NVIDIA MLNX-OS User Manual v3.11.1014
v8.2.2200

Control Plane Policing (CoPP)

Control Plane Policing or Policies (CoPP) ensures the CPU and control plane are not over-utilized which is essential for the robustness of the switch. CoPP limits the number of control plane packets.

This software implements several CoPP mechanisms:

  • ACLs may be used to limit the rate of packets or bytes of a certain type, including L3 control packets (L2 control packets are forwarded to the CPU before the ACL)

  • Policers on traffic going to the CPU—these policers are configured by the operating system and cannot be modified by the user

  • IP filter tables limit the traffic to the CPU coming in from the management ports

IP table filtering is a mechanism that allows the user to apply actions to a specific control packet flow identified by a certain flow key.

This mechanism is used in order to protect switch control traffic against attacks. For example, it could allow traffic coming from a specific trusted management subnet only, block the SNMP UDP port from receiving traffic, and force ping rate to be lower than a specific threshold.
Each IP table rule is defined by key, priority, and action:

  • Key—the key is a combination of physical port and layer 3 parameters (e.g. SIP, DIP, SPORT, DPORT, etc.), and other fields. Each part of the key, can be set to a specific value or masked.

  • Priority—each rule in the IP table is assigned a priority, and the rule with the highest priority whose key matches the packet executes the action.

  • Action—the action describes the behavior of packets which match the key. The action type may be drop, accept, rate limit, etc.

An IP-table rule is bound to an IP interface that can be a management out-of-band interface, VLAN interface, or router port interface. Once bound, all traffic received (ingress rule) or transmitted (egress rule) in this direction is being verified with all bounded rules.

Once a match was found, the rule action is executed. If no match is found, the default policy of the chain shall apply.

Warning

IP table rules get a lower priority than ACL mechanism.

Warning

In the rare case that IP filter is used while the input policy is "drop" (i.e., ip filter chain input policy drop) and an NTP server or an InfiniBand switch with SM HA enabled is used, then the following rule needs to be added that allows src-ip 127.0.0.1 (which is a requirement for any clustered application (e.g., sm-ha) and NTP):

ip filter chain input rule append tail target accept dup-delete source-addr 127.0.0.1 /32

Configuring IP Table Filtering

Prerequisite for IPv6:

Copy
Copied!
            

switch (config) # ipv6 enable

To configure IPv4 table filtering:

  1. Select the policy that applies to the input/output chain (default is “accept”).

    Copy
    Copied!
                

    switch (config)# ip filter chain input policy drop switch (config)# ip filter chain output policy accept

  2. Append filtering rules to the list or set a specific rule number, select a target, and (optional) any additional filter conditions. For example:

    Copy
    Copied!
                

    switch (config) # ip filter chain input rule append tail target rate-limit 2 protocol udp switch (config) # ip filter chain input rule set 2 target drop protocol icmp in-intf mgmt1 switch (config) # ip filter chain output rule append tail target drop protocol icmp

  3. Enable IP table filtering.

    Copy
    Copied!
                

    switch (config) # ip filter enable

  4. Verify IP table filtering configuration.

    Copy
    Copied!
                

    switch (config) # show ip filter configured   Packet filtering for IPv4: enabled   IPv4 configuration: Chain 'input' Policy 'accept': Rule 1: Target : rate-limit 2 pps Protocol : udp Source : all Destination : all Interface : all State : any Other Filter: -   Rule 2: Target : drop Protocol : icmp Source : all Destination : all Interface : mgmt1 (ingress) State : any Other Filter: -   Chain 'output' Policy 'accept': Rule 1: Target : drop Protocol : icmp Source : all Destination : all Interface : all State : any Other Filter: -

Modifying IP Table Filtering

To modify IP table filtering configuration:

Copy
Copied!
            

switch (config) # ip filter chain input rule modify 3 target reject-with icmp6-adm-prohibited source-addr 10::0 /126

To delete an existing IP table filtering rule:

Copy
Copied!
            

switch (config) # no ip filter chain input rule 2

To delete all existing IP table filtering rules:

Copy
Copied!
            

switch (config) # no ip filter chain output rule all

To insert an IP table filtering rule in a chain:

Copy
Copied!
            

switch (config) # ip filter chain input rule 2 set target drop protocol tcp dest-port 22 in-intf mgmt1


Rate-Limit Rule Configuration

Using a rate-limit target allows to create a rule to limit the rate of certain traffic types. The limit is specified in packets per second (pps) and can be anywhere between 1-1000 pps. When enabled, the system takes the user specified rate and converts it into units of 1/10000 of a second. Therefore, any value greater than 100 can have a slight difference when the rule is displayed using the show command.

Unlike other rules which are a match type of rule, limiting packets should be followed by a rule that drops additional packets of the same “type”. Alternatively, this can be implicitly achieved by setting the chain policy to “drop” so that it drops packets not processed by matching rules. Otherwise, no effect of the rule is observed as the remaining traffic simply gets accepted.

Warning

Rate-limit is implemented with an average rate and a burst-limit. Rate values are specified in pps and take a range from 1-1000 pps. For rate values in the range 1-100, the burst value is set equal to the rate value. For rate values in the range 101-1000, the burst limit is set to 100.


IP Table Filtering Default Rules

IP table filtering is enabled and Firewall default IP filter rules are applied.

  • To reset/apply default rules on system, run the command “ip filter reset-to-default-rules

  • To enable IP Filter, run the command “ip filter enable”

  • To list the default firewall rules, run the command “show ip filter”

  • Note when touching a default rule (delete/move/modify) all IP Filter rules will be reflected on “show running-config”, to restore default rules, run the command “ip filter reset-to-default-rules”

  • Restoring factory default configuration will reset the default rules and enable the feature

Firewall Default Rules

Prerouting-Mangle Chain Rules

  • ip filter chain prerouting-mangle rule append tail target drop in-intf mgmt0 protocol tcp conntrack new tcp-op-mss mss-not-in-range 536:65535 not-dest-port 22

Input Chain Rules

  • ip filter chain input rule append tail target accept in-intf lo

  • ip filter chain input rule append tail target drop in-intf mgmt0 dest-addr 127.0.0.0 /8

  • ip filter chain input rule append tail target accept in-intf mgmt0 state established,related

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol tcp tcp-op syn match-not-syn state new

  • ip filter chain input rule append tail target drop in-intf mgmt0 fragment enable

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol tcp tcp-op flags all

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol tcp tcp-op flags none

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp tcp-op flags reset rate-limit 2/second burst-limit 2",

  • ip filter chain input rule append tail target drop in-intf mgmt0 state invalid

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp state new rate-limit 50/second burst-limit 50

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol tcp state new tcp-op syn match-not-syn not-dest-port 22

  • ip filter chain input rule append tail target drop in-intf mgmt0 recent name "portscan" recent rcheck-sec 86400

  • ip filter chain input rule append tail target none in-intf mgmt0 recent name portscan recent remove

  • ip filter chain input rule append tail target none in-intf mgmt0 protocol tcp dest-port 22 conntrack new recent set

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol tcp dest-port 22 conntrack new recent update-sec 60 recent hitcount 10

  • ip filter chain input rule append tail target none in-intf mgmt0 protocol tcp dest-port 443 conntrack new recent set

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol tcp dest-port 443 conntrack new recent update-sec 60 recent hitcount 10

  • ip filter chain input rule append tail target none in-intf mgmt0 protocol udp dest-port 161 conntrack new recent set

  • ip filter chain input rule append tail target drop in-intf mgmt0 protocol udp dest-port 161 conntrack new recent update-sec 60 recent hitcount 25

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp conntrack new rate-limit 60/second burst-limit 20

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 22 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 443 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 179 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 68 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 122 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 161 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 6306 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 69 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 389 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 389 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 1812-1813 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 49 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 49 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp source-port 53 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp source-port 53 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 500 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 4500 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 1293 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 1293 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol udp dest-port 1707 conntrack new,established

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol tcp dest-port 1707 conntrack new,established

  • ip filter chain input rule append tail target accept protocol udp dest-port 3786 conntrack new,established in-intf lo

  • ip filter chain input rule append tail target accept protocol udp dest-port 33000 conntrack new,established in-intf lo

  • ip filter chain input rule append tail target accept in-intf mgmt0 protocol icmp

  • ip filter chain input rule append tail target accept dup-delete source-port 5353 dest-port 5353 in-intf mgmt0 protocol udp conntrack new,established

  • ip filter chain input rule append tail target logging in-intf mgmt0

Output Chain Rules

  • ip filter chain output rule append tail target drop out-intf mgmt0 state invalid

  • ip filter chain output rule append tail target accept out-intf mgmt0

Logging Chain Rules

  • ip filter chain logging rule append tail target nflog in-intf mgmt0 rate-limit 1/minute logging-options prefix "IPTables-Dropped-<Domain>: " logging-options group 3

  • ip filter chain logging rule append tail target drop in-intf mgmt0

ip filter enable | ipv6 filter enable

{ip | ipv6} filter enable

no {ip | ipv6} filter enable

Enables IP filtering.

The no form of the command disables IP filtering.

Syntax Description

N/A

Default

ip Enabled

ip6 Disabled

Configuration Mode

config

History

3.5.1000

3.10.3000 IP Filter is enabled by default

Example

switch (config) # ip filter enable

Related Commands

Notes

It is recommended to run this command only after configuring all of the IP table filter parameters.


ip filter chain policy | ipv6 filter chain policy

{ip | ipv6} filter chain <chain_name> policy {accept | drop}

no {ip | ipv6} filter chain <chain_name> policy

Configures default policy for a specific chain (if no rule matches this default policy action shall apply).

The no form of the command resets default policy for a specific chain.

Syntax Description

chain_name

Selects a chain for which to add or modify a filter:

  • input – input chain or ingress interfaces

  • output – output chain or egress interfaces

accept

Accepts all traffic by default for this chain

drop

Drops all traffic by default for this chain

Default

Accept for input and output chains

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ipv6 filter chain input policy accept

Related Commands

Notes


ip filter chain rule target | ipv6 filter chain rule target

{ip | ipv6} filter chain <chain_name> rule <oper> target <target> [<param>]

no {ip | ipv6} filter chain <chain_name> rule {<number> | all}

Inserts rule before specified rule number.

The no form of the command deletes rule for a specific chain.

Syntax Description

chain_name

A chain to which to add or modify a filter:

  • input – input chain or ingress interfaces

  • output – output chain or egress interfaces

rule

  • append tail – appends operation to the bottom of operation list

  • insert <oper_num> – inserts operation at specified position (existing operation at that position moves back in the list)

  • modify <oper_num> – modifies existing operation at specified position. Only the parameters specified in this invocation are altered; everything else is left untouched.

  • move <oper_num1> to <oper_num2> – moves one operation to another place in the operation list

  • set <oper_num> – sets operation at specified position (overwrites existing)

target

  • accept – allows the packets that match the rule into the management plane

  • drop – drops packets that match the rule

  • rate-limit – allows with rate limiting in packets per sec (PPS)

  • reject-with – drops the packet and replies with an ICMP error message

param

  • comment <text> – specifies description string for this rule (60 chars max)

  • dest-addr <ip> – IP matching a specific destination address or address range. A specific IPv4 address can be provided or an entire subnet by giving an address along with netmask in dot notation or as a CIDR notation (e.g.

    /24).

  • not-dest-addr <ip> – IP not matching a specific destination address range

  • dest-port <port(s)> – matching a specific destination port or port range

  • not-dest-port <port(s)> – port not matching a specific destination port or port range

  • dup-delete – deletes any preexisting duplicates of this rule

  • in-intf – interface matching a specific inbound interface

  • not-in-intf <if_name> – interface not matching a specific inbound interface

  • out-intf <if_name> – matches a specific outbound interface

  • not-out-intf <if_name> – interface not matching a specific outbound interface

param4 (cont.)

  • protocol <if_name> – matches a specific protocol

  • tcp

  • udp

  • icmp

  • all

  • not-protocol <protocol> – does not match a specific protocol

  • tcp

  • udp

  • icmp

  • all

  • source-addr <ip> – matches a specific source address range

  • not-source-addr <ip> – does not match a specific source address range

  • source-port <port(s)> – matches a specific source port or port range

  • not-source-port <port(s)> – does not match a specific source port or port range

  • state – matches packets in a particular state. Possible values:

  • established – packet associated with an established connection which has seen traffic in both directions

  • related – packet that starts a new connection but is related to an existing connection

  • new – packet that starts a new, unrelated connection

  • A combination can be entered separated by commas

Default

N/A

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ipv6 filter enable chain input rule append tail target drop state related protocol all dup-delete

Related Commands

Notes

  • The source and destination ports may each be either a single number, or a range specified as “<low>-<high>”. For example: “10-20” would specify ports 10 through 20 (inclusive).

