- aaa accounting default
- aaa authentication login console
- aaa authentication login default
- aaa authentication login error-enable
- aaa authentication login mschap enable
- aaa authorization commands default
- aaa authorization config-commands default
- aaa group server radius
- aaa user default-role
- access-class
- action
- class (control plane policy map)
- class-map type control-plane
- clear access-list counters
- clear accounting log
- clear ip arp
- control-plane
- deadtime
- deny (IPv4)
- deny (MAC)
- description (user role)
- enable
- enable secret
- feature (user role feature group)
- feature dhcp
- feature privilege
- feature tacacs+
- hardware profile tcam region
- hardware profile tcam syslog-threshold
- interface policy deny
- ip access-class
- ip access-group
- ip access-list
- ip dhcp relay information option
- ip dhcp smart relay
- ip nat
- ip port access-group
- mac access-list
- mac packet-classify
- mac port access-group
- match
- match access-group
- permit (IPv4)
- permit (MAC)
- permit interface
- permit vlan
- permit vrf
- permit vsan
- police (policy map)
- policy-map type control-plane
- radius-server deadtime
- radius-server directed-request
- radius-server host
- radius-server key
- radius-server retransmit
- radius-server timeout
- remark
- resequence
- role feature-group name
- role name
- rule
- server
- service-policy
- show aaa accounting
- show aaa authentication
- show aaa authorization
- show aaa groups
- show aaa user
- show access-lists
- show accounting log
- show arp access-lists
- show class-map type control-plane
- show hardware profile tcam region
- show ip access-lists
- show ip nat translations
- show ip verify source
- show mac access-lists
- show platform afm info tcam
- show policy-map interface control-plane
- show policy-map type control-plane
- show privilege
- show radius-server
- show role
- show role feature
- show role feature-group
- show running-config aaa
- show running-config aclmgr
- show running-config arp
- show running-config dhcp
- show running-config radius
- show running-config security
- show ssh key
- show ssh server
- show startup-config aaa
- show startup-config aclmgr
- show startup-config arp
- show startup-config dhcp
- show startup-config radius
- show startup-config security
- show tacacs-server
- show telnet server
- show user-account
- show users
- show vlan access-list
- show vlan access-map
- show vlan filter
- ssh
- ssh key
- ssh server enable
- statistics per-entry
- storm-control level
- tacacs-server deadtime
- tacacs-server directed-request
- tacacs-server host
- tacacs-server key
- tacacs-server timeout
- telnet
- telnet server enable
- use-vrf
- username
- vlan access-map
- vlan filter
- vlan policy deny
- vrf policy deny
- vsan policy deny
Security Commands
This chapter describes the Cisco NX-OS security commands available on the Cisco Nexus 3548 switch.
aaa accounting default
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default { group { group-list } | local }
no aaa accounting default { group { group-list } | local }
Syntax Description
Space-delimited list that specifies one or more configured RADIUS server groups. |
|
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The group group-list method refers to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, the accounting authentication can fail.
Examples
This example shows how to configure any RADIUS server for AAA accounting:
Related Commands
|
|
---|---|
aaa authentication login console
To configure authentication, authorization, and accounting (AAA) authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console { group group-list } [ none ] | local | none }
no aaa authentication login console { group group-list [ none ] | local | none }
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, the authentication can fail. If you specify the none method alone or after the group method, the authentication always succeeds.
Examples
This example shows how to configure the AAA authentication console login method:
This example shows how to revert to the default AAA authentication console login method:
Related Commands
|
|
---|---|
aaa authentication login default
To configure the default authentication, authorization, and accounting (AAA) authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default { group group-list } [ none ] | local | none }
no aaa authentication login default { group group-list } [ none ] | local | none }
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, the authentication fails. If you specify the none method alone or after the group method, the authentication always succeeds.
Examples
This example shows how to configure the AAA authentication console login method:
This example shows how to revert to the default AAA authentication console login method:
Related Commands
|
|
---|---|
aaa authentication login error-enable
To configure that the authentication, authorization, and accounting (AAA) authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In this situation, the following message is displayed if you have enabled the displaying of login failure messages:
Examples
This example shows how to enable the display of AAA authentication failure messages to the console:
This example shows how to disable the display of AAA authentication failure messages to the console:
Related Commands
|
|
---|---|
Displays the status of the AAA authentication failure message display. |
aaa authentication login mschap enable
To enable Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to enable MS-CHAP authentication:
This example shows how to disable MS-CHAP authentication:
Related Commands
|
|
---|---|
aaa authorization commands default
To configure default authentication, authorization, and accounting (AAA) authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [ group group-list ] [ local | none ]
no aaa authorization commands default [ group group-list ] [ local | none ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you specify the none method alone or after the group method, the authorization always succeeds.
Examples
This example shows how to configure the default AAA authorization methods for EXEC commands:
This example shows how to revert to the default AAA authorization methods for EXEC commands:
Related Commands
|
|
---|---|
Configures default AAA authorization methods for configuration commands. |
|
aaa authorization config-commands default
To configure the default authentication, authorization, and accounting (AAA) authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [ group group-list ] [ local | none ]
no aaa authorization config-commands default [ group group-list ] [ local | none ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you specify the none method alone or after the group method, the authorization always succeeds.
Examples
This example shows how to configure the default AAA authorization methods for configuration commands:
This example shows how to revert to the default AAA authorization methods for configuration commands:
Related Commands
|
|
---|---|
Configures default AAA authorization methods for EXEC commands. |
|
aaa group server radius
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:
This example shows how to delete a RADIUS server group:
Related Commands
|
|
---|---|
aaa user default-role
To enable the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the aaa user default-role command. To disable the default role, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to enable the default role assigned by the AAA server administrator for remote authentication:
This example shows how to disable the default role assigned by the AAA server administrator for remote authentication:
Related Commands
|
|
---|---|
Displays the status of the default user for remote authentication. |
|
access-class
To restrict incoming and outgoing connections between a particular VTY (into a Cisco Nexus 3000 Series switch) and the addresses in an access list, use the access-class command. To remove access restrictions, use the no form of this command.
access-class access-list-name { in | out }
no access-class access-list-name { in | out }
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
When you allow telnet or SSH to a Cisco device, you can secure access to the device by binding an access class to the VTYs.
To display the access lists for a particular terminal line, use the show line command.
Examples
This example shows how to configure an access class on a VTY line to restrict inbound packets:
This example shows how to remove an access class that restricts inbound packets:
Related Commands
|
|
---|---|
action
To specify what the switch does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
Syntax Description
Specifies that the switch forwards the packet to its destination port. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The action command specifies the action that the device takes when a packet matches the conditions in the ACL specified by the match command.
Examples
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
This example shows how to create a VLAN access map named vlan-map-03 in a switch profile, assign an IPv4 ACL named ip-acl-03 to the map, and specify that the switch drops packets matching the ACL:
Related Commands
class (control plane policy map)
To specify a control plane class map for a control plane policy map, use the class command. To delete a control plane class map from a control plane policy map, use the no form of this command.
class { class-map-name [ insert-before class-map-name2 ]}
Syntax Description
Command Default
Command Modes
Control plane policy map configuration
Command History
|
|
Usage Guidelines
You must create the control plane class maps before you reference them in this command.
Examples
This example shows how to configure a class map for a control plane policy map:
This example shows how to configure a class map for a control plane policy map and insert it before an existing class map:
This example shows how to delete a class map from a control plane policy map:
Related Commands
class-map type control-plane
To create or specify a control plane class map and enter class map configuration mode, use the class-map type control-plane command. To delete a control plane class map, use the no form of this command.
class-map type control-plane [ match-any ] class-map-name
no class-map type control-plane [ match-any ] class-map-name
Syntax Description
(Optional) Specifies to match any match conditions in the class map. |
|
Name of the class map. The name is alphanumeric and case-sensitive. The maximum length is 64 characters. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You cannot use match-any or class-default as names for control plane class maps.
You can delete only dynamic class-maps of type control-plane. You cannot delete static class-maps of type control-plane.
