Security Commands
This chapter describes the Cisco NX-OS security commands available on the Cisco Nexus 3548 switch.
aaa accounting default
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default { group group-list | local }
no aaa accounting default { group group-list | local }
Syntax Description
group |
Specifies that a server group be used for accounting. |
group-list |
Space-delimited list that specifies one or more configured RADIUS server groups. |
local |
Specifies that the local database be used for accounting. |
Command Default
The local database is the default.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The group group-list method refers to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or the local method and it fails, accounting can fail.
Examples
This example shows how to configure any RADIUS server for AAA accounting:
switch# configure terminal
switch(config)# aaa accounting default group radius
Related Commands
aaa group server radius |
Configures AAA RADIUS server groups. |
radius-server host |
Configures RADIUS servers. |
show aaa accounting |
Displays AAA accounting status information. |
tacacs-server host |
Configures TACACS+ servers. |
aaa authentication login console
To configure authentication, authorization, and accounting (AAA) authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console { group group-list [ none ] | local | none }
no aaa authentication login console { group group-list [ none ] | local | none }
Syntax Description
group |
Specifies to use a server group for authentication. |
group-list |
Space-separated list of RADIUS or TACACS+ server groups. The list can include the following:
- radius for all configured RADIUS servers.
- tacacs+ for all configured TACACS+ servers.
- Any configured RADIUS or TACACS+ server group name.
|
none |
(Optional) Specifies to use the username for authentication. |
local |
(Optional) Specifies to use the local database for authentication. |
Command Default
The local database
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, the authentication can fail. If you specify the none method alone or after the group method, the authentication always succeeds.
Examples
This example shows how to configure the AAA authentication console login method:
switch# configure terminal
switch(config)# aaa authentication login console group radius
This example shows how to revert to the default AAA authentication console login method:
switch# configure terminal
switch(config)# no aaa authentication login console group radius
Related Commands
aaa group server |
Configures AAA server groups. |
radius-server host |
Configures RADIUS servers. |
show aaa authentication |
Displays AAA authentication information. |
tacacs-server host |
Configures TACACS+ servers. |
aaa authentication login default
To configure the default authentication, authorization, and accounting (AAA) authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default { group group-list [ none ] | local | none }
no aaa authentication login default { group group-list [ none ] | local | none }
Syntax Description
group |
Specifies that a server group be used for authentication. |
group-list |
Space-separated list of RADIUS or TACACS+ server groups that can include the following:
- radius for all configured RADIUS servers.
- tacacs+ for all configured TACACS+ servers.
- Any configured RADIUS or TACACS+ server group name.
|
none |
(Optional) Specifies that the username be used for authentication. |
local |
(Optional) Specifies that the local database be used for authentication. |
Command Default
The local database
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, the authentication fails. If you specify the none method alone or after the group method, the authentication always succeeds.
Examples
This example shows how to configure the default AAA authentication login method:
switch# configure terminal
switch(config)# aaa authentication login default group radius
This example shows how to revert to the default AAA authentication login method:
switch# configure terminal
switch(config)# no aaa authentication login default group radius
Related Commands
aaa group server |
Configures AAA server groups. |
radius-server host |
Configures RADIUS servers. |
show aaa authentication |
Displays AAA authentication information. |
tacacs-server host |
Configures TACACS+ servers. |
aaa authentication login error-enable
To configure that the authentication, authorization, and accounting (AAA) authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In this situation, the following message is displayed if you have enabled the displaying of login failure messages:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
Examples
This example shows how to enable the display of AAA authentication failure messages to the console:
switch# configure terminal
switch(config)# aaa authentication login error-enable
This example shows how to disable the display of AAA authentication failure messages to the console:
switch# configure terminal
switch(config)# no aaa authentication login error-enable
Related Commands
show aaa authentication |
Displays the status of the AAA authentication failure message display. |
aaa authentication login mschap enable
To enable Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to enable MS-CHAP authentication:
switch# configure terminal
switch(config)# aaa authentication login mschap enable
This example shows how to disable MS-CHAP authentication:
switch# configure terminal
switch(config)# no aaa authentication login mschap enable
Related Commands
show aaa authentication |
Displays the status of MS-CHAP authentication. |
aaa authorization commands default
To configure default authentication, authorization, and accounting (AAA) authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [ group group-list ] [ local | none ]
no aaa authorization commands default [ group group-list ] [ local | none ]
Syntax Description
group |
(Optional) Specifies to use a server group for authorization. |
group-list |
List of server groups. The list can include the following:
- tacacs+ for all configured TACACS+ servers.
- Any configured TACACS+ server group name.
The name can be a space-separated list of server groups, and a maximum of 127 characters. |
local |
(Optional) Specifies to use the local role-based database for authorization. |
none |
(Optional) Specifies to use no database for authorization. |
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you specify the none method alone or after the group method, the authorization always succeeds.
Examples
This example shows how to configure the default AAA authorization methods for EXEC commands:
switch# configure terminal
switch(config)# aaa authorization commands default group TacGroup local
This example shows how to revert to the default AAA authorization methods for EXEC commands:
switch# configure terminal
switch(config)# no aaa authorization commands default group TacGroup local
Related Commands
aaa authorization config-commands default |
Configures default AAA authorization methods for configuration commands. |
aaa group server |
Configures AAA server groups. |
feature tacacs+ |
Enables the TACACS+ feature. |
show aaa authorization |
Displays the AAA authorization configuration. |
tacacs-server host |
Configures a TACACS+ server. |
aaa authorization config-commands default
To configure the default authentication, authorization, and accounting (AAA) authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [ group group-list ] [ local | none ]
no aaa authorization config-commands default [ group group-list ] [ local | none ]
Syntax Description
group |
(Optional) Specifies to use a server group for authorization. |
group-list |
List of server groups. The list can include the following:
- tacacs+ for all configured TACACS+ servers.
- Any configured TACACS+ server group name.
The name can be a space-separated list of server groups, and a maximum of 127 characters. |
local |
(Optional) Specifies to use the local role-based database for authorization. |
none |
(Optional) Specifies to use no database for authorization. |
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you specify the none method alone or after the group method, the authorization always succeeds.
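The fallback rules stated in the usage guidelines for the login and authorization method lists (a later method is consulted only when the server groups before it fail to respond, and none always succeeds) are easy to misread. The following Python model is an added example, not Cisco code or part of this reference; it walks a method list such as group TacGroup local in order and records which method decided. It assumes, as the guidelines above state, that only an unresponsive group hands off to the next method, so a rejection from a responding server is final and local or none do not override it; the group name, user names and local database are constructed for the demonstration.

```python
"""Added model (not Cisco code) of how an AAA method list such as
'aaa authorization commands default group TacGroup local' is evaluated.
Server groups, users and the local database are constructed for the demo."""
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NO_RESPONSE = "no-response"  # group unreachable: hand off to the next method


@dataclass
class ServerGroup:
    """A RADIUS/TACACS+ server group; 'reachable' stands in for a timeout."""
    name: str
    reachable: bool = True
    allowed_users: set = field(default_factory=set)

    def decide(self, user: str) -> Verdict:
        if not self.reachable:
            return Verdict.NO_RESPONSE
        return Verdict.PERMIT if user in self.allowed_users else Verdict.DENY


def evaluate(method_list, groups, local_db, user):
    """Walk the methods in the configured order.

    A group that answers (permit or deny) is final. Only a group that does
    not respond hands the request to the next method, so 'local' or 'none'
    act as fallbacks for unreachable servers, not as overrides for a
    rejection. 'none' permits unconditionally. If every method was an
    unresponsive group and no fallback is configured, the request fails.
    Returns (verdict, trail); trail lists each method consulted.
    """
    trail = []
    for method in method_list:
        if method == "none":
            trail.append(("none", Verdict.PERMIT))
            return Verdict.PERMIT, trail
        if method == "local":
            verdict = Verdict.PERMIT if user in local_db else Verdict.DENY
            trail.append(("local", verdict))
            return verdict, trail
        verdict = groups[method].decide(user)
        trail.append((method, verdict))
        if verdict is not Verdict.NO_RESPONSE:
            return verdict, trail
    return Verdict.DENY, trail


# Constructed scenario: TacGroup authorizes only 'alice'; the local DB knows 'bob'.
LOCAL_DB = {"bob", "admin"}


def scenario(method_list, tac_reachable, user):
    """Evaluate method_list for user with TacGroup up or down."""
    groups = {"TacGroup": ServerGroup("TacGroup", tac_reachable, {"alice"})}
    return evaluate(method_list, groups, LOCAL_DB, user)


if __name__ == "__main__":
    cases = [(["TacGroup", "local"], True, "bob"),
             (["TacGroup", "local"], False, "bob"),
             (["TacGroup", "none"], True, "bob"),
             (["TacGroup", "none"], False, "bob"),
             (["TacGroup"], False, "bob")]
    for methods, up, user in cases:
        verdict, trail = scenario(methods, up, user)
        state = "reachable" if up else "unreachable"
        print(f"{' '.join(methods):18} TacGroup {state:11} {user}: {verdict.value}  {trail}")
```

The second and third cases are the ones worth noting: bob is rejected by a reachable TacGroup even though the local database would admit him, while the same list admits him the moment TacGroup stops responding. A list ending in none therefore opens the device whenever the servers are unreachable, which is the behaviour the guidelines describe as always succeeding.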
Examples
This example shows how to configure the default AAA authorization methods for configuration commands:
switch# configure terminal
switch(config)# aaa authorization config-commands default group TacGroup local
This example shows how to revert to the default AAA authorization methods for configuration commands:
switch# configure terminal
switch(config)# no aaa authorization config-commands default group TacGroup local
Related Commands
aaa authorization commands default |
Configures default AAA authorization methods for EXEC commands. |
aaa group server |
Configures AAA server groups. |
feature tacacs+ |
Enables the TACACS+ feature. |
show aaa authorization |
Displays the AAA authorization configuration. |
tacacs-server host |
Configures a TACACS+ server. |
aaa group server radius
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
group-name |
RADIUS server group name. |
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:
switch# configure terminal
switch(config)# aaa group server radius RadServer
This example shows how to delete a RADIUS server group:
switch# configure terminal
switch(config)# no aaa group server radius RadServer
Related Commands
show aaa groups |
Displays server group information. |
aaa user default-role
To enable the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the aaa user default-role command. To disable the default role, use the no form of this command.
aaa user default-role
no aaa user default-role
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to enable the default role assigned by the AAA server administrator for remote authentication:
switch# configure terminal
switch(config)# aaa user default-role
This example shows how to disable the default role assigned by the AAA server administrator for remote authentication:
switch# configure terminal
switch(config)# no aaa user default-role
Related Commands
show aaa user default-role |
Displays the status of the default user for remote authentication. |
show aaa authentication |
Displays AAA authentication information. |
access-class
To restrict incoming and outgoing connections between a particular VTY (into a Cisco Nexus 3000 Series switch) and the addresses in an access list, use the access-class command. To remove access restrictions, use the no form of this command.
access-class access-list-name { in | out }
no access-class access-list-name { in | out }
Syntax Description
access-list-name |
Name of the IPv4 ACL class. The name can be a maximum of 64 alphanumeric characters. The name cannot contain a space or quotation mark. |
in |
Specifies that incoming connections be restricted between a particular Cisco Nexus 3000 Series switch and the addresses in the access list. |
out |
Specifies that outgoing connections be restricted between a particular Cisco Nexus 3000 Series switch and the addresses in the access list. |
Command Modes
Line configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When you allow telnet or SSH to a Cisco device, you can secure access to the device by binding an access class to the VTYs.
To display the access lists for a particular terminal line, use the show line command.
Examples
This example shows how to configure an access class on a VTY line to restrict inbound packets:
switch# configure terminal
switch(config)# line vty
switch(config-line)# access-class ozi2 in
This example shows how to remove an access class that restricts inbound packets:
switch# configure terminal
switch(config)# line vty
switch(config-line)# no access-class ozi2 in
Related Commands
ip access-class |
Configures an IPv4 access class. |
show access-class |
Displays the access classes configured on the switch. |
show line |
Displays the access lists for a particular terminal line. |
show running-config aclmgr |
Displays the running configuration of ACLs. |
ssh |
Starts an SSH session using IPv4. |
telnet |
Starts a Telnet session using IPv4. |
action
To specify what the switch does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
action { drop | forward }
no action { drop | forward }
Syntax Description
drop |
Specifies that the switch drops the packet. |
forward |
Specifies that the switch forwards the packet to its destination port. |
Command Modes
VLAN access-map configuration
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The action command specifies the action that the device takes when a packet matches the conditions in the ACL specified by the match command.
Examples
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch# configure terminal
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics
switch(config-access-map)#
This example shows how to create a VLAN access map named vlan-map-03 in a switch profile, assign an IPv4 ACL named ip-acl-03 to the map, and specify that the switch drops packets matching the ACL:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# vlan access-map vlan-map-03
switch(config-sync-sp-access-map)# match ip address ip-acl-03
switch(config-sync-sp-access-map)# action drop
switch(config-sync-sp-access-map)#
Related Commands
match |
Specifies an ACL for traffic filtering in a VLAN access map. |
show vlan access-map |
Displays all VLAN access maps or a VLAN access map. |
show vlan filter |
Displays information about how a VLAN access map is applied. |
statistics |
Enables statistics for an access control list or VLAN access map. |
vlan access-map |
Configures a VLAN access map. |
vlan filter |
Applies a VLAN access map to one or more VLANs. |
class (control plane policy map)
To specify a control plane class map for a control plane policy map, use the class command. To delete a control plane class map from a control plane policy map, use the no form of this command.
class { class-map-name [ insert-before class-map-name2 ]}
no class class-map-name
Syntax Description
class-map-name |
Name of the class map. The name is alphanumeric, case sensitive, and has a maximum of 64 characters. |
insert-before class-map-name2 |
(Optional) Inserts the control plane class map ahead of another control plane class map for the control plane policy map. The class map name is alphanumeric, case sensitive, and has a maximum of 64 characters. |
Command Modes
Control plane policy map configuration
Command History
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
You must create the control plane class maps before you reference them in this command.
This command does not require a license.
Examples
This example shows how to configure a class map for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class ClassMapA
This example shows how to configure a class map for a control plane policy map and insert it before an existing class map:
switch# configure terminal
switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class classMapB insert-before copp-stftp
This example shows how to delete a class map from a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# no class ClassMapA
Related Commands
class-map type control-plane |
Creates or configures a control plane class map. |
police (policy map) |
Configures policing for a class map in a control plane policy map. |
policy-map type control-plane |
Specifies a control plane policy map and enters policy map configuration mode. |
show policy-map type control-plane |
Displays configuration information for control plane policy maps. |
class-map type control-plane
To create or specify a control plane class map and enter class map configuration mode, use the class-map type control-plane command. To delete a control plane class map, use the no form of this command.
class-map type control-plane [ match-any ] class-map-name
no class-map type control-plane [ match-any ] class-map-name
Syntax Description
match-any |
(Optional) Specifies to match any match conditions in the class map. |
class-map-name |
Name of the class map. The name is alphanumeric and case-sensitive. The maximum length is 64 characters. |
Command Default
match-any
Command Modes
Global configuration mode
Command History
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
You cannot use match-any or class-default as names for control plane class maps.
You can delete only dynamic class-maps of type control-plane. You cannot delete static class-maps of type control-plane.
This command does not require a license.
Examples
This example shows how to specify a control plane class map and enter class map configuration mode:
switch# configure terminal
switch(config)# class-map type control-plane ClassMapA
This example shows how to delete a control plane class map:
switch# configure terminal
switch(config)# no class-map type control-plane ClassMapA
Related Commands
match access-group |
Matches traffic with a specified access control list (ACL) group. |
show class-map type control-plane |
Displays control plane policy map configuration information. |
clear access-list counters
To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear access-list counters command.
clear access-list counters [ access-list-name ]
Syntax Description
access-list-name |
(Optional) Name of the IPv4 ACL whose counters the switch clears. The name can be a maximum of 64 alphanumeric characters. |
Command Modes
EXEC mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to clear counters for all IPv4 ACLs:
switch# clear access-list counters
This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:
switch# clear access-list counters acl-ipv4-01
Related Commands
access-class |
Applies an IPv4 ACL to a VTY line. |
ip access-group |
Applies an IPv4 ACL to an interface. |
ip access-list |
Configures an IPv4 ACL. |
show access-lists |
Displays information about one or all IPv4 and MAC ACLs. |
show ip access-lists |
Displays information about one or all IPv4 ACLs. |
clear accounting log
To clear the accounting log, use the clear accounting log command.
clear accounting log
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to clear the accounting log:
switch# clear accounting log
Related Commands
show accounting log |
Displays the accounting log contents. |
clear ip arp
To clear the Address Resolution Protocol (ARP) table and statistics, use the clear ip arp command.
clear ip arp [ vlan vlan-id [ force-delete | vrf { vrf-name | all | default | management }]]
Syntax Description
vlan vlan-id |
(Optional) Clears the ARP information for a specified VLAN. The range is from 1 to 4094, except for the VLANs reserved for internal use. |
force-delete |
(Optional) Clears the entries from ARP table without refresh. |
vrf |
(Optional) Specifies the virtual routing and forwarding (VRF) to clear from the ARP table. |
vrf-name |
VRF name. The name can be a maximum of 32 alphanumeric characters and is case sensitive. |
all |
Specifies that all VRF entries be cleared from the ARP table. |
default |
Specifies that the default VRF entry be cleared from the ARP table. |
management |
Specifies that the management VRF entry be cleared from the ARP table. |
Command Modes
Any command mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to clear the ARP table statistics:
switch# clear ip arp
This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf:
switch# clear ip arp vlan 10 vrf vlan-vrf
Related Commands
show ip arp |
Displays the ARP configuration status. |
control-plane
To enter control-plane configuration mode, which allows users to associate attributes that are associated with the control plane of the device, use the control-plane command.
control-plane
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
After you use the control-plane command, you can associate a service policy to police all traffic that is destined to the control plane.
Examples
This example shows how to enter the control plane configuration mode:
switch# configure terminal
switch(config)# control-plane
Related Commands
service-policy (control-plane) |
Attaches a policy map to a control plane for aggregate control plane services. |
show policy-map type control-plane |
Displays the configuration of a class or all classes for the policy map of a control plane. |
deadtime
To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.
deadtime minutes
no deadtime minutes
Syntax Description
minutes |
Number of minutes for the interval. The range is from 0 to 1440 minutes. Setting the dead-time interval to 0 disables the timer. |
Command Default
0 minutes
Command Modes
RADIUS server group configuration
TACACS+ server group configuration
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# deadtime 2
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# deadtime 5
This example shows how to revert to the dead-time interval default:
switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no deadtime 5
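To make the effect of the dead-time interval concrete, the following Python model is an added example, not Cisco code or part of this reference. It assumes a server is marked dead after one request to it goes unanswered (the page does not specify how many failures trigger the mark) and that marked servers are skipped until the interval expires; with deadtime 0, the default, no server is ever marked and an unresponsive one is retried on every request. The group name, host names and request timings are constructed for the demonstration.

```python
"""Added model (not Cisco code) of the dead-time interval for a RADIUS or
TACACS+ server group. Hosts and timings below are constructed for the demo."""
from datetime import datetime, timedelta


class Server:
    def __init__(self, host, responding=True):
        self.host = host
        self.responding = responding  # stands in for a real RADIUS/TACACS+ reply
        self.dead_until = None        # set when the server is marked dead


class ServerGroup:
    """Tries servers in configured order. A server that fails to respond is
    marked dead and skipped until deadtime_minutes have elapsed; deadtime 0
    (the default) disables the timer, so the server is retried every time."""

    def __init__(self, name, servers, deadtime_minutes=0):
        if not 0 <= deadtime_minutes <= 1440:
            raise ValueError("deadtime must be 0-1440 minutes")
        self.name = name
        self.servers = servers
        self.deadtime = deadtime_minutes

    def _is_dead(self, server, now):
        return server.dead_until is not None and now < server.dead_until

    def request(self, now):
        """Send one request at time 'now'.
        Returns (answering_host_or_None, hosts_actually_contacted)."""
        contacted = []
        for srv in self.servers:
            if self._is_dead(srv, now):
                continue                       # skipped: still inside its dead time
            contacted.append(srv.host)
            if srv.responding:
                return srv.host, contacted
            if self.deadtime:                  # assumption: one miss marks it dead
                srv.dead_until = now + timedelta(minutes=self.deadtime)
        return None, contacted


def simulate(deadtime_minutes):
    """Three requests at t=0, t=1 min and t=3 min against a group whose first
    server is down; returns the hosts contacted by each request."""
    group = ServerGroup("RadServer",
                        [Server("rad1.example", responding=False),
                         Server("rad2.example")],
                        deadtime_minutes)
    t0 = datetime(2024, 1, 1, 0, 0)
    return [group.request(t0 + timedelta(minutes=m))[1] for m in (0, 1, 3)]


if __name__ == "__main__":
    print("deadtime 0:", simulate(0))
    print("deadtime 2:", simulate(2))
```

With deadtime 2 the request one minute later goes straight to rad2.example, while the request at three minutes tries rad1.example again because its interval has expired; with deadtime 0 every request waits on the dead server first, which is the latency the timer exists to avoid.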
Related Commands
aaa group server |
Configures AAA server groups. |
feature tacacs+ |
Enables TACACS+. |
radius-server host |
Configures a RADIUS server. |
show radius-server groups |
Displays RADIUS server group information. |
show tacacs-server groups |
Displays TACACS+ server group information. |
tacacs-server host |
Configures a TACACS+ server. |
deny (IPv4)
To create an IPv4 access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
General Syntax
[ sequence-number ] deny protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
no deny protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
no sequence-number
Internet Control Message Protocol
[ sequence-number ] deny icmp source destination [ icmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
Internet Group Management Protocol
[ sequence-number ] deny igmp source destination [ igmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
Internet Protocol v4
[ sequence-number ] deny ip source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
Transmission Control Protocol
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ] [ flags ] [ established ]
User Datagram Protocol
[ sequence-number ] deny udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
Syntax Description
sequence-number |
(Optional) Sequence number of the deny command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
protocol |
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
- ahp —Specifies that the rule applies to authentication header protocol (AHP) traffic only.
- eigrp —Specifies that the rule applies to Enhanced Interior Gateway Routing Protocol (EIGRP) traffic only.
- esp —Specifies that the rule applies to IP Encapsulation Security Payload (ESP) traffic only.
- icmp —Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- igmp —Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- ip —Specifies that the rule applies to all IPv4 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv4 protocols are available. They include the following:
  – dscp
  – fragments
  – log
  – precedence
  – time-range
- nos —Specifies that the rule applies to IP over IP encapsulation (KA9Q/NOS compatible) traffic only.
- ospf —Specifies that the rule applies to Open Shortest Path First (OSPF) routing protocol traffic only.
- pcp —Specifies that the rule applies to IP Payload Compression Protocol (IPComp) traffic only.
- pim —Specifies that the rule applies to IPv4 Protocol Independent Multicast (PIM) traffic only.
- tcp —Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.
- udp —Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.
|
source |
Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
dscp dscp |
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
- 0–63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.
- af11 —Assured Forwarding (AF) class 1, low drop probability (001010)
- af12 —AF class 1, medium drop probability (001100)
- af13 —AF class 1, high drop probability (001110)
- af21 —AF class 2, low drop probability (010010)
- af22 —AF class 2, medium drop probability (010100)
- af23 —AF class 2, high drop probability (010110)
- af31 —AF class 3, low drop probability (011010)
- af32 —AF class 3, medium drop probability (011100)
- af33 —AF class 3, high drop probability (011110)
- af41 —AF class 4, low drop probability (100010)
- af42 —AF class 4, medium drop probability (100100)
- af43 —AF class 4, high drop probability (100110)
- cs1 —Class-selector (CS) 1, precedence 1 (001000)
- cs2 —CS2, precedence 2 (010000)
- cs3 —CS3, precedence 3 (011000)
- cs4 —CS4, precedence 4 (100000)
- cs5 —CS5, precedence 5 (101000)
- cs6 —CS6, precedence 6 (110000)
- cs7 —CS7, precedence 7 (111000)
- default —Default DSCP value (000000)
- ef —Expedited Forwarding (101110)
|
precedence precedence |
(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword as follows:
- 0–7—Decimal equivalent of the 3 bits of the IP Precedence field. For example, if you specify 3, the rule matches only packets that have the following bits in the DSCP field: 011.
- critical —Precedence 5 (101)
- flash —Precedence 3 (011)
- flash-override —Precedence 4 (100)
- immediate —Precedence 2 (010)
- internet —Precedence 6 (110)
- network —Precedence 7 (111)
- priority —Precedence 1 (001)
- routine —Precedence 0 (000)
|
fragments |
(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
time-range time-range-name |
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. Note This keyword is not applicable to a deny rule in a switch profile. |
icmp-message |
(Optional; ICMP only) Rule that matches only packets of the specified ICMP message type. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section. |
igmp-message |
(Optional; IGMP only) Rule that matches only packets of the specified IGMP message type. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:
- dvmrp —Distance Vector Multicast Routing Protocol
- host-query —Host query
- host-report —Host report
- pim —Protocol Independent Multicast
- trace —Multicast trace
|
operator port [ port ] |
(Optional; TCP and UDP only) Rule that matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
- eq —Matches only if the port in the packet is equal to the port argument.
- gt —Matches only if the port in the packet is greater than the port argument.
- lt —Matches only if the port in the packet is less than the port argument.
- neq —Matches only if the port in the packet is not equal to the port argument.
- range —Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.
|
portgroup portgroup |
(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects. |
flags |
(Optional; TCP only) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
|
established |
(Optional; TCP only) Specifies that the rule matches only packets that belong to an established TCP connection. The switch considers TCP packets with the ACK or RST bits set to belong to an established connection. |
Command Default
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
IPv4 ACL configuration
IPv4 ACL in
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address network-wildcard
This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any
- Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
switch(config-acl)# deny udp 192.168.67.0/24 any
- Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
host IPv4-address
This syntax is equivalent to IPv4-address /32 and IPv4-address 0.0.0.0.
This example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
switch(config-acl)# deny icmp host 192.168.67.132 any
- Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
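A small Python model of the evaluation order and the source/destination forms described in the guidelines above, added here as an example; it is not Cisco code and does not describe NX-OS internals. Packet, Rule, IPv4ACL and the short PORT_NAMES table are this example's own names; it models only the eq operator after the destination and the fragments keyword, and returns None when no rule matches rather than modelling the platform's implicit action.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF
# Subset of the page's TCP/UDP port names, resolved by the "eq" operator.
PORT_NAMES = {"bgp": 179, "domain": 53, "ftp": 21, "smtp": 25, "telnet": 23, "www": 80}


@dataclass
class Packet:                        # constructed packet summary, not a real parser
    src: str
    dst: str
    proto: str                       # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None      # destination port (initial fragment only)
    noninitial_fragment: bool = False


@dataclass
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IPv4 protocol
    src: Tuple[int, int]             # (base address, care mask)
    dst: Tuple[int, int]
    dport: Optional[int] = None      # from "eq <port>" after the destination
    fragments: bool = False          # "fragments": noninitial fragments only


def parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume 'any', 'host A.B.C.D', 'A.B.C.D/len' or 'A.B.C.D wildcard' and
    return ((base, care), next_index). Only bits set in care are compared."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), ALL_ONES), i + 2
    if "/" in tok:
        net = ipaddress.IPv4Network(tok, strict=False)
        return (int(net.network_address), int(net.netmask)), i + 1
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))   # 1 bits = don't care
    return (base, (~wildcard) & ALL_ONES), i + 2


def addr_matches(spec: Tuple[int, int], ip: str) -> bool:
    base, care = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & care) == 0


class IPv4ACL:
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, line: str) -> Rule:
        """Parse '[seq] {permit|deny} proto src dst [eq port] [fragments]'.
        Without a sequence number the rule is appended with the preceding
        rule's number + 10 (10 for the first rule)."""
        t = line.split()
        i = 0
        if t[0].isdigit():
            seq, i = int(t[0]), 1
        else:
            seq = max((r.seq for r in self.rules), default=0) + 10
        action, proto = t[i], t[i + 1]
        src, i = parse_addr(t, i + 2)
        dst, i = parse_addr(t, i)
        dport, fragments = None, False
        while i < len(t):
            if t[i] == "eq":
                dport = int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]
                i += 2
            elif t[i] == "fragments":
                fragments, i = True, i + 1
            else:
                raise ValueError("unsupported keyword: " + t[i])
        # Port operators exist only for tcp/udp, and a Layer 4 match cannot be
        # combined with "fragments" (noninitial fragments carry no port numbers).
        if dport is not None and (proto not in ("tcp", "udp") or fragments):
            raise ValueError("port match not allowed here: " + line)
        rule = Rule(seq, action, proto, src, dst, dport, fragments)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)    # lowest sequence number first
        return rule

    def evaluate(self, pkt: Packet) -> Optional[Rule]:
        """Return the first rule, in sequence order, that the packet satisfies."""
        for r in self.rules:
            if r.proto != "ip" and r.proto != pkt.proto:
                continue
            if not (addr_matches(r.src, pkt.src) and addr_matches(r.dst, pkt.dst)):
                continue
            if r.fragments and not pkt.noninitial_fragment:
                continue
            if r.dport is not None and (pkt.noninitial_fragment or pkt.dport != r.dport):
                continue
            return r
        return None


def acl_lab_01() -> IPv4ACL:
    """The page's acl-lab-01 example, entered one rule at a time."""
    acl = IPv4ACL()
    for line in ("deny tcp 10.23.0.0/16 10.176.0.0/16",
                 "deny udp 10.23.0.0/16 10.176.0.0/16",
                 "deny tcp 192.168.37.0/16 10.176.0.0/16",
                 "deny udp 192.168.37.0/16 10.176.0.0/16",
                 "permit ip any any"):
        acl.add(line)
    return acl
```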
ICMP Message Types
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
- administratively-prohibited —Administratively prohibited
- alternate-address —Alternate address
- conversion-error —Datagram conversion
- dod-host-prohibited —Host prohibited
- dod-net-prohibited —Net prohibited
- echo —Echo (ping)
- echo-reply —Echo reply
- general-parameter-problem —Parameter problem
- host-isolated —Host isolated
- host-precedence-unreachable —Host unreachable for precedence
- host-redirect —Host redirect
- host-tos-redirect —Host redirect for ToS
- host-tos-unreachable —Host unreachable for ToS
- host-unknown —Host unknown
- host-unreachable —Host unreachable
- information-reply —Information replies
- information-request —Information requests
- mask-reply —Mask replies
- mask-request —Mask requests
- mobile-redirect —Mobile host redirect
- net-redirect —Network redirect
- net-tos-redirect —Net redirect for ToS
- net-tos-unreachable —Network unreachable for ToS
- net-unreachable —Net unreachable
- network-unknown —Network unknown
- no-room-for-option —Parameter required but no room
- option-missing —Parameter required but not present
- packet-too-big —Fragmentation needed and DF set
- parameter-problem —All parameter problems
- port-unreachable —Port unreachable
- precedence-unreachable —Precedence cutoff
- protocol-unreachable —Protocol unreachable
- reassembly-timeout —Reassembly timeout
- redirect —All redirects
- router-advertisement —Router discovery advertisements
- router-solicitation —Router discovery solicitations
- source-quench —Source quenches
- source-route-failed —Source route failed
- time-exceeded —All time-exceeded messages
- timestamp-reply —Time-stamp replies
- timestamp-request —Time-stamp requests
- traceroute —Traceroute
- ttl-exceeded —TTL exceeded
- unreachable —All unreachables
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- bgp —Border Gateway Protocol (179)
- chargen —Character generator (19)
- cmd —Remote commands (rcmd, 514)
- daytime —Daytime (13)
- discard —Discard (9)
- domain —Domain Name Service (53)
- drip —Dynamic Routing Information Protocol (3949)
- echo —Echo (7)
- exec —EXEC (rsh, 512)
- finger —Finger (79)
- ftp —File Transfer Protocol (21)
- ftp-data —FTP data connections (20)
- gopher —Gopher (70)
- hostname —NIC hostname server (11)
- ident —Ident Protocol (113)
- irc —Internet Relay Chat (194)
- klogin —Kerberos login (543)
- kshell —Kerberos shell (544)
- login —Login (rlogin, 513)
- lpd —Printer service (515)
- nntp —Network News Transport Protocol (119)
- pim-auto-rp —PIM Auto-RP (496)
- pop2 —Post Office Protocol v2 (109)
- pop3 —Post Office Protocol v3 (110)
- smtp —Simple Mail Transport Protocol (25)
- sunrpc —Sun Remote Procedure Call (111)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- telnet —Telnet (23)
- time —Time (37)
- uucp —Unix-to-Unix Copy Program (540)
- whois —WHOIS/NICNAME (43)
- www —World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- biff —Biff (mail notification, comsat, 512)
- bootpc —Bootstrap Protocol (BOOTP) client (68)
- bootps —Bootstrap Protocol (BOOTP) server (67)
- discard —Discard (9)
- dnsix —DNSIX security protocol auditing (195)
- domain —Domain Name Service (DNS, 53)
- echo —Echo (7)
- isakmp —Internet Security Association and Key Management Protocol (500)
- mobile-ip —Mobile IP registration (434)
- nameserver —IEN116 name service (obsolete, 42)
- netbios-dgm —NetBIOS datagram service (138)
- netbios-ns —NetBIOS name service (137)
- netbios-ss —NetBIOS session service (139)
- non500-isakmp —Internet Security Association and Key Management Protocol (4500)
- ntp —Network Time Protocol (123)
- pim-auto-rp —PIM Auto-RP (496)
- rip —Routing Information Protocol (router, in.routed, 520)
- snmp —Simple Network Management Protocol (161)
- snmptrap —SNMP Traps (162)
- sunrpc —Sun Remote Procedure Call (111)
- syslog —System Logger (514)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- tftp —Trivial File Transfer Protocol (69)
- time —Time (37)
- who —Who service (rwho, 513)
- xdmcp —X Display Manager Control Protocol (177)
Examples
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
switch# configure terminal
switch(config)# ip access-list acl-lab-01
switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16
switch(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16
switch(config-acl)# permit ip any any
This example shows how to configure an IPv4 ACL named sp-acl with rules that deny all AHP and OSPF traffic from the 10.20.0.0 and 192.168.36.0 networks to the 10.172.0.0 network and a final rule that permits all other IPv4 traffic in a switch profile:
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# ip access-list sp-acl
switch(config-sync-sp-acl)# deny ahp 10.20.0.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# deny ospf 10.20.0.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# deny ahp 192.168.36.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# deny ospf 192.168.36.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# permit ip any any
switch(config-sync-sp-acl)#
Related Commands
ip access-list |
Configures an IPv4 ACL. |
permit (IPv4) |
Configures a permit rule in an IPv4 ACL. |
remark |
Configures a remark in an IPv4 ACL. |
show ip access-list |
Displays all IPv4 ACLs or one IPv4 ACL. |
show switch-profile |
Displays information about the switch profile and the configuration revision. |
switch-profile |
Creates and configures a switch profile. |
deny (MAC)
To create a MAC access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
no deny source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
no sequence-number
Syntax Description
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
source |
Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
protocol |
(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see “MAC Protocols” in the “Usage Guidelines” section. |
cos cos-value |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. |
vlan VLAN-ID |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the VLAN ID given. The VLAN-ID argument can be an integer from 1 to 4094. |
Defaults
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
MAC ACL configuration
Command History
6.0(2)A4(1) |
This command was introduced. |
Usage Guidelines
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
Source and Destination
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
switch(config-acl)# deny 00c0.4f03.0a72 0000.0000.0000 any
The following example specifies the destination argument with a MAC address and mask for all hosts with a MAC vendor code of 00603e (the mask leaves the vendor code fixed and ignores the remaining three bytes):
switch(config-acl)# deny any 0060.3e00.0000 0000.00ff.ffff
- Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.
MAC Protocols
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-digit hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
- aarp —Appletalk ARP (0x80f3)
- appletalk —Appletalk (0x809b)
- decnet-iv —DECnet Phase IV (0x6003)
- diagnostic —DEC Diagnostic Protocol (0x6005)
- etype-6000 —EtherType 0x6000 (0x6000)
- etype-8042 —EtherType 0x8042 (0x8042)
- ip —Internet Protocol v4 (0x0800)
- lat —DEC LAT (0x6004)
- lavc-sca —DEC LAVC, SCA (0x6007)
- mop-console —DEC MOP Remote console (0x6002)
- mop-dump —DEC MOP dump (0x6001)
- vines-echo —VINES Echo (0x0baf)
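An added Python model of MAC ACL matching as described in the two guideline sections above (address plus mask, where a 1 bit in the mask means "don't care", and the EtherType keywords); it is example code, not Cisco's, and Frame, MacRule and MacACL are names of this example only. It models the protocol, cos and vlan conditions and returns None when nothing matches.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAC_ALL_ONES = 0xFFFFFFFFFFFF
# EtherType keywords from the "MAC Protocols" list above.
MAC_PROTOCOLS = {
    "aarp": 0x80F3, "appletalk": 0x809B, "decnet-iv": 0x6003, "diagnostic": 0x6005,
    "etype-6000": 0x6000, "etype-8042": 0x8042, "ip": 0x0800, "lat": 0x6004,
    "lavc-sca": 0x6007, "mop-console": 0x6002, "mop-dump": 0x6001, "vines-echo": 0x0BAF,
}


def mac_to_int(dotted: str) -> int:
    """'00c0.4f03.0a72' (NX-OS dotted-hex notation) -> 0x00C04F030A72."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{4}\.){2}[0-9a-fA-F]{4}", dotted):
        raise ValueError("bad MAC address: " + dotted)
    return int(dotted.replace(".", ""), 16)


@dataclass
class Frame:                      # constructed frame summary, not a real parser
    src: str
    dst: str
    ethertype: int
    cos: Optional[int] = None     # 802.1Q priority, if the frame is tagged
    vlan: Optional[int] = None    # 802.1Q VLAN ID, if the frame is tagged


@dataclass
class MacRule:
    seq: int
    action: str
    src: Tuple[int, int]          # (address, mask): mask bit 1 = don't care
    dst: Tuple[int, int]
    protocol: Optional[int] = None
    cos: Optional[int] = None
    vlan: Optional[int] = None


def parse_mac_spec(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """'any' or 'address mask' -> ((address, mask), next_index)."""
    if t[i] == "any":
        return (0, MAC_ALL_ONES), i + 1
    return (mac_to_int(t[i]), mac_to_int(t[i + 1])), i + 2


def mac_matches(spec: Tuple[int, int], mac: str) -> bool:
    addr, mask = spec
    return ((mac_to_int(mac) ^ addr) & ~mask & MAC_ALL_ONES) == 0


class MacACL:
    def __init__(self) -> None:
        self.rules: List[MacRule] = []

    def add(self, line: str) -> MacRule:
        """Parse '[seq] {permit|deny} src dst [protocol] [cos n] [vlan id]'."""
        t = line.split()
        i = 0
        if t[0].isdigit():
            seq, i = int(t[0]), 1
        else:
            seq = max((r.seq for r in self.rules), default=0) + 10
        action = t[i]
        src, i = parse_mac_spec(t, i + 1)
        dst, i = parse_mac_spec(t, i)
        proto = cos = vlan = None
        while i < len(t):
            if t[i] == "cos":
                cos, i = int(t[i + 1]), i + 2
            elif t[i] == "vlan":
                vlan, i = int(t[i + 1]), i + 2
            elif t[i] in MAC_PROTOCOLS:
                proto, i = MAC_PROTOCOLS[t[i]], i + 1
            elif t[i].startswith("0x"):
                proto, i = int(t[i], 16), i + 1
            else:
                raise ValueError("unsupported keyword: " + t[i])
        if (cos is not None and not 0 <= cos <= 7) or (vlan is not None and not 1 <= vlan <= 4094):
            raise ValueError("cos or vlan out of range: " + line)
        rule = MacRule(seq, action, src, dst, proto, cos, vlan)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)   # lowest sequence number wins
        return rule

    def evaluate(self, f: Frame) -> Optional[MacRule]:
        """First rule, in sequence order, whose conditions the frame satisfies."""
        for r in self.rules:
            if not (mac_matches(r.src, f.src) and mac_matches(r.dst, f.dst)):
                continue
            if r.protocol is not None and r.protocol != f.ethertype:
                continue
            if r.cos is not None and r.cos != f.cos:
                continue
            if r.vlan is not None and r.vlan != f.vlan:
                continue
            return r
        return None


def mac_ip_filter() -> MacACL:
    """The page's mac-ip-filter example: deny IPv4 between two vendor codes, permit the rest."""
    acl = MacACL()
    acl.add("deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip")
    acl.add("permit any any")
    return acl
```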
Examples
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
switch# configure terminal
switch(config)# mac access-list mac-ip-filter
switch(config-mac-acl)# deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
switch(config-mac-acl)# permit any any
Related Commands
mac access-list |
Configures a MAC ACL. |
permit (MAC) |
Configures a permit rule in a MAC ACL. |
remark |
Configures a remark in an ACL. |
show mac access-list |
Displays all MAC ACLs or one MAC ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
description (user role)
To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.
description text
no description
Syntax Description
text |
Text string that describes the user role. The maximum length is 128 alphanumeric characters. |
Command Modes
User role configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You can include blank spaces in the user role description text.
Examples
This example shows how to configure the description for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# description User role for my user account.
This example shows how to remove the description from a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no description
Related Commands
show role |
Displays information about the user role configuration. |
enable
To enable a user to move to a higher privilege level after being prompted for a secret password, use the enable command.
enable level
Syntax Description
level |
Privilege level to which the user must log in. The only available level is 15. |
Command Default
Privilege level 15
Command Modes
EXEC configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
Examples
This example shows how to enable the user to move to a higher privilege level after being prompted for a secret password:
Related Commands
enable secret |
Enables a secret password for a specific privilege level. |
feature privilege |
Enables the cumulative privilege of roles for command authorization on TACACS+ servers. |
show privilege |
Displays the current privilege level, username, and status of cumulative privilege support. |
username |
Enables a user to use privilege levels for authorization. |
enable secret
To enable a secret password for a specific privilege level, use the enable secret command. To disable the password, use the no form of this command.
enable secret [ 0 | 5 ] password [ all | priv-lvl priv-level ]
no enable secret [ 0 | 5 ] password [ all | priv-lvl priv-level ]
Syntax Description
0 |
(Optional) Specifies that the password is in clear text. |
5 |
(Optional) Specifies that the password is in encrypted format. |
password |
Password for user privilege escalation. It contains up to 64 alphanumeric, case-sensitive characters. |
all |
(Optional) Adds or removes all privilege level secrets. |
priv-lvl priv-level |
(Optional) Specifies the privilege level to which the secret belongs. The range is from 1 to 15. |
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
Examples
This example shows how to enable a secret password for a specific privilege level:
switch# configure terminal
switch(config)# feature privilege
switch(config)# enable secret 5 def456 priv-lvl 15
switch(config)# username user2 priv-lvl 15
Related Commands
enable |
Enables the user to move to a higher privilege level after being prompted for a secret password. |
feature privilege |
Enables the cumulative privilege of roles for command authorization on TACACS+ servers. |
show privilege |
Displays the current privilege level, username, and status of cumulative privilege support. |
username |
Enables a user to use privilege levels for authorization. |
feature (user role feature group)
To configure a feature in a user role feature group, use the feature command. To delete a feature in a user role feature group, use the no form of this command.
feature feature-name
no feature feature-name
Syntax Description
feature-name |
Switch feature name as listed in the show role feature command output. |
Command Modes
User role feature group configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
Use the show role feature command to list the valid feature names to use in this command.
Examples
This example shows how to add features to a user role feature group:
switch# configure terminal
switch(config)# role feature-group name SecGroup
switch(config-role-featuregrp)# feature aaa
switch(config-role-featuregrp)# feature radius
switch(config-role-featuregrp)# feature tacacs
switch(config-role-featuregrp)#
This example shows how to remove a feature from a user role feature group:
switch# configure terminal
switch(config)# role feature-group name MyGroup
switch(config-role-featuregrp)# no feature callhome
switch(config-role-featuregrp)#
Related Commands
role feature-group name |
Creates or configures a user role feature group. |
show role feature-group |
Displays the user role feature groups. |
feature dhcp
To enable the Dynamic Host Configuration Protocol (DHCP) snooping feature on the device, use the feature dhcp command. To disable the DHCP snooping feature and remove all configuration related to DHCP snooping, use the no form of this command.
feature dhcp
no feature dhcp
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The DHCP snooping feature is disabled by default. DHCP snooping can be enabled or disabled on VLANs.
If you have not enabled the DHCP snooping feature, commands related to DHCP snooping are unavailable.
If you disable the DHCP snooping feature, the device discards all configuration related to DHCP snooping, including the DHCP relay configuration.
If you want to turn off DHCP snooping and preserve configuration related to DHCP snooping, disable DHCP snooping globally with the no ip dhcp snooping command.
Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled.
Examples
This example shows how to enable DHCP snooping:
switch# configure terminal
switch(config)# feature dhcp
This example shows how to disable DHCP snooping:
switch# configure terminal
switch(config)# no feature dhcp
Related Commands
copy running-config startup-config |
Copies the running configuration to the startup configuration. |
ip dhcp snooping |
Globally enables DHCP snooping on the device. |
feature privilege
To enable the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers, use the feature privilege command. To disable the cumulative privilege of roles, use the no form of this command.
feature privilege
no feature privilege
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When the feature privilege command is enabled, privilege roles inherit the permissions of lower-level privilege roles.
Examples
This example shows how to enable the cumulative privilege of roles:
switch# configure terminal
switch(config)# feature privilege
This example shows how to disable the cumulative privilege of roles:
switch# configure terminal
switch(config)# no feature privilege
Related Commands
enable |
Enables a user to move to a higher privilege level. |
enable secret priv-lvl |
Enables a secret password for a specific privilege level. |
show feature |
Displays the features enabled or disabled on the switch. |
show privilege |
Displays the current privilege level, username, and status of cumulative privilege support. |
username |
Enables a user to use privilege levels for authorization. |
feature tacacs+
To enable TACACS+, use the feature tacacs+ command. To disable TACACS+, use the no form of this command.
feature tacacs+
no feature tacacs+
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Note When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration.
Examples
This example shows how to enable TACACS+:
switch# configure terminal
switch(config)# feature tacacs+
This example shows how to disable TACACS+:
switch# configure terminal
switch(config)# no feature tacacs+
Related Commands
show tacacs+ |
Displays TACACS+ information. |
show feature |
Displays whether or not TACACS+ is enabled on the switch. |
hardware profile tcam region
To change the size of the access control list (ACL) ternary content addressable memory (TCAM) regions in the hardware, use the hardware profile tcam region command. To revert to the default ACL TCAM size, use the no form of this command.
hardware profile tcam region { e-racl | e-vacl | ifacl | qos | racl | vacl | nat } tcam_size
no hardware profile tcam region { e-racl | e-vacl | ifacl | racl | vacl | nat } tcam_size
Syntax Description
e-racl |
Configures the size of the egress router ACL (ERACL) TCAM region. |
e-vacl |
Configures the size of the egress VLAN ACL (EVACL) TCAM region. |
ifacl |
Configures the size of the interface ACL (ifacl) TCAM region. |
qos |
Configures the size of the quality of service (QoS) TCAM region. |
racl |
Configures the size of the router ACL (RACL) TCAM region. |
vacl |
Configures the size of the VLAN ACL (VACL) TCAM region. |
nat |
Configures the size of the Network Address Translation entries. |
tcam_size |
TCAM size. The range is from 0 to 4096 entries. |
Command Modes
Global configuration mode
Command History
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When you change the TCAM size, the new TCAM size is saved in the running configuration. To apply the new TCAM size, you must copy the running configuration of the switch to the startup configuration file (copy running-config startup-config command) and then reload (reload command) the switch.
Note Make sure that you set the VACL and EVACL size to the same value.
Table 1 lists the default TCAM size for each ACL region:
Table 1 Default, Minimum and Maximum Size for ACL TCAM Regions
SUP (ingress) | 112 | 48 | 16 |
PACL (ingress) | 400 | 0 | 16 |
VACL (ingress), VACL (egress) | 640 (ingress), 640 (egress) | 0 (ingress), 0 (egress) | 16 |
RACL (ingress) | 1536 | 0 | 16 |
QOS (ingress), QOS (egress) | 192 (ingress), 64 (egress) | 16 (ingress), 64 (egress) | 16 |
E-VACL (egress) | 640 | 0 | 16 |
E-RACL (egress) | 256 | 0 | 16 |
NAT | 256 | 0 | 16 |
Examples
This example shows how to change the size of the RACL TCAM region:
switch# configure terminal
switch(config)# hardware profile tcam region racl 256
[SUCCESS] New tcam size will be applicable only at boot time.
You need to 'copy run start' and 'reload'
switch(config)# copy running-config startup-config
WARNING: This command will reboot the system
Do you want to continue? (y/n) [n] y
This example shows the error message you see when you set the ACL TCAM value to a value other than 0 or 128 and then shows how to change the size of the ACL TCAM region and verify the changes:
switch(config)# show hardware profile tcam region
This example shows how to configure the TCAM VLAN ACLs on a switch profile:
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# hardware profile tcam region vacl 512
switch(config-sync-sp)# hardware profile tcam region e-vacl 512
Related Commands
copy running-config startup-config |
Copies the running configuration to the startup configuration file. |
reload |
Reloads the switch. |
show hardware profile tcam region |
Displays the TCAM sizes that will be applicable on the next reload of the switch. |
show running-config |
Displays the information for the running configuration. |
write erase |
Erases the configuration in persistent memory. |
hardware profile tcam syslog-threshold
To configure the syslog threshold for the ACL TCAM so that a syslog message is generated when the TCAM capacity reaches the specified percentage, use the hardware profile tcam syslog-threshold command. To reset the value to the default, use the no form of this command.
hardware profile tcam syslog-threshold percentage
no hardware profile tcam syslog-threshold
Syntax Description
percentage | Percentage of the TCAM capacity. The range is from 1 to 100. The default value is 90 percent.
Defaults
The ACL TCAM threshold is 90 percent.
Command Modes
Global configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to set the syslog threshold to 20 percent for the ACL TCAM:
switch# configure terminal
switch(config)# hardware profile tcam syslog-threshold 20
Related Commands
Command | Description
copy running-config startup-config | Copies the running configuration to the startup configuration file.
show running-config | Displays the information for the running configuration.
interface policy deny
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
interface policy deny
no interface policy deny
Syntax Description
This command has no arguments or keywords.
Command Default
All interfaces
Command Modes
User role configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Examples
This example shows how to enter interface policy configuration mode for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)#
This example shows how to revert to the default interface policy for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no interface policy deny
Related Commands
Command | Description
role name | Creates or specifies a user role and enters user role configuration mode.
show role | Displays user role information.
ip access-class
To create or configure an IPv4 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ip access-class command. To remove the access class, use the no form of this command.
ip access-class access-list-name { in | out }
no ip access-class access-list-name { in | out }
Syntax Description
access-list-name | Name of the IPv4 ACL class. The name can be a maximum of 64 characters. The name can contain letters, numbers, hyphens, and underscores. The name cannot contain a space or quotation mark.
in | Specifies that incoming connections be restricted between a particular Cisco Nexus 3000 Series switch and the addresses in the access list.
out | Specifies that outgoing connections be restricted between a particular Cisco Nexus 3000 Series switch and the addresses in the access list.
Command Modes
Line configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Examples
This example shows how to configure an IP access class on a VTY line to restrict inbound packets:
switch# configure terminal
switch(config)# line vty
switch(config-line)# ip access-class VTY_ACCESS in
This example shows how to remove an IP access class that restricts inbound packets:
switch(config-line)# no ip access-class VTY_ACCESS in
Related Commands
Command | Description
access-class | Configures an access class for VTY.
copy running-config startup-config | Copies the running configuration to the startup configuration file.
show line | Displays the access lists for a particular terminal line.
show running-config aclmgr | Displays the running configuration of ACLs.
show startup-config aclmgr | Displays the startup configuration for ACLs.
ssh | Starts an SSH session using IPv4.
telnet | Starts a Telnet session using IPv4.
ip access-group
To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name { in | out }
no ip access-group access-list-name { in | out }
Syntax Description
access-list-name | Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
in | Specifies that the ACL applies to inbound traffic.
out | Specifies that the ACL applies to outbound traffic.
Command Modes
Interface configuration mode
Subinterface configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
By default, no IPv4 ACLs are applied to a Layer 3 routed interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
- VLAN interfaces
- Layer 3 Ethernet interfaces
- Layer 3 Ethernet subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Loopback interfaces
- Management interfaces
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
- Layer 2 Ethernet interfaces
- Layer 2 Ethernet port-channel interfaces
However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This command does not require a license.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to the Layer 3 Ethernet interface 2/1:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no switchport
switch(config-if)# ip access-group ip-acl-01 in
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no switchport
switch(config-if)# ip access-group ip-acl-01 in
switch(config-if)# no ip access-group ip-acl-01 in
Related Commands
Command | Description
ip access-list | Configures an IPv4 ACL.
show access-lists | Displays all ACLs.
show ip access-lists | Shows either a specific IPv4 ACL or all IPv4 ACLs.
show running-config interface | Shows the running configuration of all interfaces or of a specific interface.
ip access-list
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Syntax Description
access-list-name | Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.
Command Default
No IPv4 ACLs are defined by default.
Command Modes
Global configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
5.0(3)A1(1) | Support was added to configure IP features in a switch profile.
Usage Guidelines
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface.
Every IPv4 ACL has the following implicit rule as its last rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Use the match-local-traffic option for all inbound and outbound traffic to or from the CPU.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch# configure terminal
switch(config)# ip access-list ip-acl-01
This example shows how to enter IP access list configuration mode for an IPv4 ACL named sp-acl in a switch profile:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# ip access-list sp-acl
switch(config-sync-sp-acl)#
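The ordering and implicit-deny rules described in the Usage Guidelines decide what an ACL actually filters, and they are easy to get wrong when rules are inserted out of order. The following Python model is an added example, not NX-OS code: it applies the rules in sequence-number order, numbers an unnumbered rule 10 higher than the preceding one (the first rule gets 10), validates the 1 to 4294967295 sequence range, supports the `any`, `host A.B.C.D` and `A.B.C.D/len` address forms and an exact (`eq`) port on TCP/UDP rules, and falls through to the implicit `deny ip any any` when nothing matches. The ACL name and addresses in the usage are constructed.

```python
"""First-match evaluation of an NX-OS style IPv4 ACL.

Added example, not NX-OS code. Rules are consulted in sequence-number
order, an unnumbered rule gets 10 more than the preceding rule (the first
gets 10), and every ACL ends with the implicit 'deny ip any any'.
Address forms: 'any', 'host A.B.C.D', 'A.B.C.D/len'. Port matching is
limited to an exact ('eq') port on tcp/udp rules.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_SEQ = 4294967295  # sequence-number range given for permit/deny rules


@dataclass
class Rule:
    seq: int
    action: str           # "permit" or "deny"
    protocol: str         # "ip", "tcp", "udp" or "icmp"
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def _addr_matches(spec: str, ip: str) -> bool:
    """True if the rule's address specification covers the given address."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == ipaddress.ip_address(spec[5:])
    return addr in ipaddress.ip_network(spec, strict=False)


@dataclass
class Acl:
    name: str
    rules: List[Rule] = field(default_factory=list)

    def add(self, action, protocol, src, dst, seq=None,
            src_port=None, dst_port=None) -> int:
        """Add a rule; returns the sequence number it was given."""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if (src_port is not None or dst_port is not None) and protocol not in ("tcp", "udp"):
            raise ValueError("port matching is valid only for tcp or udp rules")
        if seq is None:
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence number must be 1..{MAX_SEQ}")
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        self.rules.append(Rule(seq, action, protocol, src, dst, src_port, dst_port))
        self.rules.sort(key=lambda r: r.seq)  # lookup order is sequence order
        return seq

    def resequence(self, start=10, step=10) -> List[int]:
        """Renumber the rules as the resequence command does; returns the new numbers."""
        for i, r in enumerate(self.rules):
            r.seq = start + i * step
        return [r.seq for r in self.rules]

    def evaluate(self, protocol, src, dst, src_port=None,
                 dst_port=None) -> Tuple[str, Optional[int]]:
        """Return (action, seq) of the first matching rule.

        seq is None when only the implicit 'deny ip any any' matched.
        """
        for r in self.rules:
            if r.protocol != "ip" and r.protocol != protocol:
                continue
            if not (_addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
                continue
            if r.src_port is not None and r.src_port != src_port:
                continue
            if r.dst_port is not None and r.dst_port != dst_port:
                continue
            return r.action, r.seq
        return "deny", None


if __name__ == "__main__":
    # Constructed ACL: allow HTTPS from one subnet to one host, block the
    # rest of that subnet, allow everyone else.
    acl = Acl("ip-acl-01")
    acl.add("permit", "tcp", "10.0.0.0/24", "host 192.0.2.10", dst_port=443)
    acl.add("deny", "ip", "10.0.0.0/24", "any")
    acl.add("permit", "ip", "any", "any")
    print(acl.evaluate("tcp", "10.0.0.7", "192.0.2.10", dst_port=80))
```

Inserting a rule with an explicit sequence number between existing ones changes the outcome for every packet that the inserted rule matches, which is exactly what `evaluate()` makes visible before the ACL is applied with `ip access-group` or `ip port access-group`.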
Related Commands
Command | Description
access-class | Applies an IPv4 ACL to a VTY line.
deny (IPv4) | Configures a deny rule in an IPv4 ACL.
ip access-group | Applies an IPv4 ACL to an interface.
permit (IPv4) | Configures a permit rule in an IPv4 ACL.
show ip access-lists | Displays all IPv4 ACLs or a specific IPv4 ACL.
show switch-profile | Displays information about the switch profile and the configuration revision.
switch-profile | Creates and configures a switch profile.
ip dhcp relay information option
To enable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent, use the ip dhcp relay information option command. To globally disable this feature, use the no form of this command.
ip dhcp relay information option
no ip dhcp relay information option
Syntax Description
circuit-id format-type string | Specifies to use the encoded string format instead of the default binary ifindex format for Option 82.
Command Default
By default, Option 82 information insertion and removal is globally disabled.
Command Modes
Global configuration mode
Command History
Release | Modification
6.0(2)A6(2) | This command was introduced.
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command. Use the ip dhcp relay information option command to enable the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.
Use the ip dhcp relay information sub-option circuit-id format-type string <> command to configure Option 82 to use the encoded string format instead of the default binary ifindex format. Use the show ip dhcp relay command to display the DHCP relay configuration.
Examples
This example shows how to globally enable Option 82 insertion and removal, select the encoded string format for the circuit ID, and then verify and save the configuration:
switch# configure terminal
switch(config)# ip dhcp relay information option
switch(config)# ip dhcp relay information sub-option circuit-id format-type string
switch(config)# show ip dhcp relay
switch(config)# show running-config dhcp
switch(config)# copy running-config startup-config
Related Commands
Command | Description
feature dhcp | Enables the DHCP snooping feature on the device.
ip dhcp smart relay | Enables DHCP smart relay globally.
show running-config dhcp | Displays DHCP snooping configuration.
ip dhcp smart relay
To enable DHCP smart relay globally, use the ip dhcp smart relay command. To globally disable this feature, use the no form of this command.
ip dhcp smart relay
no ip dhcp smart relay
Syntax Description
This command has no arguments or keywords.
Command Default
By default, this feature is globally disabled.
Command Modes
Global configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
Examples
This example shows how to globally enable DHCP smart relay:
switch# configure terminal
switch(config)# ip dhcp smart relay
Related Commands
Command | Description
feature dhcp | Enables the DHCP snooping feature on the device.
show ip dhcp relay | Displays IP DHCP smart relay configuration.
show running-config dhcp | Displays DHCP snooping configuration.
ip nat
To configure Network Address Translation (NAT) on an interface, use the ip nat command. To remove the NAT configuration, use the no form of this command.
ip nat {inside | outside} source static {inside-global-ip-address} {outside-global-ip-address} {tcp | udp} localaddr ip-address localport port-number globaladdr global-ip-address globalport global-port-number {add-route}
no ip nat {inside | outside} source static {inside-global-ip-address} {outside-global-ip-address} {tcp | udp} localaddr ip-address localport port-number globaladdr global-ip-address globalport global-port-number {add-route}
Syntax Description
inside | Specifies inside address translation.
outside | Specifies outside address translation.
source | Specifies source address translation.
static | Specifies a static local-to-global address mapping.
inside-global-ip-address | (Optional) Inside global IP address.
outside-global-ip-address | (Optional) Outside global IP address.
tcp | (Optional) Specifies the Transmission Control Protocol (TCP).
udp | (Optional) Specifies the User Datagram Protocol (UDP).
localaddr ip-address | Specifies the local IP address.
localport port-number | Specifies the local port number. The range is from 1 to 65535.
globaladdr global-ip-address | Specifies the global IP address.
globalport global-port-number | Specifies the global port number. The range is from 1 to 65535.
add-route | Adds a static route for the outside local address.
Command Modes
Interface configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
Static NAT supports up to 1000 translations.
Note Only the packets that arrive on a marked interface are subject to translation.
The Cisco Nexus 3548 switch supports the following interfaces:
- Switched virtual interfaces (SVIs)
- Routed ports
- Layer 3 port channels
The Cisco Nexus 3548 switch does not support software translation. All translations are done in the hardware.
The Cisco Nexus 3548 switch does not support application layer translation. Layer 4 and other embedded IP addresses are not translated, including FTP, ICMP failures, IPsec, and HTTPS.
The Cisco Nexus 3548 switch cannot support NAT and VLAN access control lists (VACLs) that are configured on an interface at the same time.
Egress ACLs are applied to the original packets, not the NAT translated packets.
The Cisco Nexus 3548 switch supports only default virtual routing and forwarding (VRF).
Examples
This example shows how to configure NAT on an interface:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# ip nat outside source static 10.1.1.1 10.10.10.1 add-route
This example shows how to remove the NAT configuration from an interface:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# no ip nat outside source static 10.1.1.1 10.10.10.1 add-route
Related Commands
Command | Description
show ip nat translations | Displays the active NAT translations.
ip port access-group
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Syntax Description
access-list-name | Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long.
in | Specifies that the ACL applies to inbound traffic.
Command Modes
Interface configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
- Layer 2 Ethernet interfaces
- Layer 2 EtherChannel interfaces
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip port access-group ip-acl-01 in
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# no ip port access-group ip-acl-01 in
Related Commands
Command | Description
ip access-list | Configures an IPv4 ACL.
show access-lists | Displays all ACLs.
show ip access-lists | Shows either a specific IPv4 ACL or all IPv4 ACLs.
show running-config interface | Shows the running configuration of all interfaces or of a specific interface.
mac access-list
To create a MAC access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.
mac access-list access-list-name
no mac access-list access-list-name
Syntax Description
access-list-name | Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long but cannot contain a space or a quotation mark.
Command Modes
Global configuration
Command History
Release | Modification
6.0(2)A4(1) | This command was introduced.
Usage Guidelines
No MAC ACLs are defined by default.
Use MAC ACLs to filter non-IP traffic. If you disable packet classification, you can use MAC ACLs to filter all traffic.
When you use the mac access-list command, the device enters MAC access list configuration mode, where you can use the MAC deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the mac port access-group command to apply the ACL to an interface.
Every MAC ACL has the following implicit rule as its last rule:
deny any any protocol
This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
Use the statistics per-entry command to configure the device to record statistics for each rule in a MAC ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit rule, you must explicitly configure a rule to deny the packets.
This command does not require a license.
Examples
This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
switch# configure terminal
switch(config)# mac access-list mac-acl-01
Related Commands
Command | Description
deny (MAC) | Configures a deny rule in a MAC ACL.
mac port access-group | Applies a MAC ACL to an interface.
permit (MAC) | Configures a permit rule in a MAC ACL.
show mac access-lists | Displays all MAC ACLs or a specific MAC ACL.
statistics per-entry | Enables collection of statistics for each entry in an ACL.
mac packet-classify
To enable MAC packet classification on a VLAN interface, use the mac packet-classify command. To disable MAC packet classification, use the no form of this command.
mac packet-classify
no mac packet-classify
Syntax Description
This command has no arguments or keywords.
Command Modes
Interface configuration
Command History
Release | Modification
6.0(2)A4(1) | This command was introduced.
Usage Guidelines
This command does not require a license.
MAC packet classification can be enabled only per VLAN interface.
MAC packet classification allows you to control whether a MAC ACL that is on a VLAN interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.
When MAC packet classification is enabled on a VLAN interface, a MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic.
When MAC packet classification is disabled on a VLAN interface, a MAC ACL that is on the interface applies only to non-IP traffic entering the interface.
Examples
This example shows how to enable MAC packet classification on a per VLAN basis:
switch# configure terminal
switch(config)# feature interface-vlan
switch(config)# interface vlan 50
switch(config-if)# mac packet-classify
switch(config-if)# show running-config interface vlan 50
!Command: show running-config interface Vlan50
!Time: Wed Aug 6 20:39:03 2014
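The practical consequence of the Usage Guidelines is that the same MAC ACL on a VLAN interface filters a different set of frames depending on whether mac packet-classify is on. The following Python model is an added example, not NX-OS code: it evaluates a MAC ACL first-match with the implicit deny at the end, and gates IPv4 frames on the classification setting as this command's description states (IP traffic bypasses the MAC ACL when classification is disabled and goes through it when enabled). Rules take `any` or a single MAC address for source and destination (address masks are left out of this simplification) plus an optional EtherType; the MAC addresses and the rule set are constructed.

```python
"""Which frames a MAC ACL on a VLAN interface is consulted for, with and
without 'mac packet-classify'.

Added example, not NX-OS code. The MAC ACL is evaluated first-match and
ends with the implicit 'deny any any protocol'. Rules here take 'any' or a
single MAC address for source and destination (address masks are left out
of this simplification) and an optional EtherType to match.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ETHERTYPE_IPV4 = 0x0800   # IPv4 is the IP traffic considered here
ETHERTYPE_ARP = 0x0806


@dataclass
class MacRule:
    action: str                       # "permit" or "deny"
    src: str                          # "any" or a MAC such as "00:11:22:33:44:55"
    dst: str
    ethertype: Optional[int] = None   # None: any protocol in the Layer 2 header


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int


def _mac_matches(spec: str, mac: str) -> bool:
    return spec == "any" or spec.lower() == mac.lower()


def evaluate_mac_acl(rules: List[MacRule], frame: Frame) -> Tuple[str, Optional[int]]:
    """First matching rule's action and index; ('deny', None) for the implicit rule."""
    for i, r in enumerate(rules):
        if not (_mac_matches(r.src, frame.src) and _mac_matches(r.dst, frame.dst)):
            continue
        if r.ethertype is not None and r.ethertype != frame.ethertype:
            continue
        return r.action, i
    return "deny", None   # implicit 'deny any any protocol'


def vlan_interface_decision(rules: List[MacRule], frame: Frame,
                            packet_classify: bool) -> Tuple[str, str]:
    """Forward or drop a frame entering a VLAN interface that carries a MAC ACL.

    With 'mac packet-classify' disabled the MAC ACL applies only to non-IP
    traffic, so IPv4 frames are never checked against it; with it enabled
    every frame, IP included, goes through the ACL.
    """
    if frame.ethertype == ETHERTYPE_IPV4 and not packet_classify:
        return "forward", "IP traffic is not classified by the MAC ACL"
    action, idx = evaluate_mac_acl(rules, frame)
    matched = "implicit deny any any protocol" if idx is None else f"rule {idx}"
    return ("forward" if action == "permit" else "drop"), matched


if __name__ == "__main__":
    # Constructed ACL: only ARP from one station is permitted.
    rules = [MacRule("permit", "00:11:22:33:44:55", "any", ETHERTYPE_ARP)]
    ip_frame = Frame("00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", ETHERTYPE_IPV4)
    for classify in (False, True):
        print(classify, vlan_interface_decision(rules, ip_frame, classify))
```

The last loop shows the effect that surprises operators: turning on mac packet-classify under an ACL that was written for non-IP traffic starts dropping the VLAN's IPv4 traffic through the implicit deny, so the ACL needs an explicit permit for IP (EtherType 0x0800) before classification is enabled.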
Related Commands
Command | Description
ip port access-group | Applies an IPv4 ACL to an interface as a port ACL.
mac port access-group
To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.
mac port access-group access-list-name
no mac port access-group access-list-name
Syntax Description
access-list-name | Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long.
Command Modes
Interface configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
By default, no MAC ACLs are applied to an interface.
MAC ACLs apply to non-IP traffic.
You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:
- Layer 2 interfaces
- Layer 2 EtherChannel interfaces
You can also apply a MAC ACL as a VLAN ACL. For more information, see the match command.
The switch applies MAC ACLs only to inbound traffic. When the switch applies a MAC ACL, the switch checks packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# mac port access-group mac-acl-01
This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 1/2:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# no mac port access-group mac-acl-01
Related Commands
Command | Description
mac access-list | Configures a MAC ACL.
show access-lists | Displays all ACLs.
show mac access-lists | Shows either a specific MAC ACL or all MAC ACLs.
show running-config interface | Shows the running configuration of all interfaces or of a specific interface.
match
To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.
match { ip | mac } address access-list-name
no match { ip | mac } address access-list-name
Syntax Description
ip | Specifies an IPv4 ACL.
mac | Specifies a MAC ACL.
address access-list-name | Specifies the name of the IPv4 or MAC ACL to match. The name can be up to 64 alphanumeric, case-sensitive characters.
Command Default
By default, the switch classifies traffic and applies IPv4 ACLs to IPv4 traffic and MAC ACLs to all other traffic.
Command Modes
VLAN access-map configuration mode
Command History
Release | Modification
5.0(3)A1(1) | This command was introduced.
Usage Guidelines
You can specify only one match command per access map.
Examples
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch# configure terminal
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics
switch(config-access-map)#
This example shows how to create a VLAN access map named vlan-map-03 in a switch profile, and assign an IPv4 ACL named ip-acl-03 to the map:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# vlan access-map vlan-map-03
switch(config-sync-sp-access-map)# match ip address ip-acl-03
switch(config-sync-sp-access-map)#
Related Commands
Command | Description
action | Specifies an action for traffic filtering in a VLAN access map.
show vlan access-map | Displays all VLAN access maps or a VLAN access map.
show vlan filter | Displays information about how a VLAN access map is applied.
vlan access-map | Configures a VLAN access map.
vlan filter | Applies a VLAN access map to one or more VLANs.
show running-config switch-profile | Displays the running configuration for a switch profile.
match access-group
To identify a specified access control list (ACL) group as a match criteria for a class map, use the match access-group command. To remove an ACL match criteria from a class map, use the no form of this command.
match access-group name acl-name
no match access-group name acl-name
Syntax Description
name acl-name | Matches on the characteristics in the ACL name specified.
Command Modes
Class-map type qos configuration
Command History
Release | Modification
6.0(2)A1(1) | This command was introduced.
Usage Guidelines
Note The permit and deny ACL keywords do not affect the matching of packets.
Examples
This example shows how to create a qos class map that matches characteristics of the ACL my_acl:
switch(config)# class-map class_acl
switch(config-cmap-qos)# match access-group name my_acl
Related Commands
Command | Description
show class-map | Displays class maps.
permit (IPv4)
To create an IPv4 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
General Syntax
[ sequence-number ] permit protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
no permit protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
no sequence-number
Internet Control Message Protocol
[ sequence-number ] permit icmp source destination [ icmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Internet Group Management Protocol
[ sequence-number ] permit igmp source destination [ igmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Internet Protocol v4
[ sequence-number ] permit ip source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Transmission Control Protocol
[ sequence-number ] permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ] [ flags ] [ established ]
User Datagram Protocol
[ sequence-number ] permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
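Configuration generators and review scripts benefit from checking a rule against these syntax forms before it is sent to the switch, since the CLI rejects a malformed rule only at apply time. The following Python builder is an added example, not NX-OS code: it renders a permit rule in the order the syntax lines give and enforces the constraints they and the Syntax Description state: sequence numbers from 1 to 4294967295, a protocol keyword from the list or a number from 0 to 255, port operators only with tcp and udp, a second port required for and only for `range`, dscp and precedence mutually exclusive, `fragments` not combinable with Layer 4 port matching, and `established` tcp-only. The operator keyword set eq/neq/lt/gt/range is assumed here as the standard one; the addresses in the tests are constructed.

```python
"""Build and sanity-check an IPv4 ACL permit rule against the general syntax.

Added example, not NX-OS code. The operator keyword set eq/neq/lt/gt/range
is assumed to be the standard one.
"""
from typing import Optional, Union

PROTOCOLS = {"ahp", "eigrp", "esp", "icmp", "igmp", "ip", "nos",
             "ospf", "pcp", "pim", "tcp", "udp"}
OPERATORS = {"eq", "neq", "lt", "gt", "range"}   # assumed standard operator set
DSCP_KEYWORDS = {"af11", "af12", "af13", "af21", "af22", "af23", "af31", "af32",
                 "af33", "af41", "af42", "af43", "cs1", "cs2", "cs3", "cs4",
                 "cs5", "cs6", "cs7", "default", "ef"}
PRECEDENCE_KEYWORDS = {"critical", "flash", "flash-override", "immediate",
                       "internet", "network", "priority", "routine"}

Port = Union[int, str]   # a port number or a TCP/UDP port name


def _check_port(port: Port) -> str:
    if isinstance(port, int) and not 0 <= port <= 65535:
        raise ValueError(f"port {port} outside 0..65535")
    return str(port)


def _port_clause(operator: Optional[str], port: Optional[Port],
                 port2: Optional[Port]) -> str:
    """Render '[operator port [port]]' for one side of the rule."""
    if operator is None:
        if port is not None or port2 is not None:
            raise ValueError("port given without an operator")
        return ""
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if port is None:
        raise ValueError(f"operator {operator} needs a port")
    if operator == "range":
        if port2 is None:
            raise ValueError("range needs a second port")
        return f" range {_check_port(port)} {_check_port(port2)}"
    if port2 is not None:
        raise ValueError("a second port is valid only with range")
    return f" {operator} {_check_port(port)}"


def permit_rule(protocol, source, destination, *, seq=None,
                src_op=None, src_port=None, src_port2=None,
                dst_op=None, dst_port=None, dst_port2=None,
                dscp=None, precedence=None, fragments=False,
                time_range=None, established=False) -> str:
    """Return the CLI text of the rule; raise ValueError if it is not well formed."""
    if isinstance(protocol, int):
        if not 0 <= protocol <= 255:
            raise ValueError("protocol number must be 0..255")
    elif protocol not in PROTOCOLS:
        raise ValueError(f"unknown protocol {protocol!r}")
    parts = []
    if seq is not None:
        if not 1 <= seq <= 4294967295:
            raise ValueError("sequence number must be 1..4294967295")
        parts.append(str(seq))
    src_clause = _port_clause(src_op, src_port, src_port2)
    dst_clause = _port_clause(dst_op, dst_port, dst_port2)
    if (src_clause or dst_clause) and protocol not in ("tcp", "udp"):
        raise ValueError("port matching is valid only for tcp and udp")
    parts += ["permit", str(protocol), source + src_clause, destination + dst_clause]
    if dscp is not None and precedence is not None:
        raise ValueError("dscp and precedence are mutually exclusive")
    if dscp is not None:
        if not ((isinstance(dscp, int) and 0 <= dscp <= 63) or dscp in DSCP_KEYWORDS):
            raise ValueError(f"bad dscp {dscp!r}")
        parts += ["dscp", str(dscp)]
    if precedence is not None:
        if not ((isinstance(precedence, int) and 0 <= precedence <= 7)
                or precedence in PRECEDENCE_KEYWORDS):
            raise ValueError(f"bad precedence {precedence!r}")
        parts += ["precedence", str(precedence)]
    if fragments:
        if src_clause or dst_clause:
            raise ValueError("fragments cannot be combined with Layer 4 port matching")
        parts.append("fragments")
    if time_range:
        parts += ["time-range", time_range]
    if established:
        if protocol != "tcp":
            raise ValueError("established is valid only for tcp")
        parts.append("established")
    return " ".join(parts)


def rule_error(**kwargs) -> Optional[str]:
    """The validation message for a rule, or None when it is well formed."""
    try:
        permit_rule(**kwargs)
    except ValueError as e:
        return str(e)
    return None
```

`rule_error()` is the form a pre-commit check wants: it returns the reason a rule would be refused, so a batch of generated rules can be reported on without sending any of them to the switch.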
Syntax Description
sequence-number |
(Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
protocol |
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
- ahp —Specifies that the rule applies to authentication header protocol (AHP) traffic only.
- eigrp —Specifies that the rule applies to Enhanced Interior Gateway Routing Protocol (EIGRP) traffic only.
- esp —Specifies that the rule applies to IP Encapsulation Security Payload (ESP) traffic only.
- icmp —Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- igmp —Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- ip —Specifies that the rule applies to all IPv4 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv4 protocols are available. They include the following:
  – dscp
  – fragments
  – log
  – precedence
  – time-range
- nos —Specifies that the rule applies to IP over IP encapsulation (KA9Q/NOS compatible) traffic only.
- ospf —Specifies that the rule applies to Open Shortest Path First (OSPF) routing protocol traffic only.
- pcp —Specifies that the rule applies to IP Payload Compression Protocol (IPComp) traffic only.
- pim —Specifies that the rule applies to IPv4 Protocol Independent Multicast (PIM) traffic only.
- tcp —Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.
- udp —Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.
|
source |
Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
dscp dscp |
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
- 0–63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.
- af11 —Assured Forwarding (AF) class 1, low drop probability (001010)
- af12 —AF class 1, medium drop probability (001100)
- af13 —AF class 1, high drop probability (001110)
- af21 —AF class 2, low drop probability (010010)
- af22 —AF class 2, medium drop probability (010100)
- af23 —AF class 2, high drop probability (010110)
- af31 —AF class 3, low drop probability (011010)
- af32 —AF class 3, medium drop probability (011100)
- af33 —AF class 3, high drop probability (011110)
- af41 —AF class 4, low drop probability (100010)
- af42 —AF class 4, medium drop probability (100100)
- af43 —AF class 4, high drop probability (100110)
- cs1 —Class-selector (CS) 1, precedence 1 (001000)
- cs2 —CS2, precedence 2 (010000)
- cs3 —CS3, precedence 3 (011000)
- cs4 —CS4, precedence 4 (100000)
- cs5 —CS5, precedence 5 (101000)
- cs6 —CS6, precedence 6 (110000)
- cs7 —CS7, precedence 7 (111000)
- default —Default DSCP value (000000)
- ef —Expedited Forwarding (101110)
|
precedence precedence |
(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword as follows:
- 0–7—Decimal equivalent of the 3 bits of the IP Precedence field. For example, if you specify 3, the rule matches only packets that have the following bits in the DSCP field: 011.
- critical —Precedence 5 (101)
- flash —Precedence 3 (011)
- flash-override —Precedence 4 (100)
- immediate —Precedence 2 (010)
- internet —Precedence 6 (110)
- network —Precedence 7 (111)
- priority —Precedence 1 (001)
- routine —Precedence 0 (000)
|
fragments |
(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments. |
time-range time-range-name |
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. |
icmp-message |
(Optional; ICMP only) Rule that matches only packets of the specified ICMP message type. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section. |
igmp-message |
(Optional; IGMP only) Rule that matches only packets of the specified IGMP message type. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:
- dvmrp —Distance Vector Multicast Routing Protocol
- host-query —Host query
- host-report —Host report
- pim —Protocol Independent Multicast
- trace —Multicast trace
|
operator port [ port ] |
(Optional; TCP and UDP only) Rule that matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
- eq —Matches only if the port in the packet is equal to the port argument.
- gt —Matches only if the port in the packet is greater than the port argument.
- lt —Matches only if the port in the packet is less than the port argument.
- neq —Matches only if the port in the packet is not equal to the port argument.
- range —Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.
|
portgroup portgroup |
(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects. |
flags |
(Optional; TCP only) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
|
established |
(Optional; TCP only) Specifies that the rule matches only packets that belong to an established TCP connection. The switch considers TCP packets with the ACK or RST bits set to belong to an established connection. |
Command Default
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
IPv4 ACL configuration mode
IPv4 ACL in
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address network-wildcard
This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
switch(config-acl)# permit tcp 192.168.67.0 0.0.0.255 any
- Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
switch(config-acl)# permit udp 192.168.67.0/24 any
- Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
This syntax is equivalent to IPv4-address /32 and IPv4-address 0.0.0.0.
This example shows how to specify the source argument with the host keyword and the 192.168.0.132 IPv4 address:
switch(config-acl)# permit icmp host 192.168.0.132 any
- Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
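The address forms, port operators and lowest-sequence-number-wins evaluation described above, as an added example (not Cisco's code): a small Python model of an IPv4 ACL. It assumes packets are plain dicts (proto, src, dst, sport, dport, flags) and uses only a subset of the port names from the Usage Guidelines.

```python
"""Added example, not Cisco's code: a small model of how an NX-OS IPv4 ACL evaluates
a packet, using the address, port-operator and sequence-number rules described above."""
import ipaddress
from collections import namedtuple

# Subset of the TCP/UDP port names listed in the Usage Guidelines.
PORT_NAMES = {"bgp": 179, "domain": 53, "ftp": 21, "ftp-data": 20, "smtp": 25,
              "www": 80, "telnet": 23, "ntp": 123, "snmp": 161, "syslog": 514}
OPERATORS = ("eq", "gt", "lt", "neq", "range")

# Base address plus wildcard; a set wildcard bit means "do not care".
AddrSpec = namedtuple("AddrSpec", "addr wild")
Rule = namedtuple("Rule", "action proto src sport dst dport established")


def addr_matches(spec: AddrSpec, ip: str) -> bool:
    return ((int(ipaddress.ip_address(ip)) ^ spec.addr) & ~spec.wild & 0xFFFFFFFF) == 0


def parse_address(tokens, i):
    """Consume one source/destination spec starting at tokens[i].
    'host X', 'X/32' and 'X 0.0.0.0' all produce the same AddrSpec."""
    tok = tokens[i]
    if tok == "any":
        return AddrSpec(0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return AddrSpec(int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    if "/" in tok:  # address and VLSM prefix length
        net = ipaddress.ip_network(tok, strict=False)
        return AddrSpec(int(net.network_address), int(net.hostmask)), i + 1
    # address followed by a network wildcard (which need not be contiguous)
    return AddrSpec(int(ipaddress.ip_address(tok)), int(ipaddress.ip_address(tokens[i + 1]))), i + 2


def parse_port(tokens, i):
    """Consume an optional 'operator port [port]' clause following an address."""
    if i >= len(tokens) or tokens[i] not in OPERATORS:
        return None, i
    op = tokens[i]
    lo = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
    if op == "range":  # only range takes a second port argument
        hi = PORT_NAMES.get(tokens[i + 2]) or int(tokens[i + 2])
        return (op, lo, hi), i + 3
    return (op, lo, lo), i + 2


def port_ok(cond, port) -> bool:
    if cond is None:
        return True
    op, lo, hi = cond
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo,
            "neq": port != lo, "range": lo <= port <= hi}[op]


def rule_matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    # 'established': the switch treats ACK or RST set as an existing connection
    if rule.established and not (pkt.get("flags", set()) & {"ack", "rst"}):
        return False
    return (addr_matches(rule.src, pkt["src"]) and port_ok(rule.sport, pkt.get("sport"))
            and addr_matches(rule.dst, pkt["dst"]) and port_ok(rule.dport, pkt.get("dport")))


class IPv4ACL:
    def __init__(self):
        self.rules = []  # (sequence_number, Rule), kept sorted by sequence number

    def add(self, line: str) -> int:
        """Add '[seq] permit|deny proto src [op port] dst [op port] [established]'."""
        t = line.split()
        if t[0].isdigit():
            seq = int(t.pop(0))
        else:  # no sequence given: 10 more than the last rule, 10 for the first
            seq = self.rules[-1][0] + 10 if self.rules else 10
        src, i = parse_address(t, 2)
        sport, i = parse_port(t, i)
        dst, i = parse_address(t, i)
        dport, i = parse_port(t, i)
        self.rules.append((seq, Rule(t[0], t[1], src, sport, dst, dport, "established" in t[i:])))
        self.rules.sort(key=lambda r: r[0])
        return seq

    def evaluate(self, pkt: dict):
        """Return (action, sequence) of the lowest-numbered matching rule, or
        ('deny', None) for the implicit deny that ends every ACL."""
        for seq, rule in self.rules:
            if rule_matches(rule, pkt):
                return rule.action, seq
        return "deny", None
```

A rule inserted with an explicit lower sequence number is evaluated before rules added earlier, which is why resequencing matters when a permit must not shadow a later deny.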
ICMP Message Types
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
- administratively-prohibited —Administratively prohibited
- alternate-address —Alternate address
- conversion-error —Datagram conversion
- dod-host-prohibited —Host prohibited
- dod-net-prohibited —Net prohibited
- echo —Echo (ping)
- echo-reply —Echo reply
- general-parameter-problem —Parameter problem
- host-isolated —Host isolated
- host-precedence-unreachable —Host unreachable for precedence
- host-redirect —Host redirect
- host-tos-redirect —Host redirect for ToS
- host-tos-unreachable —Host unreachable for ToS
- host-unknown —Host unknown
- host-unreachable —Host unreachable
- information-reply —Information replies
- information-request —Information requests
- mask-reply —Mask replies
- mask-request —Mask requests
- mobile-redirect —Mobile host redirect
- net-redirect —Network redirect
- net-tos-redirect —Net redirect for ToS
- net-tos-unreachable —Network unreachable for ToS
- net-unreachable —Net unreachable
- network-unknown —Network unknown
- no-room-for-option —Parameter required but no room
- option-missing —Parameter required but not present
- packet-too-big —Fragmentation needed and DF set
- parameter-problem —All parameter problems
- port-unreachable —Port unreachable
- precedence-unreachable —Precedence cutoff
- protocol-unreachable —Protocol unreachable
- reassembly-timeout —Reassembly timeout
- redirect —All redirects
- router-advertisement —Router discovery advertisements
- router-solicitation —Router discovery solicitations
- source-quench —Source quenches
- source-route-failed —Source route failed
- time-exceeded —All time-exceeded messages
- timestamp-reply —Time-stamp replies
- timestamp-request —Time-stamp requests
- traceroute —Traceroute
- ttl-exceeded —TTL exceeded
- unreachable —All unreachables
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- bgp —Border Gateway Protocol (179)
- chargen —Character generator (19)
- cmd —Remote commands (rcmd, 514)
- daytime —Daytime (13)
- discard —Discard (9)
- domain —Domain Name Service (53)
- drip —Dynamic Routing Information Protocol (3949)
- echo —Echo (7)
- exec —EXEC (rsh, 512)
- finger —Finger (79)
- ftp —File Transfer Protocol (21)
- ftp-data —FTP data connections (20)
- gopher —Gopher (70)
- hostname —NIC hostname server (101)
- ident —Ident Protocol (113)
- irc —Internet Relay Chat (194)
- klogin —Kerberos login (543)
- kshell —Kerberos shell (544)
- login —Login (rlogin, 513)
- lpd —Printer service (515)
- nntp —Network News Transport Protocol (119)
- pim-auto-rp —PIM Auto-RP (496)
- pop2 —Post Office Protocol v2 (109)
- pop3 —Post Office Protocol v3 (110)
- smtp —Simple Mail Transport Protocol (25)
- sunrpc —Sun Remote Procedure Call (111)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- telnet —Telnet (23)
- time —Time (37)
- uucp —Unix-to-Unix Copy Program (540)
- whois —WHOIS/NICNAME (43)
- www —World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- biff —Biff (mail notification, comsat, 512)
- bootpc —Bootstrap Protocol (BOOTP) client (68)
- bootps —Bootstrap Protocol (BOOTP) server (67)
- discard —Discard (9)
- dnsix —DNSIX security protocol auditing (195)
- domain —Domain Name Service (DNS, 53)
- echo —Echo (7)
- isakmp —Internet Security Association and Key Management Protocol (500)
- mobile-ip —Mobile IP registration (434)
- nameserver —IEN116 name service (obsolete, 42)
- netbios-dgm —NetBIOS datagram service (138)
- netbios-ns —NetBIOS name service (137)
- netbios-ss —NetBIOS session service (139)
- non500-isakmp —Internet Security Association and Key Management Protocol (4500)
- ntp —Network Time Protocol (123)
- pim-auto-rp —PIM Auto-RP (496)
- rip —Routing Information Protocol (router, in.routed, 520)
- snmp —Simple Network Management Protocol (161)
- snmptrap —SNMP Traps (162)
- sunrpc —Sun Remote Procedure Call (111)
- syslog —System Logger (514)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- tftp —Trivial File Transfer Protocol (69)
- time —Time (37)
- who —Who service (rwho, 513)
- xdmcp —X Display Manager Control Protocol (177)
Examples
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
switch# configure terminal
switch(config)# ip access-list acl-lab-01
switch(config-acl)# permit ip any host 10.176.0.0/16
switch(config-acl)# permit tcp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# permit udp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# permit tcp 192.168.37.0/16 10.176.0.0/16
switch(config-acl)# permit udp 192.168.37.0/16 10.176.0.0/16
This example shows how to configure an IPv4 ACL named sp-acl in a switch profile with rules that permit all AHP and OSPF traffic from the 10.20.0.0 and 192.168.36.0 networks to the 10.172.0.0 network:
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# ip access-list sp-acl
switch(config-sync-sp-acl)# permit ahp 10.20.0.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# permit ospf 10.20.0.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# permit ahp 192.168.36.0/16 10.172.0.0/16
switch(config-sync-sp-acl)# permit ospf 192.168.36.0/16 10.172.0.0/16
switch(config-sync-sp-acl)#
Related Commands
|
|
deny (IPv4) |
Configures a deny rule in an IPv4 ACL. |
ip access-list |
Configures an IPv4 ACL. |
remark |
Configures a remark in an ACL. |
show ip access-lists |
Displays all IPv4 ACLs or one IPv4 ACL. |
show switch-profile |
Displays information about the switch profile and the configuration revision. |
switch-profile |
Creates and configures a switch profile. |
permit (MAC)
To create a MAC ACL rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
no permit source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
no sequence-number
Syntax Description
sequence-number |
(Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
source |
Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
protocol |
(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see “MAC Protocols” in the “Usage Guidelines” section. |
cos cos-value |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. |
vlan VLAN-ID |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the VLAN ID given. The VLAN-ID argument can be an integer from 1 to 4094. |
Command Modes
MAC ACL configuration
Command History
|
|
6.0(2)A4(1) |
This command was introduced. |
Usage Guidelines
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns a sequence number that is 10 greater than the last rule in the ACL.
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
Source and Destination
You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
switch(config-acl)# permit 00c0.4f03.0a72 0000.0000.0000 any
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
switch(config-acl)# permit any 0060.3e00.0000 0000.00ff.ffff
- Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.
MAC Protocols
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
- aarp —Appletalk ARP (0x80f3)
- appletalk —Appletalk (0x809b)
- decnet-iv —DECnet Phase IV (0x6003)
- diagnostic —DEC Diagnostic Protocol (0x6005)
- etype-6000 —Ethertype 0x6000 (0x6000)
- etype-8042 —Ethertype 0x8042 (0x8042)
- ip —Internet Protocol v4 (0x0800)
- lat —DEC LAT (0x6004)
- lavc-sca —DEC LAVC, SCA (0x6007)
- mop-console —DEC MOP Remote console (0x6002)
- mop-dump —DEC MOP dump (0x6001)
- vines-echo —VINES Echo (0x0baf)
Examples
This example shows how to configure a MAC ACL named mac-filter with a rule that permits traffic between two groups of MAC addresses:
switch# configure terminal
switch(config)# mac access-list mac-filter
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff
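The address-and-mask matching, MAC protocol keywords and cos/vlan conditions described above, as an added example (not Cisco's code): a Python model of MAC ACL rule matching. It assumes frames are plain dicts (src, dst, ethertype, optional cos and vlan) and rules are given as (sequence, rule) pairs.

```python
"""Added example, not Cisco's code: how a MAC ACL rule's address-and-mask pairs,
protocol, cos and vlan conditions select a frame, per the syntax described above."""
from collections import namedtuple

# MAC protocol keywords from the Usage Guidelines, mapped to their EtherType.
MAC_PROTOCOLS = {"aarp": 0x80F3, "appletalk": 0x809B, "decnet-iv": 0x6003,
                 "diagnostic": 0x6005, "etype-6000": 0x6000, "etype-8042": 0x8042,
                 "ip": 0x0800, "lat": 0x6004, "lavc-sca": 0x6007, "mop-console": 0x6002,
                 "mop-dump": 0x6001, "vines-echo": 0x0BAF}

MacRule = namedtuple("MacRule", "action src smask dst dmask protocol cos vlan")


def mac_to_int(mac: str) -> int:
    """'00c0.4f03.0a72' -> 0x00c04f030a72."""
    return int(mac.replace(".", ""), 16)


def mac_matches(addr: int, mask: int, frame_mac: str) -> bool:
    """A set mask bit is 'do not care': 0000.0000.0000 matches exactly one
    address, 0000.00ff.ffff matches every address with the same vendor code."""
    return ((mac_to_int(frame_mac) ^ addr) & ~mask & 0xFFFFFFFFFFFF) == 0


def parse_address(tokens, i):
    """Consume 'any' or 'MAC mask' starting at tokens[i]; returns (addr, mask, next)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFFFFFF, i + 1
    return mac_to_int(tokens[i]), mac_to_int(tokens[i + 1]), i + 2


def parse_rule(line: str) -> MacRule:
    """Parse 'permit|deny source destination [protocol] [cos n] [vlan n]'."""
    t = line.split()
    src, smask, i = parse_address(t, 1)
    dst, dmask, i = parse_address(t, i)
    protocol = cos = vlan = None
    while i < len(t):
        if t[i] == "cos":
            cos, i = int(t[i + 1]), i + 2
        elif t[i] == "vlan":
            vlan, i = int(t[i + 1]), i + 2
        else:  # protocol keyword or 0x-prefixed EtherType number
            protocol = MAC_PROTOCOLS.get(t[i])
            if protocol is None:
                protocol = int(t[i], 16)
            i += 1
    return MacRule(t[0], src, smask, dst, dmask, protocol, cos, vlan)


def rule_matches(rule: MacRule, frame: dict) -> bool:
    """frame: {'src', 'dst', 'ethertype', optional 'cos', optional 'vlan'}.
    cos and vlan conditions can only match frames carrying an 802.1Q header."""
    if rule.protocol is not None and frame["ethertype"] != rule.protocol:
        return False
    if rule.cos is not None and frame.get("cos") != rule.cos:
        return False
    if rule.vlan is not None and frame.get("vlan") != rule.vlan:
        return False
    return (mac_matches(rule.src, rule.smask, frame["src"])
            and mac_matches(rule.dst, rule.dmask, frame["dst"]))


def evaluate(rules, frame: dict):
    """rules: (sequence, MacRule) pairs in sequence order; first match wins,
    with the implicit deny at the end of the ACL."""
    for seq, rule in rules:
        if rule_matches(rule, frame):
            return rule.action, seq
    return "deny", None
```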
Related Commands
|
|
deny (MAC) |
Configures a deny rule in a MAC ACL. |
mac access-list |
Configures a MAC ACL. |
remark |
Configures a remark in an ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
show mac access-list |
Displays all MAC ACLs or one MAC ACL. |
permit interface
To add interfaces for a user role interface policy, use the permit interface command. To remove interfaces, use the no form of this command.
permit interface interface-list
no permit interface
Syntax Description
interface-list |
List of interfaces that the user role has permission to access. |
Command Default
All interfaces
Command Modes
Interface policy configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
For permit interface statements to work, you need to configure a command rule to allow interface access, as shown in the following example:
switch(config-role)# rule number permit command configure terminal ; interface *
Examples
This example shows how to configure a range of interfaces for a user role interface policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# permit interface ethernet 1/2 - 8
switch(config-role-interface)#
This example shows how to configure a list of interfaces for a user role interface policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# permit interface ethernet 1/1, ethernet 1/3, ethernet 1/5
switch(config-role-interface)#
This example shows how to remove an interface from a user role interface policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# no permit interface ethernet 1/2
switch(config-role-interface)#
Related Commands
|
|
interface policy deny |
Enters interface policy configuration mode for a user role. |
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
permit vlan
To add VLANs for a user role VLAN policy, use the permit vlan command. To remove VLANs, use the no form of this command.
permit vlan vlan-list
no permit vlan
Syntax Description
vlan-list |
List of VLANs that the user role has permission to access. |
Command Default
All VLANs
Command Modes
VLAN policy configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
For permit vlan statements to work, you need to configure a command rule to allow VLAN access, as shown in the following example:
switch(config-role)# rule number permit command configure terminal ; vlan *
Examples
This example shows how to configure a range of VLANs for a user role VLAN policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# permit vlan 1-8
switch(config-role-vlan)#
This example shows how to configure a list of VLANs for a user role VLAN policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# permit vlan 1, 10, 12, 20
switch(config-role-vlan)#
This example shows how to remove a VLAN from a user role VLAN policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# no permit vlan 2
switch(config-role-vlan)#
Related Commands
|
|
vlan policy deny |
Enters VLAN policy configuration mode for a user role. |
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
permit vrf
To add virtual routing and forwarding instances (VRFs) for a user role VRF policy, use the permit vrf command. To remove VRFs, use the no form of this command.
permit vrf vrf-list
no permit vrf
Syntax Description
vrf-list |
List of VRFs that the user role has permission to access. |
Command Modes
VRF policy configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to configure a range of VRFs for a user role VRF policy:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)# permit vrf management
Related Commands
|
|
vrf policy deny |
Enters VRF policy configuration mode for a user role. |
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
permit vsan
To permit access to a VSAN policy for a user role, use the permit vsan command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
permit vsan vsan-list
no permit vsan vsan-list
Syntax Description
vsan-list |
Range of VSANs accessible to a user role. The range is from 1 to 4093. You can separate the range using the following separators:
- , is a multirange separator; for example, 1-5, 10, 12, 100-201.
- - is a range separator; for example, 101-201.
|
Command Modes
User role configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
This command is enabled only after you deny a VSAN policy by using the vsan policy deny command.
Examples
This example shows how to permit access to a VSAN policy for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vsan policy deny
switch(config-role-vsan)# permit vsan 10, 12, 100-104
switch(config-role-vsan)#
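The permit interface, permit vlan and permit vsan policies above share one model: everything is accessible until the policy is set to deny, after which only permitted objects are. Added example (not Cisco's code) of that model, including the range and list syntaxes used in the examples; the object names it produces (for example ethernet1/2) are this example's own convention.

```python
"""Added example, not Cisco's code: a model of the user-role interface, VLAN and
VSAN policies above. With the default policy every object is accessible; after
'<type> policy deny' only objects added with 'permit <type> ...' are."""
import re


def expand_numbers(spec: str) -> set:
    """'1-5, 10, 12, 100-201' -> {1..5, 10, 12, 100..201} (VLAN and VSAN lists)."""
    result = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        result.update(range(int(lo), int(hi or lo) + 1))
    return result


def expand_interfaces(spec: str) -> set:
    """'ethernet 1/2 - 8' -> {'ethernet1/2', ..., 'ethernet1/8'};
    'ethernet 1/1, ethernet 1/3' -> {'ethernet1/1', 'ethernet1/3'}."""
    result = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*([a-z]+)\s*(\d+)/(\d+)(?:\s*-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError("bad interface spec: " + part)
        kind, slot, first, last = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        for port in range(first, int(last or first) + 1):
            result.add(f"{kind}{slot}/{port}")
    return result


class RolePolicy:
    """One policy (interface, vlan or vsan) of a user role."""

    def __init__(self, expand):
        self.expand = expand      # turns a permit list into a set of objects
        self.deny_all = False     # False = command default: everything allowed
        self.permitted = set()

    def policy_deny(self):
        """'<type> policy deny': from now on only permitted objects are accessible."""
        self.deny_all = True

    def permit(self, spec: str):
        """'permit <type> <list>'."""
        self.permitted |= self.expand(spec)

    def no_permit(self, spec: str):
        """'no permit <type> <list>'."""
        self.permitted -= self.expand(spec)

    def allows(self, obj) -> bool:
        return (not self.deny_all) or obj in self.permitted
```

Note that a permit list configured without the matching policy deny has no restricting effect, which matches the command default of "All interfaces"/"All VLANs" above.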
Related Commands
|
|
vsan policy deny |
Denies access to a VSAN policy for a user. |
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
police (policy map)
To configure traffic policing for a class map in a control plane policy map, use the police command.
police { rate | cir rate }
Syntax Description
rate |
Average rate in packets per second (pps). The range is from 0 to 20480. |
cir |
Specifies the Committed Information Rate (CIR), in Kbps. |
Command Modes
Control plane policy map configuration mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to configure traffic policing in a control plane policy map with the average rate at 200 packets per second:
switch# configure terminal
switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# police 200
Related Commands
|
|
class (policy map) |
Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode. |
show policy-map type control-plane |
Displays configuration information for control plane policy maps. |
policy-map type control-plane
To enter the control plane policy map configuration mode, use the policy-map type control-plane command.
policy-map type control-plane policy-map-name
Syntax Description
policy-map-name |
Name of the default control plane policy map. The name is alphanumeric, case sensitive, and has a maximum of 64 characters. |
Command Modes
Global configuration mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
In Cisco Nexus 3000 Series switches, you cannot create a user-defined Control Plane Policing (CoPP) policy map. The switch software includes a default control plane policy map, copp-system-policy-default, and one customized policy map, copp-system-policy-customized. You cannot add or remove classes from the default control-plane policy map. You can, however, add or remove classes to or from the copp-system-policy-customized control-plane policy map.
If you attempt to create a control plane policy with a name other than the default, you will see the following error message:
ERROR: Policy-map create failed
This command does not require a license.
Examples
This example shows how to enter the control plane policy map configuration mode:
switch# configure terminal
switch(config)# policy-map type control-plane copp-system-policy-customized
This example shows the error message that appears when you create a control plane policy map other than the default control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
ERROR: Policy-map create failed
Related Commands
|
|
show policy-map type control-plane |
Displays configuration information for control plane policy maps. |
radius-server deadtime
To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 3000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime minutes
Syntax Description
minutes |
Number of minutes for the dead-time interval. The range is from 1 to 1440 minutes. |
Command Default
0 minutes
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The dead-time interval is the number of minutes before the switch checks a RADIUS server that was previously unresponsive.
Note: When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure the global dead-time interval for all RADIUS servers to perform periodic monitoring:
switch# configure terminal
switch(config)# radius-server deadtime 5
This example shows how to revert to the default for the global dead-time interval for all RADIUS servers and disable periodic server monitoring:
switch# configure terminal
switch(config)# no radius-server deadtime 5
Related Commands
|
|
show radius-server |
Displays RADIUS server information. |
radius-server directed-request
To allow users to send authentication requests to a specific RADIUS server when logging in, use the radius-server directed-request command. To revert to the default, use the no form of this command.
radius-server directed-request
no radius-server directed-request
Syntax Description
This command has no arguments or keywords.
Command Default
Sends the authentication request to the configured RADIUS server group.
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You can specify the username as username@vrfname:hostname during login, where vrfname is the VRF to use and hostname is the name of a configured RADIUS server. The username is sent to the RADIUS server for authentication.
Examples
This example shows how to allow users to send authentication requests to a specific RADIUS server when logging in:
switch# configure terminal
switch(config)# radius-server directed-request
This example shows how to disallow users to send authentication requests to a specific RADIUS server when logging in:
switch# configure terminal
switch(config)# no radius-server directed-request
Related Commands
|
|
show radius-server directed-request |
Displays the directed request RADIUS server configuration. |
radius-server host
To configure RADIUS server parameters, use the radius-server host command. To revert to the default, use the no form of this command.
radius-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ] [ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ] [ test { idle-time time | password password | username name }] [ timeout seconds [ retransmit count ]]
no radius-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ] [ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ] [ test { idle-time time | password password | username name }] [ timeout seconds [ retransmit count ]]
Syntax Description
hostname |
RADIUS server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters. |
ipv4-address |
RADIUS server IPv4 address in the A.B.C.D format. |
key |
(Optional) Configures the RADIUS server preshared secret key. |
0 |
(Optional) Configures a preshared key specified in clear text to authenticate communication between the RADIUS client and server. This is the default. |
7 |
(Optional) Configures a preshared key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server. |
shared-secret |
Preshared key to authenticate communication between the RADIUS client and server. The preshared key can include any printable ASCII characters (white spaces are not allowed), is case sensitive, and has a maximum of 63 characters. |
pac |
(Optional) Enables the generation of Protected Access Credentials on the RADIUS Cisco ACS server for use with Cisco TrustSec. |
accounting |
(Optional) Configures accounting. |
acct-port port-number |
(Optional) Configures the RADIUS server port for accounting. The range is from 0 to 65535. |
auth-port port-number |
(Optional) Configures the RADIUS server port for authentication. The range is from 0 to 65535. |
authentication |
(Optional) Configures authentication. |
retransmit count |
(Optional) Configures the number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times and the default is 1 time. |
test |
(Optional) Configures parameters to send test packets to the RADIUS server. |
idle-time time |
Specifies the time interval (in minutes) for monitoring the server. The range is from 1 to 1440 minutes. |
password password |
Specifies a user password in the test packets. The password is alphanumeric, case sensitive, and has a maximum of 32 characters. |
username name |
Specifies a username in the test packets. The username is alphanumeric, not case sensitive, and has a maximum of 32 characters. |
timeout seconds |
Specifies the timeout (in seconds) between retransmissions to the RADIUS server. The default is 1 second and the range is from 1 to 60 seconds. |
Command Default
Accounting port: 1813
Authentication port: 1812
Accounting: enabled
Authentication: enabled
Retransmission count: 1
Idle-time: 0
Server monitoring: disabled
Timeout: 5 seconds
Test username: test
Test password: test
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure RADIUS server authentication and accounting parameters:
switch# configure terminal
switch(config)# radius-server host 192.168.2.3 key HostKey
switch(config)# radius-server host 192.168.2.3 auth-port 2003
switch(config)# radius-server host 192.168.2.3 acct-port 2004
switch(config)# radius-server host 192.168.2.3 accounting
switch(config)# radius-server host radius2 key 0 abcd
switch(config)# radius-server host radius3 key 7 1234
switch(config)# radius-server host 192.168.2.3 test idle-time 10
switch(config)# radius-server host 192.168.2.3 test username tester
switch(config)# radius-server host 192.168.2.3 test password 2B9ka5
Related Commands
|
|
show radius-server |
Displays RADIUS server information. |
radius-server key
To configure a RADIUS shared secret key, use the radius-server key command. To remove a configured shared secret, use the no form of this command.
radius-server key [ 0 | 7 ] shared-secret
no radius-server key [ 0 | 7 ] shared-secret
Syntax Description
0 |
(Optional) Configures a preshared key specified in clear text to authenticate communication between the RADIUS client and server. |
7 |
(Optional) Configures a preshared key specified in encrypted text to authenticate communication between the RADIUS client and server. |
shared-secret |
Preshared key used to authenticate communication between the RADIUS client and server. The preshared key can include any printable ASCII characters (white spaces are not allowed), is case sensitive, and has a maximum of 63 characters. |
Command Default
Clear text authentication
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The key can be up to 63 characters long and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch, and you can override the global key for an individual server by using the key keyword in the radius-server host command. The 7 keyword enters a key in the encrypted form that appears in the running configuration; this form is a reversible encoding rather than strong encryption, so treat any configuration file or backup that contains it as sensitive.
Examples
This example shows how to provide various scenarios to configure RADIUS authentication:
switch# configure terminal
switch(config)# radius-server key AnyWord
switch(config)# radius-server key 0 AnyWord
switch(config)# radius-server key 7 public pac
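The following script is an added example, not part of the Cisco command reference. It audits a saved configuration for the radius-server key and radius-server host key forms shown above, reads out type 0 keys as stored, reverses type 7 keys with Cisco's fixed-key XOR encoding to show why the 7 form protects nothing once the file leaks, and, using the defaults listed for radius-server host, reports monitored servers (test idle-time other than 0) that still use the default test username. The configuration text and the finding names are constructed for this example.

```python
"""Audit RADIUS shared secrets in a saved NX-OS configuration.

Added example, not part of the Cisco command reference. It reads the
`radius-server key [0 | 7] secret` and `radius-server host <h> key [0 | 7]
secret` forms and reports every secret recoverable from the file: type 0
keys are stored as typed, and type 7 keys use Cisco's fixed-key XOR
encoding, which is reversible offline. The configuration text and the
finding names below are constructed for this example.
"""

# Cisco's fixed type 7 XOR key; the encoding has been public for decades.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Constructed running-config fragment in the shape of the examples above.
SAMPLE_CONFIG = """\
radius-server key 7 022E0B481F2D0A38
radius-server host 192.168.2.3 key 0 HostKey auth-port 2003 acct-port 2004
radius-server host 192.168.2.3 test idle-time 10
radius-server host radius2 key 7 0822455D0A16
radius-server host radius3 key abcd
radius-server host radius3 test idle-time 5 username tester password 2B9ka5
"""


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string: a two-digit seed followed by hex byte pairs."""
    seed = int(encoded[:2])                 # ValueError if the seed is not digits
    data = bytes.fromhex(encoded[2:])       # ValueError if not even-length hex
    return bytes(b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, b in enumerate(data)).decode("ascii")


def type7_encode(plain: str, seed: int = 2) -> str:
    """Forward direction, included to show the mapping is a fixed permutation, not encryption."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    body = bytes(ord(c) ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def audit_radius(config: str):
    """Return (finding, scope, detail) tuples; scope is 'global' or the server host."""
    findings, monitored, test_user = [], set(), {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] not in (["radius-server", "key"], ["radius-server", "host"]):
            continue
        scope = "global" if tok[1] == "key" else tok[2]
        if "key" in tok[1:4]:   # 'radius-server key ...' or 'radius-server host <h> key ...'
            rest = tok[tok.index("key") + 1:]
            if rest[0] in ("0", "7"):
                kind, secret = rest[0], rest[1]
            else:
                kind, secret = "0", rest[0]   # no keyword means clear text (the default)
            if kind == "7":
                findings.append(("type7-reversible", scope, type7_decode(secret)))
            else:
                findings.append(("cleartext", scope, secret))
        if tok[1] == "host" and "test" in tok:
            opts = tok[tok.index("test") + 1:]
            if "idle-time" in opts and opts[opts.index("idle-time") + 1] != "0":
                monitored.add(scope)            # idle-time 0 means monitoring is off
            if "username" in opts:
                test_user[scope] = opts[opts.index("username") + 1]
    for host in sorted(monitored):
        if test_user.get(host, "test") == "test":   # 'test' is the documented default
            findings.append(("default-test-username", host, "test"))
    return findings


if __name__ == "__main__":
    for finding in audit_radius(SAMPLE_CONFIG):
        print("%-22s %-14s %s" % finding)
```

Run it against the output of show running-config saved from a switch; every line it prints is a secret (or a default) that anyone holding the file also holds, which is the practical reason to rotate RADIUS keys when a configuration backup is exposed rather than to rely on the 7 form.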
Related Commands
|
|
show radius-server |
Displays RADIUS server information. |
radius-server retransmit
To specify the number of times that the switch should try a request with a RADIUS server, use the radius-server retransmit command. To revert to the default, use the no form of this command.
radius-server retransmit count
no radius-server retransmit count
Syntax Description
count |
Number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times. |
Command Default
1 retransmission
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to configure the number of retransmissions to RADIUS servers:
switch# configure terminal
switch(config)# radius-server retransmit 3
This example shows how to revert to the default number of retransmissions to RADIUS servers:
switch# configure terminal
switch(config)# no radius-server retransmit 3
Related Commands
|
|
show radius-server |
Displays RADIUS server information. |
radius-server timeout
To specify the time between retransmissions to the RADIUS servers, use the radius-server timeout command. To revert to the default, use the no form of this command.
radius-server timeout seconds
no radius-server timeout seconds
Syntax Description
seconds |
Number of seconds between retransmissions to the RADIUS server. The range is from 1 to 60 seconds. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to configure the timeout interval:
switch# configure terminal
switch(config)# radius-server timeout 30
This example shows how to revert to the default interval:
switch# configure terminal
switch(config)# no radius-server timeout 30
Related Commands
|
|
show radius-server |
Displays RADIUS server information. |
remark
To enter a comment into an IPv4 or MAC access control list (ACL), use the remark command. To remove a remark command, use the no form of this command.
[ sequence-number ] remark remark
no { sequence-number | remark remark }
Syntax Description
sequence-number |
(Optional) Sequence number of the remark command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to remarks and rules. |
remark |
Text of the remark. This argument can be up to 100 characters. |
Command Default
No ACL contains a remark by default.
Command Modes
ARP ACL configuration mode
IPv4 ACL configuration mode
IPv4 ACL configuration mode in a switch profile
MAC ACL configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The remark argument can be up to 100 characters. If you enter more than 100 characters for the remark argument, the switch accepts the first 100 characters and drops any additional characters.
Examples
This example shows how to create a remark in an IPv4 ACL and display the results:
switch# configure terminal
switch(config)# ip access-list acl-ipv4-01
switch(config-acl)# 100 remark this ACL denies the marketing department access to the lab
switch(config-acl)# show access-lists acl-ipv4-01
This example shows how to create a remark in an IPv4 ACL in a switch profile:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# ip access-list sp-acl
switch(config-sync-sp-acl)# 30 remark this ACL permits TCP access to the Accounting team
switch(config-sync-sp-acl)#
Related Commands
|
|
arp access-list |
Configures an ARP ACL. |
ip access-list |
Configures an IPv4 ACL. |
show access-lists |
Displays all ACLs or one ACL. |
show switch-profile |
Displays information about the switch profile and the configuration revision. |
switch-profile |
Creates and configures a switch profile. |
resequence
To reassign sequence numbers to all rules in an access control list (ACL) or a time range, use the resequence command.
resequence access-list-type access-list access-list-name starting-number increment
resequence time-range time-range-name starting-number increment
Syntax Description
access-list-type |
Type of the ACL. Valid values for this argument are the arp, ip, and mac keywords (see the command modes listed for the remark command).
Note Not all ACL types are applicable to switch profiles.
|
access-list access-list-name |
Specifies the name of the ACL. The ACL name can be a maximum of 64 alphanumeric characters. |
time-range time-range-name |
Specifies the name of the time range. Note This keyword is not applicable to switch profiles. |
starting-number |
Sequence number for the first rule in the ACL or time range. The range is from 1 to 4294967295. |
increment |
Number that the switch adds to each subsequent sequence number. The range is from 1 to 4294967295. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The resequence command allows you to reassign sequence numbers to the rules of an ACL or time range. The new sequence number for the first rule is determined by the starting-number argument. Each additional rule receives a new sequence number determined by the increment argument. If the highest sequence number would exceed the maximum possible sequence number, then no sequencing occurs and the following message appears:
ERROR: Exceeded maximum sequence number.
The maximum sequence number is 4294967295.
Examples
This example shows how to resequence an IPv4 ACL named ip-acl-01 with a starting sequence number of 100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
switch# configure terminal
switch(config)# show ip access-lists ip-acl-01
7 permit tcp 128.0.0.0/16 any eq www
10 permit udp 128.0.0.0/16 any
13 permit icmp 128.0.0.0/16 any echo
switch(config)# resequence ip access-list ip-acl-01 100 10
switch(config)# show ip access-lists ip-acl-01
100 permit tcp 128.0.0.0/16 any eq www
110 permit udp 128.0.0.0/16 any
120 permit icmp 128.0.0.0/16 any echo
This example shows how to resequence an IPv4 ACL named sp-acl in a switch profile with a starting sequence number of 30 and an increment of 5:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# resequence ip access-list sp-acl 30 5
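The arithmetic in the usage guidelines above, as an added example that is not Cisco code: parse_rules() reads the rule lines of a show ip access-lists listing, resequence() assigns starting-number, starting-number + increment, and so on in the rules' current order, and the overflow check refuses the whole operation with the switch's own message instead of renumbering part of the list. The listing is the page's example with corrected prefixes; max_rules() is this example's helper for planning an increment.

```python
"""Resequence arithmetic for NX-OS ACLs (added example, not Cisco code)."""

MAX_SEQ = 4294967295   # the maximum sequence number stated in the reference

# The page's example listing (prefixes written out in full).
SAMPLE_LISTING = """\
IP access list ip-acl-01
  7 permit tcp 128.0.0.0/16 any eq www
  10 permit udp 128.0.0.0/16 any
  13 permit icmp 128.0.0.0/16 any echo
"""


def parse_rules(listing: str):
    """Turn '<seq> <rule text>' lines into (seq, text) pairs; header lines are skipped."""
    rules = []
    for line in listing.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            rules.append((int(parts[0]), parts[1]))
    return rules


def resequence(rules, start: int, increment: int):
    """Return the rules renumbered start, start+increment, ... keeping their order.

    Like the switch, this either renumbers every rule or none: if the last
    rule's new number would exceed MAX_SEQ the list is left untouched and the
    switch's error text is raised.
    """
    if not (1 <= start <= MAX_SEQ and 1 <= increment <= MAX_SEQ):
        raise ValueError("starting-number and increment must be between 1 and 4294967295")
    if rules and start + (len(rules) - 1) * increment > MAX_SEQ:
        raise ValueError("ERROR: Exceeded maximum sequence number.")
    ordered = sorted(rules, key=lambda r: r[0])
    return [(start + i * increment, text) for i, (_, text) in enumerate(ordered)]


def max_rules(start: int, increment: int) -> int:
    """How many rules fit before the last sequence number would pass MAX_SEQ."""
    return (MAX_SEQ - start) // increment + 1


def render(name: str, rules) -> str:
    """Print the rules in the show ip access-lists layout."""
    return "\n".join([f"IP access list {name}"] + [f"  {seq} {text}" for seq, text in rules])


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_LISTING)
    print(render("ip-acl-01", resequence(rules, 100, 10)))
    try:
        resequence(rules, MAX_SEQ - 5, 10)
    except ValueError as err:
        print(err)
```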
Related Commands
|
|
arp access-list |
Configures an ARP ACL. |
ip access-list |
Configures an IPv4 ACL. |
show access-lists |
Displays all ACLs or a specific ACL. |
role feature-group name
To create or specify a user role feature group and enter user role feature group configuration mode, use the role feature-group name command. To delete a user role feature group, use the no form of this command.
role feature-group name group-name
no role feature-group name group-name
Syntax Description
group-name |
User role feature group name. The group-name has a maximum length of 32 characters and is a case-sensitive, alphanumeric character string. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to create a user role feature group and enter user role feature group configuration mode:
switch# configure terminal
switch(config)# role feature-group name MyGroup
switch(config-role-featuregrp)#
This example shows how to remove a user role feature group:
switch# configure terminal
switch(config)# no role feature-group name MyGroup
Related Commands
|
|
feature-group name |
Specifies or creates a user role feature group and enters user role feature group configuration mode. |
show role feature-group |
Displays the user role feature groups. |
role name
To create or specify a user role and enter user role configuration mode, use the role name command. To delete a user role, use the no form of this command.
role name { role-name | default-role | privilege-role }
no role name { role-name | default-role | privilege-role }
Syntax Description
role-name |
User role name. The role-name has a maximum length of 16 characters and is a case-sensitive, alphanumeric character string. |
default-role |
Specifies the default user role name. |
privilege-role |
Privilege user role, which can be one of the following:
- priv-0
- priv-1
- priv-2
- priv-3
- priv-4
- priv-5
- priv-6
- priv-7
- priv-8
- priv-9
- priv-10
- priv-11
- priv-12
- priv-13
|
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
A Cisco Nexus 3000 Series switch provides the following default user roles:
- Network Administrator (network-admin): complete read-and-write access to the entire switch
- Network Operator (network-operator): complete read access to the entire switch
You cannot change or remove the default user roles.
To view the privilege level roles, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command. Privilege roles inherit the permissions of lower level privilege roles.
Examples
This example shows how to create a user role and enter user role configuration mode:
switch# configure terminal
switch(config)# role name MyRole
This example shows how to create a privilege 1 user role and enter user role configuration mode:
switch# configure terminal
switch(config)# role name priv-1
This example shows how to remove a user role:
switch# configure terminal
switch(config)# no role name MyRole
Related Commands
|
|
feature privilege |
Enables cumulative privilege of roles for command authorization on TACACS+ servers. |
rule |
Configures rules for user roles. |
show role |
Displays the user roles. |
rule
To configure rules for a user role, use the rule command. To delete a rule, use the no form of this command.
rule number { deny | permit } { command command-string | { read | read-write } [ feature feature-name | feature-group group-name ]}
no rule number
Syntax Description
number |
Sequence number for the rule. The switch applies the rule with the highest value first and then the rest in descending order. |
deny |
Denies access to commands or features. |
permit |
Permits access to commands or features. |
command command-string |
Specifies a command string. The command string can be a maximum of 128 characters and can contain spaces. |
read |
Specifies read access. |
read-write |
Specifies read and write access. |
feature feature-name |
(Optional) Specifies a feature name. Use the show role feature command to list the switch feature names. |
feature-group group-name |
(Optional) Specifies a feature group. |
Command Modes
User role configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You can configure up to 256 rules for each role.
The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order, and the first rule that matches the command decides whether the command is permitted or denied. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1. Give a deny rule a higher number than any permit rule that could cover the same commands; a lower-numbered deny is never reached when a higher-numbered permit matches first.
Deny rules cannot be added to any privilege roles, except the privilege 0 (priv-0) role.
Examples
This example shows how to add rules to a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# rule 2 deny command clear users
switch(config-role)# rule 1 permit read-write feature-group L3
This example shows how to add rules to a user role with privilege 0:
switch# configure terminal
switch(config)# role name priv-0
switch(config-role)# rule 1 deny command clear users
This example shows how to remove a rule from a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no rule 10
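The following evaluator is an added example, not Cisco code. It loads role name and rule lines in the syntax documented above, applies the rules highest number first as the usage guidelines state, and reports which rule decided, so that the ordering effect (a higher-numbered permit shadowing a lower-numbered deny) and the effect of entering the same rule number twice can be seen before a role is pushed to a switch. Two behaviours the page does not spell out are assumed: a command that matches no rule is denied, and re-entering an existing rule number replaces the earlier rule. The feature-to-command mapping, the feature group L3, and the * wildcard handling are illustrative stand-ins for the switch's internal tables.

```python
"""Evaluate NX-OS user-role rules in the documented order (added example, not Cisco code)."""
import re

# Illustrative: command prefixes each feature governs (assumed, not from the page).
FEATURES = {
    "router": ("router ", "ip route "),
    "interface": ("interface ",),
    "aaa": ("aaa ", "radius-server ", "tacacs-server "),
}
# Illustrative feature group, named after the page's example.
FEATURE_GROUPS = {"L3": ("router", "interface")}

RULE_RE = re.compile(
    r"rule\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+"
    r"(?:command\s+(?P<cmd>.+?)|(?P<access>read-write|read)"
    r"(?:\s+feature\s+(?P<feature>\S+)|\s+feature-group\s+(?P<group>\S+))?)\s*$"
)

# Constructed roles: the page's example (renumbered), a shadowed deny, and a duplicate number.
SAMPLE_CONFIG = """\
role name MyRole
  rule 2 deny command clear users
  rule 1 permit read-write feature-group L3
role name Shadowed
  rule 2 permit command clear *
  rule 1 deny command clear users
role name Duplicate
  rule 1 deny command clear users
  rule 1 permit read-write feature-group L3
"""


class Role:
    def __init__(self, name):
        self.name = name
        self.rules = {}      # number -> (action, kind, target)
        self.replaced = []   # numbers entered more than once (assumption: later one wins)

    def add_rule(self, line):
        m = RULE_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        num = int(m["num"])
        if num in self.rules:
            self.replaced.append(num)
        if m["cmd"]:
            kind, target = "command", m["cmd"].strip()
        else:
            kind = m["access"]
            target = (("feature", m["feature"]) if m["feature"]
                      else ("feature-group", m["group"]) if m["group"] else None)
        self.rules[num] = (m["action"], kind, target)


def load_roles(config):
    roles, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("role name "):
            name = line.split()[2]
            current = roles.setdefault(name, Role(name))
        elif current and line.startswith("rule "):
            current.add_rule(line)
    return roles


def _prefixes(target):
    """Command prefixes a feature/feature-group rule covers; None means every command."""
    if target is None:
        return None
    kind, name = target
    features = FEATURE_GROUPS[name] if kind == "feature-group" else (name,)
    return tuple(p for f in features for p in FEATURES[f])


def rule_matches(rule, command):
    action, kind, target = rule
    command = " ".join(command.split())
    if kind == "command":
        if target.endswith("*"):               # illustrative wildcard: prefix match
            return command.startswith(target[:-1].rstrip())
        return command == target
    is_read = command.startswith("show ")
    if kind == "read" and not is_read:
        return False                            # read rules never cover a change
    prefixes = _prefixes(target)
    if prefixes is None:
        return True
    body = command[5:] if is_read else command  # 'show ip route' is governed by 'ip route'
    return any((body + " ").startswith(p) for p in prefixes)


def evaluate(role, command):
    """Highest-numbered rule first; the first match decides. No match: deny (assumed)."""
    for num in sorted(role.rules, reverse=True):
        rule = role.rules[num]
        if rule_matches(rule, command):
            return rule[0], num
    return "deny", None


if __name__ == "__main__":
    roles = load_roles(SAMPLE_CONFIG)
    for role_name, cmd in [("MyRole", "clear users"), ("Shadowed", "clear users"),
                           ("Duplicate", "clear users"), ("MyRole", "show ip route")]:
        print(role_name, repr(cmd), evaluate(roles[role_name], cmd))
```

In the Shadowed role the deny in rule 1 is dead configuration: rule 2 is consulted first and permits every clear command. In the Duplicate role, which mirrors the page's original example with rule 1 entered twice, the deny no longer exists at all; the command is refused only because nothing matches, and a later broad permit would silently open it.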
Related Commands
|
|
role name |
Creates or specifies a user role name and enters user role configuration mode. |
show role |
Displays the user roles. |
server
To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.
server { ipv4-address | hostname }
no server { ipv4-address | hostname }
Syntax Description
ipv4-address |
Server IPv4 address in the A.B.C.D format. |
hostname |
Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters. |
Command Modes
RADIUS server group configuration mode
TACACS+ server group configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
Note You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to add a server to a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 192.168.1.1
This example shows how to delete a server from a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# no server 192.168.1.1
This example shows how to add a server to a TACACS+ server group:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 192.168.2.2
This example shows how to delete a server from a TACACS+ server group:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no server 192.168.2.2
Related Commands
|
|
aaa group server |
Configures AAA server groups. |
feature tacacs+ |
Enables TACACS+. |
radius-server host |
Configures a RADIUS server. |
show radius-server groups |
Displays RADIUS server group information. |
show tacacs-server groups |
Displays TACACS+ server group information. |
tacacs-server host |
Configures a TACACS+ server. |
service-policy
To attach a policy map to an interface, use the service-policy command. To remove a service-policy from an interface, use the no form of this command.
service-policy { input | type { qos input | queuing { input | output }}} policy-map-name
no service-policy { input | type { qos input | queuing { input | output }}} policy-map-name
Syntax Description
input |
Applies this policy map to packets coming into this interface. |
type |
Specifies whether the policy map is of type qos or queuing. |
qos |
Specifies a policy map of type qos. |
queuing |
Specifies a policy map of type queuing. |
output |
Applies this policy map to packets going out of this interface. |
policy-map-name |
Name of the policy map to attach to this interface. Only one policy map can be attached to the input and one to the output of a given interface for each of the policy type qos and queuing. The policy map name can be a maximum of 40 alphanumeric characters. |
Command Modes
Interface configuration mode
Subinterface configuration mode
Vlan configuration mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
You can attach one ingress and one egress queuing policy map to a physical port or a port channel. For each policy type (qos and queuing), only one policy map can be attached to the input of a given interface.
Examples
This example shows how to attach a queuing policy map to the ingress packets of a Layer 2 port interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# service-policy type queuing input my_input_q_policy
This example shows how to attach a qos type policy map to incoming packets system-wide by using system qos configuration mode:
switch# configure terminal
switch(config)# system qos
switch(config-sys-qos)# service-policy type qos input my_policy1
This example shows how to attach a qos type policy map named set-dscp to the incoming packets of a Layer 2 interface:
switch# configure terminal
switch(config)# policy-map type qos set-dscp
switch(config-pmap-qos)# class class-0
switch(config-pmap-c-qos)# set dscp ef
switch(config-pmap-c-qos)# exit
switch(config-pmap-qos)# class class-1-2
switch(config-pmap-c-qos)# set precedence 4
switch(config-pmap-c-qos)# exit
switch(config-pmap-qos)# exit
switch(config)# interface ethernet 2/1
switch(config-if)# service-policy type qos input set-dscp
This example shows how to attach a queuing policy map to a Layer 3 interface:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# no switchport
switch(config-if)# service-policy type queuing input my_input_q_policy
Related Commands
|
|
no switchport |
Configures an interface as a Layer 3 routed interface. |
show policy-map interface brief |
Displays all interfaces and VLANs with attached service policies in a brief format. |
system qos |
Configures a system policy. |
show aaa accounting
To display authentication, authorization, and accounting (AAA) accounting configuration, use the show aaa accounting command.
show aaa accounting
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the configuration of the accounting log:
switch# show aaa accounting
Related Commands
|
|
aaa accounting default |
Configures AAA methods for accounting. |
show aaa authentication
To display authentication, authorization, and accounting (AAA) authentication configuration information, use the show aaa authentication command.
show aaa authentication [ login [ error-enable | mschap ] ]
Syntax Description
login |
(Optional) Displays the authentication login information. |
error-enable |
(Optional) Displays the authentication login error message enable configuration. |
mschap |
(Optional) Displays the authentication login Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) enable configuration. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the configured authentication parameters:
switch# show aaa authentication
This example shows how to display the authentication login error enable configuration:
switch# show aaa authentication login error-enable
This example shows how to display the authentication login MS-CHAP configuration:
switch# show aaa authentication login mschap
Related Commands
|
|
aaa authentication |
Configures AAA authentication methods. |
show aaa authorization
To display AAA authorization configuration information, use the show aaa authorization command.
show aaa authorization [ all ]
Syntax Description
all |
(Optional) Displays configured and default values. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the configured authorization methods:
switch# show aaa authorization
Related Commands
|
|
aaa authorization commands default |
Configures default AAA authorization methods for EXEC commands. |
aaa authorization config-commands default |
Configures default AAA authorization methods for configuration commands. |
show aaa groups
To display authentication, authorization, and accounting (AAA) server group configuration, use the show aaa groups command.
show aaa groups
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display AAA group information:
switch# show aaa groups
Related Commands
|
|
aaa group server radius |
Creates a RADIUS server group. |
show aaa user
To display the status of the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the show aaa user command.
show aaa user default-role
Syntax Description
default-role |
Displays the status of the default AAA role. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the status of the default role assigned by the AAA server administrator for remote authentication:
switch# show aaa user default-role
Related Commands
|
|
aaa user default-role |
Enables the default user role for remote authentication. |
show aaa authentication |
Displays AAA authentication information. |
show access-lists
To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.
show access-lists [ access-list-name ]
Syntax Description
access-list-name |
(Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
The switch shows all ACLs unless you use the access-list-name argument to specify an ACL.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display all IPv4 and MAC ACLs on the switch that runs Cisco NX-OS Release 5.0(3)A1(1):
switch# show access-lists
IP access list copp-system-acl-icmp
IP access list copp-system-acl-igmp
IP access list copp-system-acl-ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
IP access list copp-system-acl-ping
10 permit icmp any any echo
20 permit icmp any any echo-reply
IP access list copp-system-acl-routingproto1
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
30 permit udp any any eq rip
40 permit tcp any gt 1024 any eq 639
50 permit tcp any eq 639 any gt 1024
Related Commands
|
|
ip access-list |
Configures an IPv4 ACL. |
show ip access-lists |
Displays all IPv4 ACLs or a specific IPv4 ACL. |
show accounting log
To display the accounting log contents, use the show accounting log command.
show accounting log [ size | all ] [ start-time year month day HH : MM : SS ] [ end-time year month day HH : MM : SS ]
Syntax Description
size |
(Optional) Amount of the log to display in bytes. The range is from 0 to 250000. |
all |
(Optional) Specifies to display the entire accounting log. |
start-time year month day HH : MM : SS |
(Optional) Specifies a start time. The year argument is in yyyy format. The month is the three-letter English abbreviation. The day argument range is from 1 to 31. The HH : MM : SS argument is in standard 24-hour format. |
end-time year month day HH : MM : SS |
(Optional) Specifies an end time. The year argument is in yyyy format. The month is the three-letter English abbreviation. The day argument range is from 1 to 31. The HH : MM : SS argument is in standard 24-hour format. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the entire accounting log on a switch that runs Cisco NX-OS Release 5.0(3)A1(1):
switch# show accounting log all
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; shutdown (REDIRECT)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; shutdown (SUCCESS)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; shutdown (SUCCESS)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; no shutdown (REDIRECT)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; no shutdown (SUCCESS)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; no shutdown (SUCCESS)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; shutdown (REDIRECT)
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; shutdown (SUCCESS)
This example shows how to display 400 bytes of the accounting log on a switch that runs Cisco NX-OS Release 5.0(3)A1(1):
switch# show accounting log 400
Mon Aug 8 09:03:22 2011:type=update:id=console0:user=admin:cmd=setup (SUCCESS)
Tue Aug 9 06:19:03 2011:type=start:id=72.163.138.89@pts/0:user=admin:cmd=
Tue Aug 9 08:16:37 2011:type=start:id=console0:user=admin:cmd=
Tue Aug 9 08:17:21 2011:type=update:id=console0:user=admin:cmd=configure sync (
Tue Aug 9 08:17:25 2011:type=update:id=console0:user=admin:cmd=configure sync ;
switch-profile s1 ; switch-profile s1 (SUCCESS)
This example shows how to display the accounting log starting at 16:00:00 on August 4, 2011:
switch# show accounting log start-time 2011 Aug 4 16:00:00
Fri Aug 5 04:03:55 2011:type=start:id=10.22.27.55@pts/3:user=admin:cmd=
Fri Aug 5 05:01:28 2011:type=stop:id=10.22.27.55@pts/3:user=admin:cmd=shell terminated because of telnet closed
Fri Aug 5 06:07:32 2011:type=start:id=console0:user=admin:cmd=
Fri Aug 5 06:11:27 2011:type=update:id=console0:user=admin:cmd=Erasing startup
Fri Aug 5 06:11:27 2011:type=update:id=console0:user=admin:cmd=write erase (SUC
Mon Aug 8 06:02:20 2011:type=update:id=console0:user=root:cmd=enabled (null)
Mon Aug 8 06:02:20 2011:type=update:id=console0:user=root:cmd=configure terminal ; password strength-check (SUCCESS)
Mon Aug 8 06:02:20 2011:type=update:id=console0:user=root:cmd=updated v3 user :
Mon Aug 8 06:02:20 2011:type=update:id=console0:user=root:cmd=configure terminal ; username admin password ******** role network-admin (SUCCESS)
Mon Aug 8 06:03:20 2011:type=update:id=console0:user=root:cmd=community public
This example shows how to display the accounting log starting at 15:59:59 on February 1, 2008 and ending at 16:00:00 on February 29, 2008:
switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00
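The accounting log shown above is the switch's own audit trail of who ran what, so it is worth parsing rather than reading by eye. The following script is an added example, not Cisco code. It splits each record into its timestamp, type, session id, user, command and result fields, applies the same kind of time window as the start-time and end-time keywords, and flags commands that change accounts, AAA servers or the configuration baseline. The sample records are constructed in the format shown above, and the watch-list is this example's choice, not something the page defines.

```python
"""Parse and triage `show accounting log` output (added example, not Cisco code).

Record shape, as shown in the command reference:
    <day> <mon> <d> <HH:MM:SS> <yyyy>:type=<start|stop|update>:id=<session>:user=<name>:cmd=<text> (<result>)
"""
import re
from datetime import datetime

RECORD_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}):"
    r"type=(?P<type>\w+):id=(?P<id>[^:]*):user=(?P<user>[^:]*):cmd=(?P<cmd>.*)$"
)
RESULT_RE = re.compile(r"\s*\((SUCCESS|FAILURE|REDIRECT)\)$")

# Constructed watch-list: substrings of cmd that should raise an alert, and why.
WATCHLIST = {
    "write erase": "startup configuration erased",
    "username ": "local account changed",
    "role network-admin": "network-admin role granted",
    "no radius-server": "RADIUS server removed",
    "no tacacs-server": "TACACS+ server removed",
    "no aaa ": "AAA method changed",
    "clear accounting log": "audit trail cleared",
}

# Constructed records in the format of the examples above.
SAMPLE_LOG = """\
Thu Aug 4 04:57:42 2011:type=update:id=console0:user=admin:cmd=configure terminal ; interface Ethernet1/9 ; shutdown (SUCCESS)
Fri Aug 5 04:03:55 2011:type=start:id=10.22.27.55@pts/3:user=admin:cmd=
Fri Aug 5 05:01:28 2011:type=stop:id=10.22.27.55@pts/3:user=admin:cmd=shell terminated because of telnet closed
Mon Aug 8 06:02:20 2011:type=update:id=console0:user=root:cmd=configure terminal ; username admin password ******** role network-admin (SUCCESS)
Mon Aug 8 06:11:27 2011:type=update:id=console0:user=root:cmd=write erase (SUCCESS)
Tue Aug 9 08:17:25 2011:type=update:id=10.22.27.55@pts/0:user=admin:cmd=configure terminal ; no radius-server host 192.168.2.3 (SUCCESS)
"""


def parse_record(line):
    """Return a dict for one log line, or None for lines that are not records."""
    m = RECORD_RE.match(line.rstrip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%a %b %d %H:%M:%S %Y")
    r = RESULT_RE.search(rec["cmd"])
    rec["result"] = r.group(1) if r else None
    rec["cmd"] = RESULT_RE.sub("", rec["cmd"])
    rec["remote"] = "@" in rec["id"]          # 10.22.27.55@pts/3 vs console0
    return rec


def parse_cli_time(text):
    """Accept the show command's own format: 'year month day HH:MM:SS'."""
    return datetime.strptime(text, "%Y %b %d %H:%M:%S")


def in_window(records, start=None, end=None):
    """Mirror the start-time / end-time keywords; bounds are CLI-format strings."""
    lo = parse_cli_time(start) if start else None
    hi = parse_cli_time(end) if end else None
    return [r for r in records
            if (lo is None or r["time"] >= lo) and (hi is None or r["time"] <= hi)]


def flag_records(records):
    """Return copies of the records that hit the watch-list, with their reasons attached."""
    flagged = []
    for rec in records:
        reasons = [why for needle, why in WATCHLIST.items() if needle in rec["cmd"]]
        if reasons:
            flagged.append(dict(rec, reasons=reasons))
    return flagged


if __name__ == "__main__":
    records = [r for r in map(parse_record, SAMPLE_LOG.splitlines()) if r]
    for rec in flag_records(records):
        where = "remote" if rec["remote"] else "console"
        print(rec["time"], rec["user"], where, rec["cmd"], "->", "; ".join(rec["reasons"]))
```

Feed it the output of show accounting log all captured over SSH, or a syslog export of the same records, and extend WATCHLIST to the commands your environment treats as privileged; the remote flag distinguishes console work from network sessions, which is usually the first question when a flagged record is reviewed.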
Related Commands
|
|
clear accounting log |
Clears the accounting log. |
show arp access-lists
To display all ARP access control lists (ACLs) or a specific ARP ACL, use the show arp access-lists command.
show arp access-lists [ access-list-name ]
Syntax Description
access-list-name |
(Optional) Name of an ARP ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
Command Modes
Any command mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
The device shows all ARP ACLs, unless you use the access-list-name argument to specify an ACL.
This command does not require a license.
Examples
This example shows how to display all ARP ACLs on a switch:
switch# show arp access-lists
This example shows how to display an ARP ACL named arp-permit-all:
switch# show arp access-lists arp-permit-all
Related Commands
|
|
arp access-list |
Configures an ARP ACL. |
show class-map type control-plane
To display control plane class map information, use the show class-map type control-plane command.
show class-map type control-plane [ class-map-name ]
Syntax Description
class-map-name |
(Optional) Name of the control plane class map. The name is alphanumeric and case sensitive. The maximum length is 64 characters. |
Command Modes
Any command mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display control plane class map information:
switch# show class-map type control-plane
class-map type control-plane match-any copp-system-class-arp
class-map type control-plane match-any copp-system-class-bgp
class-map type control-plane match-any copp-system-class-bridging
class-map type control-plane match-any copp-system-class-cdp
class-map type control-plane match-any copp-system-class-default
Related Commands
|
|
class-map type control-plane |
Creates or configures a control plane class map. |
show hardware profile tcam region
To display the access control list (ACL) ternary content addressable memory (TCAM) sizes that will be applicable after you reload the switch, use the show hardware profile tcam region command.
show hardware profile tcam region
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
Use this command to see the new TCAM sizes you configured on the switch using the hardware profile tcam region command that will be applied after you reload the switch.
To see the current ACL TCAM sizes configured on the switch, use the show platform afm info tcam asic-id region { e-racl | e-vacl | ifacl | qos | racl | rbacl | sup | vacl | nat } command.
Examples
This example shows how to display the new TCAM entries:
switch# show hardware profile tcam region
Related Commands
|
|
show platform afm info tcam |
Displays the current TCAM information. |
hardware profile tcam region |
Configures the sizes of the TCAM entries. |
show ip access-lists
To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.
show ip access-lists [ access-list-name ]
Syntax Description
access-list-name |
(Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
The switch shows all IPv4 ACLs unless you use the access-list-name argument to specify an ACL.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
By default, this command displays the IPv4 ACLs configured on the switch. The command displays the statistics information for an IPv4 ACL only if the IPv4 ACL is applied to the management (mgmt0) interface. If the ACL is applied to a switch virtual interface (SVI) or in a QoS class map, the command does not display any statistics information.
Examples
This example shows how to display all IPv4 ACLs on a switch that runs Cisco NX-OS release 5.0(3)A1(1):
switch# show ip access-lists
IP access list copp-system-acl-icmp
IP access list copp-system-acl-igmp
IP access list copp-system-acl-ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
IP access list copp-system-acl-ping
10 permit icmp any any echo
20 permit icmp any any echo-reply
IP access list copp-system-acl-routingproto1
10 permit tcp any gt 1024 any eq bgp
20 permit tcp any eq bgp any gt 1024
30 permit udp any any eq rip
40 permit tcp any gt 1024 any eq 639
50 permit tcp any eq 639 any gt 1024
Related Commands
|
|
ip access-list |
Configures an IPv4 ACL. |
show access-lists |
Displays all ACLs or a specific ACL. |
show ip nat translations
To display the active translations on a Cisco Nexus 3000 Series switch, use the show ip nat translations command.
show ip nat translations [verbose]
Syntax Description
verbose |
(Optional) Specifies to display additional information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the active translations on a Cisco Nexus 3000 Series switch:
switch# show ip nat translations
Pro Inside global Inside local Outside local Outside global
--- --- 1.1.1.2:124 1.1.1.1:123
1.1.1.2:124 1.1.1.1:123 --- ---
35.48.35.48:250 20.1.9.2:63 --- ---
Related Commands
|
|
ip nat |
Configures Network Address Translation (NAT) on an interface. |
show ip verify source
To display the IP-to-MAC address bindings, use the show ip verify source command.
show ip verify source [ interface { ethernet slot / port | port-channel channel-number }]
Syntax Description
interface |
(Optional) Specifies that the output is limited to IP-to-MAC address bindings for a particular interface. |
ethernet slot / port |
(Optional) Specifies that the output is limited to bindings for the Ethernet interface given. The slot number is from 1 to 255, and the port number is from 1 to 128. |
port-channel channel-number |
(Optional) Specifies that the output is limited to bindings for the port-channel interface given. Valid port-channel numbers are from 1 to 4096. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the IP-to-MAC address bindings on the switch:
switch# show ip verify source
Related Commands
|
|
show running-config dhcp |
Displays DHCP snooping configuration. |
show mac access-lists
To display all MAC access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.
show mac access-lists [ access-list-name ] [ summary ]
Syntax Description
access-list-name |
(Optional) Name of a MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
summary |
(Optional) Specifies that the command displays information about the ACL rather than the ACL configuration. For more information, see the “Usage Guidelines” section. |
Command Modes
Any command mode
Command History
|
|
6.0(2)A4(1) |
This command was introduced. |
Usage Guidelines
The device shows all MAC ACLs, unless you use the access-list-name argument to specify an ACL.
If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
- Whether per-entry statistics are configured for the ACL.
- The number of rules in the ACL configuration. This number does not reflect how many entries that the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
- The interfaces that the ACL is configured on.
- The interfaces that the ACL is active on.
The show mac access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
- The ACL configuration contains the statistics per-entry command.
- The ACL is applied to an interface that is administratively up.
This command does not require a license.
Examples
This example shows how to use the show mac access-lists command to show all MAC ACLs on a device with a single MAC ACL:
switch# show mac access-lists
MAC access list mac-filter
This example shows how to use the show mac access-lists command to display a MAC ACL named mac-lab-filter, including per-entry statistics:
switch# show mac access-lists mac-lab-filter
MAC access list mac-lab-filter
10 permit 0600.ea5f.22ff 0000.0000.0000 any [match=820421]
20 permit 0600.050b.3ee3 0000.0000.0000 any [match=732]
This example shows how to use the show mac access-lists command with the summary keyword to display information about a MAC ACL named mac-lab-filter, such as which interfaces the ACL is applied to and active on:
switch# show mac access-lists mac-lab-filter summary
Configured on interfaces:
Ethernet2/3 - ingress (Port ACL)
Active on interfaces:
Ethernet2/3 - ingress (Port ACL)
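As an added example (not part of this reference), the following Python parses the show ip access-lists and show mac access-lists output formats shown above, including the optional [match=N] per-entry counters and the summary keyword's "Configured on" / "Active on" interface lists, and flags empty ACLs, never-hit rules and interfaces where an ACL is configured but not enforcing. The sample text is constructed to match those formats, not captured from a switch; the [match=0] counter and Ethernet2/4 are invented to exercise the checks.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the show ip access-lists and show mac access-lists
# output formats in this reference (not captured from a real switch).
SAMPLE_ACL_OUTPUT = """\
IP access list copp-system-acl-icmp
IP access list copp-system-acl-ntp
        10 permit udp any any eq ntp
        20 permit udp any eq ntp any
MAC access list mac-lab-filter
        10 permit 0600.ea5f.22ff 0000.0000.0000 any [match=820421]
        20 permit 0600.050b.3ee3 0000.0000.0000 any [match=0]
"""

# Constructed sample of the "summary" keyword's output. Ethernet2/4 is listed as
# configured but not active (for example because the interface is administratively down).
SAMPLE_SUMMARY_OUTPUT = """\
        Configured on interfaces:
                Ethernet2/3 - ingress (Port ACL)
                Ethernet2/4 - ingress (Port ACL)
        Active on interfaces:
                Ethernet2/3 - ingress (Port ACL)
"""

HEADER_RE = re.compile(r"^(IP|IPv6|MAC) access list (\S+)\s*$")
RULE_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\[match=(\d+)\])?\s*$")


@dataclass
class Rule:
    seq: int
    action: str
    body: str
    matches: Optional[int] = None  # None when per-entry statistics are not shown


@dataclass
class Acl:
    kind: str          # "IP", "IPv6" or "MAC"
    name: str
    rules: List[Rule] = field(default_factory=list)


def parse_access_lists(text: str) -> List[Acl]:
    """Parse ACL listing output into Acl objects, one per 'access list' header."""
    acls: List[Acl] = []
    current: Optional[Acl] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Acl(kind=m.group(1), name=m.group(2))
            acls.append(current)
            continue
        m = RULE_RE.match(line)
        if m and current is not None:
            matches = int(m.group(4)) if m.group(4) is not None else None
            current.rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), matches))
    return acls


def empty_acls(acls: List[Acl]) -> List[str]:
    """ACLs with no rules. Worth a second look: an empty ACL applied to an interface
    filters nothing, which is rarely what the operator intended."""
    return [a.name for a in acls if not a.rules]


def unhit_rules(acls: List[Acl]) -> List[str]:
    """'acl:seq' for rules whose per-entry counter is present but zero. Rules without
    counters are skipped, since absence of statistics is not evidence of no traffic."""
    return [f"{a.name}:{r.seq}" for a in acls for r in a.rules if r.matches == 0]


def parse_summary(text: str) -> dict:
    """Split summary output into the interfaces the ACL is configured on and active on."""
    sections = {"configured": [], "active": []}
    key = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Configured on interfaces"):
            key = "configured"
        elif s.startswith("Active on interfaces"):
            key = "active"
        elif key is not None and s:
            sections[key].append(s.split(" - ")[0])  # keep just the interface name
    return sections


def configured_but_inactive(summary: dict) -> List[str]:
    """Interfaces where the ACL is configured but not enforcing (e.g. interface down)."""
    return sorted(set(summary["configured"]) - set(summary["active"]))
```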
Related Commands
|
|
mac access-list |
Configures a MAC ACL. |
show access-lists |
Displays all ACLs or a specific ACL. |
show ip access-lists |
Displays all IPv4 ACLs or a specific IPv4 ACL. |
show ipv6 access-lists |
Displays all IPv6 ACLs or a specific IPv6 ACL. |
show platform afm info tcam
To display the platform-dependent access control list (ACL) Feature Manager (AFM) ternary content addressable memory (TCAM) driver information, use the show platform afm info tcam command.
show platform afm info tcam asic-id {{ bcm-entry | entry } low-tcam-index high-tcam-index | region { arpacl | e-racl | e-vacl | ifacl | qos | racl | rbacl | span | sup | vacl }}
Syntax Description
asic-id |
Global ASIC ID. The range is from 0 to 64. |
bcm-entry |
Displays BRCM TCAM entries within a range. |
entry |
Displays TCAM entries within a range. |
low-tcam-index |
Low TCAM index. The range is from 0 to 4095. |
high-tcam-index |
High TCAM index. The range is from 0 to 4095. |
region |
Displays TCAM information for a region. |
arpacl |
Displays TCAM information for an Address Resolution Protocol (ARP) ACL (ARPACL) region. |
e-racl |
Displays TCAM information for an egress router ACL (ERACL) region. |
e-vacl |
Displays TCAM information for an egress VLAN ACL (EVACL) region. |
ifacl |
Displays TCAM information for an interface ACL (IFACL) region. |
qos |
Displays TCAM information for a quality of service (QoS) region. |
racl |
Displays TCAM information for a router ACL (RACL) region. |
rbacl |
Displays TCAM information for a role based ACL (RBACL) region. |
span |
Displays TCAM information for a Switched Port Analyzer (SPAN) region. |
sup |
Displays TCAM information for a supervisor region. |
vacl |
Displays TCAM information for a VLAN ACL region. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the TCAM entries for the range 1 to 2 for ASIC ID 1:
switch# show platform afm info tcam 1 entry 1 2
TCAM entries in the range of 1 and 2 for asic id 1:
K-keyType, L-label, B-bindcheck, DH-L2DA, CT-cdceTrnst
L(IF-ifacl V-vacl Q-qos R-rbacl)
[1]> K:IP (255/0) IN v4 L-[V-0/0 ] [1] SA:00000000/00000000
[1] L3Pr:ff/6 L4d:ffff/17(23)
[1]-> prio:6 PERMIT [1] Result: Copy to CPU, code (1) [1] Result: C
[2]> K:IP (255/0) IN v4 L-[V-0/0 ] [2] SA:00000000/00000000
[2] L3Pr:ff/6 L4d:ffff/50(80)
[2]-> prio:6 PERMIT [2] Result: Copy to CPU, code (1) [2] Result: C
This example shows how to display the TCAM region configuration, with the NAT region selected:
switch# show platform afm info tcam 1 region nat
nat tcam TCAM configuration for asic id 0:
[ sup tcam]: range 0 - 15
[ vacl tcam]: range 512 - 1151
[ ifacl tcam]: range 16 - 511
[ qos tcam]: range 3840 - 4095
[ rbacl tcam]: range 0 - 0
[ span tcam]: range 0 - 0
[ racl tcam]: range 2048 - 3583
[ e-racl tcam]: range 3584 - 3839
[ e-vacl tcam]: range 1152 - 1791
[ qoslbl tcam]: range 0 - 0
[ ipsg tcam]: range 0 - 0
[ arpacl tcam]: range 0 - 0
[ ipv6-racl tcam]: range 0 - 0
[ipv6-e-racl tcam]: range 0 - 0
[ ipv6-sup tcam]: range 0 - 0
[ ipv6-qos tcam]: range 0 - 0
[ nat tcam]: range 1792 - 2047 *
TCAM [nat tcam]: [v:1, size:256, start:1792 end:2047]
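As an added example (not part of this reference), the following Python parses the region listing above into index ranges and checks that the layout is consistent: every range lies inside the documented 0 to 4095 index space and no two regions overlap. It goes beyond the page's output by applying the same check to a proposed layout, which is what you would want before resizing a region with hardware profile tcam region and reloading. The sample text is constructed to mirror the example output, not captured from a switch.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the region listing in the output above; the
# numbers mirror the example, but this text was not captured from a switch.
SAMPLE_TCAM_OUTPUT = """\
nat tcam TCAM configuration for asic id 0:
[        sup tcam]: range    0 -   15
[       vacl tcam]: range  512 - 1151
[      ifacl tcam]: range   16 -  511
[        qos tcam]: range 3840 - 4095
[      rbacl tcam]: range    0 -    0
[       span tcam]: range    0 -    0
[       racl tcam]: range 2048 - 3583
[     e-racl tcam]: range 3584 - 3839
[     e-vacl tcam]: range 1152 - 1791
[     arpacl tcam]: range    0 -    0
[        nat tcam]: range 1792 - 2047 *
TCAM [nat tcam]: [v:1, size:256, start:1792 end:2047]
"""

TCAM_INDEX_MAX = 4095  # index range documented for this command: 0 to 4095

REGION_RE = re.compile(r"^\[\s*([\w-]+) tcam\]:\s*range\s+(\d+)\s*-\s*(\d+)")

Range = Tuple[int, int]


def parse_regions(text: str) -> Dict[str, Range]:
    """Return {region: (start, end)} for allocated regions. A 'range 0 - 0' line is
    treated as an unallocated region (as for rbacl above), not as one entry at index 0."""
    regions: Dict[str, Range] = {}
    for line in text.splitlines():
        m = REGION_RE.match(line)
        if not m:
            continue
        name, start, end = m.group(1), int(m.group(2)), int(m.group(3))
        if (start, end) != (0, 0):
            regions[name] = (start, end)
    return regions


def region_size(r: Range) -> int:
    return r[1] - r[0] + 1


def total_allocated(regions: Dict[str, Range]) -> int:
    return sum(region_size(r) for r in regions.values())


def check_regions(regions: Dict[str, Range]) -> List[str]:
    """Sanity-check a region layout: every range ordered and inside 0..TCAM_INDEX_MAX,
    no two regions sharing an index. Returns problem descriptions; empty means OK."""
    problems: List[str] = []
    ordered = sorted(regions.items(), key=lambda kv: kv[1])
    for name, (start, end) in ordered:
        if start > end:
            problems.append(f"{name}: start {start} is after end {end}")
        if start < 0 or end > TCAM_INDEX_MAX:
            problems.append(f"{name}: outside index range 0-{TCAM_INDEX_MAX}")
    for (n1, (s1, e1)), (n2, (s2, e2)) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            problems.append(f"{n1} ({s1}-{e1}) overlaps {n2} ({s2}-{e2})")
    return problems


def free_entries(regions: Dict[str, Range]) -> int:
    """Indices claimed by no region (assumes check_regions reported no overlap): the
    headroom available before growing one region would require shrinking another."""
    return TCAM_INDEX_MAX + 1 - total_allocated(regions)
```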
Related Commands
|
|
show tech-support |
Displays information for Cisco technical support. |
show policy-map interface control-plane
To display the control-plane policy maps applied to interfaces, use the show policy-map interface control-plane command.
show policy-map interface control-plane
Syntax Description
This command has no arguments or keywords.
Command Modes
Any command mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Examples
This example shows how to display assigned control-plane policy maps:
switch# show policy-map interface control-plane
service-policy input: copp-system-policy-default
class-map copp-system-class-igmp (match-any)
police cir 1024 kbps, bc 65535 bytes
conformed 0 bytes; action: transmit
violated 0 bytes; action: drop
class-map copp-system-class-pim-hello (match-any)
police cir 1024 kbps, bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes; action: drop
class-map copp-system-class-bridging (match-any)
police cir 20000 kbps, bc 4800000 bytes
conformed 0 bytes; action: transmit
violated 0 bytes; action: drop
class-map copp-system-class-arp (match-any)
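As an added example (not part of this reference), the following Python parses the per-class police rate and conformed/violated counters from the output format above and compares two snapshots. The counters are cumulative, so the growth of a class's violated bytes between snapshots, rather than the absolute value, is what tells you the supervisor is currently being policed in that class. Both snapshots are constructed; the non-zero violated count for the ARP class is invented so that the delta logic has something to report.

```python
import re
from typing import Dict, List

# Constructed samples modelled on the show policy-map interface control-plane
# output in this reference (not captured from a switch). The second snapshot has
# an invented non-zero violated counter to exercise the delta logic.
SNAPSHOT_T0 = """\
service-policy input: copp-system-policy-default
  class-map copp-system-class-igmp (match-any)
    police cir 1024 kbps, bc 65535 bytes
      conformed 0 bytes; action: transmit
      violated 0 bytes; action: drop
  class-map copp-system-class-arp (match-any)
    police cir 1024 kbps, bc 3600000 bytes
      conformed 120000 bytes; action: transmit
      violated 0 bytes; action: drop
"""
SNAPSHOT_T1 = """\
service-policy input: copp-system-policy-default
  class-map copp-system-class-igmp (match-any)
    police cir 1024 kbps, bc 65535 bytes
      conformed 5120 bytes; action: transmit
      violated 0 bytes; action: drop
  class-map copp-system-class-arp (match-any)
    police cir 1024 kbps, bc 3600000 bytes
      conformed 3600000 bytes; action: transmit
      violated 8900000 bytes; action: drop
"""

CLASS_RE = re.compile(r"^\s*class-map (\S+)")
POLICE_RE = re.compile(r"^\s*police cir (\d+) kbps, bc (\d+) bytes")
COUNTER_RE = re.compile(r"^\s*(conformed|violated) (\d+) bytes; action: (\w+)")


def parse_copp(text: str) -> Dict[str, dict]:
    """Return {class_name: {cir_kbps, bc_bytes, conformed, violated, *_action}}."""
    classes: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = classes.setdefault(m.group(1), {"conformed": 0, "violated": 0})
            continue
        if current is None:
            continue
        m = POLICE_RE.match(line)
        if m:
            current["cir_kbps"], current["bc_bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = COUNTER_RE.match(line)
        if m:
            current[m.group(1)] = int(m.group(2))
            current[m.group(1) + "_action"] = m.group(3)
    return classes


def violation_deltas(before: Dict[str, dict], after: Dict[str, dict]) -> Dict[str, int]:
    """Growth of each class's violated counter between two snapshots. A class absent
    from the earlier snapshot counts from zero."""
    return {name: after[name]["violated"] - before.get(name, {}).get("violated", 0)
            for name in after}


def classes_being_policed(before: Dict[str, dict], after: Dict[str, dict],
                          min_bytes: int = 1) -> List[str]:
    """Classes whose dropped (violated) bytes grew by at least min_bytes: traffic to
    the supervisor in that class exceeded its CIR during the interval."""
    return sorted(n for n, d in violation_deltas(before, after).items() if d >= min_bytes)
```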
Related Commands
|
|
policy-map |
Creates or modifies a policy map. |
show policy-map |
Displays policy maps. |
show policy-map type control-plane
To display control plane policy map information, use the show policy-map type control-plane command.
show policy-map type control-plane [ expand ] [ name policy-map-name ]
Syntax Description
expand |
(Optional) Displays expanded control plane policy map information. |
name policy-map-name |
(Optional) Specifies the name of the control plane policy map. The name is case sensitive and can be a maximum of 64 alphanumeric characters. |
Command Modes
Any command mode
Command History
|
|
6.0(2)A1(1) |
This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to display control plane policy map information:
switch# show policy-map type control-plane
policy-map type control-plane copp-system-policy-customized
class copp-system-class-igmp
police cir 1024 kbps bc 65535 bytes
class copp-system-class-pim-hello
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-bridging
police cir 20000 kbps bc 4800000 bytes
class copp-system-class-arp
police cir 1024 kbps bc 3600000 bytes
class copp-system-class-dhcp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-mgmt
police cir 12000 kbps bc 4800000 bytes
class copp-system-class-lacp
police cir 1024 kbps bc 4800000 bytes
class copp-system-class-lldp
police cir 2048 kbps bc 4800000 bytes
class copp-system-class-udld
police cir 2048 kbps bc 4800000 bytes
This example shows how to display control plane policy map information in expanded format:
switch# show policy-map type control-plane expand
Related Commands
|
|
policy-map type control-plane |
Creates or configures a control plane policy map. |
show privilege
To show the current privilege level, username, and status of cumulative privilege support, use the show privilege command.
show privilege
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.
Examples
This example shows how to view the current privilege level, username, and status of cumulative privilege support:
switch# show privilege
Related Commands
|
|
enable |
Enables a user to move to a higher privilege level. |
enable secret priv-lvl |
Enables a secret password for a specific privilege level. |
feature privilege |
Enables the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers. |
username |
Enables a user to use privilege levels for authorization. |
show radius-server
To display RADIUS server information, use the show radius-server command.
show radius-server [ hostname | ipv4-address ] [ directed-request | groups [ group-name ] | sorted | statistics { hostname | ipv4-address } ]
Syntax Description
hostname |
(Optional) RADIUS server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters. |
ipv4-address |
(Optional) RADIUS server IPv4 address in the A. B. C. D format. |
directed-request |
(Optional) Displays the directed request configuration. |
groups |
(Optional) Displays information about the configured RADIUS server groups. |
group-name |
RADIUS server group. |
sorted |
(Optional) Displays sorted-by-name information about the RADIUS servers. |
statistics |
(Optional) Displays RADIUS statistics for the RADIUS servers. A hostname or IP address is required. |
Command Default
Displays the global RADIUS server configuration.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.
Examples
This example shows how to display information for all RADIUS servers:
switch# show radius-server
This example shows how to display information for a specified RADIUS server:
switch# show radius-server 192.168.1.1
This example shows how to display the RADIUS directed request configuration:
switch# show radius-server directed-request
This example shows how to display information for RADIUS server groups:
switch# show radius-server groups
This example shows how to display information for a specified RADIUS server group:
switch# show radius-server groups RadServer
This example shows how to display sorted information for all RADIUS servers:
switch# show radius-server sorted
This example shows how to display statistics for a specified RADIUS server:
switch# show radius-server statistics 192.168.1.1
Related Commands
|
|
show running-config radius |
Displays the RADIUS information in the running configuration file. |
show role
To display the user role configuration, use the show role command.
show role [ name role-name ]
Syntax Description
name role-name |
(Optional) Displays information for a specific user role name. |
Command Default
Displays information for all user roles.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display information for a specific user role:
switch# show role name MyRole
This example shows how to display information for all user roles:
switch# show role
Related Commands
|
|
role name |
Configures user roles. |
show role feature
To display the user role features, use the show role feature command.
show role feature [ detail | name feature-name ]
Syntax Description
detail |
(Optional) Displays detailed information for all features. |
name feature-name |
(Optional) Displays detailed information for a specific feature. The name can be a maximum of 16 alphanumeric characters and is case sensitive. |
Command Default
Displays a list of user role feature names.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the user role features:
switch# show role feature
This example shows how to display detailed information about all the user role features:
switch# show role feature detail
This example shows how to display detailed information for a specific user role feature named arp:
switch# show role feature name arp
Related Commands
|
|
role feature-group |
Configures feature groups for user roles. |
rule |
Configures rules for user roles. |
show role feature-group
To display the user role feature groups, use the show role feature-group command.
show role feature-group [ detail | name group-name ]
Syntax Description
detail |
(Optional) Displays detailed information for all feature groups. |
name group-name |
(Optional) Displays detailed information for a specific feature group. |
Command Default
Displays a list of user role feature groups.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the user role feature groups:
switch# show role feature-group
This example shows how to display detailed information about all the user role feature groups:
switch# show role feature-group detail
This example shows how to display information for a specific user role feature group:
switch# show role feature-group name SecGroup
Related Commands
|
|
role feature-group |
Configures feature groups for user roles. |
rule |
Configures rules for user roles. |
show running-config aaa
To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.
show running-config aaa [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the configured AAA information in the running configuration:
switch# show running-config aaa
Related Commands
|
|
copy running-config startup-config |
Copies the running system configuration to the startup configuration file. |
show running-config aclmgr
To display the access control list (ACL) configuration in the running configuration, use the show running-config aclmgr command.
show running-config aclmgr [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the ACL running configuration on a switch that runs Cisco NX-OS Release 5.0(3)A1(1):
switch# show running-config aclmgr
!Command: show running-config aclmgr
!Time: Tue Aug 23 06:28:15 2011
ip access-list copp-system-acl-eigrp
10 permit eigrp any 224.0.0.10/32
ip access-list copp-system-acl-icmp
ip access-list copp-system-acl-igmp
ip access-list copp-system-acl-ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
ip access-list copp-system-acl-pimreg
This example shows how to display only the VTY running configuration:
switch# show running-config aclmgr | begin vty
Related Commands
|
|
access-class |
Configures access classes for VTY. |
control-plane |
Enters the control-plane configuration mode. |
copy running-config startup-config |
Copies the running configuration to the startup configuration file. |
ip access-class |
Configures IPv4 access classes for VTY. |
show startup-config aclmgr |
Displays the ACL startup configuration. |
show running-config arp
To display the Address Resolution Protocol (ARP) configuration in the running configuration, use the show running-config arp command.
show running-config arp [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the ARP configuration:
switch# show running-config arp
This example shows how to display the ARP configuration with the default information:
switch# show running-config arp all
Related Commands
|
|
copy running-config startup-config |
Copies the running configuration to the startup configuration file. |
ip arp event-history errors |
Logs ARP debug events into the event history buffer. |
ip arp timeout |
Configures an ARP timeout. |
show startup-config arp |
Displays the ARP startup configuration. |
show running-config dhcp
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the running configuration, use the show running-config dhcp command.
show running-config dhcp [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to display the DHCP snooping configuration:
switch# show running-config dhcp
This example shows how to display the DHCP snooping configuration with the default information:
switch# show running-config dhcp all
Related Commands
|
|
copy running-config startup-config |
Copies the running configuration to the startup configuration. |
feature dhcp |
Enables the DHCP snooping feature on the device. |
ip dhcp snooping |
Globally enables DHCP snooping on the device. |
show ip dhcp snooping |
Displays general information about DHCP snooping. |
show startup-config dhcp |
Displays the DHCP startup configuration. |
show running-config radius
To display RADIUS server information in the running configuration, use the show running-config radius command.
show running-config radius [ all ]
Syntax Description
all |
(Optional) Displays default RADIUS configuration information. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display information for RADIUS in the running configuration:
switch# show running-config radius
Related Commands
|
|
show radius-server |
Displays RADIUS information. |
show running-config security
To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.
show running-config security [ all ]
Syntax Description
all |
(Optional) Displays default user account, SSH server, and Telnet server configuration information. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display user account, SSH server, and Telnet server information in the running configuration:
switch# show running-config security
Related Commands
|
|
copy running-config startup-config |
Copies the running system configuration to the startup configuration file. |
show ssh key
To display the Secure Shell (SSH) server key, use the show ssh key command.
show ssh key
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
This command is available only when SSH is enabled using the ssh server enable command.
Examples
This example shows how to display the SSH server key:
switch# show ssh key
Related Commands
|
|
ssh server key |
Configures the SSH server key. |
show ssh server
To display the Secure Shell (SSH) server status, use the show ssh server command.
show ssh server
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the SSH server status:
switch# show ssh server
Related Commands
|
|
ssh server enable |
Enables the SSH server. |
show startup-config aaa
To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.
show startup-config aaa
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the AAA information in the startup configuration:
switch# show startup-config aaa
Related Commands
|
|
copy running-config startup-config |
Copies the running system configuration to the startup configuration file. |
show startup-config aclmgr
To display the access control list (ACL) configuration in the startup configuration, use the show startup-config aclmgr command.
show startup-config aclmgr [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the ACL startup configuration:
switch# show startup-config aclmgr
!Command: show startup-config aclmgr
!Time: Tue Aug 23 07:16:55 2011
!Startup config saved at: Sat Aug 20 04:58:59 2011
ip access-list copp-system-acl-eigrp
10 permit eigrp any 224.0.0.10/32
ip access-list copp-system-acl-icmp
ip access-list copp-system-acl-igmp
ip access-list copp-system-acl-ntp
10 permit udp any any eq ntp
20 permit udp any eq ntp any
ip access-list copp-system-acl-pimreg
ip access-list copp-system-acl-ping
10 permit icmp any any echo
20 permit icmp any any echo-reply
This example shows how to display only the VTY startup configuration:
switch# show startup-config aclmgr | begin vty
Related Commands
|
|
copy running-config startup-config |
Copies the running configuration to the startup configuration file. |
show running-config aclmgr |
Displays the ACL running configuration. |
show startup-config arp
To display the Address Resolution Protocol (ARP) configuration in the startup configuration, use the show startup-config arp command.
show startup-config arp [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the ARP startup configuration:
switch# show startup-config arp
Related Commands
|
|
copy running-config startup-config |
Copies the running configuration to the startup configuration file. |
ip arp event-history errors |
Logs ARP debug events into the event history buffer. |
ip arp timeout |
Configures an ARP timeout. |
show running-config arp |
Displays the ARP running configuration. |
show startup-config dhcp
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the startup configuration, use the show startup-config dhcp command.
show startup-config dhcp [ all ]
Syntax Description
all |
(Optional) Displays configured and default information. |
Command Modes
Any command mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to display the DHCP snooping configuration in the startup configuration file:
switch# show startup-config dhcp
Related Commands
|
|
copy running-config startup-config |
Copies the running configuration to the startup configuration. |
feature dhcp |
Enables the DHCP snooping feature on the device. |
show running-config dhcp |
Displays the DHCP running configuration. |
show startup-config radius
To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.
show startup-config radius
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the RADIUS information in the startup configuration:
switch# show startup-config radius
Related Commands
|
|
copy running-config startup-config |
Copies the running system configuration to the startup configuration file. |
show startup-config security
To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.
show startup-config security
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
switch# show startup-config security
Related Commands
|
|
copy running-config startup-config |
Copies the running system configuration to the startup configuration file. |
show tacacs-server
To display TACACS+ server information, use the show tacacs-server command.
show tacacs-server [ hostname | ipv4-address ] [ directed-request | groups [ group-name ] | sorted | statistics { hostname | ipv4-address } ]
Syntax Description
hostname |
(Optional) TACACS+ server Domain Name Server (DNS) name. The maximum character size is 256. |
ipv4-address |
(Optional) TACACS+ server IPv4 address in the A. B. C. D format. |
directed-request |
(Optional) Displays the directed request configuration. |
groups |
(Optional) Displays information about the configured TACACS+ server groups. |
sorted |
(Optional) Displays sorted-by-name information about the TACACS+ servers. |
statistics |
(Optional) Displays TACACS+ statistics for the TACACS+ servers. |
Command Default
Displays the global TACACS+ server configuration.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.
You must use the feature tacacs+ command before you can display TACACS+ information.
Examples
This example shows how to display information for all TACACS+ servers:
switch# show tacacs-server
This example shows how to display information for a specified TACACS+ server:
switch# show tacacs-server 192.168.2.2
This example shows how to display the TACACS+ directed request configuration:
switch# show tacacs-server directed-request
This example shows how to display information for TACACS+ server groups:
switch# show tacacs-server groups
This example shows how to display information for a specified TACACS+ server group:
switch# show tacacs-server groups TacServer
This example shows how to display sorted information for all TACACS+ servers:
switch# show tacacs-server sorted
This example shows how to display statistics for a specified TACACS+ server:
switch# show tacacs-server statistics 192.168.2.2
Related Commands
|
|
show running-config tacacs+ |
Displays the TACACS+ information in the running configuration file. |
show telnet server
To display the Telnet server status, use the show telnet server command.
show telnet server
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display the Telnet server status:
switch# show telnet server
Related Commands
|
|
telnet server enable |
Enables the Telnet server. |
show user-account
To display information about the user accounts on the switch, use the show user-account command.
show user-account [ name ]
Syntax Description
name |
(Optional) Information about the specified user account only. |
Command Default
Displays information about all the user accounts defined on the switch.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display information about all the user accounts defined on the switch:
switch# show user-account
This example shows how to display information about a specific user account:
switch# show user-account admin
Related Commands
|
|
copy running-config startup-config |
Copies the running system configuration to the startup configuration file. |
show users
To display the users currently logged on to the switch, use the show users command.
show users
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display all the users currently logged on to the switch:
switch# show users
Related Commands
|
|
clear user |
Logs out a specific user. |
username |
Creates and configures a user account. |
show vlan access-list
To display the contents of the IPv4 access control list (ACL) or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.
show vlan access-list map-name
Syntax Description
map-name |
VLAN access list to show. |
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
For the specified VLAN access map, the switch displays the access map name and the contents of the ACL associated with the map.
Examples
This example shows how to display the contents of the ACL associated with the specified VLAN access map:
switch# show vlan access-list vlan1map
Related Commands
|
|
ip access-list |
Creates or configures an IPv4 ACL. |
show access-lists |
Displays information about how a VLAN access map is applied. |
show ip access-lists |
Displays all IPv4 ACLs or a specific IPv4 ACL. |
vlan access-map |
Configures a VLAN access map. |
show vlan access-map
To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.
show vlan access-map [ map-name ]
Syntax Description
map-name |
(Optional) VLAN access map to show. |
Command Default
The switch shows all VLAN access maps, unless you use the map-name argument to select a specific access map.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
For each VLAN access map displayed, the switch shows the access map name, the ACL specified by the match command, and the action specified by the action command.
Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.
Examples
This example shows how to display a specific VLAN access map:
switch# show vlan access-map vlan1map
This example shows how to display all VLAN access maps:
switch# show vlan access-map
Related Commands
|
|
action |
Specifies an action for traffic filtering in a VLAN access map. |
match |
Specifies an ACL for traffic filtering in a VLAN access map. |
show vlan filter |
Displays information about how a VLAN access map is applied. |
vlan access-map |
Configures a VLAN access map. |
vlan filter |
Applies a VLAN access map to one or more VLANs. |
show vlan filter
To display information about instances of the vlan filter command, including the VLAN access map and the VLAN IDs affected by the command, use the show vlan filter command.
show vlan filter [ access-map map-name | vlan vlan-id ]
Syntax Description
access-map map-name |
(Optional) Limits the output to VLANs that the specified access map is applied to. |
vlan vlan-id |
(Optional) Limits the output to access maps that are applied to the specified VLAN only. |
Command Default
All instances of VLAN access maps applied to a VLAN are displayed, unless you use the access-map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to display all VLAN access map information on the switch:
switch# show vlan filter
Related Commands
|
|
action |
Specifies an action for traffic filtering in a VLAN access map. |
match |
Specifies an ACL for traffic filtering in a VLAN access map. |
show vlan access-map |
Displays all VLAN access maps or a VLAN access map. |
vlan access-map |
Configures a VLAN access map. |
vlan filter |
Applies a VLAN access map to one or more VLANs. |
ssh
To create a Secure Shell (SSH) session using IPv4, use the ssh command.
ssh [ username@ ] { ipv4-address | hostname } [ vrf { vrf-name | default | management } ]
Syntax Description
username |
(Optional) Username for the SSH session. The username is not case sensitive and has a maximum of 64 characters. |
ipv4-address |
IPv4 address of the remote host. |
hostname |
Hostname of the remote host. The hostname is case sensitive and has a maximum of 64 characters. |
vrf vrf-name |
(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH session. The name can be a maximum of 32 alphanumeric characters. |
default |
Specifies the default VRF. |
management |
Specifies the management VRF. |
Command Default
Default VRF
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The switch supports SSH versions 1 and 2.
Examples
This example shows how to start an SSH session using IPv4:
switch# ssh 192.168.1.1 vrf management
Related Commands
|
|
clear ssh session |
Clears SSH sessions. |
ssh server enable |
Enables the SSH server. |
ssh key
To create a Secure Shell (SSH) server key, use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key { dsa [ force ] | rsa [ length [ force ]]}
no ssh key [ dsa | rsa ]
Syntax Description
dsa |
Specifies the Digital Signature Algorithm (DSA) SSH server key. |
force |
(Optional) Forces the generation of a DSA SSH key even if previous ones are present. |
rsa |
Specifies the Rivest, Shamir, and Adleman (RSA) public-key cryptography SSH server key. |
length |
(Optional) Number of bits to use when creating the SSH server key. The range is from 768 to 2048. |
Command Default
1024-bit length
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The Cisco NX-OS software supports SSH versions 1 and 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no ssh server enable command.
Examples
This example shows how to create an SSH server key using RSA with the default key length:
switch# configure terminal
switch(config)# ssh key rsa
This example shows how to create an SSH server key using RSA with a specified key length:
switch# configure terminal
switch(config)# ssh key rsa 768
This example shows how to replace an SSH server key using DSA with the force option:
switch# configure terminal
switch(config)# no ssh server enable
switch(config)# ssh key dsa force
switch(config)# ssh server enable
This example shows how to remove the DSA SSH server key:
switch# configure terminal
switch(config)# no ssh server enable
switch(config)# no ssh key dsa
switch(config)# ssh server enable
This example shows how to remove all SSH server keys:
switch# configure terminal
switch(config)# no ssh server enable
switch(config)# no ssh key
switch(config)# ssh server enable
Related Commands
|
|
show ssh key |
Displays the SSH server key information. |
ssh server enable |
Enables the SSH server. |
ssh server enable
To enable the Secure Shell (SSH) server, use the ssh server enable command. To disable the SSH server, use the no form of this command.
ssh server enable
no ssh server enable
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The switch supports SSH versions 1 and 2.
Examples
This example shows how to enable the SSH server:
switch(config)# ssh server enable
This example shows how to disable the SSH server:
switch(config)# no ssh server enable
Related Commands
|
|
show ssh server |
Displays the SSH server key information. |
statistics per-entry
To start recording statistics for how many packets are permitted or denied by each entry in an IP access control list (ACL), a MAC ACL, or a VLAN access map, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
statistics per-entry
no statistics per-entry
Syntax Description
This command has no arguments or keywords.
Command Modes
IPv6 access-list configuration
MAC access-list configuration
VLAN access-map configuration mode
Switch profile VLAN access-map configuration mode
Command History
|
|
6.0(2)A4(1) |
Support for MAC access-list was introduced. |
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
Statistics are not supported if the DHCP snooping feature is enabled.
Examples
This example shows how to start recording per-entry statistics for a MAC access list called acl-mac-01:
switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# statistics per-entry
This example shows how to start recording per-entry statistics for a VLAN access map named vlan-map-01:
switch# configure terminal
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# statistics per-entry
switch(config-access-map)#
This example shows how to start recording per-entry statistics for a VLAN access map named vlan-map-03 in a switch profile:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# vlan access-map vlan-map-03
switch(config-sync-sp-access-map)# statistics per-entry
switch(config-sync-sp-access-map)#
This example shows how to stop recording per-entry statistics for a VLAN access map named vlan-map-03 in a switch profile:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# vlan access-map vlan-map-03
switch(config-sync-sp-access-map)# no statistics per-entry
switch(config-sync-sp-access-map)#
Related Commands
|
|
deny (IPv4) |
Configures a deny rule in an IPv4 ACL. |
permit (IPv4) |
Configures a permit rule in an IPv4 ACL. |
show running-config switch-profile |
Displays the running configuration for a switch profile. |
switch-profile |
Creates or configures a switch profile. |
storm-control level
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control { broadcast | multicast | unicast } level percentage[.fraction]
no storm-control { broadcast | multicast | unicast } level
Syntax Description
broadcast |
Specifies the broadcast traffic. |
multicast |
Specifies the multicast traffic. |
unicast |
Specifies the unicast traffic. |
level percentage |
Specifies the percentage of the suppression level. The range is from 0 to 100 percent. |
fraction |
(Optional) Fraction of the suppression level. The range is from 0 to 99. |
Command Default
All packets are passed.
Command Modes
Interface configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters storm-control command to display the discard count.
Use one of the following methods to turn off suppression for the specified traffic type:
- Set the level to 100 percent for the specified traffic type.
- Use the no form of this command.
Examples
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# storm-control broadcast level 30
This example shows how to disable the suppression mode for multicast traffic:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# no storm-control multicast level
Related Commands
|
|
show interface |
Displays the storm-control suppression counters for an interface. |
show running-config |
Displays the configuration of the interface. |
tacacs-server deadtime
To set the periodic time interval during which a nonreachable (nonresponsive) TACACS+ server is monitored for responsiveness, use the tacacs-server deadtime command. To disable the monitoring of the nonresponsive TACACS+ server, use the no form of this command.
tacacs-server deadtime minutes
no tacacs-server deadtime minutes
Syntax Description
minutes |
Time interval in minutes. The range is from 1 to 1440. |
Command Default
0 minutes
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
Setting the time interval to zero disables the timer. If the dead-time interval for an individual TACACS+ server is greater than zero (0), that value takes precedence over the value set for the server group.
When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the dead-time interval and enable periodic monitoring:
switch# configure terminal
switch(config)# tacacs-server deadtime 10
This example shows how to revert to the default dead-time interval and disable periodic monitoring:
switch# configure terminal
switch(config)# no tacacs-server deadtime 10
Related Commands
|
|
deadtime |
Sets a dead-time interval for monitoring a nonresponsive RADIUS or TACACS+ server group. |
feature tacacs+ |
Enables TACACS+. |
show tacacs-server |
Displays TACACS+ server information. |
tacacs-server directed-request
To allow users to send authentication requests to a specific TACACS+ server when logging in, use the tacacs-server directed-request command. To revert to the default, use the no form of this command.
tacacs-server directed-request
no tacacs-server directed-request
Syntax Description
This command has no arguments or keywords.
Command Default
Sends the authentication request to the configured TACACS+ server groups.
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
During login, the user can specify username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server. The username is sent to that server for authentication.
Examples
This example shows how to allow users to send authentication requests to a specific TACACS+ server when logging in:
switch# configure terminal
switch(config)# tacacs-server directed-request
This example shows how to disallow users to send authentication requests to a specific TACACS+ server when logging in:
switch# configure terminal
switch(config)# no tacacs-server directed-request
Related Commands
|
|
feature tacacs+ |
Enables TACACS+. |
show tacacs-server directed-request |
Displays a directed request TACACS+ server configuration. |
tacacs-server host
To configure TACACS+ server host parameters, use the tacacs-server host command. To revert to the defaults, use the no form of this command.
tacacs-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret ] [ port port-number ] [ test { idle-time time | password password | username name }] [ timeout seconds ]
no tacacs-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret ] [ port port-number ] [ test { idle-time time | password password | username name }] [ timeout seconds ]
Syntax Description
hostname |
TACACS+ server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters. |
ipv4-address |
TACACS+ server IPv4 address in the A.B.C.D format. |
key |
(Optional) Configures the TACACS+ server's shared secret key. |
0 |
(Optional) Configures a preshared key specified in clear text (indicated by 0) to authenticate communication between the TACACS+ client and server. This is the default. |
7 |
(Optional) Configures a preshared key specified in encrypted text (indicated by 7) to authenticate communication between the TACACS+ client and server. |
shared-secret |
Preshared key to authenticate communication between the TACACS+ client and server. The preshared key is alphanumeric, case sensitive, and has a maximum of 63 characters. |
port port-number |
(Optional) Configures a TACACS+ server port for authentication. The range is from 1 to 65535. |
test |
(Optional) Configures parameters to send test packets to the TACACS+ server. |
idle-time time |
(Optional) Specifies the time interval (in minutes) for monitoring the server. The time range is 1 to 1440 minutes. |
password password |
(Optional) Specifies a user password in the test packets. The password is alphanumeric, case sensitive, and has a maximum of 32 characters. |
username name |
(Optional) Specifies a user name in the test packets. The username is alphanumeric, case sensitive, and has a maximum of 32 characters. |
timeout seconds |
(Optional) Configures a TACACS+ server timeout period (in seconds) between retransmissions to the TACACS+ server. The range is from 1 to 60 seconds. |
Command Default
Idle time: disabled.
Server monitoring: disabled.
Timeout: 1 second.
Test username: test.
Test password: test.
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
Examples
This example shows how to configure TACACS+ server host parameters:
switch# configure terminal
switch(config)# tacacs-server host 192.168.2.3 key HostKey
switch(config)# tacacs-server host tacacs2 key 0 abcd
switch(config)# tacacs-server host tacacs3 key 7 1234
switch(config)# tacacs-server host 192.168.2.3 test idle-time 10
switch(config)# tacacs-server host 192.168.2.3 test username tester
switch(config)# tacacs-server host 192.168.2.3 test password 2B9ka5
Related Commands
|
|
feature tacacs+ |
Enables TACACS+. |
show tacacs-server |
Displays TACACS+ server information. |
tacacs-server key
To configure a global TACACS+ shared secret key, use the tacacs-server key command. To remove a configured shared secret, use the no form of this command.
tacacs-server key [ 0 | 7 ] shared-secret
no tacacs-server key [ 0 | 7 ] shared-secret
Syntax Description
0 |
(Optional) Configures a preshared key specified in clear text to authenticate communication between the TACACS+ client and server. This is the default. |
7 |
(Optional) Configures a preshared key specified in encrypted text to authenticate communication between the TACACS+ client and server. |
shared-secret |
Preshared key to authenticate communication between the TACACS+ client and server. The preshared key is alphanumeric, case sensitive, and has a maximum of 63 characters. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the switch. You can override this global key assignment by using the key keyword in the tacacs-server host command.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure TACACS+ server shared keys:
switch# configure terminal
switch(config)# tacacs-server key AnyWord
switch(config)# tacacs-server key 0 AnyWord
switch(config)# tacacs-server key 7 public
Related Commands
|
|
feature tacacs+ |
Enables TACACS+. |
show tacacs-server |
Displays TACACS+ server information. |
tacacs-server timeout
To specify the time between retransmissions to the TACACS+ servers, use the tacacs-server timeout command. To revert to the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
Syntax Description
seconds |
Seconds between retransmissions to the TACACS+ server. The valid range is 1 to 60 seconds. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the TACACS+ server timeout value:
switch# configure terminal
switch(config)# tacacs-server timeout 3
This example shows how to revert to the default TACACS+ server timeout value:
switch# configure terminal
switch(config)# no tacacs-server timeout 3
Related Commands
|
|
feature tacacs+ |
Enables TACACS+. |
show tacacs-server |
Displays TACACS+ server information. |
telnet
To create a Telnet session using IPv4 on a Cisco Nexus 3000 Series switch, use the telnet command.
telnet { ipv4-address | hostname } [ port-number ] [ vrf { vrf-name | default | management }]
Syntax Description
ipv4-address |
IPv4 address of the remote switch. |
hostname |
Hostname of the remote switch. The name is alphanumeric, case sensitive, and has a maximum of 64 characters. |
port-number |
(Optional) Port number for the Telnet session. The range is from 1 to 65535. |
vrf vrf-name |
(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the Telnet session. The name is case sensitive and can be a maximum of 32 alphanumeric characters. |
default |
Specifies the default VRF. |
management |
Specifies the management VRF. |
Command Default
Port 23 is the default port.
Command Modes
EXEC mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to start a Telnet session using IPv4:
switch# telnet 192.168.1.1 vrf management
Related Commands
|
|
clear line |
Clears Telnet sessions. |
telnet server enable |
Enables the Telnet server. |
telnet server enable
To enable the Telnet server, use the telnet server enable command. To disable the Telnet server, use the no form of this command.
telnet server enable
no telnet server enable
Syntax Description
This command has no arguments or keywords.
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to enable the Telnet server:
switch(config)# telnet server enable
This example shows how to disable the Telnet server:
switch(config)# no telnet server enable
Related Commands
|
|
show telnet server |
Displays the Telnet server status. |
use-vrf
To specify a virtual routing and forwarding (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.
use-vrf { vrf-name | default | management }
no use-vrf { vrf-name | default | management }
Syntax Description
vrf-name |
VRF instance name. The name is case sensitive and can be a maximum of 32 alphanumeric characters. |
default |
Specifies the default VRF. |
management |
Specifies the management VRF. |
Command Modes
RADIUS server group configuration mode
TACACS+ server group configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You can configure only one VRF instance for a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode, or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to specify a VRF instance for a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# use-vrf management
This example shows how to specify a VRF instance for a TACACS+ server group:
switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# use-vrf management
This example shows how to remove the VRF instance from a TACACS+ server group:
switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf management
Related Commands
|
|
aaa group server |
Configures AAA server groups. |
feature tacacs+ |
Enables TACACS+. |
radius-server host |
Configures a RADIUS server. |
show radius-server groups |
Displays RADIUS server information. |
show tacacs-server groups |
Displays TACACS+ server information. |
tacacs-server host |
Configures a TACACS+ server. |
vrf |
Configures a VRF instance. |
username
To create and configure a user account, use the username command. To remove a user account, use the no form of this command.
username user-id [ expire date ] [ password { 0 | 5 } password ] [ role role-name ] [ priv-lvl level ]
username user-id sshkey { key | filename filename }
no username user-id
Syntax Description
user-id |
User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters. Note: The Cisco NX-OS software does not allow the “#” and “@” characters in the user-id argument text string. |
expire date |
(Optional) Specifies the expire date for the user account. The format for the date argument is YYYY-MM-DD. |
password |
(Optional) Specifies a password for the account. The default is no password. |
0 |
Specifies that the password that follows should be in clear text. This is the default mode. |
5 |
Specifies that the password that follows should be encrypted. |
password |
Password for the user (clear text). The password can be a maximum of 64 characters. Note Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (“ or ‘), vertical bars (|), or right angle brackets (>). |
role role-name |
(Optional) Specifies the role to which the user is assigned. Valid values are as follows:
- default-role —User role
- network-admin —System configured role
- network-operator —System configured role
- priv-0 —Privilege role
- priv-1 —Privilege role
- priv-2 —Privilege role
- priv-3 —Privilege role
- priv-4 —Privilege role
- priv-5 —Privilege role
- priv-6 —Privilege role
- priv-7 —Privilege role
- priv-8 —Privilege role
- priv-9 —Privilege role
- priv-10 —Privilege role
- priv-11 —Privilege role
- priv-12 —Privilege role
- priv-13 —Privilege role
- priv-14 —Privilege role
- priv-15 —Privilege role
- vdc-admin —System configured role
- vdc-operator —System configured role
|
priv-lvl level |
(Optional) Specifies the privilege level to assign the user. Valid values are from 0 to 15. |
sshkey |
(Optional) Specifies an SSH key for the user account. |
key |
SSH key string. |
filename filename |
Specifies the name of a file that contains the SSH key string. |
Command Default
No expiration date, password, or SSH key.
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
The switch accepts only strong passwords. The characteristics of a strong password include the following:
- At least eight characters long
- Does not contain many consecutive characters (such as “abcd”)
- Does not contain many repeating characters (such as “aaabbb”)
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
Caution
If you do not specify a password for the user account, the user might not be able to log in to the account.
You must enable cumulative privilege roles for TACACS+ servers with the feature privilege command before the priv-lvl keyword becomes available.
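The user-id and strong-password rules above, as an added Python pre-check that an operator can run before issuing a username command (example code, not part of NX-OS or this reference; the thresholds for "many" consecutive or repeating characters and the small word lists are assumptions):

```python
from __future__ import annotations

# Limits taken from the username command's Syntax Description on this page.
MAX_USER_ID_LEN = 28                 # user-id: case-sensitive alphanumeric, max 28 chars
FORBIDDEN_USER_ID_CHARS = set("#@")  # "#" and "@" are not allowed in the user-id
MAX_PASSWORD_LEN = 64                # clear-text password: max 64 chars
FORBIDDEN_LEADING = set('"\'|>')     # may not appear as the first password character
# Assumptions: what counts as "many" consecutive ("abcd") or repeating ("aaabbb") chars.
SEQUENTIAL_THRESHOLD = 4
REPEAT_THRESHOLD = 3
# Constructed stand-ins for a dictionary and a proper-name list (assumption).
DICTIONARY_WORDS = {"password", "cisco", "nexus", "admin", "switch", "network"}
PROPER_NAMES = {"john", "mary", "alice", "robert"}


def user_id_errors(user_id: str) -> list[str]:
    """Return the user-id rules the value violates (empty list if acceptable)."""
    errors = []
    if not 1 <= len(user_id) <= MAX_USER_ID_LEN:
        errors.append(f"user-id must be 1 to {MAX_USER_ID_LEN} characters")
    forbidden = sorted(FORBIDDEN_USER_ID_CHARS & set(user_id))
    if forbidden:
        errors.append("user-id may not contain: " + " ".join(forbidden))
    return errors


def _longest_sequential_run(s: str) -> int:
    """Longest run of characters stepping by +1 or -1 in one direction ('abcd', '4321')."""
    best = run = 1
    direction = 0
    for prev, cur in zip(s, s[1:]):
        step = ord(cur) - ord(prev)
        if step in (1, -1):
            run = run + 1 if direction in (0, step) else 2  # direction flip restarts the run
            direction = step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def _longest_repeat_run(s: str) -> int:
    """Longest run of one identical character ('aaa' -> 3)."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def password_errors(password: str) -> list[str]:
    """Return the strong-password rules the clear-text value violates."""
    errors = []
    if len(password) < 8:
        errors.append("at least eight characters long")
    if len(password) > MAX_PASSWORD_LEN:
        errors.append(f"at most {MAX_PASSWORD_LEN} characters long")
    if "$" in password or " " in password:
        errors.append("clear-text password may not contain '$' or spaces")
    if password and password[0] in FORBIDDEN_LEADING:
        errors.append("password may not begin with \" ' | or >")
    if _longest_sequential_run(password) >= SEQUENTIAL_THRESHOLD:
        errors.append("too many consecutive characters (such as 'abcd')")
    if _longest_repeat_run(password) >= REPEAT_THRESHOLD:
        errors.append("too many repeating characters (such as 'aaabbb')")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY_WORDS):
        errors.append("contains a dictionary word")
    if any(name in lowered for name in PROPER_NAMES):
        errors.append("contains a proper name")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        errors.append("needs both uppercase and lowercase characters")
    if not any(c.isdigit() for c in password):
        errors.append("needs at least one number")
    return errors


def check_account(user_id: str, password: str) -> dict[str, list[str]]:
    """Findings per field for a proposed 'username user-id password 0 password' line."""
    return {"user-id": user_id_errors(user_id), "password": password_errors(password)}


if __name__ == "__main__":
    # Constructed sample accounts; the first one is the page's own example.
    for uid, pw in [("user1", "Ci5co321"), ("ad@min", "abcd1234"), ("ops", "Password9x")]:
        print(uid, check_account(uid, pw))
```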
Examples
This example shows how to create a user account with a password:
switch# configure terminal
switch(config)# username user1 password Ci5co321
This example shows how to configure the SSH key for a user account:
switch# configure terminal
switch(config)# username user1 sshkey file bootflash:key_file
This example shows how to configure the privilege level for a user account:
switch# configure terminal
switch(config)# username user1 priv-lvl 15
Related Commands
|
|
feature privilege |
Enables the cumulative privilege of roles for command authorization on TACACS+ servers. |
show privilege |
Displays the current privilege level, username, and status of cumulative privilege support for a user. |
show user-account |
Displays the user account configuration. |
vlan access-map
To create a new VLAN access map or to configure an existing VLAN access map, use the vlan access-map command. To remove a VLAN access map, use the no form of this command.
vlan access-map map-name
no vlan access-map map-name
Syntax Description
map-name |
Name of the VLAN access map that you want to create or configure. The name can be up to 64 alphanumeric, case-sensitive characters. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
Each VLAN access map can include one match command and one action command.
Examples
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch# configure terminal
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics
switch(config-access-map)#
This example shows how to create a VLAN access map named vlan-map-03 in a switch profile:
switch# configure sync
switch(config-sync)# switch-profile s5010
switch(config-sync-sp)# vlan access-map vlan-map-03
switch(config-sync-sp-access-map)#
Related Commands
|
|
action |
Specifies an action for traffic filtering in a VLAN access map. |
match |
Specifies an ACL for traffic filtering in a VLAN access map. |
show vlan access-map |
Displays all VLAN access maps or a VLAN access map. |
show vlan filter |
Displays information about how a VLAN access map is applied. |
vlan filter |
Applies a VLAN access map to one or more VLANs. |
vlan filter
To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.
vlan filter map-name vlan-list VLAN-list
no vlan filter map-name [ vlan-list VLAN-list ]
Syntax Description
map-name |
Name of the VLAN access map that you want to apply. |
vlan-list VLAN-list |
Specifies the ID of one or more VLANs whose traffic the VLAN access map filters. Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100. Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142. Note When you use the no form of this command, the VLAN-list argument is optional. If you omit this argument, the switch removes the access map from all VLANs where the access map is applied. |
Command Modes
Global configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
You can apply a VLAN access map to one or more VLANs.
You can apply only one VLAN access map to a VLAN.
The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
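The VLAN-list syntax, the one-map-per-VLAN rule, and the all-or-subset behaviour of the no form described above (and the show vlan filter output they feed), modelled as an added Python example; this is not NX-OS code, and rejecting a second map on an already-filtered VLAN is an assumption about how the one-map rule is enforced:

```python
from __future__ import annotations
from typing import Dict, Optional, Set


def parse_vlan_list(text: str) -> Set[int]:
    """Parse a VLAN-list such as '20,70-100,142' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in VLAN list")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"range {item} is reversed")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(item))
    out_of_range = sorted(v for v in vlans if not 1 <= v <= 4094)
    if out_of_range:
        raise ValueError(f"VLAN IDs out of range: {out_of_range}")
    return vlans


class VlanFilterTable:
    """Tracks which access map is applied to each VLAN (only one map per VLAN)."""

    def __init__(self) -> None:
        self.applied: Dict[int, str] = {}  # vlan-id -> map-name

    def vlan_filter(self, map_name: str, vlan_list: str) -> None:
        """vlan filter map-name vlan-list VLAN-list"""
        vlans = parse_vlan_list(vlan_list)
        conflicts = {}
        for v in vlans:
            current = self.applied.get(v)
            if current is not None and current != map_name:
                conflicts[v] = current
        if conflicts:  # assumption: refuse rather than silently replace the other map
            raise ValueError(f"VLANs already filtered by another map: {conflicts}")
        for v in vlans:
            self.applied[v] = map_name

    def no_vlan_filter(self, map_name: str, vlan_list: Optional[str] = None) -> Set[int]:
        """no vlan filter map-name [vlan-list VLAN-list]; returns the VLANs unapplied.

        Without a VLAN-list the map is removed from every VLAN it is applied to;
        with one, only from the listed VLANs where this map is currently applied."""
        targets = set(self.applied) if vlan_list is None else parse_vlan_list(vlan_list)
        removed = {v for v in targets if self.applied.get(v) == map_name}
        for v in removed:
            del self.applied[v]
        return removed

    def show_vlan_filter(self, access_map: Optional[str] = None,
                         vlan: Optional[int] = None) -> Dict[str, list]:
        """Mirror of show vlan filter [access-map name | vlan id]: map-name -> sorted VLANs."""
        out: Dict[str, list] = {}
        for v, m in sorted(self.applied.items()):
            if access_map is not None and m != access_map:
                continue
            if vlan is not None and v != vlan:
                continue
            out.setdefault(m, []).append(v)
        return out


if __name__ == "__main__":
    table = VlanFilterTable()
    table.vlan_filter("vlan-map-01", "20-45")      # the page's own example
    print(table.show_vlan_filter())
    print(table.no_vlan_filter("vlan-map-01", "30-35"))
    print(table.show_vlan_filter(access_map="vlan-map-01"))
```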
Examples
This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
switch# configure terminal
switch(config)# vlan filter vlan-map-01 20-45
This example shows how to apply a VLAN access map named vlan-map-03 to VLANs 12 through 20:
switch# configure sync
Enter configuration commands, one per line. End with CNTL/Z.
switch(config-sync)# switch-profile s5010
Switch-Profile started, Profile ID is 1
switch(config-sync-sp)# vlan filter vlan-map-03 12-20
Related Commands
|
|
action |
Specifies an action for traffic filtering in a VLAN access map. |
match |
Specifies an ACL for traffic filtering in a VLAN access map. |
show running-config switch-profile |
Displays the running configuration for a switch profile. |
show vlan access-map |
Displays all VLAN access maps or a VLAN access map. |
show vlan filter |
Displays information about how a VLAN access map is applied. |
vlan access-map |
Configures a VLAN access map. |
vlan policy deny
To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.
vlan policy deny
no vlan policy deny
Syntax Description
This command has no arguments or keywords.
Command Default
All VLANs
Command Modes
User role configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to enter VLAN policy configuration mode for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)#
This example shows how to revert to the default VLAN policy for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny
Related Commands
|
|
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
vrf policy deny
To configure a deny-access virtual routing and forwarding (VRF) instance policy for a user role, use the vrf policy deny command. To revert to the default VRF policy configuration for a user role, use the no form of this command.
vrf policy deny
no vrf policy deny
Syntax Description
This command has no arguments or keywords.
Command Modes
User role configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Examples
This example shows how to enter VRF policy configuration mode for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
This example shows how to revert to the default VRF policy for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny
Related Commands
|
|
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
vsan policy deny
To configure a deny-access VSAN policy for a user role, use the vsan policy deny command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
vsan policy deny
no vsan policy deny
Syntax Description
This command has no arguments or keywords.
Command Modes
User role configuration mode
Command History
|
|
5.0(3)A1(1) |
This command was introduced. |
Usage Guidelines
To permit access to the VSAN policy, use the permit vsan command.
Examples
This example shows how to deny access to a VSAN policy for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vsan policy deny
switch(config-role-vsan)#
This example shows how to revert to the default VSAN policy configuration for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# vsan policy deny
switch(config-role-vsan)# no vsan policy deny
Related Commands
|
|
permit vsan |
Configures permit access to a VSAN policy for a user. |
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |