Control Plane Security Operational Commands
Show Commands
This section describes operational commands available to verify various control-plane security features.
Verifying ACLs
The show acl command lets you verify both the protocol ACLs installed by the control-plane security feature (such as the LLDP and RADIUS trap rules shown below) and user-defined ACLs.
Syntax:
show acl <options>
| Option | Description |
|---|---|
| detail | Displays all ACL details |
| <acl-name> | Displays the details for a single ACL |
Example 1: Protocol ACL with Control-Plane Security enabled
supervisor@rtbrick>LEAF01: op> show acl detail
Rule: lldp.ifp-0/0/1.trap.rule
ACL type: l2
Ordinal: -
Match:
Attachment point: ifp-0/0/1
Direction: ingress
Destination MAC: 01:80:c2:00:00:0e
Action:
Redirect to CPU: True
Policer profile name: _DEFAULT_POLICER_50_MB
Result:
Trap ID: LLDP
<...>
Rule: radius-srv1-v4-auth-trap
ACL type: l3v4
Ordinal: -
Match:
Source L4 port: 1812
IP protocol: UDP
Action:
Redirect to CPU: True
Policer profile name: _DEFAULT_POLICER_20_MB
Result:
Trap ID: Radius
<...>
Example 2: ACL for Inband Management with Source Prefix List
supervisor@rtbrick>LEAF01: op> show acl detail
Rule: ifm.inband.mgmt.lo-0/0/0/1.ssh.client.v4.trap.rule.1
ACL type: l3v4
Ordinal: 1
Match:
Destination IPv4 address: 198.51.100.91
Source IPv4 address: 198.51.100.92
Source L4 port: 22
IP protocol: TCP
Action:
Redirect to CPU: True
Result:
Trap ID: INBAND
Example 3: User-defined ACL to Protect "my IP"
supervisor@rtbrick>LEAF01: op> show acl Protect-CP-v4
Rule: Protect-CP-v4
ACL type: l3v4
Ordinal: 1
Match:
Direction: ingress
Destination IPv4 prefix: 198.51.100.91/24
Source IPv4 prefix: 198.51.100.90/24
IP protocol: ICMP
Action:
Permit: True
Result:
Trap ID: User Defined
Ordinal: 2
Match:
Direction: ingress
Destination IPv4 prefix: 198.51.100.91/24
Action:
Drop: True
Priority: 5
Result:
Trap ID: User Defined
Verifying ACL Counters
The show acl statistics command displays the ACL packet and byte counters, either for all ACLs or for a single ACL specified by name. The counters are useful for verifying that an ACL rule actually matches traffic, and that potentially malicious traffic is in fact dropped.
Syntax:
show acl statistics
show acl <acl-name> statistics
Example 1: ACL statistics information
supervisor@rtbrick>LEAF01: cfg> show acl statistics
ACL Units Total Accepted Dropped
lldp.ifp-0/0/12.trap.rule Packets - - -
Bytes - - -
lldp.ifp-0/0/16.trap.rule Packets - - -
Bytes - - -
lldp.ifp-0/0/27.trap.rule Packets - - -
Bytes - - -
lldp.ifp-0/0/53.trap.rule Packets - - -
Bytes - - -
default_bgp_l4_trap_12::2_12::1_dst Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12::2_12::1_src Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
default_bgp_l4_trap_12.0.0.2_12.0.0.1_src Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_src Packets - - -
Bytes - - -
supervisor@rtbrick: cfg>
Example 2: Display ACL statistics information for the specified ACL
supervisor@rtbrick>LEAF01: cfg> show acl default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst statistics
ACL Units Total Accepted Dropped
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 20 20 0
Bytes 1917 1917 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
supervisor@rtbrick>LEAF01: cfg>
Verifying Control Plane Policers
This command displays the policers created by the control-plane security feature; when a policer is specified by name, any configured policer can be displayed.
Syntax:
show qos policer <options>
| Option | Description |
|---|---|
| - | Displays all policers created by the control-plane security feature |
| <policer-name> | Displays information about the specified policer |
| counter | Displays all policer counters |
Example 1: Display information of all policers created by the control-plane security feature
supervisor@rtbrick>LEAF01: cfg> show qos policer
Policer: _DEFAULT_POLICER_100_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 100000 100000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_1_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 1000 1000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_20_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 20000 20000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_250_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 250000 250000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_500_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 500000 500000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_50_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 50000 50000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
Policer: _DEFAULT_POLICER_5_MB
Active: True, Type: two-rate-three-color, Levels: 1, Flags: -
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 5000 5000 33000 33000 - -
2 - - - - - -
3 - - - - - -
4 - - - - - -
supervisor@rtbrick>LEAF01: cfg>
Example 2: Display information of a specific policer
supervisor@rtbrick>LEAF01: cfg> show qos policer Premium_Upstream_Hierarchical_Policer
Policer: Premium_Upstream_Hierarchical_Policer
Active: False, Type: two-rate-three-color, Levels: 4, Flags: color-blind
Level CIR(Kbps) PIR(Kbps) CBS(KB) PBS(KB) Max CIR(Kbps) Max PIR(Kbps)
1 1000 1200 1000 1000 - -
2 900 1000 1000 1000 - -
3 5000 5200 1000 1000 - -
4 6000 6200 1000 1000 - -
Example 3: Display information of policer counter
supervisor@rtbrick>LEAF01: cfg> show qos policer counter
Interface Level Units Total Received Dropped
ipv6_ll_prefix_acl 1 Packets 48 48 0
Bytes 6383 6383 0
ipv6_mcast_ff01_prefix_acl 1 Packets 48 48 0
Bytes 6383 6383 0
ipv6_mcast_ff02_prefix_acl 1 Packets 48 48 0
Bytes 6383 6383 0
ppp-0/1/28/72339069014638594 1 Packets 0 0 0
Bytes 0 0 0
ppp-0/1/28/72339069014638594 2 Packets 0 0 0
Bytes 0 0 0
ppp-0/1/28/72339069014638594 3 Packets 0 0 0
Bytes 0 0 0
ppp-0/1/28/72339069014638594 4 Packets 0 0 0
Bytes 0 0 0
pppoed_ifp-0/1/28_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/28_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/30_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/30_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
The show qos policer counter command displays the policer-level counters for subscribers. Packets that are dropped after the RPF check are currently accounted in the local.bcm.q2c.trap.stats table in FIBD instead.
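The two counter tables above (show acl statistics and show qos policer counter) share one layout: a name, an optional level, a Packets row with Total, Accepted or Received and Dropped, and a Bytes continuation line. The following Python script is an added example and not RBFS code; it parses captured output in that layout, sums rows that repeat the same name (the page prints some ACLs and policers twice; treating those as per-unit counters to be added is an assumption of this example, not something the page states), reports rules that have never matched, and reports rules or policers whose Dropped counter grew between two polls. The sample tables are constructed from the outputs on this page; the counters for the user-defined ACL Protect-CP-v4 (from Example 3) and the whole second snapshot are invented to show a drop rule being hit.

```python
from typing import Dict, List, Optional, Tuple

Key = Tuple[str, Optional[int]]   # (ACL or policer name, level or None)
Row = Dict[str, Optional[int]]    # packet counters: total, accepted, dropped

# Constructed from the 'show acl statistics' output above, plus made-up
# counters for the user-defined ACL Protect-CP-v4 of Example 3.
ACL_STATS_T0 = """\
supervisor@rtbrick>LEAF01: cfg> show acl statistics
ACL Units Total Accepted Dropped
lldp.ifp-0/0/12.trap.rule Packets - - -
Bytes - - -
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 12 12 0
Bytes 1353 1353 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
Protect-CP-v4 Packets 40 40 0
Bytes 3200 3200 0
"""
# Constructed second poll: BGP still flows; ICMP from a source outside the
# permitted prefix has started hitting the ordinal-2 drop rule.
ACL_STATS_T1 = """\
ACL Units Total Accepted Dropped
lldp.ifp-0/0/12.trap.rule Packets - - -
Bytes - - -
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets 20 20 0
Bytes 1917 1917 0
default_bgp_l4_trap_12.0.0.2_12.0.0.1_dst Packets - - -
Bytes - - -
Protect-CP-v4 Packets 200 40 160
Bytes 16000 3200 12800
"""
# Constructed from the 'show qos policer counter' output above; note the
# per-level rows and the policer name that is printed twice.
POLICER_T0 = """\
Interface Level Units Total Received Dropped
ppp-0/1/28/72339069014638594 1 Packets 0 0 0
Bytes 0 0 0
ppp-0/1/28/72339069014638594 2 Packets 0 0 0
Bytes 0 0 0
pppoed_ifp-0/1/28_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
pppoed_ifp-0/1/28_1-3500-1-35 1 Packets 48 48 0
Bytes 6383 6383 0
"""


def _num(tok: str) -> Optional[int]:
    """A '-' cell has no counter value; this example treats it as absent (assumption)."""
    return None if tok == "-" else int(tok)


def parse_counters(text: str) -> Dict[Key, Row]:
    """Sum the 'name [level] Packets total accepted dropped' rows of either
    table by (name, level). Duplicate rows (assumed one per unit) are added
    together, '-' cells contribute nothing, header/prompt/Bytes lines are skipped."""
    out: Dict[Key, Row] = {}
    for line in text.splitlines():
        toks = line.split()
        if "Packets" not in toks:
            continue
        i = toks.index("Packets")
        if i == 1:
            key: Key = (toks[0], None)
        elif i == 2 and toks[1].isdigit():
            key = (toks[0], int(toks[1]))
        else:
            continue
        vals = [_num(t) for t in toks[i + 1:i + 4]]
        if len(vals) != 3:
            continue
        row = out.setdefault(key, {"total": None, "accepted": None, "dropped": None})
        for field, v in zip(("total", "accepted", "dropped"), vals):
            if v is not None:
                row[field] = (row[field] or 0) + v
    return out


def unmatched(counters: Dict[Key, Row]) -> List[Key]:
    """Entries whose packet total is absent or zero, i.e. the rule has never
    matched: normal for LLDP on an unused port, suspicious for a protocol
    the device should be receiving."""
    return [k for k in sorted(counters, key=str) if not counters[k]["total"]]


def new_drops(before: Dict[Key, Row], after: Dict[Key, Row],
              threshold: int = 0) -> Dict[Key, int]:
    """Entries whose Dropped counter grew by more than `threshold` between two
    polls. On a deny rule that is traffic hitting the protection; on a policer
    it means the protocol exceeds its CIR (e.g. a flood toward the CPU)."""
    alerts: Dict[Key, int] = {}
    for key, row in after.items():
        delta = (row["dropped"] or 0) - (before.get(key, {}).get("dropped") or 0)
        if delta > threshold:
            alerts[key] = delta
    return alerts
```

In use, the two snapshots would be the captured output of consecutive polls; new_drops(parse_counters(t0), parse_counters(t1)) on the constructed data above returns only Protect-CP-v4 with 160 newly dropped packets, while the BGP trap rule, whose counters also moved, is not reported because nothing was dropped. Feeding the policer table to the same functions lists the idle ppp levels as unmatched and reports no drops.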