This knowledge base has moved to the documentation site. Please visit the knowledge base here for the most up to date content. This site is no longer maintained.

Cumulus Linux vs Cisco IOS Access-Lists




The user already knows Cisco IOS format, and wants translation of ACLs to iptables for use with Cumulus Linux and cl-acltool (iptables->hardware ASIC converter).

Please refer to the netfilter documentation for more information. Nixcraft is also a great resource for learning Linux and iptables, check out their article here. In addition to the man pages, Debian also has great documentation here.

You can find the Cisco Configuration Guide used to interpret their commands here.


ACL / iptables Syntax Rules

IOS Standard Syntax

access-list <number> {permit | deny} <protocol> <source> [<ports>] <destination> [<ports>] [<options>]


 access-list 10 permit tcp eq www

IOS Extended Syntax (including NX-OS)

ip access-list extended  {<number> | <name>}
  [<sequence>] {permit | deny} <protocol> <source> [<ports>]<destination> [<ports>] [<options>]


ip access-list extended allow_http
  10 permit tcp eq www

iptables (Netfilter)

 iptables -A {FORWARD | INPUT | OUTPUT} -j {ACCEPT | DROP | POLICE | SPAN | ERSPAN} | -p <protocol> -s <source> --sport [<ports>] -d destination> --dport [<ports>] [<options>]


iptables -A FORWARD -j ACCEPT -p tcp -s -d --dport 80

*remember to put this in a flat file under /etc/cumulus/acl/policy.d/ and push into hardware via the cl-acltool command.

**the ordering does not matter in iptables, however the suggested format above matches closely to IOS syntax to make it easier to memorize 



ACL-iptables Translation Table

Cumulus Linux Cisco Systems IOS
iptables -A FORWARD -j DROP -i swp1 -p icmp --icmp-type echo-request

Description: Blocks icmp echo requests on the specified switchport (swp1 for Cumulus Linux and Gigabit Ethernet 0/0 on Cisco)

ip access-list extended block_icmp
deny icmp any any echo interface g0/0 ip access-group block_icmp in

iptables -A INPUT -j DROP -p tcp -s --dport 22 

Description: Blocks SSH traffic from the specified subnet ( to the switch itself (destination is the switch, i.e. an IP address that is assigned to the switch). For the Cisco device, the subnet(s) that you want to protect are specified, which is indicated by the subnet. Using this particular method, each interface would need to have the access-list tied to it. For Cumulus, the INPUT chain indicates all subnets that the switch has configured on it (control plane). 

ip access-list extended block_ssh
  deny tcp eq 22
interface g0/0
  ip access-group block_ssh in
iptables -A FORWARD -j ACCEPT -p udp -s --dport 123

Description: Allows NTP traffic to transit the switch (UDP port 123). The Cumulus Linux example applies this to all switchports, while the Cisco example is only applying this to the Gigabit 0/0 interface.

ip access-list extended allow_ntp
  permit udp any eq ntp
interface g0/0
  ip access-group allow_ntp in

Flat File Configuration

For persistent configuration of the iptables rules, create a .rules file, in /etc/cumulus/acl/policy.d/. An example file is shown below.

cumulus@switch$ cat /etc/cumulus/acl/policy.d/sean.rules
-A FORWARD -j ACCEPT -p udp -s --dport 123
-A INPUT -j DROP -p tcp -s --dport 22
-A FORWARD -j ACCEPT -p tcp -s -d --dport 80
-A FORWARD -j DROP -i swp1 -p icmp --icmp-type echo-request

See Also


This support portal has moved

Cumulus Networks is now part of the NVIDIA Networking Business Unit! The NVIDIA Cumulus Global Support Services (GSS) team has merged its operations with the NVIDIA Mellanox support services team.

You can access NVIDIA Cumulus support content from the Mellanox support portal.

You open and update new cases on the Mellanox support portal. Any previous cases that have been closed have been migrated to the Mellanox support portal.

Cases that are still open on the Cumulus portal will continue to be managed on the Cumulus portal. Once these cases close, they will be moved to the Mellanox support portal.

Powered by Zendesk