- interface policy deny
- ip access-class
- ip access-group
- ip access-list
- ip arp event-history errors
- ip arp inspection log-buffer
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection trust
- ip dhcp packet strict-validation
- ip dhcp snooping
- ip dhcp snooping information option
- ip dhcp snooping trust
- ip dhcp snooping verify mac-address
- ip dhcp snooping vlan
- ip port access-group
- ip source binding
- ip verify source dhcp-snooping-vlan
- ip verify unicast source reachable-via
- ipv6 access-class
- ipv6 access-list
- ipv6 port traffic-filter
- ipv6 traffic-filter
I Commands
This chapter describes the Cisco NX-OS security commands that begin with I.
interface policy deny
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
interface policy deny
no interface policy deny
Syntax Description
This command has no arguments or keywords.
Command Default
All interfaces
Command Modes
User role configuration mode
Command History
|
|
|
4.0(0)N1(1a) |
This command was introduced. |
Examples
This example shows how to enter interface policy configuration mode for a user role:
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)#
This example shows how to revert to the default interface policy for a user role:
switch(config)# role name MyRole
switch(config-role)# no interface policy deny
Related Commands
|
|
|
|---|---|
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
ip access-class
To create or configure an IPv4 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ip access-class command. To remove the access class, use the no form of this command.
ip access-class access-list-name {in | out}
no ip access-class access-list-name {in | out}
Syntax Description
Command Default
None
Command Modes
Line configuration mode
Command History
|
|
|
|---|---|
5.0(2)N1(1) |
This command was introduced. |
Examples
This example shows how to configure an IP access class on a VTY line to restrict inbound packets:
switch# configure terminal
switch(config)# line vty
switch(config-line)# ip access-class VTY_ACCESS in
switch(config-line)#
This example shows how to remove an IP access class that restricts inbound packets:
switch(config)# line vty
switch(config-line)# no ip access-class VTY_ACCESS in
switch(config-line)#
Related Commands
ip access-group
To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name in
no ip access-group access-list-name in
Syntax Description
access-list- |
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
|---|---|
in |
Specifies that the ACL applies to inbound traffic. |
Command Default
None
Command Modes
Interface configuration mode
Subinterface configuration mode
Command History
|
|
|
|---|---|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
By default, no IPv4 ACLs are applied to a Layer 3 routed interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
•
VLAN interfaces
•Layer 3 Ethernet interfaces
•Layer 3 Ethernet subinterfaces
•Layer 3 Ethernet port-channel interfaces and subinterfaces
•Loopback interfaces
•Management interfaces
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
•Layer 2 Ethernet interfaces
•Layer 2 Ethernet port-channel interfaces
However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
A router ACL can be applied only to ingress traffic.
This command does not require a license.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to the Layer 3 Ethernet interface 2/1:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no switchport
switch(config-if)# ip access-group ip-acl-01 in
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no switchport
switch(config-if)# ip access-group ip-acl-01 in
switch(config-if)# no ip access-group ip-acl-01 in
Related Commands
ip access-list
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Syntax Description
access-list-name |
Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark. |
Command Default
No IPv4 ACLs are defined by default.
Command Modes
Global configuration mode
Command History
|
|
|
4.0(0)N1(1a) |
This command was introduced. |
Usage Guidelines
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface.
Every IPv4 ACL has the following implicit rule as its last rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), which is the IPv4 equivalent of the IPv6 neighbor discovery process, uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch(config)# ip access-list ip-acl-01
switch(config-acl)#
Related Commands
ip arp event-history errors
To log Address Resolution Protocol (ARP) debug events into the event history buffer, use the ip arp event-history errors command.
ip arp event-history errors size {disabled | large | medium | small}
no ip arp event-history errors size {disabled | large | medium | small}
Syntax Description
Command Default
By default, the event history buffer is small.