Examples
This example shows how to specify a control plane class map and enter class map configuration mode:
This example shows how to delete a control plane class map:
Related Commands
|
|
---|---|
Matches traffic with a specified access control list (ACL) group. |
|
Displays control plane policy map configuration information. |
clear access-list counters
To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear access-list counters command.
clear access-list counters [ access-list-name ]
Syntax Description
(Optional) Name of the IPv4 ACL whose counters the switch clears. The name can be a maximum of 64 alphanumeric characters. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to clear counters for all IPv4 ACLs:
This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:
Related Commands
|
|
---|---|
clear accounting log
To clear the accounting log, use the clear accounting log command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to clear the accounting log:
Related Commands
|
|
---|---|
clear ip arp
To clear the Address Resolution Protocol (ARP) table and statistics, use the clear ip arp command.
clear ip arp [ vlan vlan-id [ force-delete | vrf { vrf-name | all | default | management }]]
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to clear the ARP table statistics:
This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf:
Related Commands
|
|
---|---|
control-plane
To enter control-plane configuration mode, which allows users to associate attributes that are associated with the control plane of the device, use the control-plane command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
After you use the control-plane command, you can associate a service policy to police all traffic that is destined to the control plane.
Examples
This example shows how to enter the control plane configuration mode:
Related Commands
|
|
---|---|
Attaches a policy map to a control plane for aggregate control plane services. |
|
Displays the configuration of a class or all classes for the policy map of a control plane. |
deadtime
To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.
Syntax Description
Number of minutes for the interval. The range is from 0 to 1440 minutes. Setting the dead-time interval to 0 disables the timer. |
Command Default
Command Modes
RADlUS server group configuration
TACACS+ server group configuration
Command History
|
|
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS.
Examples
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
This example shows how to revert to the dead-time interval default:
Related Commands
|
|
---|---|
deny (IPv4)
To create an IPv4 access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ] [ time-range time-range-name ]
no deny protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Internet Control Message Protocol
[ sequence-number ] deny icmp source destination [ icmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Internet Group Management Protocol
[ sequence-number ] deny igmp source destination [ igmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
[ sequence-number ] deny ip source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ] [ flags ] [ established ]
[ sequence-number ] deny udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Syntax Description
Command Default
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
IPv4 ACL configuration
IPv4 ACL in
Command History
|
|
Usage Guidelines
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
- Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
- Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
This syntax is equivalent to IPv4-address /32 and IPv4-address 0.0.0.0.
This example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
- Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
- administratively-prohibited —Administratively prohibited
- alternate-address —Alternate address
- conversion-error —Datagram conversion
- dod-host-prohibited —Host prohibited
- dod-net-prohibited —Net prohibited
- echo —Echo (ping)
- echo-reply —Echo reply
- general-parameter-problem —Parameter problem
- host-isolated —Host isolated
- host-precedence-unreachable —Host unreachable for precedence
- host-redirect —Host redirect
- host-tos-redirect —Host redirect for ToS
- host-tos-unreachable —Host unreachable for ToS
- host-unknown —Host unknown
- host-unreachable —Host unreachable
- information-reply —Information replies
- information-request —Information requests
- mask-reply —Mask replies
- mask-request —Mask requests
- mobile-redirect —Mobile host redirect
- net-redirect —Network redirect
- net-tos-redirect —Net redirect for ToS
- net-tos-unreachable —Network unreachable for ToS
- net-unreachable —Net unreachable
- network-unknown —Network unknown
- no-room-for-option —Parameter required but no room
- option-missing —Parameter required but not present
- packet-too-big —Fragmentation needed and DF set
- parameter-problem —All parameter problems
- port-unreachable —Port unreachable
- precedence-unreachable —Precedence cutoff
- protocol-unreachable —Protocol unreachable
- reassembly-timeout —Reassembly timeout
- redirect —All redirects
- router-advertisement —Router discovery advertisements
- router-solicitation —Router discovery solicitations
- source-quench —Source quenches
- source-route-failed —Source route failed
- time-exceeded —All time-exceeded messages
- timestamp-reply —Time-stamp replies
- timestamp-request —Time-stamp requests
- traceroute —Traceroute
- ttl-exceeded —TTL exceeded
- unreachable —All unreachables
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- bgp —Border Gateway Protocol (179)
- chargen —Character generator (19)
- cmd —Remote commands (rcmd, 514)
- daytime —Daytime (13)
- discard —Discard (9)
- domain —Domain Name Service (53)
- drip —Dynamic Routing Information Protocol (3949)
- echo —Echo (7)
- exec —EXEC (rsh, 512)
- finger —Finger (79)
- ftp —File Transfer Protocol (21)
- ftp-data —FTP data connections (2)
- gopher —Gopher (7)
- hostname —NIC hostname server (11)
- ident —Ident Protocol (113)
- irc —Internet Relay Chat (194)
- klogin —Kerberos login (543)
- kshell —Kerberos shell (544)
- login —Login (rlogin, 513)
- lpd —Printer service (515)
- nntp —Network News Transport Protocol (119)
- pim-auto-rp —PIM Auto-RP (496)
- pop2 —Post Office Protocol v2 (19)
- pop3 —Post Office Protocol v3 (11)
- smtp —Simple Mail Transport Protocol (25)
- sunrpc —Sun Remote Procedure Call (111)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- telnet —Telnet (23)
- time —Time (37)
- uucp —Unix-to-Unix Copy Program (54)
- whois —WHOIS/NICNAME (43)
- www —World Wide Web (HTTP, 8)
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- biff —Biff (mail notification, comsat, 512)
- bootpc —Bootstrap Protocol (BOOTP) client (68)
- bootps —Bootstrap Protocol (BOOTP) server (67)
- discard —Discard (9)
- dnsix —DNSIX security protocol auditing (195)
- domain —Domain Name Service (DNS, 53)
- echo —Echo (7)
- isakmp —Internet Security Association and Key Management Protocol (5)
- mobile-ip —Mobile IP registration (434)
- nameserver —IEN116 name service (obsolete, 42)
- netbios-dgm —NetBIOS datagram service (138)
- netbios-ns —NetBIOS name service (137)
- netbios-ss —NetBIOS session service (139)
- non500-isakmp —Internet Security Association and Key Management Protocol (45)
- ntp —Network Time Protocol (123)
- pim-auto-rp —PIM Auto-RP (496)
- rip —Routing Information Protocol (router, in.routed, 52)
- snmp —Simple Network Management Protocol (161)
- snmptrap —SNMP Traps (162)
- sunrpc —Sun Remote Procedure Call (111)
- syslog —System Logger (514)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- tftp —Trivial File Transfer Protocol (69)
- time —Time (37)
- who —Who service (rwho, 513)
- xdmcp —X Display Manager Control Protocol (177)
Examples
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
This example shows how to configure an IPv4 ACL named sp-acl with rules that deny all AHP and OSPF traffic from the 10.20.0.0 and 192.168.36.0 networks to the 10.172.0.0 network and a final rule that permits all other IPv4 traffic in a switch profile:
Related Commands
|
|
---|---|
Displays information about the switch profile and the configuration revision. |
|
deny (MAC)
To create a MAC access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
no deny source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
Syntax Description
Defaults
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
Command History
|
|
Usage Guidelines
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
- Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
- aarp —Appletalk ARP (0x80f3)
- appletalk —Appletalk (0x809b)
- decnet-iv —DECnet Phase IV (0x6003)
- diagnostic —DEC Diagnostic Protocol (0x6005)
- etype-6000 —EtherType 0x6000 (0x6000)
- etype-8042 —EtherType 0x8042 (0x8042)
- ip —Internet Protocol v4 (0x0800)
- lat —DEC LAT (0x6004)
- lavc-sca —DEC LAVC, SCA (0x6007)
- mop-console —DEC MOP Remote console (0x6002)
- mop-dump —DEC MOP dump (0x6001)
- vines-echo —VINES Echo (0x0baf)
Examples
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
Related Commands
|
|
---|---|
description (user role)
To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.
Syntax Description
Text string that describes the user role. The maximum length is 128 alphanumeric characters. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You can include blank spaces in the user role description text.
Examples
This example shows how to configure the description for a user role:
This example shows how to remove the description from a user role:
Related Commands
|
|
---|---|
enable
To enable a user to move to a higher privilege level after being prompted for a secret password, use the enable command.
Syntax Description
Privilege level to which the user must log in. The only available level is 15. |
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
Examples
This example shows how to enable the user to move to a higher privilege level after being prompted for a secret password:
Related Commands
|
|
---|---|
Enables the cumulative privilege of roles for command authorization on TACACS+ servers. |
|
Displays the current privilege level, username, and status of cumulative privilege support. |
|
enable secret
To enable a secret password for a specific privilege level, use the enable secret command. To disable the password, use the no form of this command.
enable secret [ 0 | 5 ] password [ all | priv-lvl priv-level ]
no enable secret [ 0 | 5 ] password [ all | priv-lvl priv-level ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.
Examples
This example shows how to enable a secret password for a specific privilege level:
Related Commands
feature (user role feature group)
To configure a feature in a user role feature group, use the feature command. To delete a feature in a user role feature group, use the no form of this command.
Syntax Description
Switch feature name as listed in the show role feature command output. |
Command Default
Command Modes
User role feature group configuration mode
Command History
|
|
Usage Guidelines
Use the show role feature command to list the valid feature names to use in this command.
Examples
This example shows how to add features to a user role feature group:
This example shows how to remove a feature from a user role feature group:
Related Commands
|
|
---|---|
feature dhcp
To enable the Dynamic Host Configuration Protocol (DHCP) snooping feature on the device, use the feature dhcp command. To disable the DHCP snooping feature and remove all configuration related to DHCP snooping, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
The DHCP snooping feature is disabled by default. DHCP snooping can be enabled or disabled on VLANs.
If you have not enabled the DHCP snooping feature, commands related to DCHP snooping are unavailable.
If you disable the DHCP snooping feature, the device discards all configuration related to DHCP snooping configuration, including the DHCP relay.
If you want to turn off DHCP snooping and preserve configuration related to DHCP snooping, disable DHCP snooping globally with the no ip dhcp snooping command.
Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled.
Examples
This example shows how to enable DHCP snooping:
This example shows how to disable DHCP snooping:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration. |
|
feature privilege
To enable the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers, use the feature privilege command. To disable the cumulative privilege of roles, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.
Examples
This example shows how to enable the cumulative privilege of roles:
This example shows how to disable the cumulative privilege of roles:
Related Commands
|
|
---|---|
Displays the current privilege level, username, and status of cumulative privilege support. |
|
feature tacacs+
To enable TACACS+, use the feature tacacs+ command. To disable TACACS+, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Note When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration.
Examples
This example shows how to enable TACACS+:
This example shows how to disable TACACS+:
Related Commands
|
|
---|---|
hardware profile tcam region
To change the size of the access control list (ACL) ternary content addressable memory (TCAM) regions in the hardware, use the hardware profile tcam region command. To revert to the default ACL TCAM size, use the no form of this command.
hardware profile tcam region { e-racl | e-vacl | ifacl | | | qos | racl | vacl | nat } tcam_size
no hardware profile tcam region { e-racl | e-vacl | ifacl | racl | vacl| nat } tcam_size
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
When you change the TCAM size, the new TCAM size is saved in the running configuration. To apply the new TCAM size, you must copy the running configuration of the switch to the startup configuration file (copy running-config startup-config command) and then reload (reload command) the switch.
Note Make sure that you set the VACL and EVACL size to the same value.
Table 1 lists the default TCAM size for each ACL region:
|
|
|
|
---|---|---|---|
Examples
This example shows how to change the size of the RACL TCAM region:
This example shows the error message you see when you set the ACL TCAM value to a value other than 0 or 128 and then shows how to change the size of the ACL TCAM region and verify the changes:
This example shows how to configure the TCAM VLAN ACLs on a switch profile:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
Displays the TCAM sizes that will be applicable on the next reload of the switch. |
|
hardware profile tcam syslog-threshold
To configure the syslog threshold for the ACL TCAM so that a syslog message is generated when the TCAM capacity reaches the specified percentage, use the hardware profile tcam syslog-threshold command. To reset the value to the default, use the no form of this command.
hardware profile tcam syslog-threshold percentage
no hardware profile tcam syslog-threshold
Syntax Description
Percentage of the TCAM capacity. The range is from 1 to 100. The default value is 90 percent. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to set the syslog threshold to 20 percent for the ACL TCAM:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
interface policy deny
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to enter interface policy configuration mode for a user role:
This example shows how to revert to the default interface policy for a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
ip access-class
To create or configure an IPv4 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ip access-class command. To remove the access class, use the no form of this command.
ip access-class access-list-name { in | out }
no ip access-class access-list-name { in | out }
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to configure an IP access class on a VTY line to restrict inbound packets:
This example shows how to remove an IP access class that restricts inbound packets:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
ip access-group
To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name { in | out }
no ip access-group access-list-name { in | out }
Syntax Description
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
|
---|---|
Command Default
Command Modes
Interface configuration mode
Subinterface configuration mode
Command History
|
|
---|---|
Usage Guidelines
By default, no IPv4 ACLs are applied to a Layer 3 routed interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
- VLAN interfaces
- Layer 3 Ethernet interfaces
- Layer 3 Ethernet subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Loopback interfaces
- Management interfaces
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to the Layer 3 Ethernet interface 2/1:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
Related Commands
|
|
---|---|
Shows the running configuration of all interfaces or of a specific interface. |
ip access-list
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Syntax Description
Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark. |
Command Default
Command Modes
Command History
|
|
Support was added to configure IP features in a switch profile. |
Usage Guidelines
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface.
Every IPv4 ACL has the following implicit rule as its last rule:
This implicit rule ensures that the switch denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Use the match-local-traffic option for all inbound and outbound traffic to or from the CPU.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
This example shows how to enter IP access list configuration mode for an IPv4 ACL named sp-acl in a switch profile:
Related Commands
|
|
---|---|
Displays information about the switch profile and the configuration revision. |
|
ip dhcp relay information option
To enable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent, use the ip dhcp relay information option command. To globally disable this feature, use the no form of this command.
ip dhcp relay information option
no ip dhcp relay information option
Syntax Description
Specifies to use the encoded string format instead of the default binary ifindex format for Option 82. |
Command Default
By default, Option 82 information insertion and removal is globally disabled.
Command Modes
Command History
|
|
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command. Use the ip dhcp relay information option command to enable the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.
Use the ip dhcp relay information sub-option circuit-id format-type string <> command to configure Option 82 to use the encoded string format instead of the default binary ifindex format. Use the show ip dhcp relay command to display the DHCP relay configuration.
Examples
This example shows how to globally enable DHCP smart relay:
Related Commands
|
|
---|---|
ip dhcp smart relay
To enable DHCP smart relay globally, use the ip dhcp smart relay command. To globally disable this feature, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
Examples
This example shows how to globally enable DHCP smart relay:
Related Commands
|
|
---|---|
ip nat
To configure Network Address Translation (NAT) on an interface, use the ip nat command. To remove the NAT configuration, use the no form of this command.
ip nat {inside | outside} source static {inside-global-ip-address}{outside-global-ip-address}{tcp | udp} localaddr ip-address localport port-number globaladdr global-ip-address globalport global-port-number {add-route}
no ip nat {inside | outside} source static {inside- global-ip-address}{outside- global-ip-address}{tcp | udp} localaddr ip-address localport port-number globaladdr global-ip-address globalport global-port-number {add-route}
Syntax Description
(Optional) Specifies the Transmission Control Protocol (TCP). |
|
Specifies the local port number. The range is from 1 to 65535. |
|
Specifies the local port number. The range is from 1 to 65535. |
|
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Static NAT supports up to 1000 translations.
Note Only the packets that arrive on a marked interface are subject to translation.
The Cisco Nexus 3548 switch supports the following interfaces:
The Cisco Nexus 3548 switch does not support software translation. All translations are done in the hardware.
The Cisco Nexus 3548 switch does not support application layer translation. Layer 4 and other embedded IPs are not translated, including FTP, ICMP failures, IPsec, and HTTPs.
The Cisco Nexus 3548 switch cannot support NAT and VLAN access control lists (VACLs) that are configured on an interface at the same time.
Egress ACLs are applied to the original packets, not the the NAT translated packets.
The Cisco Nexus 3548 switch supports only default virtual routing and forwarding (VRF).
Examples
This example shows how to configure NAT on an interface:
This example shows how to remove the NAT configuration from an interface:
Related Commands
|
|
---|---|
ip port access-group
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Syntax Description
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long. |
|
Command Default
Command Modes
Command History
|
|
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
Related Commands
|
|
---|---|
Shows the running configuration of all interfaces or of a specific interface. |
mac access-list
To create a MAC access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.
mac access-list access-list-name
no mac access-list access-list-name
Syntax Description
Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long but cannot contain a space or a quotation mark. |
Defaults
Command Modes
Command History
|
|
Usage Guidelines
No MAC ACLs are defined by default.
Use MAC ACLs to filter non-IP traffic. If you disable packet classification, you can use MAC ACLs to filter all traffic.
When you use the mac access-list command, the device enters MAC access list configuration mode, where you can use the MAC deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the mac port access-group command to apply the ACL to an interface.
Every MAC ACL has the following implicit rule as its last rule:
This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
Use the statistics per-entry command to configure the device to record statistics for each rule in a MAC ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit rule, you must explicitly configure a rule to deny the packets.
Examples
This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
Related Commands
|
|
---|---|
mac packet-classify
To enable MAC packet classification on a VLAN interface, use the mac packet-classify command. To disable MAC packet classification, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
This command does not require a license.
MAC packet classification can be enabled only per VLAN interface.
MAC packet classification allows you to control whether a MAC ACL that is on a VLAN interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.
When MAC packet classification is enabled on a VLAN interface, a MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic.
When MAC packet classification is disabled on a VLAN interface, a MAC ACL that is on the interface applies only to non-IP traffic entering the interface.
Examples
This example shows how to enable MAC packet classification on a per VLAN basis:
Related Commands
|
|
---|---|
mac port access-group
To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.
mac port access-group access-list-name
no mac port access-group access-list-name
Syntax Description
Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
By default, no MAC ACLs are applied to an interface.
MAC ACLs apply to non-IP traffic.
You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:
You can also apply a MAC ACL as a VLAN ACL. For more information, see the match command.
The switch applies MAC ACLs only to inbound traffic. When the switch applies a MAC ACL, the switch checks packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:
This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 1/2:
Related Commands
|
|
---|---|
Shows the running configuration of all interfaces or of a specific interface. |
match
To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.
match { ip | mac } address access-list-name
no match { ip | mac } address access-list-name
Syntax Description
Specifies the IPv4, or MAC address and the access list name. The name can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
By default, the switch classifies traffic and applies IPv4 ACLs to IPv4 traffic and MAC ACLs to all other traffic.
Command Modes
VLAN access-map configuration mode
Command History
|
|
Usage Guidelines
Examples
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
This example shows how to create a VLAN access map named vlan-map-03 in a switch profile, and assign an IPv4 ACL named ip-acl-03 to the map:
Related Commands
|
|
---|---|
Specifies an action for traffic filtering in a VLAN access map. |
|
Displays information about how a VLAN access map is applied. |
|
match access-group
To identify a specified access control list (ACL) group as a match criteria for a class map, use the match access-group command. To remove an ACL match criteria from a class map, use the no form of this command.
match access-group name acl-name
no match access-group name acl-name
Syntax Description
Command Default
Command Modes
Class-map type qos configuration
Command History
|
|
Usage Guidelines
Note The permit and deny ACL keywords do not affect the matching of packets.
Examples
This example shows how to create a qos class map that matches characteristics of the ACL my_acl:
switch(
config)#
class-map class_acl
Related Commands
|
|
---|---|
permit (IPv4)
To create an IPv4 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
no permit protocol source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Internet Control Message Protocol
[ sequence-number ] permit icmp source destination [ icmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Internet Group Management Protocol
[ sequence-number ] permit igmp source destination [ igmp-message ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
[ sequence-number ] permit ip source destination {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
[ sequence-number ] permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ] [ flags ] [ established ]
[ sequence-number ] permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] {[ dscp dscp ] | [ precedence precedence ]} [ fragments ][ time-range time-range-name ]
Syntax Description
Command Default
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
IPv4 ACL configuration mode
IPv4 ACL in
Command History
|
|
Usage Guidelines
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
- Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
- Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
This syntax is equivalent to IPv4-address /32 and IPv4-address 0.0.0.0.
This example shows how to specify the source argument with the host keyword and the 192.168.0.132 IPv4 address:
- Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
- administratively-prohibited —Administratively prohibited
- alternate-address —Alternate address
- conversion-error —Datagram conversion
- dod-host-prohibited —Host prohibited
- dod-net-prohibited —Net prohibited
- echo —Echo (ping)
- echo-reply —Echo reply
- general-parameter-problem —Parameter problem
- host-isolated —Host isolated
- host-precedence-unreachable —Host unreachable for precedence
- host-redirect —Host redirect
- host-tos-redirect —Host redirect for ToS
- host-tos-unreachable —Host unreachable for ToS
- host-unknown —Host unknown
- host-unreachable —Host unreachable
- information-reply —Information replies
- information-request —Information requests
- mask-reply —Mask replies
- mask-request —Mask requests
- mobile-redirect —Mobile host redirect
- net-redirect —Network redirect
- net-tos-redirect —Net redirect for ToS
- net-tos-unreachable —Network unreachable for ToS
- net-unreachable —Net unreachable
- network-unknown —Network unknown
- no-room-for-option —Parameter required but no room
- option-missing —Parameter required but not present
- packet-too-big —Fragmentation needed and DF set
- parameter-problem —All parameter problems
- port-unreachable —Port unreachable
- precedence-unreachable —Precedence cutoff
- protocol-unreachable —Protocol unreachable
- reassembly-timeout —Reassembly timeout
- redirect —All redirects
- router-advertisement —Router discovery advertisements
- router-solicitation —Router discovery solicitations
- source-quench —Source quenches
- source-route-failed —Source route failed
- time-exceeded —All time-exceeded messages
- timestamp-reply —Time-stamp replies
- timestamp-request —Time-stamp requests
- traceroute —Traceroute
- ttl-exceeded —TTL exceeded
- unreachable —All unreachables
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- bgp —Border Gateway Protocol (179)
- chargen —Character generator (19)
- cmd —Remote commands (rcmd, 514)
- daytime —Daytime (13)
- discard —Discard (9)
- domain —Domain Name Service (53)
- drip —Dynamic Routing Information Protocol (3949)
- echo —Echo (7)
- exec —EXEC (rsh, 512)
- finger —Finger (79)
- ftp —File Transfer Protocol (21)
- ftp-data —FTP data connections (2)
- gopher —Gopher (7)
- hostname —NIC hostname server (11)
- ident —Ident Protocol (113)
- irc —Internet Relay Chat (194)
- klogin —Kerberos login (543)
- kshell —Kerberos shell (544)
- login —Login (rlogin, 513)
- lpd —Printer service (515)
- nntp —Network News Transport Protocol (119)
- pim-auto-rp —PIM Auto-RP (496)
- pop2 —Post Office Protocol v2 (19)
- pop3 —Post Office Protocol v3 (11)
- smtp —Simple Mail Transport Protocol (25)
- sunrpc —Sun Remote Procedure Call (111)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- telnet —Telnet (23)
- time —Time (37)
- uucp —Unix-to-Unix Copy Program (54)
- whois —WHOIS/NICNAME (43)
- www —World Wide Web (HTTP, 8)
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
- biff —Biff (mail notification, comsat, 512)
- bootpc —Bootstrap Protocol (BOOTP) client (68)
- bootps —Bootstrap Protocol (BOOTP) server (67)
- discard —Discard (9)
- dnsix —DNSIX security protocol auditing (195)
- domain —Domain Name Service (DNS, 53)
- echo —Echo (7)
- isakmp —Internet Security Association and Key Management Protocol (5)
- mobile-ip —Mobile IP registration (434)
- nameserver —IEN116 name service (obsolete, 42)
- netbios-dgm —NetBIOS datagram service (138)
- netbios-ns —NetBIOS name service (137)
- netbios-ss —NetBIOS session service (139)
- non500-isakmp —Internet Security Association and Key Management Protocol (45)
- ntp —Network Time Protocol (123)
- pim-auto-rp —PIM Auto-RP (496)
- rip —Routing Information Protocol (router, in.routed, 52)
- snmp —Simple Network Management Protocol (161)
- snmptrap —SNMP Traps (162)
- sunrpc —Sun Remote Procedure Call (111)
- syslog —System Logger (514)
- tacacs —TAC Access Control System (49)
- talk —Talk (517)
- tftp —Trivial File Transfer Protocol (69)
- time —Time (37)
- who —Who service (rwho, 513)
- xdmcp —X Display Manager Control Protocol (177)
Examples
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
This example shows how to configure an IPv4 ACL named sp-acl in a switch profile with rules that permit all AHP and OSPF traffic from the 10.20.0.0 and 192.168.36.0 networks to the 10.172.0.0 network:
Related Commands
|
|
---|---|
Displays information about the switch profile and the configuration revision. |
|
permit (MAC)
To create a MAC ACL rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
no permit source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns a sequence number that is 10 greater than the last rule in the ACL.
