syntax:
| Option | Description |
|---|---|
| | Displays all policers, including those created by the control-plane security feature. |
| | Displays information about a specified policer. |
| | Displays all policer counters. |
Example 1: Display information of all policers created by the control-plane security feature.
supervisor@rtbrick>: op> show qos policer
Policer: _DEFAULT_POLICER_100_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 100000 100000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_1_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 1000 1000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_20_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 20000 20000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_250_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 250000 250000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_500_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 500000 500000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_50_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 50000 50000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_5_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 5000 5000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Example 2: Display information of a specific policer
supervisor@rtbrick>: op> show qos policer _DEFAULT_POLICER_50_MB
Policer: _DEFAULT_POLICER_50_MB
Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(Kbits) PBS(Kbits) Max CIR(Kbps) Max PIR(Kbps)
1 50000 50000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Example 3: Display policer counters
supervisor@rtbrick>: op> show qos policer counter
Interface Level Units Total Received Dropped
ipv6_ll_prefix_acl 1 Packets 48 48 0
Bytes 6383 6383 0
ipv6_mcast_ff01_prefix_acl 1 Packets 48 48 0
Bytes 6383 6383 0
ipv6_mcast_ff02_prefix_acl 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/28_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/28_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/30_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/30_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
<...>
This view displays multiple rules, such as the four PPPoE rules, all referencing the same policer. This shared reference explains why they exhibit identical counter values, as they point to a single policer instance.
Example 4: Display trap statistics
supervisor@rtbrick>: op> show trap statistics
Trap Statistics Type: rpf
Statistics ID: 1
Counters:
Forward-Packets: 0
Forward-Bytes: 0
Drop-Packets: 0
Drop-Bytes: 0
Trap Statistics Type: mtu_irpp
Statistics ID: 2
Counters:
Forward-Packets: 0
Forward-Bytes: 0
Drop-Packets: 0
Drop-Bytes: 0
Trap Statistics Type: ttl1
Statistics ID: 3
Counters:
Forward-Packets: 0
Forward-Bytes: 0
Drop-Packets: 0
Drop-Bytes: 0
Trap Statistics Type: dhcp
Statistics ID: 4
Counters:
Forward-Packets: 0
Forward-Bytes: 0
Drop-Packets: 0
Drop-Bytes: 0
Trap Statistics Type: mpls_unknown_label
Statistics ID: 6
Counters:
Forward-Packets: 0
Forward-Bytes: 0
Drop-Packets: 0
Drop-Bytes: 0