Command Modes
Global configuration mode
Command History
|
|
|
|---|---|
5.0(2)N1(1) |
This command was introduced. |
Examples
This example shows how to configure a medium ARP event history buffer:
switch(config)# ip arp event-history errors size medium
switch(config)#
This example shows how to set the ARP event history buffer to the default:
switch(config)# no ip arp event-history errors size medium
switch(config)#
Related Commands
|
|
|
|---|---|
show running-config arp all |
Displays the ARP configuration, including the default configurations. |
ip arp inspection log-buffer
To configure the Dynamic ARP Inspection (DAI) logging buffer size, use the ip arp inspection log-buffer command. To reset the DAI logging buffer to its default size, use the no form of this command.
ip arp inspection log-buffer entries number
no ip arp inspection log-buffer entries number
Syntax Description
entries number |
Specifies the buffer size in a range of 1 to 1024 messages. |
Command Default
None
Command Modes
Global configuration mode
Command History
|
|
|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
By default, the DAI logging buffer size is 32 messages.
Examples
This example shows how to configure the DAI logging buffer size:
switch# configure terminal
switch(config)# ip arp inspection log-buffer entries 64
switch(config)#
Related Commands
ip arp inspection validate
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate command. To disable additional DAI, use the no form of this command.
ip arp inspection validate {dst-mac [ip] [src-mac]}
ip arp inspection validate {ip [dst-mac] [src-mac]}
ip arp inspection validate {src-mac [dst-mac] [ip]}
no ip arp inspection validate {dst-mac [ip] [src-mac]}
no ip arp inspection validate {ip [dst-mac] [src-mac]}
no ip arp inspection validate {src-mac [dst-mac] [ip]}
Syntax Description
Command Default
None
Command Modes
Global configuration mode
Command History
|
|
|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
You must specify at least one keyword. If you specify more than one keyword, the order is irrelevant.
When you enable source MAC validation, an ARP packet is considered valid only if the sender Ethernet address in the packet body is the same as the source Ethernet address in the ARP frame header. When you enable destination MAC validation, an ARP request frame is considered valid only if the target Ethernet address is the same as the destination Ethernet address in the ARP frame header.
Examples
This example shows how to enable additional DAI validation:
switch# configure terminal
switch(config)# ip arp inspection validate src-mac dst-mac ip
switch(config)#
This example shows how to disable additional DAI validation:
switch(config)# no ip arp inspection validate src-mac dst-mac ip
switch(config)#
Related Commands
ip arp inspection vlan
To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.
ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]
no ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]
Syntax Description
Command Default
Logging of dropped packets
Command Modes
Global configuration
Command History
|
|
|
|---|---|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
By default, the device logs dropped packets inspected by DAI.
This command does not require a license.
Examples
This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
switch# configure terminal
switch(config)# ip arp inspection vlan 13,15,17-23
switch(config)#
Related Commands
ip arp inspection trust
To configure a Layer 2 interface as a trusted ARP interface, use the ip arp inspection trust command. To configure a Layer 2 interface as an untrusted ARP interface, use the no form of this command.
ip arp inspection trust
no ip arp inspection trust
Syntax Description
This command has no arguments or keywords.
Command Default
By default, all interfaces are untrusted ARP interfaces.
Command Modes
Interface configuration mode
Command History
|
|
|
|---|---|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
You can configure only Layer 2 Ethernet interfaces as trusted ARP interfaces.
This command does not require a license.
Examples
This example shows how to configure a Layer 2 interface as a trusted ARP interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# ip arp inspection trust
switch(config-if)#
Related Commands
ip dhcp packet strict-validation
To enable the strict validation of Dynamic Host Configuration Protocol (DHCP) packets by the DHCP snooping feature, use the ip dhcp packet strict-validation command. To disable the strict validation of DHCP packets, use the no form of this command.
ip dhcp packet strict-validation
no ip dhcp packet strict-validation
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
Global configuration mode
Command History
|
|
|
|---|---|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
You must enable DHCP snooping before you can use the ip dhcp packet strict-validation command.
Strict validation of DHCP packets checks that the DHCP options field in DCHP packets is valid, including the "magic cookie" value in the first four bytes of the options field. When strict validation of DHCP packets is enabled, the device drops DHCP packets that fail validation.
