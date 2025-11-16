NVUE lets you configure rate limiting on traffic so that incoming packets drop when they exceed a given threshold. NVUE provides two limiters for this: recent-list and hashlimit.

The recent-list limiter lets you dynamically create a list of IP addresses and then match against that list in several ways, for example:

```
admin@nvos:~$ nv set acl EXAMPLE2 type ipv4

admin@nvos:~$ nv set acl EXAMPLE2 rule 10 match ip tcp dest-port 22
admin@nvos:~$ nv set acl EXAMPLE2 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl EXAMPLE2 rule 10 match ip recent-list action set
admin@nvos:~$ nv set acl EXAMPLE2 rule 10 match ip recent-list name TCP-SSH-LIMIT

admin@nvos:~$ nv set acl EXAMPLE2 rule 20 match ip tcp dest-port 22
admin@nvos:~$ nv set acl EXAMPLE2 rule 20 match ip protocol tcp
admin@nvos:~$ nv set acl EXAMPLE2 rule 20 match ip recent-list action update
admin@nvos:~$ nv set acl EXAMPLE2 rule 20 match ip recent-list update-interval 60
admin@nvos:~$ nv set acl EXAMPLE2 rule 20 match ip recent-list hit-count 100
admin@nvos:~$ nv set acl EXAMPLE2 rule 20 match ip recent-list name TCP-SSH-LIMIT
admin@nvos:~$ nv set acl EXAMPLE2 rule 20 action deny

admin@nvos:~$ nv set interface eth0 acl EXAMPLE2 inbound control-plane
admin@nvos:~$ nv config apply
```

The above example limits any source IP address that sends more than 100 packets per 60-second interval to the switch. If a source exceeds this rate, all packets from that source IP address are blocked.

Note: Configuring the recent-list limiter takes two consecutive rules. Both rules must contain the same matching criteria (protocol tcp and dest-port 22 in the example above) and the same recent-list name (TCP-SSH-LIMIT in the example above). The first rule sets the recent-list action to 'set'. The second rule sets the recent-list action to 'update' and specifies the requested threshold with 'hit-count' and 'update-interval' (100 packets per 60-second interval in the example above). The second rule's action is deny.


The hashlimit limiter uses hash buckets to express a rate-limiting match for a group of connections in a single rule. You can group per host group (source and/or destination address). It lets you express "N packets per time quantum per group", for example:

```
admin@nvos:~$ nv set acl EXAMPLE3 type ipv4
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip tcp dest-port 22
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip hashlimit name TCP-SSH-LIMIT
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip hashlimit rate-above 5/min
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip hashlimit burst 2
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip hashlimit expire 3000
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip hashlimit mode src-ip
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 match ip hashlimit source-mask 32
admin@nvos:~$ nv set acl EXAMPLE3 rule 10 action deny
admin@nvos:~$ nv set interface eth0 acl EXAMPLE3 inbound control-plane
admin@nvos:~$ nv config apply
```

The above example limits any source IP address that sends more than 5 packets per minute to the switch, with a burst of 2 packets. If a source exceeds this rate, all packets from that source IP address are blocked for 3000 milliseconds, as specified in the expire parameter, after which it can send again.

Note: You configure the hashlimit limiter in one single ACL rule. The following parameters are required for hashlimit: name, rate-above, burst, expire and mode. The source-mask and destination-mask parameters are optional.
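As an added example (not NVOS code) that serves both the recent-list and the hashlimit descriptions above, the following Python models the two limiters so you can check what a given hit-count/update-interval or rate-above/burst/expire setting lets through from one source. The per-source token bucket, and the assumption that an entry idle for longer than expire regains a full burst, are this model's simplifications, not a description of the switch implementation.

```python
from collections import deque

# Added example, not NVOS code: a simplified model of the two NVUE limiters.
# Times are in seconds; packet() returns True when the rule would deny.

class RecentList:
    """recent-list: rule 10 records each packet's source (action set); rule 20
    (action update) denies once the source has >= hit_count entries within
    the last update_interval seconds."""
    def __init__(self, update_interval, hit_count):
        self.interval, self.hit_count = update_interval, hit_count
        self.seen = {}                      # src -> deque of hit timestamps

    def packet(self, src, t):
        hits = self.seen.setdefault(src, deque())
        hits.append(t)                      # this packet counts as a hit
        while hits and t - hits[0] > self.interval:
            hits.popleft()                  # hits older than the window expire
        return len(hits) >= self.hit_count  # rule 20 matches -> deny

class HashLimit:
    """hashlimit rate-above R/min burst B expire E (ms), mode src-ip:
    per-source token bucket of capacity B refilled at R tokens per minute.
    Simplification (assumed): an entry idle for longer than E ms is discarded,
    so the next packet from that source starts with a full bucket again."""
    def __init__(self, rate_per_min, burst, expire_ms):
        self.refill = rate_per_min / 60.0   # tokens per second
        self.burst, self.expire = burst, expire_ms / 1000.0
        self.buckets = {}                   # src -> [tokens, last_seen]

    def packet(self, src, t):
        b = self.buckets.get(src)
        if b is None or t - b[1] > self.expire:
            b = [float(self.burst), t]      # new or expired entry: full burst
        tokens = min(self.burst, b[0] + (t - b[1]) * self.refill)
        self.buckets[src] = b = [tokens, t]
        if tokens >= 1:
            b[0] -= 1                       # within the rate: allow
            return False
        return True                         # rate-above matched -> deny

def accepted(limiter, src, times):
    """Number of packets from src at the given times that the rule lets through."""
    return sum(not limiter.packet(src, t) for t in times)

if __name__ == "__main__":
    burst = [i * 0.1 for i in range(100)]   # constructed: 100 packets in 10 s
    print("recent-list 100/60s accepts", accepted(RecentList(60, 100), "10.0.0.1", burst))
    print("hashlimit 5/min burst 2 accepts", accepted(HashLimit(5, 2, 3000), "10.0.0.1", burst))
```

Under this model a source that pauses for longer than expire starts again with a full burst, so an expire shorter than the time the bucket needs to refill weakens the limit; check the chosen values against the traffic you expect.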

The example rule below drops ingress IPv4 TCP packets that have the SYN bit set and the RST, ACK, and FIN bits clear. The rule applies inbound on interface eth0. After you configure this rule, you cannot establish new TCP sessions that originate from the ingress management port eth0; you can still establish TCP sessions that originate from any other port.

```
admin@nvos:~$ nv set acl EXAMPLE4 type ipv4
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 match ip protocol tcp
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 match ip tcp flags syn
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 match ip tcp mask rst
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 match ip tcp mask syn
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 match ip tcp mask fin
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 match ip tcp mask ack
admin@nvos:~$ nv set acl EXAMPLE4 rule 20 action deny
admin@nvos:~$ nv set interface eth0 acl EXAMPLE4 inbound
admin@nvos:~$ nv config apply
```

Run the following commands to control who can SSH into the switch. In the following example, 10.10.10.1/32 is the interface IP address (or loopback IP address) of the switch, and hosts in 10.255.4.0/24 can SSH into the switch.

```
admin@nvos:~$ nv set acl example2 type ipv4
admin@nvos:~$ nv set acl example2 rule 10 match ip source-ip 10.255.4.0/24
admin@nvos:~$ nv set acl example2 rule 10 match ip dest-ip 10.10.10.1/32
admin@nvos:~$ nv set acl example2 rule 10 action permit
admin@nvos:~$ nv set acl example2 rule 20 match ip source-ip ANY
admin@nvos:~$ nv set acl example2 rule 20 match ip dest-ip 10.10.10.1/32
admin@nvos:~$ nv set acl example2 rule 20 action deny
admin@nvos:~$ nv set interface eth0 acl example2 inbound
admin@nvos:~$ nv config apply
```

ECN allows end-to-end notification of network congestion without dropping packets. You can add ECN rules to match on the ECE, CWR, and ECT flags in the TCP IPv4 header.

By default, ECN rules match a packet with the bit set. You can reverse the match by using an exclamation point (!).

After an endpoint receives a packet with the CE bit set by a router, it sets the ECE bit in the returning ACK packet to notify the other endpoint that it needs to slow down.

To match on the ECE bit:

```
admin@nvos:~$ nv set acl example2 type ipv4
admin@nvos:~$ nv set acl example2 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl example2 rule 10 match ip ecn flags tcp-ece
admin@nvos:~$ nv set acl example2 rule 10 action permit
admin@nvos:~$ nv set interface eth0 acl example2 inbound
admin@nvos:~$ nv config apply
```

The CWR bit notifies the other endpoint of the connection that it received and reacted to an ECE.

To match on the CWR bit:

```
admin@nvos:~$ nv set acl example2 type ipv4
admin@nvos:~$ nv set acl example2 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl example2 rule 10 match ip ecn flags tcp-cwr
admin@nvos:~$ nv set acl example2 rule 10 action permit
admin@nvos:~$ nv set interface eth0 acl example2 inbound
admin@nvos:~$ nv config apply
```

The ECT codepoints negotiate whether the connection is ECN capable by setting one of the two bits to 1. Routers also use the ECT bits to indicate that they are experiencing congestion by setting both codepoints to 1.

To match on the ECT bit:

```
admin@nvos:~$ nv set acl example2 type ipv4
admin@nvos:~$ nv set acl example2 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl example2 rule 10 match ip ecn ip-ect 1
admin@nvos:~$ nv set acl example2 rule 10 action permit
admin@nvos:~$ nv set interface eth0 acl example2 inbound
admin@nvos:~$ nv config apply
```

The following examples use the mangle table to modify the packet as it transits the switch. DSCP is in decimal notation in the examples below.

To set SSH as high priority traffic:

```
admin@nvos:~$ nv set acl EXAMPLE1 type ipv4
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 22
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 action set dscp 46
admin@nvos:~$ nv set interface eth0 acl EXAMPLE1 inbound
admin@nvos:~$ nv config apply
```

To set everything coming in swp1 as AF13:

```
admin@nvos:~$ nv set acl EXAMPLE1 type ipv4
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 action set dscp 14
admin@nvos:~$ nv set interface eth0 acl EXAMPLE1 inbound
admin@nvos:~$ nv config apply
```

To set packets destined for 10.0.100.27 as best effort:

```
admin@nvos:~$ nv set acl EXAMPLE1 type ipv4
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip dest-ip 10.0.100.27/32
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 action set dscp 0
admin@nvos:~$ nv set interface eth0 acl EXAMPLE1 inbound
admin@nvos:~$ nv config apply
```

To use a range of ports for TCP traffic:

```
admin@nvos:~$ nv set acl EXAMPLE1 type ipv4
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip protocol tcp
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip source-ip 10.0.0.17/32
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip tcp source-port 10000:20000
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip dest-ip 10.0.100.27/32
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 match ip tcp dest-port 10000:20000
admin@nvos:~$ nv set acl EXAMPLE1 rule 10 action set dscp 34
admin@nvos:~$ nv set interface eth0 acl EXAMPLE1 inbound
admin@nvos:~$ nv config apply
```

Note: To specify all ports on the switch in NVUE (swp+ in an iptables rule), you must set the range of interfaces on the switch as in the examples above (nv set interface swp1-48). This command creates as many rules in the /etc/cumulus/acl/policy.d/50_nvue.rules file as there are interfaces in the range you specify.