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
- Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
- aarp —Appletalk ARP (0x80f3)
- appletalk —Appletalk (0x809b)
- decnet-iv —DECnet Phase IV (0x6003)
- diagnostic —DEC Diagnostic Protocol (0x6005)
- etype-6000 —Ethertype 0x6000 (0x6000)
- etype-8042 —Ethertype 0x8042 (0x8042)
- ip —Internet Protocol v4 (0x0800)
- lat —DEC LAT (0x6004)
- lavc-sca —DEC LAVC, SCA (0x6007)
- mop-console —DEC MOP Remote console (0x6002)
- mop-dump —DEC MOP dump (0x6001)
- vines-echo —VINES Echo (0x0baf)
Examples
This example shows how to configure a MAC ACL named mac-filter with a rule that permits traffic between two groups of MAC addresses:
Related Commands
|
|
---|---|
permit interface
To add interfaces for a user role interface policy, use the permit interface command. To remove interfaces, use the no form of this command.
permit interface interface-list
Syntax Description
List of interfaces that the user role has permission to access. |
Command Default
Command Modes
Interface policy configuration mode
Command History
|
|
Usage Guidelines
For permit interface statements to work, you need to configure a command rule to allow interface access, as shown in the following example:
Examples
This example shows how to configure a range of interfaces for a user role interface policy:
This example shows how to configure a list of interfaces for a user role interface policy:
This example shows how to remove an interface from a user role interface policy:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
permit vlan
To add VLANs for a user role VLAN policy, use the permit vlan command. To remove VLANs, use the no form of this command.
Syntax Description
Command Default
Command Modes
VLAN policy configuration mode
Command History
|
|
Usage Guidelines
For permit vlan statements to work, you need to configure a command rule to allow VLAN access, as shown in the following example:
Examples
This example shows how to configure a range of VLANs for a user role VLAN policy:
This example shows how to configure a list of VLANs for a user role VLAN policy:
This example shows how to remove a VLAN from a user role VLAN policy:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
permit vrf
To add virtual routing and forwarding instances (VRFs) for a user role VRF policy, use the permit vrf command. To remove VRFs, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to configure a range of VRFs for a user role VRF policy:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
permit vsan
To permit access to a VSAN policy for a user role, use the permit vsan command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
Syntax Description
Range of VSANs accessible to a user role. The range is from 1 to 4093. |
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
This command is enabled only after you deny a VSAN policy by using the vsan policy deny command.
Examples
This example shows how to permit access to a VSAN policy for a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
police (policy map)
To configure traffic policing for a class map in a control plane policy map, use the police command.
Syntax Description
Average rate in packets per second (pps). The range is from 0 to 20480. |
|
Command Default
Command Modes
Control plane policy map configuration mode
Command History
|
|
Usage Guidelines
Examples
This example shows how to configure traffic policing in a control plane policy map with the average rate at 200 packets per second:
Related Commands
policy-map type control-plane
To enter the control plane policy map configuration mode, use the policy-map type control-plane command.
policy-map type control-plane policy-map-name
Syntax Description
Name of the default control plane policy map. The name is alphanumeric, case sensitive, and has a maximum of 64 characters. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
In Cisco Nexus 3000 Series switches, you cannot create a user-defined Control Plane Policing (CoPP) policy map. The switch software includes a default control plane policy map, copp-system-policy-default, and one customized policy map, copp-system-policy-customized. You cannot add or remove classes from the default control-plane policy map. You can, however, add or remove classes to or from the copp-system-policy-customized control-plane policy map.
If you attempt to create a control plane policy with a name other than the default, you will see the following error message:
Examples
This example shows how to enter the control plane policy map configuration mode:
This example shows the error message that appears when you create a control plane policy map other than the default control plane policy map:
Related Commands
|
|
---|---|
Displays configuration information for control plane policy maps. |
radius-server deadtime
To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 3000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime minutes
Syntax Description
Number of minutes for the dead-time interval. The range is from 1 to 1440 minutes. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The dead-time interval is the number of minutes before the switch checks a RADIUS server that was previously unresponsive.
Note When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure the global dead-time interval for all RADIUS servers to perform periodic monitoring:
This example shows how to revert to the default for the global dead-time interval for all RADIUS servers and disable periodic server monitoring:
Related Commands
|
|
---|---|
radius-server directed-request
To allow users to send authentication requests to a specific RADIUS server when logging in, use the radius-server directed request command. To revert to the default, use the no form of this command.
radius-server directed-request
no radius-server directed-request
Syntax Description
Command Default
Sends the authentication request to the configured RADIUS server group.
Command Modes
Command History
|
|
Usage Guidelines
You can specify the username @ vrfname : hostname during login, where vrfname is the VRF to use and hostname is the name of a configured RADIUS server. The username is sent to the RADIUS server for authentication.
Examples
This example shows how to allow users to send authentication requests to a specific RADIUS server when logging in:
This example shows how to disallow users to send authentication requests to a specific RADIUS server when logging in:
Related Commands
|
|
---|---|
radius-server host
To configure RADIUS server parameters, use the radius-server host command. To revert to the default, use the no form of this command.
radius-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ] [ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ] [ test { idle-time time | password password | username name }] [ timeout seconds [ retransmit count ]]
no radius-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ] [ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ] [ test { idle-time time | password password | username name }] [ timeout seconds [ retransmit count ]]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure RADIUS server authentication and accounting parameters:
Related Commands
|
|
---|---|
radius-server key
To configure a RADIUS shared secret key, use the radius-server key command. To remove a configured shared secret, use the no form of this command.
radius-server key [ 0 | 7 ] shared-secret
no radius-server key [ 0 | 7 ] shared-secret
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You must configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by using the key keyword in the radius-server host command.
Examples
This example shows how to provide various scenarios to configure RADIUS authentication:
Related Commands
|
|
---|---|
radius-server retransmit
To specify the number of times that the switch should try a request with a RADIUS server, use the radius-server retransmit command. To revert to the default, use the no form of this command.
radius-server retransmit count
no radius-server retransmit count
Syntax Description
Number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to configure the number of retransmissions to RADIUS servers:
This example shows how to revert to the default number of retransmissions to RADIUS servers:
Related Commands
|
|
---|---|
radius-server timeout
To specify the time between retransmissions to the RADIUS servers, use the radius-server timeout command. To revert to the default, use the no form of this command.
no radius-server timeout seconds
Syntax Description
Number of seconds between retransmissions to the RADIUS server. The range is from 1 to 60 seconds. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to configure the timeout interval:
This example shows how to revert to the default interval:
Related Commands
|
|
---|---|
remark
To enter a comment into an IPv4 or MAC access control list (ACL), use the remark command. To remove a remark command, use the no form of this command.
[ sequence-number ] remark remark
no { sequence-number | remark remark }
Syntax Description
Command Default
Command Modes
ARP ACL configuration mode
IPv4 ACL configuration mode
IPv4 ACL in
MAC ACL configuration mode
Command History
|
|
Usage Guidelines
The remark argument can be up to 100 characters. If you enter more than 100 characters for the remark argument, the switch accepts the first 100 characters and drops any additional characters.
Examples
This example shows how to create a remark in an IPv4 ACL and display the results:
This example shows how to create a remark in an IPv4 ACL in a switch profile:
Related Commands
|
|
---|---|
Displays information about the switch profile and the configuration revision. |
|
resequence
To reassign sequence numbers to all rules in an access control list (ACL) or a time range, use the resequence command.
resequence access-list-type access-list access-list-name starting-number increment
resequence time-range time-range-name starting-number increment
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The resequence command allows you to reassign sequence numbers to the rules of an ACL or time range. The new sequence number for the first rule is determined by the starting-number argument. Each additional rule receives a new sequence number determined by the increment argument. If the highest sequence number would exceed the maximum possible sequence number, then no sequencing occurs and the following message appears:
Examples
This example shows how to resequence an IPv4 ACL named ip-acl-01 with a starting sequence number of 100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
This example shows how to resequence an IPv4 ACL named sp-acl in a switch profile with a starting sequence number of 30 and an increment of 5:
Related Commands
|
|
---|---|
role feature-group name
To create or specify a user role feature group and enter user role feature group configuration mode, use the role feature-group name command. To delete a user role feature group, use the no form of this command.
role feature-group name group-name
no role feature-group name group-name
Syntax Description
User role feature group name. The group-name has a maximum length of 32 characters and is a case-sensitive, alphanumeric character string. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to create a user role feature group and enter user role feature group configuration mode:
This example shows how to remove a user role feature group:
Related Commands
|
|
---|---|
Specifies or creates a user role feature group and enters user role feature group configuration mode. |
|
role name
To create or specify a user role and enter user role configuration mode, use the role name command. To delete a user role, use the no form of this command.
role name { role-name | default-role | privilege-role }
no role name { role-name | default-role | privilege-role }
Syntax Description
User role name. The role-name has a maximum length of 16 characters and is a case-sensitive, alphanumeric character string. |
|
Command Default
Command Modes
Command History
|
|
Usage Guidelines
A Cisco Nexus 3000 Series switch provides the following default user roles:
- Network Administrator—Complete read-and-write access to the entire switch
- Complete read access to the entire switch
You cannot change or remove the default user roles.
To view the privilege level roles, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command. Privilege roles inherit the permissions of lower level privilege roles.