Examples
This example shows how to enable the strict validation of DHCP packets:
switch# configure terminal
switch(config)# ip dhcp packet strict-validation
switch(config)#
Related Commands
ip dhcp snooping
To globally enable Dynamic Host Configuration Protocol (DHCP) snooping on the device, use the ip dhcp snooping command. To globally disable DHCP snooping, use the no form of this command.
ip dhcp snooping
no ip dhcp snooping
Syntax Description
This command has no arguments or keywords.
Command Default
By default, DHCP snooping is globally disabled.
Command Modes
Global configuration mode
Command History
|
|
|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
Examples
This example shows how to globally enable DHCP snooping:
switch# configure terminal
switch(config)# ip dhcp snooping
switch(config)#
Related Commands
ip dhcp snooping information option
To enable the insertion and removal of option-82 information for Dynamic Host Configuration Protocol (DHCP) packets, use the ip dhcp snooping information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp snooping information option
no ip dhcp snooping information option
Syntax Description
This command has no arguments or keywords.
Command Default
By default, the device does not insert and remove option-82 information.
Command Modes
Global configuration mode
Command History
|
|
|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to globally enable DHCP snooping:
switch# configure terminal
switch(config)# ip dhcp snooping information option
switch(config)#
Related Commands
ip dhcp snooping trust
To configure an interface as a trusted source of Dynamic Host Configuration Protocol (DHCP) messages, use the ip dhcp snooping trust command. To configure an interface as an untrusted source of DHCP messages, use the no form of this command.
ip dhcp snooping trust
no ip dhcp snooping trust
Syntax Description
This command has no arguments or keywords.
Command Default
By default, no interface is a trusted source of DHCP messages.
Command Modes
Interface configuration mode
Command History
|
|
|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure DHCP trust on the following types of interfaces:
•Layer 3 Ethernet interfaces and subinterfaces
•Layer 2 Ethernet interfaces
•Private VLAN interfaces
Examples
This example shows how to configure an interface as a trusted source of DHCP messages:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# ip dhcp snooping trust
switch(config-if)#
Related Commands
ip dhcp snooping verify mac-address
To enable Dynamic Host Configuration Protocol (DHCP) snooping for MAC address verification, use the ip dhcp snooping verify mac-address command. To disable DHCP snooping MAC address verification, use the no form of this command.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address
Syntax Description
This command has no arguments or keywords.
Command Default
None
Command Modes
Global configuration mode
Command History
|
|
|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
By default, MAC address verification with DHCP snooping is not enabled.
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet.
Examples
This example shows how to enable DHCP snooping for MAC address verification:
switch# configure terminal
switch(config)# ip dhcp snooping verify mac-address
switch(config)#
Related Commands
|
|
|
|---|---|
feature dhcp |
Enables DHCP snooping on the switch. |
show running-config dhcp |
Displays the DHCP snooping configuration configuration. |
ip dhcp snooping vlan
To enable Dynamic Host Configuration Protocol (DHCP) snooping on one or more VLANs, use the ip dhcp snooping vlan command. To disable DHCP snooping on one or more VLANs, use the no form of this command.
ip dhcp snooping vlan vlan-list
no ip dhcp snooping vlan vlan-list
Syntax Description
Command Default
By default, DHCP snooping is not enabled on any VLAN.
Command Modes
Global configuration mode
Command History
|
|
|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to enable DHCP snooping on VLANs 100, 200, and 250 through 252:
switch# configure terminal
switch(config)# ip dhcp snooping vlan 100,200,250-252
switch(config)#
Related Commands
ip port access-group
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Syntax Description
access-list-name |
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long. |
in |
Specifies that the ACL applies to inbound traffic. |
Command Default
None
Command Modes
Interface configuration mode
Virtual Ethernet interface configuration mode
Command History
|
|
|
4.0(0)N1(1a) |
This command was introduced. |
5.1(3)N1(1) |
Support for this command was introduced for virtual Ethernet interfaces. |
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
•Layer 2 Ethernet interfaces
•Layer 2 EtherChannel interfaces
•Virtual Ethernet interface
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
switch(config)# interface ethernet 1/2
switch(config-if)# ip port access-group ip-acl-01 in
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
switch(config)# interface ethernet 1/2
switch(config-if)# no ip port access-group ip-acl-01 in
switch(config-if)#
This example shows how to apply an IPv4 ACL named ip-acl-03 to the virtual Ethernet interface 1 as a port ACL:
switch# configure terminal
switch(config)# interface vethernet 1
switch(config-if)# ip port access-group ip-acl-03 in
switch(config-if)#
Related Commands
ip source binding
To create a static IP source entry for a Layer 2 Ethernet interface, use the ip source binding command. To disable the static IP source entry, use the no form of this command.
