To configure the duration of time for which a non-reachable RADIUS or TACACS+ server is skipped, use the deadtime command. To revert to the default, use the no form of this command.
RADIUS server group configuration (config-radius)
TACACS+ server group configuration (config-tacacs+)
Global configuration (config)
Before you can configure it, you must enable TACACS+ using the tacacs+ enable command.
The dead-time can be configured either globally, in which case it applies to all RADIUS or TACACS+ servers, or per server group.
If the dead-time interval for a RADIUS or TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.
Setting the dead-time interval to 0 disables the timer.
When the dead-time interval is 0 minutes, RADIUS and TACACS+ servers are not marked as dead even if they are not responding.
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
This example shows how to set a global dead-time interval to 5 minutes for all TACACS+ servers and server groups:
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
This example shows how to revert to the dead-time interval default:
To direct the output of the debug commands to a specified file, use the debug logfile command. To revert to the default, use the no form of this command.
debug logfile filename [ size bytes ]
To enable debug command output logging, use the debug logging command. To disable debug logging, use the no form of this command.
To remove a configured rate limit for dynamic ARP inspection, use the default ip arp inspection limit command. This resets the inspection limit to its defaults.
default ip arp inspection limit { rate [ burst interval ] | none }
Interface configuration (config-if)
This example shows how to remove a configured rate limit for dynamic ARP inspection from vEthernet interface 3, and reset the rate limit to the default:
To remove a trusted vEthernet interface configuration for dynamic ARP inspection, use the default ip arp inspection trust command. This returns the interface to the default untrusted state.
Interface configuration (config-if)
This example shows how to remove the trusted vEthernet interface configuration for dynamic ARP inspection and return vEthernet interface 3 to the untrusted state:
To remove a particular switchport characteristic from a port profile, use the default switchport command.
default switchport { mode | access vlan | trunk { native | allowed } vlan | private-vlan { host-association | mapping [ trunk ]} | port-security }
Port profile configuration ( config-port-prof )
The functionality of this command is equivalent to using the no form of a specific switchport command. For example, the effect of the following commands is the same:
This example shows how to revert port profile ports to switch access ports.
This example shows how to remove the trunking allowed VLAN characteristics of a port profile.
This example shows how to remove the private VLAN host association of a port profile.
This example shows how to remove port security characteristics of a port profile.
To remove a configured administrative state from a port profile, and return its member interfaces to the default state (shutdown), use the default shutdown command.
To remove a configured administrative state from an interface, use the default shutdown command.
Interface configuration (config-if)
When you use the default shutdown command on a port profile member interface, it also allows the port profile configuration to take effect.
To remove any user configuration for the switchport port-security characteristic from a VEthernet interface, use the default switchport port-security command. This has the effect of setting the default (disabled) for port-security for that interface.
To specify the default action for mapping input field values to output field values in a table map, use the default command.
Table map configuration (config-tmap)
Default table map configuration
The copy keyword is available only in the table map configuration mode. In the default table map configuration mode, the copy keyword is not available because all values must be assigned a mapping.
To assign an informational throughput delay value to an Ethernet interface, use the delay command. To remove the delay value, use the no form of this command.
Interface configuration (config-if)
The actual Ethernet interface throughput delay time does not change when you set this value—the setting is for informational purposes only.
To delete a file, use the delete command.
delete [ filesystem : [ // directory / ] | directory / ] filename
To create an IPv4 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny protocol source destination [ dscp dscp | precedence precedence ]
no deny protocol source destination [ dscp dscp | precedence precedence ]
Internet Control Message Protocol
[ sequence-number ] deny icmp source destination [ icmp-message ] [ dscp dscp | precedence precedence ]
Internet Group Management Protocol
[ sequence-number ] deny igmp source destination [ igmp-message ] [ dscp dscp | precedence precedence ]
[ sequence-number ] deny ip source destination [ dscp dscp | precedence precedence ]
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ]
[ sequence-number ] deny udp source [ operator port [ port ] ] destination [ operator port [ port ] ] [ dscp dscp | precedence precedence ]
IPv4 ACL configuration (config-acl)
When the device applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
The following example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
This syntax is equivalent to IPv4-address /32 and IPv4-address 0.0.0.0.
The following example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
When you specify the protocol argument as tcp , the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp —Border Gateway Protocol (179)
chargen —Character generator (19)
cmd —Remote commands (rcmd, 514)
domain —Domain Name Service (53)
drip —Dynamic Routing Information Protocol (3949)
ftp —File Transfer Protocol (21)
ftp-data —FTP data connections (20)
hostname —NIC hostname server (101)
irc —Internet Relay Chat (194)
nntp —Network News Transport Protocol (119)
pim-auto-rp —PIM Auto-RP (496)
pop2 —Post Office Protocol v2 (109)
pop3 —Post Office Protocol v3 (110)
smtp —Simple Mail Transport Protocol (25)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
uucp —UNIX-to-UNIX Copy Program (540)
When you specify the protocol argument as udp , the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff —Biff (mail notification, comsat, 512)
bootpc —Bootstrap Protocol (BOOTP) client (68)
bootps —Bootstrap Protocol (BOOTP) server (67)
dnsix —DNSIX security protocol auditing (195)
domain —Domain Name Service (DNS, 53)
isakmp —Internet Security Association and Key Management Protocol (500)
mobile-ip —Mobile IP registration (434)
nameserver —IEN116 name service (obsolete, 42)
netbios-dgm —NetBIOS datagram service (138)
netbios-ns —NetBIOS name service (137)
netbios-ss —NetBIOS session service (139)
non500-isakmp —Internet Security Association and Key Management Protocol (4500)
ntp —Network Time Protocol (123)
pim-auto-rp —PIM Auto-RP (496)
rip —Routing Information Protocol (router, in.routed, 520)
snmp —Simple Network Management Protocol (161)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
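The first-match evaluation and the three ways of writing source and destination (address with wildcard, address with prefix length, host keyword) can be modelled as follows. This is an added Python illustration, not the original CLI listing or Cisco code; the rule sequence numbers and the /16 and /24 prefix lengths are assumptions chosen to mirror the acl-lab-01 description.

```python
import ipaddress

def parse_addr(tokens):
    """Consume one source/destination spec; return (network_int, care_mask_int)."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":                        # host A.B.C.D is the same as A.B.C.D/32
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    if "/" in tok:                           # address/prefix-length (VLSM) form
        net = ipaddress.IPv4Network(tok, strict=False)
        return int(net.network_address), int(net.netmask)
    # address + wildcard form: wildcard bits set to 1 are "don't care" bits
    care = ~int(ipaddress.IPv4Address(tokens.pop(0))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tok)) & care, care

def parse_rule(line):
    """Parse '<seq> <permit|deny> <protocol> <source> <destination>'."""
    tokens = line.split()
    seq, action, proto = int(tokens.pop(0)), tokens.pop(0), tokens.pop(0)
    src = parse_addr(tokens)
    dst = parse_addr(tokens)
    return seq, action, proto, src, dst

def evaluate(rules, proto, src_ip, dst_ip):
    """Return (action, seq) of the lowest-numbered rule the packet satisfies."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for seq, action, rproto, (snet, smask), (dnet, dmask) in sorted(rules):
        if rproto in ("ip", proto) and s & smask == snet and d & dmask == dnet:
            return action, seq
    return "deny", None      # no rule matched: implicit deny at the end of the ACL

# Constructed rules mirroring the acl-lab-01 description; sequence numbers and
# prefix lengths are assumptions. Rules 30 and 40 use the wildcard form.
ACL_LAB_01 = [parse_rule(r) for r in (
    "10 deny tcp 10.23.0.0/16 10.176.0.0/16",
    "20 deny udp 10.23.0.0/16 10.176.0.0/16",
    "30 deny tcp 192.168.37.0 0.0.0.255 10.176.0.0 0.0.255.255",
    "40 deny udp 192.168.37.0 0.0.0.255 10.176.0.0 0.0.255.255",
    "50 permit ip any any",
)]
```

Because the lowest matching sequence number wins, a broad permit numbered below a deny silently shadows it; running representative packets through a model like this before applying an ACL makes such ordering mistakes visible.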
To create a MAC access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
no deny source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
MAC ACL configuration ( config-mac-acl )
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
To add a description for the interface and save it in the running configuration, use the description command. To remove the interface description, use the no form of this command.
Interface configuration (config-if)
This example shows how to add the description for the interface and save it in the running configuration:
To add a description to a flow record, flow monitor, or flow exporter, use the description command. To remove the description, use the no form of this command.
NetFlow flow record (config-flow-record)
NetFlow flow exporter (config-flow-exporter)
NetFlow flow monitor (config-flow-monitor)
This example shows how to add a description to a flow record:
This example shows how to add a description to a flow exporter:
This example shows how to add a description to a flow monitor:
To add a description to a port profile role, use the description command. To remove the description, use the no form of this command.
To add a description to a QoS class map, policy map, or table map, use the description command. To remove the description, use the no form of this command.
QoS class map configuration (config-cmap-qos)
QoS table map configuration (config-tmap-qos)
QoS policy map configuration (config-pmap-qos)
To add a description for a role, use the description command. To remove a description of a role, use the no form of this command.
To add a description to a SPAN session, use the description command. To remove the description, use the no form of this command.
To add a destination IP address or VRF to a NetFlow flow exporter, use the destination command. To remove the IP address or VRF, use the no form of this command.
NetFlow flow exporter configuration (config-flow-exporter)
This example shows how to add a destination IP address to a NetFlow flow exporter:
This example shows how to remove the IP address from a flow exporter:
To configure the port(s) in a SPAN session to act as destination(s) for copied source packets, use the destination interface command. To remove the destination interface, use the no form of this command.
destination interface type number(s)_or_range
SPAN monitor configuration ( config-monitor )
SPAN destination ports must already be configured as either access or trunk ports.
SPAN sessions are created in the shut state by default.
When you create a SPAN session that already exists, any additional configuration is added to that session. To make sure the session is cleared of any previous configuration, you can delete the session first using the no monitor session command.
To display the contents of a directory or file, use the dir command.
network-admin
network-operator
Use the pwd command to identify the directory you are currently working in.
Use the cd command to change the directory you are currently working in.
To assign a domain-id, use the domain id command. To remove a domain-id, use the no form of this command.
Domain configuration (config-svs-domain)
During installation of the Cisco Nexus 1000V the setup utility prompts you to configure a domain, including the domain ID and control and packet VLANs.
To add a differentiated services codepoint (DSCP) to a NetFlow flow exporter, use the dscp command. To remove the DSCP, use the no form of this command.
NetFlow flow exporter configuration (config-flow-exporter)
This example shows how to configure DSCP for a NetFlow flow exporter:
This example shows how to remove DSCP from the NetFlow flow exporter:
To set the duplex mode for an interface as full, half, or autonegotiate, use the duplex command. To revert to the default setting, use the no form of this command.
Interface configuration (config-if)
When you use the no version of this command, an argument (such as full, half, or auto) is optional. To return to the default duplex setting, you can use either of the following commands (if, for example, the setting had been changed to full):