Examples
This example shows how to create a user role and enter user role configuration mode:
This example shows how to create a privilege 1 user role and enter user role configuration mode:
This example shows how to remove a user role:
Related Commands
|
|
---|---|
Enables cumulative privilege of roles for command authorization on TACACS+ servers. |
|
rule
To configure rules for a user role, use the rule command. To delete a rule, use the no form of this command.
rule number { deny | permit } { command command-string | { read | read-write } [ feature feature-name | feature-group group-name ]}
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You can configure up to 256 rules for each role.
The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
Deny rules cannot be added to any privilege roles, except the privilege 0 (priv-0) role.
Examples
This example shows how to add rules to a user role:
This example shows how to add rules to a user role with privilege 0:
This example shows how to remove a rule from a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role name and enters user role configuration mode. |
|
server
To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.
server { ipv4-address | hostname }
no server { ipv4-address | hostname }
Syntax Description
Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters. |
Command Default
Command Modes
RADlUS server group configuration mode
TACACS+ server group configuration mode
Command History
|
|
Usage Guidelines
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
Note You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to add a server to a RADIUS server group:
This example shows how to delete a server from a RADIUS server group:
This example shows how to add a server to a TACACS+ server group:
This example shows how to delete a server from a TACACS+ server group:
Related Commands
|
|
---|---|
service-policy
To attach a policy map to an interface, use the service-policy command. To remove a service-policy from an interface, use the no form of this command.
service-policy { input | type { qos input | queuing { input | output }}} policy-map-name
no service-policy { input | type { qos input | queuing { input | output }}} policy-map-name
Syntax Description
Command Default
Command Modes
Interface configuration mode
Subinterface configuration mode
Vlan configuration mode
Command History
|
|
Usage Guidelines
You can attach one ingress and one egress type queuing policy map to an interface of type port, and port channel. Only one policy map can be attached to the input of a given interface for each of the policy type qos and queuing.
Examples
This example shows how to attach a queuing policy map to the ingress packets of a Layer 2 port interface:
switch(
config)#
interface ethernet 2/1
This example shows how to attach qos type policy maps to the incoming packets of a Layer 2 interface:
switch(config)#
system qos
This example shows how to attach a qos type policy map named set-dscp to the incoming packets of a Layer 2 interface:
switch(config)#
interface ethernet 2/1
This example shows how to attach a queuing policy map to a Layer 3 interface:
switch(
config)#
interface ethernet 1/5
Related Commands
|
|
---|---|
Displays all interfaces and VLANs with attached service policies in a brief format. |
|
show aaa accounting
To display authentication, authorization, and accounting (AAA) accounting configuration, use the show aaa accounting command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the configuration of the accounting log:
Related Commands
|
|
---|---|
show aaa authentication
To display authentication, authorization, and accounting (AAA) authentication configuration information, use the show aaa authentication command.
show aaa authentication login [ error-enable | mschap ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the configured authentication parameters:
This example shows how to display the authentication login error enable configuration:
This example shows how to display the authentication login MS-CHAP configuration:
Related Commands
|
|
---|---|
show aaa authorization
To display AAA authorization configuration information, use the show aaa authorization command.
show aaa authorization [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the configured authorization methods:
Related Commands
|
|
---|---|
Configures default AAA authorization methods for EXEC commands. |
|
Configures default AAA authorization methods for configuration commands. |
show aaa groups
To display authentication, authorization, and accounting (AAA) server group configuration, use the show aaa groups command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display AAA group information:
Related Commands
|
|
---|---|
show aaa user
To display the status of the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the show aaa user command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the status of the default role assigned by the AAA server administrator for remote authentication:
Related Commands
|
|
---|---|
show access-lists
To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.
show access-lists [ access-list-name ]
Syntax Description
(Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
The switch shows all ACLs unless you use the access-list-name argument to specify an ACL.
Command Modes
Command History
|
|
Examples
This example shows how to display all IPv4 and MAC ACLs on the switch that runs Cisco NX-OS Release 5.0(3)A1(1):
Related Commands
|
|
---|---|
show accounting log
To display the accounting log contents, use the show accounting log command.
show accounting log [ size | all ] [ start-time year month day HH : MM : SS ] [ end-time year month day HH : MM : SS ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the entire accounting log on a switch that runs Cisco NX-OS Release 5.0(3)A1(1):
This example shows how to display 400 bytes of the accounting log on a switch that runs Cisco NX-OS Release 5.0(3)A1(1):
This example shows how to display the accounting log starting at 16:00:00 on August 4, 2011:
This example shows how to display the accounting log starting at 15:59:59 on February 1, 2008 and ending at 16:00:00 on February 29, 2008:
Related Commands
|
|
---|---|
show arp access-lists
To display all ARP access control lists (ACLs) or a specific ARP ACL, use the show arp access-lists command.
show arp access-lists [ access-list-name ]
Syntax Description
(Optional) Name of an ARP ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The device shows all ARP ACLs, unless you use the access-list-name argument to specify an ACL.
Examples
This example shows how to display all ARP ACLs on a switch:
This example shows how to display an ARP ACL named arp-permit-all:
Related Commands
|
|
---|---|
show class-map type control-plane
To display control plane class map information, use the show class-map type control-plane command.
show class-map type control-plane [ class-map-name ]
Syntax Description
(Optional) Name of the control plane class map. The name is alphanumeric and case sensitive. The maximum length is 64 characters. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to display control plane class map information:
Related Commands
|
|
---|---|
show hardware profile tcam region
To display the access control list (ACL) ternary content addressable memory (TCAM) sizes that will be applicable after you reload the switch, use the show hardware profile tcam region command.
show hardware profile tcam region
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
Use this command to see the new TCAM sizes you configured on the switch using the hardware profile tcam region command that will be applied after you reload the switch.
To see the current ACL TCAM sizes configured on the switch, use the show platform afm info tcam asic-id region {| e-racl | e-vacl | ifacl | qos | racl | rbacl | sup | vacl | nat } command.
Examples
This example shows how to display the new TCAM entries:
Related Commands
|
|
---|---|
show ip access-lists
To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.
show ip access-lists [ access-list-name ]
Syntax Description
(Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
The switch shows all IPv4 ACLs unless you use the access-list-name argument to specify an ACL.
Command Modes
Command History
|
|
Usage Guidelines
By default, this command displays the IPv4 ACLs configured on the switch. The command displays the statistics information for an IPv4 ACL only if the IPv4 ACL is applied to the management (mgmt0) interface. If the ACL is applied to a switch virtual interface (SVI) or in a QoS class map, the command does not display any statistics information.
Examples
This example shows how to display all IPv4 ACLs on a switch that runs Cisco NX-OS release 5.0(3)A1(1):
Related Commands
|
|
---|---|
show ip nat translations
To display the active translations on a Cisco Nexus 3000 Series, use the show ip nat translations command.
show ip nat translations [verbose]
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the active translations on a Cisco Nexus 3000 Series switch:
Related Commands
|
|
---|---|
Configures Network Address Translation (NAT) on an interface. |
show ip verify source
To display the IP-to-MAC address bindings, use the show ip verify source command.
show ip verify source [ interface { ethernet slot / port | port-channel channel-number }]
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the IP-to-MAC address bindings on the switch:
Related Commands
|
|
---|---|
show mac access-lists
To display all MAC access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.
show mac access-lists [ access-list-name ] [ summary ]
Syntax Description
Defaults
Command Modes
Command History
|
|
Usage Guidelines
The device shows all MAC ACLs, unless you use the access-list-name argument to specify an ACL.
If you do not specify an ACL name, the device lists ACLs alphabetically by the ACL names.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
- Whether per-entry statistics are configured for the ACL.
- The number of rules in the ACL configuration. This number does not reflect how many entries that the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
- The interfaces that the ACL is configured on.
- The interfaces that the ACL is active on.