ip source binding IP-address MAC-address vlan vlan-id {interface ethernet slot/port | port-channel channel-no}
no ip source binding IP-address MAC-address vlan vlan-id {interface ethernet slot/port | port-channel channel-no}
Syntax Description
Command Default
None
Command Modes
Global configuration mode
Command History
|
|
|
5.0(2)N2(1) |
This command was introduced. |
Usage Guidelines
By default, there are no static IP source entries.
To use this command, you must enable the Dynamic Host Configuration Protocol (DHCP) snooping feature using the feature dhcp command.
Examples
This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
switch# configure terminal
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
switch(config)#
Related Commands
ip verify source dhcp-snooping-vlan
To enable IP Source Guard on a Layer 2 Ethernet interface, use the ip verify source dhcp-snooping-vlan command. To disable IP Source Guard on a Layer 2 Ethernet interface, use the no form of this command.
ip verify source dhcp-snooping-vlan
no ip verify source dhcp-snooping-vlan
Syntax Description
This command has no arguments or keywords.
Command Default
Disabled
Command Modes
Interface configuration mode
Command History
|
|
|
|---|---|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry.
IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
This command does not require a license.
Examples
This example shows how to enable IP Source Guard on a Layer 2 interface:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# ip verify source dhcp-snooping-vlan
switch(config-if)#
This example shows how to disable IP Source Guard on a Layer 2 interface:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# no ip verify source dhcp-snooping-vlan
switch(config-if)#
Related Commands
ip verify unicast source reachable-via
To configure Unicast Reverse Path Forwarding (Unicast RPF) on an interface, use the ip verify unicast source reachable-via command. To remove Unicast RPF from an interface, use the no form of this command.
ip verify unicast source reachable-via {any [allow-default] | rx}
no ip verify unicast source reachable-via {any [allow-default] | rx}
Syntax Description
any |
Specifies loose checking. |
allow-default |
(Optional) Specifies the MAC address to be used on the specified interface. |
rx |
Specifies strict checking. |
Command Default
None
Command Modes
Interface configuration mode
Command History
|
|
|
|---|---|
5.0(3)N1(1) |
This command was introduced. |
Usage Guidelines
You can configure one of the following Unicast RPF modes on an ingress interface:
•Strict Unicast RPF mode—A strict mode check is successful when the following matches occur:
–Unicast RPF finds a match in the Forwarding Information Base (FIB) for the packet source address.
–The ingress interface through which the packet is received matches one of the Unicast RPF interfaces in the FIB match.
If these checks fail, the packet is discarded. You can use this type of Unicast RPF check where packet flows are expected to be symmetrical.
•Loose Unicast RPF mode—A loose mode check is successful when a lookup of a packet source address in the FIB returns a match and the FIB result indicates that the source is reachable through at least one real interface. The ingress interface through which the packet is received is not required to match any of the interfaces in the FIB result.
This command does not require a license.