  • The port parameter only works in conjunction with TCP and UDP

  • Setting a “positive” rule removes any corresponding “not-” rules, and vice-versa

  • The “state” parameter is a classification of the packet relative to existing connections

  • If TCP or UDP are selected for the “protocol” parameter, source and/or destination ports may be specified. If ICMP is selected, these options are either ignored, or an error is produced.


ip filter options include-bridges

{ip | ipv6} filter options include-bridges

no {ip | ipv6} filter options include-bridges

Applies IP filters to bridges

Syntax Description

N/A

Default

Disabled

Configuration Mode

config

History

3.5.1000

Example

switch (config) # ip filter options include-bridges

Related Commands

Notes


ip filter reset-to-default-rules

ip filter reset-to-default-rules

Deletes all configured IP filter rules and add the default rules defined in the user manual under section "IP Table Filtering Default Rules", above.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.10.3000

Example

switch (config) # ip filter reset-to-default-rules

Related Commands

Notes


show ip filter

show ip filter

Displays IPv4 filtering state.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ip filter

Packet filtering for IPv4: enabled

Active IPv4 filtering rules (omitting any not from configuration):

Chain 'input' Policy 'accept':

Rule 1:

Target : accept

Protocol : all

Source : all

Destination : 1.1.1.0/24

Interface : all

State : any

Other Filter: -

Chain 'output' Policy 'accept':

Rule 1:

Target : reject-with icmp-net-unreachable

Protocol : tcp

Source : all

Destination : all

Interface : all

State : any

Other Filter: dest-port 1000

Related Commands

Notes


show ip filter all

show ip filter all

Displays IPv4 filtering state (including un-configured rules).

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ip filter all

Destination : 1.1.1.0/24

Interface : all

State : any

Other Filter: -

Chain 'output' Policy 'accept':

Rule 1:

Target : reject-with icmp-net-unreachable

Protocol : tcp

Source : all

Destination : all

Interface : all

State : any

Other Filter: dest-port 1000

Related Commands

Notes


show ip filter configured

show ip filter configured

Displays IPv4 filtering configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ip filter configured 

Packet filtering for IPv4: enabled

IPv4 configuration:

Chain 'input' Policy 'accept':

Rule 1:

Target : accept

Protocol : all

Source : all

Destination : 1.1.1.0/24

Interface : all

State : any

Other Filter: -

Chain 'output' Policy 'accept':

Rule 1:

Target : reject-with icmp-net-unreachable

Protocol : tcp

Source : all

Destination : all

Interface : all

State : any

Other Filter: dest-port 1000

Related Commands

Notes


show ipv6 filter

show ipv6 filter

Displays IPv6 filtering state.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ipv6 filter 

Packet filtering for IPv6: enables

Active IPv6 filtering rules (omitting any not from configuration):

Chain 'input' Policy 'accept':

Rule 1:

Target : accept

Protocol : all

Source : all

Destination : 1.1.1.0/24

Interface : all

State : any

Other Filter: -

Chain 'output' Policy 'accept':

Rule 1:

Target : reject-with icmp-net-unreachable

Protocol : tcp

Source : all

Destination : all

Interface : all

State : any

Other Filter: dest-port 1000

Related Commands

Notes


show ipv6 filter all

show ipv6 filter all

Displays IPv6 filtering state (including un-configured rules).

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ipv6 filter all 

Packet filtering for IPv6: enables

All active IPv6 filtering rules:

Chain 'input' Policy 'accept':

Rule 1:

Target : accept

Protocol : all

Source : all

Destination : 1.1.1.0/24

Interface : all

State : any

Other Filter: -

Chain 'output' Policy 'accept':

Rule 1:

Target : reject-with icmp-net-unreachable

Protocol : tcp

Source : all

Destination : all

Interface : all

State : any

Other Filter: dest-port 1000

Related Commands

Notes


show ipv6 filter configured

show ipv6 filter configured

Displays IPv6 filtering configuration.

Syntax Description

N/A

Default

N/A

Configuration Mode

config

History

3.6.6000

Example

switch (config) # show ipv6 filter configured 

Packet filtering for IPv6: enables

IPv6 configuration:

Chain 'input' Policy 'accept':

Rule 1:

Target : accept

Protocol : all

Source : all

Destination : 1.1.1.0/24

Interface : all

State : any

Other Filter: -

Chain 'output' Policy 'accept':

Rule 1:

Target : reject-with icmp-net-unreachable

Protocol : tcp

Source : all

Destination : all

Interface : all

State : any

Other Filter: dest-port 1000

Related Commands

Notes


© Copyright 2023, NVIDIA. Last updated on Nov 9, 2023.