The show mac access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
Examples
This example shows how to use the show mac access-lists command to show all MAC ACLs on a device with a single MAC ACL:
This example shows how to use the show mac access-lists command to display a MAC ACL named mac-lab-filter, including per-entry statistics:
This example shows how to use the show mac access-lists command with the summary keyword to display information about a MAC ACL named mac-lab-filter, such as which interfaces the ACL is applied to and active on:
Related Commands
|
|
---|---|
show platform afm info tcam
To display the platform-dependent access control list (ACL) Feature Manager (AFM) ternary content addressable memory (TCAM) driver information, use the show platform afm info tcam command.
show platform afm info tcam asic-id {{ bcm-entry | entry } low-tcam-index high-tcam-index | region { arpacl | e-racl | e-vacl | ifacl | qos | racl | rbacl | span | sup | vacl }}
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the TCAM entries for the range 1 to 2 for ASIC ID 1:
This example shows how to display the TCAM entries for an interface ACL region:
Related Commands
|
|
---|---|
show policy-map interface control-plane
To display the control-plane policy maps applied to interfaces, use the show policy-map interface control-plane command.
show policy-map interface control-plane
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display assigned control-plane policy maps:
Related Commands
|
|
---|---|
show policy-map type control-plane
To display control plane policy map information, use the show policy-map type control-plane command.
show policy-map type control-plane [ expand ] [ name policy-map-name ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to display control plane policy map information:
This example shows how to display control plane policy map information in expanded format:
Related Commands
|
|
---|---|
show privilege
To show the current privilege level, username, and status of cumulative privilege support, use the show privileg e command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.
Examples
This example shows how to view the current privilege level, username, and status of cumulative privilege support:
Related Commands
|
|
---|---|
Enables the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers. |
|
show radius-server
To display RADIUS server information, use the show radius-server command.
show radius-server [ hostname | ipv4-address ] [ directed-request | groups [ group-name ] | sorted | statistics hostname | ipv4-address ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.
Examples
This example shows how to display information for all RADIUS servers:
This example shows how to display information for a specified RADIUS server:
This example shows how to display the RADIUS directed request configuration:
This example shows how to display information for RADIUS server groups:
This example shows how to display information for a specified RADIUS server group:
This example shows how to display sorted information for all RADIUS servers:
This example shows how to display statistics for a specified RADIUS servers:
Related Commands
|
|
---|---|
Displays the RADIUS information in the running configuration file. |
show role
To display the user role configuration, use the show role command.
Syntax Description
(Optional) Displays information for a specific user role name. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display information for a specific user role:
This example shows how to display information for all user roles:
Related Commands
|
|
---|---|
show role feature
To display the user role features, use the show role feature command.
show role feature [ detail | name feature-name ]
Syntax Description
(Optional) Displays detailed information for a specific feature. The name can be a maximum of 16 alphanumeric characters and is case sensitive. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the user role features:
This example shows how to display detailed information all the user role features:
This example shows how to display detailed information for a specific user role feature named arp:
Related Commands
|
|
---|---|
show role feature-group
To display the user role feature groups, use the show role feature-group command.
show role feature-group [ detail | name group-name ]
Syntax Description
(Optional) Displays detailed information for all feature groups. |
|
(Optional) Displays detailed information for a specific feature group. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the user role feature groups:
This example shows how to display detailed information about all the user role feature groups:
This example shows how to display information for a specific user role feature group:
Related Commands
|
|
---|---|
show running-config aaa
To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.
show running-config aaa [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the configured AAA information in the running configuration:
Related Commands
|
|
---|---|
Copies the running system configuration to the startup configuration file. |
show running-config aclmgr
To display the access control list (ACL) configuration in the running configuration, use the show running-config aclmgr command.
show running-config aclmgr [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the ACL running configuration on a switch that runs Cisco NX-OS Release 5.0(3)A1(1):
This example shows how to display only the VTY running configuration:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
show running-config arp
To display the Address Resolution Protocol (ARP) configuration in the running configuration, use the show running-config arp command.
show running-config arp [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the ARP configuration:
This example shows how to display the ARP configuration with the default information:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
show running-config dhcp
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the running configuration, use the show running-config dhcp command.
show running-config dhcp [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to display the DHCP snooping configuration:
This example shows how to display the DHCP snooping configuration with the default information:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration. |
|
show running-config radius
To display RADIUS server information in the running configuration, use the show running-config radius command.
show running-config radius [ all ]
Syntax Description
(Optional) Displays default RADIUS configuration information. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display information for RADIUS in the running configuration:
Related Commands
|
|
---|---|
show running-config security
To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.
show running-config security [ all ]
Syntax Description
(Optional) Displays default user account, SSH server, and Telnet server configuration information. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display user account, SSH server, and Telnet server information in the running configuration:
Related Commands
|
|
---|---|
Copies the running system configuration to the startup confguration file. |
show ssh key
To display the Secure Shell (SSH) server key, use the show ssh key command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
This command is available only when SSH is enabled using the ssh server enable command.
Examples
This example shows how to display the SSH server key:
Related Commands
|
|
---|---|
show ssh server
To display the Secure Shell (SSH) server status, use the show ssh server command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the SSH server status:
Related Commands
|
|
---|---|
show startup-config aaa
To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the AAA information in the startup configuration:
Related Commands
|
|
---|---|
Copies the running system configuration to the startup confguration file. |
show startup-config aclmgr
To display the access control list (ACL) configuration in the startup configuration, use the show startup-config aclmgr command.
show startup-config aclmgr [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the ACL startup configuration:
This example shows how to display only the VTY startup configuration:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
show startup-config arp
To display the Address Resolution Protocol (ARP) configuration in the startup configuration, use the show startup-config arp command.
show startup-config arp [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display the ARP startup configuration:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
show startup-config dhcp
To display the Dynamic Host Configuration Protocol (DHCP) snooping configuration in the startup configuration, use the show running-config dhcp command.
show running-config dhcp [ all ]
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to display the DHCP snooping configuration in the startup configuration file:
Related Commands
|
|
---|---|
Copies the running configuration to the startup configuration. |
|
show startup-config radius
To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the RADIUS information in the startup configuration:
Related Commands
|
|
---|---|
Copies the running system configuration to the startup confguration file. |
show startup-config security
To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
Related Commands
|
|
---|---|
Copies the running system configuration to the startup confguration file. |
show tacacs-server
To display TACACS+ server information, use the show tacacs-server command.
show tacacs-server [ hostname | ip4-address ] [ directed-request | groups | sorted | statistics ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.
You must use the feature tacacs+ command before you can display TACACS+ information.
Examples
This example shows how to display information for all TACACS+ servers:
This example shows how to display information for a specified TACACS+ server:
This example shows how to display the TACACS+ directed request configuration:
This example shows how to display information for TACACS+ server groups:
This example shows how to display information for a specified TACACS+ server group:
This example shows how to display sorted information for all TACACS+ servers:
This example shows how to display statistics for a specified TACACS+ server:
Related Commands
|
|
---|---|
Displays the TACACS+ information in the running configuration file. |
show telnet server
To display the Telnet server status, use the show telnet server command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to display the Telnet server status:
Related Commands
|
|
---|---|
show user-account
To display information about the user accounts on the switch, use the show user-account command.
Syntax Description
(Optional) Information about the specified user account only. |
Command Default
Displays information about all the user accounts defined on the switch.
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display information about all the user accounts defined on the switch:
This example shows how to display information about a specific user account:
Related Commands
|
|
---|---|
Copies the running system configuration to the startup confguration file. |
show users
To display the users currently logged on the switch, use the show users command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Examples
This example shows how to display all the users currently logged on the switch:
Related Commands
|
|
---|---|
show vlan access-list
To display the contents of the IPv4 access control list (ACL) or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.
show vlan access-list map-name
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
For the specified VLAN access map, the switch displays the access map name and the contents of the ACL associated with the map.
Examples
This example shows how to display the contents of the ACL associated with the specified VLAN access map:
Related Commands
|
|
---|---|
Displays information about how a VLAN access map is applied. |
|
show vlan access-map
To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.
show vlan access-map [ map-name ]
Syntax Description
Command Default
The switch shows all VLAN access maps, unless you use the map-name argument to select a specific access map.
Command Modes
Command History
|
|
Usage Guidelines
For each VLAN access map displayed, the switch shows the access map name, the ACL specified by the match command, and the action specified by the action command.
Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.
Examples
This example shows how to display a specific VLAN access map:
This example shows how to display all VLAN access maps:
Related Commands
show vlan filter
To display information about instances of the vlan filter command, including the VLAN access map and the VLAN IDs affected by the command, use the show vlan filter command.
show vlan filter [ access-map map-name | vlan vlan-id ]
Syntax Description
(Optional) Limits the output to VLANs that the specified access map is applied to. |
|
(Optional) Limits the output to access maps that are applied to the specified VLAN only. |
Command Default
All instances of VLAN access maps applied to a VLAN are displayed, unless you use the access-map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID.
Command Modes
Command History
|
|
Examples
This example shows how to display all VLAN access map information on the switch:
Related Commands
|
|
---|---|
Specifies an action for traffic filtering in a VLAN access map. |
|
Specifies an ACL for traffic filtering in a VLAN access map. |
|
ssh
To create a Secure Shell (SSH) session using IPv4, use the ssh command.
ssh [ username @]{ ipv4-address | hostname } [ vrf { vrf-name | default | management }]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to start an SSH session using IPv4:
Related Commands
|
|
---|---|
ssh key
To create a Secure Shell (SSH) server key, use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key { dsa [ force ] | rsa [ length [ force ]]}
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The Cisco NX-OS software supports SSH version 1 and 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no ssh server enable command.