Examples
This example shows how to configure loose Unicast RPF checking on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# ip verify unicast source reachable-via any
This example shows how to configure strict Unicast RPF checking on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# ip verify unicast source reachable-via rx
Related Commands
ipv6 access-class
To create or configure an IPv6 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ipv6 access-class command. To remove the access class, use the no form of this command.
ipv6 access-class access-list-name {in | out}
no ipv6 access-class access-list-name {in | out}
Syntax Description
Command Default
None
Command Modes
Line configuration mode
Command History
|
|
|
|---|---|
5.0(2)N1(1) |
This command was introduced. |
Examples
This example shows how to configure an IPv6 access class on a VTY line to restrict inbound packets:
switch# configure terminal
switch(config)# line vty
switch(config-line)# ipv6 access-class VTY_I6ACCESS in
switch(config-line)#
This example shows how to remove an IPv6 access class that restricts inbound packets:
switch(config)# line vty
switch(config-line)# no ipv6 access-class VTY_I6ACCESS in
switch(config-line)#
Related Commands
ipv6 access-list
To create an IPv6 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ipv6 access-list command. To remove an IPv6 ACL, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Syntax Description
access-list-name |
Name of the IPv6 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark. |
Command Default
No IPv6 ACLs are defined by default.
Command Modes
Global configuration mode
Command History
|
|
|
4.0(1a)N1(1) |
This command was introduced. |
Usage Guidelines
Use IPv6 ACLs to filter IPv6 traffic.
When you use the ipv6 access-list command, the switch enters IP access list configuration mode, where you can use the IPv6 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Every IPv6 ACL has the following implicit rule as its last rule:
deny ipv6 any any
This implicit rule ensures that the switch denies unmatched IP traffic.
Examples
This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
switch(config)# ipv6 access-list ipv6-acl-01
switch(config-ipv6-acl)#
Related Commands
|
|
|
|---|---|
deny (IPv6) |
Configures a deny rule in an IPv6 ACL. |
permit (IPv6) |
Configures a permit rule in an IPv6 ACL. |
ipv6 port traffic-filter
To apply an IPv6 access control list (ACL) to an interface as a port ACL, use the ipv6 port traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 port traffic-filter access-list-name in
no ipv6 port traffic-filter access-list-name in
Syntax Description
access-list-name |
Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
in |
Specifies that the device applies the ACL to inbound traffic. |
Command Default
None
Command Modes
Interface configuration mode
Virtual Ethernet interface configuration mode
Command History
|
|
|
4.0(1a)N1(1) |
This command was introduced. |
5.1(3)N1(1) |
Support for this command was introduced for virtual Ethernet interfaces. |
Usage Guidelines
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
•Ethernet interfaces
•EtherChannel interfaces
•Virtual Ethernet interface
You can also use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
•VLAN interfaces
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# ipv6 port traffic-filter ipv6-acl in
switch(config-if)#
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# no ipv6 port traffic-filter ipv6-acl in
switch(config-if)#
This example shows how to apply an IPv6 ACL named ipv6-acl-03 to a specific virtual Ethernet interface:
switch# configure terminal
switch(config)# interface vethernet 1
switch(config-if)# ipv6 port traffic-filter ipv6-acl-03 in
switch(config-if)#
Related Commands
ipv6 traffic-filter
To apply an IPv6 access control list (ACL) to an interface, use the ipv6 traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 traffic-filter access-list-name in
no ipv6 traffic-filter access-list-name in
Syntax Description
access-list-name |
Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
in |
Specifies that the device applies the ACL to inbound traffic. |
Command Default
None
Command Modes
Interface configuration mode
Virtual Ethernet interface configuration mode
Command History
|
|
|
4.0(1a)N1(1) |
This command was introduced. |
5.1(3)N1(1) |
Support for this command was introduced for virtual Ethernet interfaces. |
Usage Guidelines
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 traffic-filter command to apply an IPv6 ACL to the following interface types:
•Ethernet interfaces
•EtherChannel interfaces
•Virtual Ethernet interface
•VLAN interfaces
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# ipv6 traffic-filter ipv6-acl in
switch(config-if)#
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# no ipv6 traffic-filter ipv6-acl in
switch(config-if)#
This example shows how to apply an IPv6 ACL named ipv6-acl-03 to a specific virtual Ethernet interface:
switch# configure terminal
switch(config)# interface vethernet 1
switch(config-if)# ipv6 traffic-filter ipv6-acl-03 in
switch(config-if)#
Related Commands
Feedback