Examples
This example shows how to create an SSH server key using RSA with the default key length:
This example shows how to create an SSH server key using RSA with a specified key length:
This example shows how to replace an SSH server key using DSA with the force option:
This example shows how to remove the DSA SSH server key:
This example shows how to remove all SSH server keys:
Related Commands
|
|
---|---|
ssh server enable
To enable the Secure Shell (SSH) server, use the ssh server enable command. To disable the SSH server, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to enable the SSH server:
This example shows how to disable the SSH server:
Related Commands
|
|
---|---|
statistics per-entry
To start recording statistics for how many packets are permitted or denied by each entry in an IP, a MAC access control list (ACL), or a VLAN access-map entry, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
Syntax Description
Command Default
Command Modes
IPv6 access-list configuration
MAC access-list configuration
VLAN access-map configuration mode
Switch profile VLAN access-map configuration mode
Command History
|
|
---|---|
Usage Guidelines
Statistics are not supported if the DHCP snooping feature is enabled.
Examples
This example shows how to start recording per-entry statistics for a MAC access list called acl-mac-01:
This example shows how to start recording per-entry statistics for a VLAN access map named vlan-map-01:
This example shows how to start recording per-entry statistics for a VLAN access map named vlan-map-03 in a switch profile:
This example shows how to stop recording per-entry statistics for a VLAN access map named vlan-map-03 in a switch profile:
Related Commands
|
|
---|---|
storm-control level
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control { broadcast | multicast | unicast } level percentage [. fraction ]
no storm-control { broadcast | multicast | unicast } level
Syntax Description
Specifies the percentage of the suppression level. The range is from 0 to 100 percent. |
|
(Optional) Fraction of the suppression level. The range is from 0 to 99. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters storm-control command to display the discard count.
Use one of the following methods to turn off suppression for the specified traffic type:
Examples
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
This example shows how to disable the suppression mode for multicast traffic:
Related Commands
|
|
---|---|
Displays the storm-control suppression counters for an interface. |
|
tacacs-server deadtime
To set a periodic time interval where a nonreachable (nonresponsive) TACACS+ server is monitored for responsiveness, use the tacacs-server deadtime command. To disable the monitoring of the nonresponsive TACACS+ server, use the no form of this command.
tacacs-server deadtime minutes
no tacacs-server deadtime minutes
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Setting the time interval to zero disables the timer. If the dead-time interval for an individual TACACS+ server is greater than zero (0), that value takes precedence over the value set for the server group.
When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the dead-time interval and enable periodic monitoring:
This example shows how to revert to the default dead-time interval and disable periodic monitoring:
Related Commands
|
|
---|---|
Sets a dead-time interval for monitoring a nonresponsive RADIUS or TACACS+ server group. |
|
tacacs-server directed-request
To allow users to send authentication requests to a specific TACACS+ server when logging in, use the tacacs-server directed request command. To revert to the default, use the no form of this command.
tacacs-server directed-request
no tacacs-server directed-request
Syntax Description
Command Default
Sends the authentication request to the configured TACACS+ server groups.
Command Modes
Command History
|
|
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
During login, the user can specify the username@vrfname : hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server. The username is sent to the server name for authentication.
Examples
This example shows how to allow users to send authentication requests to a specific TACACS+ server when logging in:
This example shows how to disallow users to send authentication requests to a specific TACACS+ server when logging in:
Related Commands
|
|
---|---|
tacacs-server host
To configure TACACS+ server host parameters, use the tacacs-server host command. To revert to the defaults, use the no form of this command.
tacacs-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret ] [ port port-number ] [ test { idle-time time | password password | username name }] [ timeout seconds ]
no tacacs-server host { hostname | ipv4-address } [ key [ 0 | 7 ] shared-secret ] [ port port-number ] [ test { idle-time time | password password | username name }] [ timeout seconds ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
Examples
This example shows how to configure TACACS+ server host parameters:
Related Commands
|
|
---|---|
tacacs-server key
To configure a global TACACS+ shared secret key, use the tacacs-server key command. To remove a configured shared secret, use the no form of this command.
tacacs-server key [ 0 | 7 ] shared-secret
no tacacs-server key [ 0 | 7 ] shared-secret
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the switch. You can override this global key assignment by using the key keyword in the tacacs-server host command.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to display configure TACACS+ server shared keys:
Related Commands
|
|
---|---|
tacacs-server timeout
To specify the time between retransmissions to the TACACS+ servers, use the tacacs-server timeout command. To revert to the default, use the no form of this command.
no tacacs-server timeout seconds
Syntax Description
Seconds between retransmissions to the TACACS+ server. The valid range is 1 to 60 seconds. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the TACACS+ server timeout value:
This example shows how to revert to the default TACACS+ server timeout value:
Related Commands
|
|
---|---|
telnet
To create a Telnet session using IPv4 on a Cisco Nexus 3000 Series switch, use the telnet command.
telnet { ipv4-address | hostname } [ port-number ] [ vrf { vrf-name | default | management }]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Examples
This example shows how to start a Telnet session using IPv4:
Related Commands
|
|
---|---|
telnet server enable
To enable the Telnet server, use the telnet server enable command. To disable the Telnet server, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to enable the Telnet server:
This example shows how to disable the Telnet server:
Related Commands
|
|
---|---|
use-vrf
To specify a virtual routing and forwarding (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.
use-vrf { vrf-name | default | management }
no use-vrf { vrf-name | default | management }
Syntax Description
VRF instance name. The name is case sensitive and can be a maximum of 32 alphanumeric characters. |
|
Command Default
Command Modes
RADlUS server group configuration mode
TACACS+ server group configuration mode
Command History
|
|
Usage Guidelines
You can configure only one VRF instance for a server group.
Use the aaa group server radius command RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to specify a VRF instance for a RADIUS server group:
This example shows how to specify a VRF instance for a TACACS+ server group:
This example shows how to remove the VRF instance from a TACACS+ server group:
Related Commands
|
|
---|---|
username
To create and configure a user account, use the username command. To remove a user account, use the no form of this command.
username user-id [ expire date ] [ password { 0 | 5 } password ] [ role role-name ] [ priv-lvl level ]
username user-id sshkey { key | filename filename }
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The switch accepts only strong passwords. The characteristics of a strong password include the following:
- At least eight characters long
- Does not contain many consecutive characters (such as “abcd”)
- Does not contain many repeating characters (such as “aaabbb”)
- Does not contain dictionary words
- Does not contain proper names
- Contains both uppercase and lowercase characters
- Contains numbers
You must enable the cumulative privilege roles for TACACS+ server using the feature privilege command to see the priv-lvl keyword.
Examples
This example shows how to create a user account with a password:
This example shows how to configure the SSH key for a user account:
This example shows how to configure the privilege level for a user account:
Related Commands
vlan access-map
To create a new VLAN access map or to configure an existing VLAN access map, use the vlan access-map command. To remove a VLAN access map, use the no form of this command.
Syntax Description
Name of the VLAN access map that you want to create or configure. The name can be up to 64 alphanumeric, case-sensitive characters. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
Each VLAN access map can include one match command and one action command.
Examples
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
This example shows how to create a VLAN access map named vlan-map-03 in a switch profile:
Related Commands
vlan filter
To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.
vlan filter map-name vlan-list VLAN-list
no vlan filter map-name [ vlan-list VLAN-list ]
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You can apply a VLAN access map to one or more VLANs.
You can apply only one VLAN access map to a VLAN.
The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
Examples
This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
This example shows how to apply a VLAN access map named vlan-map-03 to VLANs 12 through 20:
Related Commands
vlan policy deny
To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to enter VLAN policy configuration mode for a user role:
This example shows how to revert to the default VLAN policy for a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
vrf policy deny
To configure the deny access to a virtual forwarding and routing instance (VRF) policy for a user role, use the vrf policy deny command. To revert to the default VRF policy configuration for a user role, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to enter VRF policy configuration mode for a user role:
This example shows how to revert to the default VRF policy for a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
vsan policy deny
To configure the deny access to a VSAN policy for a user role, use the vsan policy deny command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
To permit access to the VSAN policy, use the permit vsan command.
Examples
This example shows how to deny access to a VSAN policy for a user role:
This example shows how to revert to the default VSAN policy configuration for a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|