D Commands
This chapter describes the Cisco Nexus 1000V commands that begin with D.
deadtime
To configure the duration of time for which a non-reachable RADIUS or TACACS+ server is skipped, use the deadtime command. To revert to the default, use the no form of this command.
deadtime minutes
no deadtime minutes
Syntax Description
minutes |
Number of minutes, from 0 to 1440, for the interval. |
Command Modes
RADIUS server group configuration (config-radius)
TACACS+ server group configuration (config-tacacs+)
Global configuration (config)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
Before you can configure it, you must enable TACACS+ using the tacacs+ enable command.
The dead-time can be configured either globally, where it applies to all RADIUS or TACACS+ servers, or per server group.
If the dead-time interval for a RADIUS or TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.
Setting the dead-time interval to 0 disables the timer.
When the dead-time interval is 0 minutes, RADIUS and TACACS+ servers are not marked as dead even if they are not responding.
Examples
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
n1000v(config)# aaa group server radius RadServer
n1000v(config-radius)# deadtime 2
This example shows how to set a global dead-time interval to 5 minutes for all TACACS+ servers and server groups:
n1000v(config)# tacacs-server deadtime 5
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
n1000v(config)# aaa group server tacacs+ TacServer
n1000v(config-tacacs+)# deadtime 5
This example shows how to revert to the dead-time interval default:
n1000v(config)# feature tacacs+
n1000v(config)# aaa group server tacacs+ TacServer
n1000v(config-tacacs+)# no deadtime 5
Related Commands
|
|
aaa group server |
Configures AAA server groups. |
radius-server host |
Configures a RADIUS server. |
show radius-server groups |
Displays RADIUS server group information. |
show tacacs-server groups |
Displays TACACS+ server group information. |
tacacs+ enable |
Enables TACACS+. |
tacacs-server host |
Configures a TACACS+ server. |
debug logfile
To direct the output of the debug commands to a specified file, use the debug logfile command. To revert to the default, use the no form of this command.
debug logfile filename [ size bytes ]
no debug logfile filename [ size bytes ]
Syntax Description
filename |
Name of the file for debug command output. The filename is alphanumeric, case sensitive, and has a maximum of 64 characters. |
size bytes |
(Optional) Specifies the size of the logfile in bytes. The range is from 4096 to 4194304. |
Defaults
Default filename: syslogd_debugs
Default file size: 4194304 bytes
Command Modes
Any
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
The logfile is created in the log: file system root directory.
Use the dir log: command to display the log files.
Examples
This example shows how to specify a debug logfile:
n1000v# debug logfile debug_log
This example shows how to revert to the default debug logfile:
n1000v# no debug logfile debug_log
Related Commands
|
|
dir |
Displays the contents of a directory. |
show debug |
Displays the debug configuration. |
show debug logfile |
Displays the debug logfile contents. |
debug logging
To enable debug command output logging, use the debug logging command. To disable debug logging, use the no form of this command.
debug logging
no debug logging
Syntax Description
This command has no arguments or keywords.
Command Modes
Any
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to enable the output logging for the debug command:
This example shows how to disable the output logging for the debug command:
Related Commands
|
|
debug logfile |
Configures the logfile for the debug command output. |
default ip arp inspection limit
To remove a configured rate limit for dynamic ARP inspection, use the default ip arp inspection limit command. This resets the inspection limit to its defaults.
default ip arp inspection limit { rate [ burst interval ] | none }
Syntax Description
rate |
Rate Limit. |
burst |
(Optional) burst interval. |
interval |
(Optional) burst interval. |
none |
No limit. |
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.2(1) SV1(4) |
This command was introduced. |
Examples
This example shows how to remove a configured rate limit for dynamic ARP inspection from vEthernet interface 3, and reset the rate limit to the default:
n1000v(config)# interface vethernet 3
n1000v(config-if)# default ip arp inspection limit rate
Related Commands
|
|
show running-config dhcp |
Displays the DHCP configuration including DAI. |
show ip arp inspection |
Displays the status of DAI. |
ip arp inspection vlan |
Configures a VLAN for dynamic ARP inspection. |
ip arp inspection limit |
Configures a rate limit for dynamic ARP inspection. |
default ip arp inspection trust
To remove a trusted vEthernet interface configuration for dynamic ARP inspection, use the default ip arp inspection trust command. This returns the interface to the default untrusted state.
default ip arp inspection trust
Syntax Description
This command has no arguments or keywords.
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.2(1) SV1(4) |
This command was introduced. |
Examples
This example shows how to remove the trusted vEthernet interface configuration for dynamic ARP inspection and return vEthernet interface 3 to the untrusted state:
n1000v(config)# interface vethernet 3
n1000v(config-if)# default ip arp inspection trust
Related Commands
|
|
show ip arp inspection interface vethernet interface-number |
Displays the trust state and ARP packet rate for a specific interface. |
ip arp inspection vlan |
Configures a VLAN for dynamic ARP inspection. |
ip arp inspection trust |
Configures a trusted vEthernet interface for dynamic ARP inspection. |
default segment distribution mac
To configure the default MAC distribution mode of a bridge domain, use the default segment distribution mac command. The global configuration takes effect only on bridge domains (BDs) that have the default configuration.
default segment distribution mac
Syntax Description
default |
Default segment mode. |
distribution mac |
Configure MAC distribution mode. |
Command Modes
bridge-domain configuration (config-bd)
network-admin
Command History
|
|
4.2(1)SV2(2.1) |
This command was introduced. |
Usage Guidelines
Global Configuration will take effect only on BDs which have default configuration.
Examples
This example shows how to configure the default MAC distribution mode per bridge-domain:
n1000v(config)# bridge-domain tenant-red
n1000v(config-bd)# default segment mode unicast-only
n1000v(config-bd)# default segment distribution mac
Related Commands
|
|
default segment mode unicast-only |
Configure the default segment mode unicast-only per bridge-domain. |
default segment mode unicast-only
To configure the default segment mode of a bridge domain, use the default segment mode unicast-only command. The global configuration takes effect only on bridge domains (BDs) that have the default configuration.
default segment mode unicast-only
Syntax Description
default |
Default segment mode. |
unicast-only |
Configure segment mode unicast-only. |
Command Modes
bridge-domain configuration (config-bd)
network-admin
Command History
|
|
4.2(1)SV2(2.1) |
This command was introduced. |
Usage Guidelines
Global Configuration will take effect only on BDs which have default configuration.
Examples
This example shows how to configure the default segment mode unicast-only per bridge-domain:
n1000v(config)# bridge-domain tenant-red
n1000v(config-bd)# default segment mode unicast-only
Related Commands
|
|
default segment distribution mac |
Configure the default MAC distribution mode per bridge-domain. |
default switchport (port profile)
To remove a particular switchport characteristic from a port profile, use the default switchport command.
default switchport { mode | access vlan | trunk { native | allowed } vlan | private-vlan { host-association | mapping [ trunk ]} | port-security }
Syntax Description
mode |
Removes the port mode characteristic from a port profile, which causes the port mode to revert to global or interface defaults (access mode). This is equivalent to executing the no switchport mode port-profile command. |
access vlan |
Removes an access VLAN configuration. |
trunk allowed vlan |
Removes trunking allowed VLAN characteristics. |
trunk native vlan |
Removes trunking native VLAN characteristics. |
private-vlan host-association |
Removes PVLAN host-association. |
private-vlan mapping |
Removes PVLAN mapping. |
port-security |
Removes port-security characteristics. |
Command Modes
Port profile configuration (config-port-prof)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
The functionality of this command is equivalent to using the no form of a specific switchport command. For example, the effect of the following commands is the same:
- default switchport mode command = no switchport mode command
- default switchport access vlan command = no switchport access vlan command
- default switchport trunk native vlan command = no switchport trunk native vlan command
Examples
This example shows how to revert port profile ports to switch access ports.
n1000v(config-port-prof)# default switchport mode
This example shows how to remove the trunking allowed VLAN characteristics of a port profile.
n1000v(config-port-prof)# default switchport trunk allowed vlan
This example shows how to remove the private VLAN host association of a port profile.
n1000v(config-port-prof)# default switchport private-vlan host-association
This example shows how to remove port security characteristics of a port profile.
n1000v(config-port-prof)# default switchport port-security
Related Commands
|
|
show port-profile |
Displays information about port profile(s). |
default shutdown (port profile)
To remove a configured administrative state from a port profile, and return its member interfaces to the default state (shutdown), use the default shutdown command.
default shutdown
Syntax Description
This command has no arguments or keywords.
Command Modes
Port profile configuration (config-port-prof)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to change the member interfaces in the port profile named DataProfile to shutdown:
n1000v# port-profile DataProfile
n1000v(config-port-prof)# default shutdown
n1000v(config-port-prof)#
Related Commands
|
|
show port-profile |
Displays the configuration for a port profile. |
default shutdown (interface)
To remove a configured administrative state from an interface, use the default shutdown command.
default shutdown
Syntax Description
This command has no arguments or keywords.
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
When you use the default shutdown command on a port profile member interface, it also allows the port profile configuration to take effect.
Examples
This example shows how to change interface Ethernet 3/2 to shutdown:
n1000v(config)# interface ethernet 3/2
n1000v(config-if)# default shutdown
Related Commands
|
|
show running-config interface |
Displays the interface configuration. |
interface ethernet |
Configures an Ethernet interface. |
interface vethernet |
Configures a vEthernet interface. |
default switchport port-security (VEthernet)
To remove any user configuration for the switchport port-security characteristic from a VEthernet interface, use the default switchport port-security command. This has the effect of setting the default (disabled) for port-security for that interface.
default switchport port-security
Syntax Description
This command has no arguments or keywords.
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to disable port security on VEthernet 2:
n1000v(config)# interface veth 2
n1000v(config-if)# default switchport port-security
Related Commands
|
|
show running-config port-security |
Displays the port security configuration. |
default (table map)
To specify the default action for mapping input field values to output field values in a table map, use the default command.
default { value | copy }
no default { value | copy }
Syntax Description
value |
Default value to use for the output value in the range from 0 to 63. |
copy |
Specifies that the default action is to copy all equal values to an equal output value. |
Defaults
Copies the input value to the output value.
Command Modes
Table map configuration (config-tmap)
Default table map configuration
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
The copy keyword is available only in the table map configuration mode. In the default table map configuration mode, the copy keyword is not available because all values must be assigned a mapping.
Examples
This example shows how to remove the default mapping action copy. The resulting default action is ignore:
n1000v(config)# table-map my_table1
n1000v(config-tmap)# no default copy
Related Commands
|
|
from |
Specifies input field to output field mappings in table maps. |
show table-map |
Displays table maps. |
delay
To assign an informational throughput delay value to an Ethernet interface, use the delay command. To remove the delay value, use the no form of this command.
delay value
no delay [ value ]
Syntax Description
value |
Specifies the throughput delay time in tens of microseconds. Allowable values are between 1 and 16777215. |
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
The actual Ethernet interface throughput delay time does not change when you set this value—the setting is for informational purposes only.
Examples
This example shows how to assign the delay time to an Ethernet slot 3 port 1 interface:
n1000v(config)# interface ethernet 3/1
n1000v(config-if)# delay 10000
This example shows how to remove the delay time configuration:
n1000v(config)# interface ethernet 3/1
n1000v(config-if)# no delay 10000
Related Commands
|
|
show interface |
Displays configuration information for an interface. |
delete
To delete a file, use the delete command.
delete [ filesystem : [ // directory / ] | directory / ] filename
Syntax Description
filesystem : |
(Optional) Name of the file system. Valid values are bootflash or volatile. |
// directory / |
(Optional) Name of the directory. The directory name is case sensitive. |
filename |
Name of the file. The name is case sensitive. |
Command Modes
Any
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
Use the dir command to locate the file that you want to delete.
Examples
This example shows how to delete a file:
n1000v# delete bootflash:old_config.cfg
Related Commands
|
|
dir |
Displays the contents of a directory. |
deny (IPv4)
To create an IPv4 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
General Syntax
[ sequence-number ] deny protocol source destination [ dscp dscp | precedence precedence ]
no deny protocol source destination [ dscp dscp | precedence precedence ]
no sequence-number
Internet Control Message Protocol
[ sequence-number ] deny icmp source destination [ icmp-message ] [ dscp dscp | precedence precedence ]
Internet Group Management Protocol
[ sequence-number ] deny igmp source destination [ igmp-message ] [ dscp dscp | precedence precedence ]
Internet Protocol v4
[ sequence-number ] deny ip source destination [ dscp dscp | precedence precedence ]
Transmission Control Protocol
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ]
User Datagram Protocol
[ sequence-number ] deny udp source [ operator port [ port ] ] destination [ operator port [ port ] ] [ dscp dscp | precedence precedence ]
Syntax Description
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
protocol |
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
- icmp —Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- igmp —Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- ip —Specifies that the rule applies to all IPv4 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv4 protocols are available. They include the following:
– dscp
– precedence
- tcp —Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments are available, in addition to the keywords that are available for all valid values of the protocol argument.
- udp —Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
|
source |
Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
dscp dscp |
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
- 0–63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.
- af11 —Assured Forwarding (AF) class 1, low drop probability (001010)
- af12 —AF class 1, medium drop probability (001100)
- af13 —AF class 1, high drop probability (001110)
- af21 —AF class 2, low drop probability (010010)
- af22 —AF class 2, medium drop probability (010100)
- af23 —AF class 2, high drop probability (010110)
- af31 —AF class 3, low drop probability (011010)
- af32 —AF class 3, medium drop probability (011100)
- af33 —AF class 3, high drop probability (011110)
- af41 —AF class 4, low drop probability (100010)
- af42 —AF class 4, medium drop probability (100100)
- af43 —AF class 4, high drop probability (100110)
- cs1 —Class-selector (CS) 1, precedence 1 (001000)
- cs2 —CS2, precedence 2 (010000)
- cs3 —CS3, precedence 3 (011000)
- cs4 —CS4, precedence 4 (100000)
- cs5 —CS5, precedence 5 (101000)
- cs6 —CS6, precedence 6 (110000)
- cs7 —CS7, precedence 7 (111000)
- default —Default DSCP value (000000)
- ef —Expedited Forwarding (101110)
|
precedence precedence |
(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword, as follows:
- 0–7—Decimal equivalent of the 3 bits of the IP Precedence field. For example, if you specify 3, the rule matches only packets that have the following bits in the DSCP field: 011.
- critical —Precedence 5 (101)
- flash —Precedence 3 (011)
- flash-override —Precedence 4 (100)
- immediate —Precedence 2 (010)
- internet —Precedence 6 (110)
- network —Precedence 7 (111)
- priority —Precedence 1 (001)
- routine —Precedence 0 (000)
|
icmp-message |
(ICMP only: Optional) ICMP message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section. |
igmp-message |
(IGMP only: Optional) IGMP message type that the rule matches. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:
- dvmrp —Distance Vector Multicast Routing Protocol
- host-query —Host query
- host-report —Host report
- pim —Protocol Independent Multicast
- trace —Multicast trace
|
operator port [ port ] |
(Optional; TCP and UDP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
- eq —Matches only if the port in the packet is equal to the port argument.
- gt —Matches only if the port in the packet is greater than and not equal to the port argument.
- lt —Matches only if the port in the packet is less than and not equal to the port argument.
- neq —Matches only if the port in the packet is not equal to the port argument.
- range —Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.
|
flags |
(TCP only; Optional) TCP control bit flags that the rule matches. The value of the flags argument must be one or more of the following keywords:
|
Defaults
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
IPv4 ACL configuration (config-acl)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
When the device applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address network-wildcard
The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
n1000v(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any
- Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
The following example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
n1000v(config-acl)# deny udp 192.168.67.0/24 any
- Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
The following example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
n1000v(config-acl)# deny icmp host 192.168.67.132 any
- Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
ICMP Message Types
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
- administratively-prohibited —Administratively prohibited
- alternate-address —Alternate address
- conversion-error —Datagram conversion
- dod-host-prohibited —Host prohibited
- dod-net-prohibited —Net prohibited
- echo —Echo (ping)
- echo-reply —Echo reply
- general-parameter-problem —Parameter problem
- host-isolated —Host isolated
- host-precedence-unreachable —Host unreachable for precedence
- host-redirect —Host redirect
- host-tos-redirect —Host redirect for ToS
- host-tos-unreachable —Host unreachable for ToS
- host-unknown —Host unknown
- host-unreachable —Host unreachable
- information-reply —Information replies
- information-request —Information requests
- mask-reply —Mask replies
- mask-request —Mask requests
- mobile-redirect —Mobile host redirect
- net-redirect —Network redirect
- net-tos-redirect —Net redirect for ToS
- net-tos-unreachable —Network unreachable for ToS
- net-unreachable —Net unreachable
- network-unknown —Network unknown
- no-room-for-option —Parameter required but no room
- option-missing —Parameter required but not present
- packet-too-big —Fragmentation needed and DF set
- parameter-problem —All parameter problems
- port-unreachable —Port unreachable
- precedence-unreachable —Precedence cutoff
- protocol-unreachable —Protocol unreachable
- reassembly-timeout —Reassembly timeout
- redirect —All redirects
- router-advertisement —Router discovery advertisements
- router-solicitation —Router discovery solicitations
- source-quench —Source quenches
- source-route-failed —Source route failed
- time-exceeded —All time-exceeded messages
- timestamp-reply —Time-stamp replies
- timestamp-request —Time-stamp requests
- traceroute —Traceroute
- ttl-exceeded —TTL exceeded
- unreachable —All unreachables
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp —Border Gateway Protocol (179)
chargen —Character generator (19)
cmd —Remote commands (rcmd, 514)
daytime —Daytime (13)
discard —Discard (9)
domain —Domain Name Service (53)
drip —Dynamic Routing Information Protocol (3949)
echo —Echo (7)
exec —EXEC (rsh, 512)
finger —Finger (79)
ftp —File Transfer Protocol (21)
ftp-data —FTP data connections (20)
gopher —Gopher (70)
hostname —NIC hostname server (101)
ident —Ident Protocol (113)
irc —Internet Relay Chat (194)
klogin —Kerberos login (543)
kshell —Kerberos shell (544)
login —Login (rlogin, 513)
lpd —Printer service (515)
nntp —Network News Transport Protocol (119)
pim-auto-rp —PIM Auto-RP (496)
pop2 —Post Office Protocol v2 (109)
pop3 —Post Office Protocol v3 (110)
smtp —Simple Mail Transport Protocol (25)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
talk —Talk (517)
telnet —Telnet (23)
time —Time (37)
uucp —UNIX-to-UNIX Copy Program (540)
whois —WHOIS/NICNAME (43)
www —World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff —Biff (mail notification, comsat, 512)
bootpc —Bootstrap Protocol (BOOTP) client (68)
bootps —Bootstrap Protocol (BOOTP) server (67)
discard —Discard (9)
dnsix —DNSIX security protocol auditing (195)
domain —Domain Name Service (DNS, 53)
echo —Echo (7)
isakmp —Internet Security Association and Key Management Protocol (500)
mobile-ip —Mobile IP registration (434)
nameserver —IEN116 name service (obsolete, 42)
netbios-dgm —NetBIOS datagram service (138)
netbios-ns —NetBIOS name service (137)
netbios-ss —NetBIOS session service (139)
non500-isakmp —Internet Security Association and Key Management Protocol (4500)
ntp —Network Time Protocol (123)
pim-auto-rp —PIM Auto-RP (496)
rip —Routing Information Protocol (router, in.routed, 520)
snmp —Simple Network Management Protocol (161)
snmptrap —SNMP Traps (162)
sunrpc —Sun Remote Procedure Call (111)
syslog —System Logger (514)
tacacs —TAC Access Control System (49)
talk —Talk (517)
tftp —Trivial File Transfer Protocol (69)
time —Time (37)
who —Who service (rwho, 513)
xdmcp —X Display Manager Control Protocol (177)
Examples
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
n1000v(config)# ip access-list acl-lab-01
n1000v(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16
n1000v(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16
n1000v(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16
n1000v(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16
n1000v(config-acl)# permit ip any any
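The following Python model is an added example, not Cisco code or part of the original command reference. It replays the rule ordering described above (automatic sequence numbers in steps of 10, lowest matching sequence number enforced) and the source and destination forms (wildcard, VLSM, host, any) so that an ACL can be checked offline before it is applied. The names parse_acl and evaluate are hypothetical, ports are numeric only, dscp, precedence and flags are not modelled, and ACL_CONSTRUCTED is sample input built for this example.

```python
import ipaddress

OPS = ("eq", "gt", "lt", "neq", "range")

# Rule lines of acl-lab-01, copied from the example on this page.
ACL_LAB_01 = [
    "deny tcp 10.23.0.0/16 10.176.0.0/16",
    "deny udp 10.23.0.0/16 10.176.0.0/16",
    "deny tcp 192.168.37.0/16 10.176.0.0/16",
    "deny udp 192.168.37.0/16 10.176.0.0/16",
    "permit ip any any",
]

# Constructed sample: the third line carries an explicit sequence number,
# so it is inserted between the first two rules.
ACL_CONSTRUCTED = [
    "deny tcp 192.168.67.0 0.0.0.255 any",
    "permit ip any any",
    "15 deny udp any any range 67 68",
]


def _addr_spec(tok):
    """Consume one source/destination argument; return (base, wildcard) ints."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":                      # same as address/32 or wildcard 0.0.0.0
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    if "/" in first:                         # address and variable-length subnet mask
        iface = ipaddress.ip_interface(first)
        return int(iface.ip), int(iface.network.hostmask)
    # address followed by a network wildcard (1 bits are "don't care")
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))


def _port_spec(tok):
    """Consume an optional 'operator port [port]' clause (numeric ports only)."""
    if not tok or tok[0] not in OPS:
        return None
    op = tok.pop(0)
    lo = int(tok.pop(0))
    hi = int(tok.pop(0)) if op == "range" else lo
    return op, lo, hi


def parse_acl(lines):
    """Parse rule lines in entry order; return rules sorted by sequence number."""
    rules = []
    for line in lines:
        tok = line.split()
        if tok[0].isdigit():
            seq = int(tok.pop(0))
        else:                                # 10 greater than the last rule in the ACL
            seq = max((r["seq"] for r in rules), default=0) + 10
        rule = {"seq": seq, "action": tok.pop(0), "proto": tok.pop(0)}
        rule["src"], rule["sport"] = _addr_spec(tok), _port_spec(tok)
        rule["dst"], rule["dport"] = _addr_spec(tok), _port_spec(tok)
        rules.append(rule)
    return sorted(rules, key=lambda r: r["seq"])


def _addr_ok(spec, ip):
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def _port_ok(spec, port):
    if spec is None:
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo,
            "neq": port != lo, "range": lo <= port <= hi}[op]


def evaluate(rules, proto, src, dst, sport=0, dport=0):
    """Return (sequence, action) of the first matching rule, or None if no
    configured rule matches."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if (_addr_ok(r["src"], src) and _addr_ok(r["dst"], dst)
                and _port_ok(r["sport"], sport) and _port_ok(r["dport"], dport)):
            return r["seq"], r["action"]
    return None


if __name__ == "__main__":
    lab = parse_acl(ACL_LAB_01)
    # A /16 mask on 192.168.37.0 ignores the low 16 bits, so this source
    # outside 192.168.37.x is still denied by rule 40.
    print(evaluate(lab, "udp", "192.168.200.9", "10.176.1.1", 5000, 53))
    print(evaluate(parse_acl(ACL_CONSTRUCTED), "udp", "1.2.3.4", "5.6.7.8", 68, 67))
```

Running the model over acl-lab-01 shows that the /16 mask written with 192.168.37.0 matches every 192.168.x.x source, which is broader than a single 192.168.37.0 subnet.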
Related Commands
|
|
ip access-list |
Configures an IPv4 ACL. |
permit (IPv4) |
Configures a permit rule in an IPv4 ACL. |
remark |
Configures a remark in an IPv4 ACL. |
show ip access-list |
Displays all IPv4 ACLs or one IPv4 ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
deny (IPv6)
To create an IPv6 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
General Syntax
[sequence-number] deny protocol source destination [dscp dscp | log ]
no deny protocol source destination [ dscp dscp | log ]
no sequence-number
Internet Control Message Protocol
[ sequence-number ] deny icmp source destination [ icmp-message ] [ dscp dscp | log ]
Internet Protocol v6
[ sequence-number ] deny ipv6 source destination [ dscp dscp | log ]
Transmission Control Protocol
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ]
User Datagram Protocol
[ sequence-number ] deny udp source [ operator port [ port ] ] destination [ operator port [ port ] ] [ dscp dscp | log ]
Syntax Description
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
protocol |
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
- icmp —Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
- ip —Specifies that the rule applies to all IPv6 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available. They include the following:
– dscp
- tcp —Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments are available, in addition to the keywords that are available for all valid values of the protocol argument.
- udp —Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument is available, in addition to the keywords that are available for all valid values of the protocol argument.
|
source |
Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
dscp dscp |
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
- 0–63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.
- af11 —Assured Forwarding (AF) class 1, low drop probability (001010)
- af12 —AF class 1, medium drop probability (001100)
- af13 —AF class 1, high drop probability (001110)
- af21 —AF class 2, low drop probability (010010)
- af22 —AF class 2, medium drop probability (010100)
- af23 —AF class 2, high drop probability (010110)
- af31 —AF class 3, low drop probability (011010)
- af32 —AF class 3, medium drop probability (011100)
- af33 —AF class 3, high drop probability (011110)
- af41 —AF class 4, low drop probability (100010)
- af42 —AF class 4, medium drop probability (100100)
- af43 —AF class 4, high drop probability (100110)
- cs1 —Class-selector (CS) 1, precedence 1 (001000)
- cs2 —CS2, precedence 2 (010000)
- cs3 —CS3, precedence 3 (011000)
- cs4 —CS4, precedence 4 (100000)
- cs5 —CS5, precedence 5 (101000)
- cs6 —CS6, precedence 6 (110000)
- cs7 —CS7, precedence 7 (111000)
- default —Default DSCP value (000000)
- ef —Expedited Forwarding (101110)
|
icmp-message |
(ICMP only: Optional) ICMP message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section. |
operator port [ port ] |
(Optional; TCP and UDP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
- eq —Matches only if the port in the packet is equal to the port argument.
- gt —Matches only if the port in the packet is greater than and not equal to the port argument.
- lt —Matches only if the port in the packet is less than and not equal to the port argument.
- neq —Matches only if the port in the packet is not equal to the port argument.
- range —Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.
|
flags |
(TCP only; Optional) TCP control bit flags that the rule matches. The value of the flags argument must be one or more of the following keywords:
|
Defaults
A newly created IPv6 ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
IPv6 ACL configuration (config-ipv6-acl)
network-admin
Command History
|
|
5.2(1)SV3(1.1) |
This command was introduced. |
Usage Guidelines
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and network wildcard—You can use an IPv6 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
IPv6-address network-wildcard
The following example shows how to specify the source argument with the IPv6 address and network wildcard for the 2001::1 subnet:
n1000v(config-ipv6-acl)# deny tcp 2001::1 0::0 any
- Address and variable-length subnet mask—You can use an IPv6 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
The following example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:1::100 subnet:
n1000v(config-ipv6-acl)# deny udp 2001:1::100/128 any
- Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:
This syntax is equivalent to IPv6-address /128 and IPv6-address 0:0::0:0
The following example shows how to specify the source argument with the host keyword and the 2001::100 IPv6 address:
n1000v(config-ipv6-acl)# deny icmp host 2001::100 any
- Any address—You can use the any keyword to specify that a source or destination is any IPv6 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
ICMP Message Types
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
- administratively-prohibited —Administratively prohibited
- alternate-address —Alternate address
- conversion-error —Datagram conversion
- dod-host-prohibited —Host prohibited
- dod-net-prohibited —Net prohibited
- echo —Echo (ping)
- echo-reply —Echo reply
- general-parameter-problem —Parameter problem
- host-isolated —Host isolated
- host-precedence-unreachable —Host unreachable for precedence
- host-redirect —Host redirect
- host-tos-redirect —Host redirect for ToS
- host-tos-unreachable —Host unreachable for ToS
- host-unknown —Host unknown
- host-unreachable —Host unreachable
- information-reply —Information replies
- information-request —Information requests
- mask-reply —Mask replies
- mask-request —Mask requests
- mobile-redirect —Mobile host redirect
- net-redirect —Network redirect
- net-tos-redirect —Net redirect for ToS
- net-tos-unreachable —Network unreachable for ToS
- net-unreachable —Net unreachable
- network-unknown —Network unknown
- no-room-for-option —Parameter required but no room
- option-missing —Parameter required but not present
- packet-too-big —Fragmentation needed and DF set
- parameter-problem —All parameter problems
- port-unreachable —Port unreachable
- precedence-unreachable —Precedence cutoff
- protocol-unreachable —Protocol unreachable
- reassembly-timeout —Reassembly timeout
- redirect —All redirects
- router-advertisement —Router discovery advertisements
- router-solicitation —Router discovery solicitations
- source-quench —Source quenches
- source-route-failed —Source route failed
- time-exceeded —All time-exceeded messages
- timestamp-reply —Time-stamp replies
- timestamp-request —Time-stamp requests
- traceroute —Traceroute
- ttl-exceeded —TTL exceeded
- unreachable —All unreachables
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp —Border Gateway Protocol (179)
chargen —Character generator (19)
cmd —Remote commands (rcmd, 514)
daytime —Daytime (13)
discard —Discard (9)
domain —Domain Name Service (53)
drip —Dynamic Routing Information Protocol (3949)
echo —Echo (7)
exec —EXEC (rsh, 512)
finger —Finger (79)
ftp —File Transfer Protocol (21)
ftp-data —FTP data connections (20)
gopher —Gopher (70)
hostname —NIC hostname server (101)
ident —Ident Protocol (113)
irc —Internet Relay Chat (194)
klogin —Kerberos login (543)
kshell —Kerberos shell (544)
login —Login (rlogin, 513)
lpd —Printer service (515)
nntp —Network News Transport Protocol (119)
pim-auto-rp —PIM Auto-RP (496)
pop2 —Post Office Protocol v2 (109)
pop3 —Post Office Protocol v3 (110)
smtp —Simple Mail Transport Protocol (25)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
talk —Talk (517)
telnet —Telnet (23)
time —Time (37)
uucp —UNIX-to-UNIX Copy Program (540)
whois —WHOIS/NICNAME (43)
www —World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff —Biff (mail notification, comsat, 512)
bootpc —Bootstrap Protocol (BOOTP) client (68)
bootps —Bootstrap Protocol (BOOTP) server (67)
discard —Discard (9)
dnsix —DNSIX security protocol auditing (195)
domain —Domain Name Service (DNS, 53)
echo —Echo (7)
isakmp —Internet Security Association and Key Management Protocol (500)
mobile-ip —Mobile IP registration (434)
nameserver —IEN116 name service (obsolete, 42)
netbios-dgm —NetBIOS datagram service (138)
netbios-ns —NetBIOS name service (137)
netbios-ss —NetBIOS session service (139)
non500-isakmp —Internet Security Association and Key Management Protocol (4500)
ntp —Network Time Protocol (123)
pim-auto-rp —PIM Auto-RP (496)
rip —Routing Information Protocol (router, in.routed, 520)
snmp —Simple Network Management Protocol (161)
snmptrap —SNMP Traps (162)
sunrpc —Sun Remote Procedure Call (111)
syslog —System Logger (514)
tacacs —TAC Access Control System (49)
talk —Talk (517)
tftp —Trivial File Transfer Protocol (69)
time —Time (37)
who —Who service (rwho, 513)
xdmcp —X Display Manager Control Protocol (177)
Examples
This example shows how to configure an IPv6 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 2001:100::100 and 2001:200::200 IP addresses to the 2002:100::100 IP address and a final rule that permits all other IPv6 traffic:
n1000v(config)# ipv6 access-list acl-lab-01
n1000v(config-ipv6-acl)# deny tcp 2001:100::100/128 2002:100::100/128
n1000v(config-ipv6-acl)# deny udp 2001:200::200/128 2002:100::100/128
n1000v(config-ipv6-acl)# permit ipv6 any any
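The first-match evaluation and default sequence numbering described above can be checked offline before a rule change is applied. The following Python sketch is an added example, not Cisco code: it models only action, protocol, source and destination (ports, dscp and log are rejected rather than ignored), and the host 2001:300::300 in the change scenario is a constructed value.

```python
import ipaddress
from dataclasses import dataclass

ALL_IPV6 = {"ip", "ipv6"}          # keywords the page uses for "all IPv6 traffic"
ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Rule:
    seq: int
    action: str                    # "deny" or "permit"
    proto: str                     # tcp, udp, icmp, ip or ipv6
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network


def _take_addr(tokens):
    """Consume one source/destination: any | host ADDR | ADDR/LEN."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)


def parse_acl(lines):
    """Parse rule lines and number them as the Syntax Description states."""
    rules = []
    for line in lines:
        tokens = line.split()
        if tokens[0].isdigit():
            seq = int(tokens.pop(0))
        else:
            # No number given: append, 10 above the current last rule.
            seq = max((r.seq for r in rules), default=0) + 10
        action, proto = tokens.pop(0), tokens.pop(0)
        if action not in ("deny", "permit"):
            raise ValueError(f"unsupported action in: {line!r}")
        src, dst = _take_addr(tokens), _take_addr(tokens)
        if tokens:
            raise ValueError(f"options not modelled here: {tokens}")
        rules.append(Rule(seq, action, proto, src, dst))
    return sorted(rules, key=lambda r: r.seq)


def _covers(rule_proto, proto):
    return rule_proto in ALL_IPV6 or rule_proto == proto


def evaluate(rules, proto, src, dst):
    """Return (seq, action) of the first rule the packet satisfies, else None."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for r in rules:                # rules are sorted by sequence number
        if _covers(r.proto, proto) and s in r.src and d in r.dst:
            return r.seq, r.action
    return None                    # no rule matched


def shadowed(rules):
    """List (seq, earlier_seq) for rules fully covered by one earlier rule."""
    found = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (_covers(e.proto, r.proto)
                    and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)):
                found.append((r.seq, e.seq))
                break
    return found


# The acl-lab-01 rules from the example above.
ACL_LAB_01 = [
    "deny tcp 2001:100::100/128 2002:100::100/128",
    "deny udp 2001:200::200/128 2002:100::100/128",
    "permit ipv6 any any",
]
# Constructed change: the same new rule entered without and with a number.
APPENDED = ACL_LAB_01 + ["deny icmp host 2001:300::300 any"]
INSERTED = ACL_LAB_01 + ["25 deny icmp host 2001:300::300 any"]

if __name__ == "__main__":
    for name, acl in (("appended", APPENDED), ("inserted", INSERTED)):
        rules = parse_acl(acl)
        hit = evaluate(rules, "icmp", "2001:300::300", "2002:100::100")
        print(name, [r.seq for r in rules], hit, shadowed(rules))
```
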
Related Commands
|
|
ipv6 access-list |
Configures an IPv6 ACL. |
permit (IPv6) |
Configures a permit rule in an IPv6 ACL. |
remark |
Configures a remark in an IPv6 ACL. |
show ipv6 access-list |
Displays all IPv6 ACLs or one IPv6 ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
deny (MAC)
To create a MAC access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
no deny source destination [ protocol ] [ cos cos-value ] [ vlan vlan-id ]
no sequence-number
Syntax Description
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
source |
Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
protocol |
(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see “MAC Protocols” in the “Usage Guidelines” section. |
cos cos-value |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. |
vlan vlan-id |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the VLAN ID given. The vlan-id argument can be an integer from 1 to 4094. |
Defaults
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
Command Modes
MAC ACL configuration ( config-mac-acl)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
- Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
n1000v(config-acl)# deny 00c0.4f03.0a72 0000.0000.0000 any
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
n1000v(config-acl)# deny any 0060.3e00.0000 0000.0000.0000
- Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.
MAC Protocols
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
- aarp —Appletalk ARP (0x80f3)
- appletalk —Appletalk (0x809b)
- decnet-iv —DECnet Phase IV (0x6003)
- diagnostic —DEC Diagnostic Protocol (0x6005)
- etype-6000 —EtherType 0x6000 (0x6000)
- etype-8042 —EtherType 0x8042 (0x8042)
- ip —Internet Protocol v4 (0x0800)
- lat —DEC LAT (0x6004)
- lavc-sca —DEC LAVC, SCA (0x6007)
- mop-console —DEC MOP Remote console (0x6002)
- mop-dump —DEC MOP dump (0x6001)
- vines-echo —VINES Echo (0x0baf)
Examples
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
n1000v(config)# mac access-list mac-ip-filter
n1000v(config-mac-acl)# deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
n1000v(config-mac-acl)# permit any any
Related Commands
|
|
mac access-list |
Configures a MAC ACL. |
permit (MAC) |
Configures a permit rule in a MAC ACL. |
remark |
Configures a remark in an ACL. |
show mac access-list |
Displays all MAC ACLs or one MAC ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
description (interface)
To add a description for the interface and save it in the running configuration, use the description command. To remove the interface description, use the no form of this command.
description text
no description
Syntax Description
text |
Describes the interface. The maximum number of characters is 80. |
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to add the description for the interface and save it in the running configuration:
n1000v(config-if)# description Ethernet port 3 on module 1
This example shows how to remove the interface description:
n1000v(config-if)# no description Ethernet port 3 on module 1
Related Commands
|
|
interface vethernet |
Creates a virtual Ethernet interface. |
interface port-channel |
Creates a port-channel interface. |
interface ethernet |
Creates an Ethernet interface. |
interface mgmt |
Configure the management interface. |
show interface |
Displays the interface status, including the description. |
description (NetFlow)
To add a description to a flow record, flow monitor, or flow exporter, use the description command. To remove the description, use the no form of this command.
description line
no description
Syntax Description
line |
Description of up to 63 characters. |
Command Modes
NetFlow flow record (config-flow-record)
NetFlow flow exporter (config-flow-exporter)
NetFlow flow monitor (config-flow-monitor)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to add a description to a flow record:
n1000v(config)# flow record RecordTest
n1000v(config-flow-record)# description Ipv4flow
This example shows how to add a description to a flow exporter:
n1000v(config)# flow exporter ExportTest
n1000v(config-flow-exporter)# description ExportHamilton
This example shows how to add a description to a flow monitor:
n1000v(config)# flow monitor MonitorTest
n1000v(config-flow-monitor)# description Ipv4Monitor
Related Commands
|
|
flow exporter |
Creates a Flexible NetFlow flow exporter. |
flow record |
Creates a Flexible NetFlow flow record. |
flow monitor |
Creates a Flexible NetFlow flow monitor. |
show flow exporter |
Displays information about the NetFlow flow exporter. |
show flow record |
Displays information about NetFlow flow records. |
show flow monitor |
Displays information about the NetFlow flow monitor. |
description (Network Segmentation Policy)
To add a description to the network segmentation policy, use the description command. To remove the description, use the no form of this command.
description description
no description [ description ]
Syntax Description
description |
The description of the network segmentation policy. The description can be up to 80 ASCII characters. |
Command Modes
Network Segment Policy configuration (config-network-segment-policy)
network-admin
Command History
|
|
4.2(1)SV1(5.1) |
This command was introduced. |
Examples
This example shows how to add a description to the network segmentation policy:
n1000v# configure terminal
n1000v(config)# network-segment policy abc-policy-vxlan
n1000v(config-network-segment-policy)# description network segmentation policy for ABC for VXLAN networks
n1000v(config-network-segment-policy)#
Related Commands
|
|
network-segment policy |
Creates a network segmentation policy. |
show run network-segment policy |
Displays the network segmentation policy configuration. |
description (Port Profile Role)
To add a description to a port profile role, use the description command. To remove the description, use the no form of this command.
description string
no description
Syntax Description
string |
Describes the role in up to 32 characters. |
Command Modes
Port profile role configuration (config-port-profile-role)
network-admin
Command History
|
|
4.2(1)SV1(4) |
This command was introduced. |
Examples
This example shows how to add a description to a role:
n1000v(config)# port-profile-role adminRole
n1000v(config-port-profile-role)# description adminOnly
This example shows how to remove the role description:
n1000v(config)# port-profile-role adminRole
n1000v(config-role)# no description
Related Commands
|
|
show port-profile-role |
Displays the port profile role configuration, including role names, descriptions, assigned users, and assigned groups. |
show port-profile-role users |
Displays available users and groups. |
show port-profile |
Displays the port profile configuration, including roles assigned to them. |
port-profile-role |
Creates a port profile role. |
user |
Assigns a user to a port profile role. |
group |
Assigns a group to a port profile role. |
assign port-profile-role |
Assigns a port profile role to a specific port profile. |
feature port-profile-role |
Enables support for the restriction of port profile roles. |
port-profile |
Creates a port profile. |
description (QoS)
To add a description to a QoS class map, policy map, or table map, use the description command. To remove the description, use the no form of this command.
description text
no description text
Syntax Description
text |
Description, of up to 200 characters, for the class map or policy map. |
Command Modes
QoS class map configuration (config-cmap-qos)
QoS table map configuration (config-tmap-qos)
QoS policy map configuration (config-pmap-qos)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to add a description to a policy map:
n1000v(config)# policy-map my_policy1
n1000v(config-pmap)# description this policy applies to input packets
Related Commands
|
|
class-map |
Creates or modifies a class map. |
policy-map |
Creates or modifies a policy map. |
table-map |
Creates or modifies a QoS table map. |
description (role)
To add a description for a role, use the description command. To remove a description of a role, use the no form of this command.
description string
no description
Syntax Description
string |
Describes the role. The string can include spaces. |
Command Modes
Role configuration ( config-role)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to add a description to a role:
n1000v(config-role)# description admin
This example shows how to remove the role description:
n1000v(config-role)# no description admin
Related Commands
|
|
username |
Creates a user account including the assignment of a role. |
show role |
Displays a role configuration. |
description (SPAN)
To add a description to a SPAN session, use the description command. To remove the description, use the no form of this command.
description string
no description
Syntax Description
string |
Specifies a description of up to 32 alphanumeric characters. |
Defaults
Blank (no description)
Command Modes
SPAN monitor configuration (config-monitor)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to add a description to a SPAN session:
n1000v(config)# monitor session 8
n1000v(config-monitor)# description span_session_8a
This example shows how to remove a description from a SPAN session:
n1000v(config)# monitor session 8
n1000v(config)# no description span_session_8a
Related Commands
|
|
show monitor session |
Displays session information. |
destination (NetFlow)
To add a destination IP address or VRF to a NetFlow flow exporter, use the destination command. To remove the IP address or VRF, use the no form of this command.
destination { ipaddr | ipv6addr } [ use-vrf vrf_name ]
no destination
Syntax Description
ipaddr |
Destination IP address for collector. |
ipv6addr |
Destination IPv6 address for collector. |
use-vrf vrf_name |
(Optional) Optional VRF label. |
Command Modes
NetFlow flow exporter configuration (config-flow-exporter)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to add a destination IP address to a NetFlow flow exporter:
n1000v(config)# flow exporter ExportTest
n1000v(config-flow-exporter)# destination 192.0.2.1
This example shows how to remove the IP address from a flow exporter:
n1000v(config)# flow exporter ExportTest
n1000v(config-flow-exporter)# no destination 192.0.2.1
Related Commands
|
|
flow exporter |
Creates a Flexible NetFlow flow exporter. |
flow record |
Creates a Flexible NetFlow flow record. |
flow monitor |
Creates a Flexible NetFlow flow monitor. |
show flow exporter |
Displays information about the NetFlow flow exporter. |
show flow record |
Displays information about NetFlow flow records. |
show flow monitor |
Displays information about the NetFlow flow monitor. |
destination interface (SPAN)
To configure the port(s) in a SPAN session to act as destination(s) for copied source packets, use the destination interface command. To remove the destination interface, use the no form of this command.
destination interface type number(s)_or_range
no destination interface type number(s)_or_range
Syntax Description
ethernet slot/port_or_range |
Designates the SPAN destination(s) Ethernet interface(s). |
port-channel number(s)_or_range |
Designates the SPAN destination(s) port channel(s). |
vethernet number(s)_or_range |
Designates the SPAN destination(s) virtual Ethernet interface(s). |
Command Modes
SPAN monitor configuration ( config-monitor)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
SPAN destination ports must already be configured as either access or trunk ports.
SPAN sessions are created in the shut state by default.
When you create a SPAN session that already exists, any additional configuration is added to that session. To make sure the session is cleared of any previous configuration, you can first delete the session by using the no monitor session command.
Examples
This example shows how to configure ethernet interfaces 2/5 and 3/7 in a SPAN session to act as destination(s) for copied source packets:
n1000v(config)# monitor session 8
n1000v(config-monitor)# destination interface ethernet 2/5, ethernet 3/7
This example shows how to remove the SPAN configuration from destination interface ethernet 2/5:
n1000v(config)# monitor session 8
n1000v(config-monitor)# no destination interface ethernet 2/5
Related Commands
|
|
show interface |
Displays the interface trunking configuration for the specified destination interface. |
show monitor |
Displays Ethernet SPAN information. |
monitor session |
Starts the specified SPAN monitor session(s). |
dir
To display the contents of a directory or file, use the dir command.
dir [ bootflash: | debug: | log: | volatile:]
Syntax Description
bootflash: |
(Optional) Directory or filename. |
debug: |
(Optional) Directory or filename on expansion flash. |
log: |
(Optional) Directory or filename on log flash. |
volatile: |
(Optional) Directory or filename on volatile flash. |
Command Modes
Any
network-admin
network-operator
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
Use the pwd command to identify the directory you are currently working in.
Use the cd command to change the directory you are currently working in.
Examples
This example shows how to display the contents of the bootflash: directory
Related Commands
|
|
cd |
Changes the current working directory. |
pwd |
Displays the current working directory. |
disable-loop-detection
To disable the loop detection mechanism to support a redundant routing protocol, use the disable-loop-detection command. To enable the loop detection mechanism, use the no form of this command.
disable-loop-detection { carp | hsrp | vrrp | custom-rp { [ src-mac-range mac_range_start mac_range_end ] [ dest-ip dest_ip ] [ ip-proto proto_no ] [ port port_no ] } }
no disable-loop-detection { carp | hsrp | vrrp | custom-rp { [ src-mac-range mac_range_start mac_range_end ] [ dest-ip dest_ip ] [ ip-proto proto_no ] [ port port_no ] } }
Syntax Description
carp |
Disables loop detection mechanism for Common Address Redundancy Protocol. |
hsrp |
Disables loop detection mechanism for Hot Standby Router Protocol. |
vrrp |
Disables loop detection mechanism for Virtual Router Redundancy Protocol. |
custom-rp |
Disables loop detection mechanism for user defined redundant routing protocol. |
src-mac-range |
(Optional) Source MAC address range for the user defined protocol. |
mac_range_start |
(Optional) Start MAC address. |
mac_range_end |
(Optional) End MAC address. |
dest-ip dest_ip |
(Optional) Destination IP address for the user defined protocol. |
ip-proto proto_no |
(Optional) IP protocol number for the user defined protocol. |
port port_no |
(Optional) UDP or TCP destination port number for the user defined protocol. |
Defaults
By default, the loop detection mechanism is enabled.
Command Modes
Interface configuration (config-if)
Port profile configuration (config-port-prof)
network-admin
Command History
|
|
4.2(1)SV1(5.1) |
This command was introduced. |
Usage Guidelines
- If you configure a vEthernet Interface and a port profile to run multiple protocols on the same virtual machine, then the configuration on the vEthernet Interface overrides the configuration on the port profile.
- Disable IGMP Snooping on both Cisco Nexus 1000 and upstream switches between the servers to support most redundant routing protocols.
- Disable loop detection configuration is not supported on PVLAN ports.
- Disable loop detection configuration is not supported on the port security ports.
Examples
This example shows how to disable loop detection for redundant routing protocols:
n1000v(config)# int veth5
n1000v(config-if)# disable-loop-detection carp
n1000v(config-if)# disable-loop-detection vrrp
n1000v(config-if)# disable-loop-detection hsrp
n1000v(config-if)# disable-loop-detection custom-rp dest-ip 224.0.0.12 port 2234
n1000v# show running-config interface vethernet 5
!Command: show running-config interface Vethernet5
!Time: Fri Nov 4 02:21:24 2011
inherit port-profile vm59
description Fedora117, Network Adapter 2
disable-loop-detection carp
disable-loop-detection custom-rp dest-ip 224.0.0.12 port 2234
disable-loop-detection hsrp
disable-loop-detection vrrp
vmware dvport 32 dvswitch uuid "ea 5c 3b 50 cd 00 9f 55-41 a3 2d 61 84 9e 0e c4"
vmware vm mac 0050.56B3.00B2
Related Commands
|
|
show running-config interface |
Displays the interface configuration. |
domain id
To assign a domain-id, use the domain id command. To remove a domain-id, use the no form of this command.
domain id number
no domain id
Syntax Description
number |
Specifies the domain-id number. The allowable domain IDs are 1 to 4095. |
Command Modes
Domain configuration (config-svs-domain)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
During installation of the Cisco Nexus 1000V the setup utility prompts you to configure a domain, including the domain ID and control and packet VLANs.
Examples
This example shows how to assign a domain id:
n1000v(config)# svs-domain
n1000v(config-svs-domain)# domain id 32
n1000v(config-svs-domain)#
This example shows how to remove the domain-id:
n1000v(config)# svs-domain
n1000v(config-svs-domain)# no domain id
n1000v(config-svs-domain)#
Related Commands
|
|
show svs domain |
Displays domain configuration. |
dscp (NetFlow)
To add a differentiated services codepoint (DSCP) to a NetFlow flow exporter, use the dscp command. To remove the DSCP, use the no form of this command.
dscp value
no dscp
Syntax Description
value |
Specifies a DSCP between 0 and 63. |
Command Modes
NetFlow flow exporter configuration (config-flow-exporter)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Examples
This example shows how to configure DSCP for a NetFlow flow exporter:
n1000v(config)# flow exporter ExportTest
n1000v(config-flow-exporter)# dscp 2
n1000v(config-flow-exporter)#
This example shows how to remove DSCP from the NetFlow flow exporter:
n1000v(config)# flow exporter ExportTest
n1000v(config-flow-exporter)# no dscp 2
n1000v(config-flow-exporter)#
Related Commands
|
|
flow exporter |
Creates a Flexible NetFlow flow exporter. |
flow record |
Creates a Flexible NetFlow flow record. |
flow monitor |
Creates a Flexible NetFlow flow monitor. |
show flow exporter |
Displays information about the NetFlow flow exporter. |
show flow record |
Displays information about NetFlow flow records. |
show flow monitor |
Displays information about the NetFlow flow monitor. |
duplex
To set the duplex mode for an interface to full, half, or autonegotiate, use the duplex command. To revert to the default setting, use the no form of this command.
duplex { full | half | auto }
no duplex [ full | half | auto ]
Syntax Description
full |
Specifies full-duplex mode for the interface. |
half |
Specifies half-duplex mode for the interface. |
auto |
Sets the duplex mode on the interface to autonegotiate with the connecting port. |
Command Modes
Interface configuration (config-if)
network-admin
Command History
|
|
4.0(4)SV1(1) |
This command was introduced. |
Usage Guidelines
When you use the no version of this command, an argument (such as full, half, or auto) is optional. To return to the default duplex setting, you can use either of the following commands (if, for example, the setting had been changed to full):
n1000v(config-if)# no duplex
n1000v(config-if)# no duplex full
Examples
This example shows how to set the Ethernet port 1 on the module in slot 3 to full-duplex mode:
n1000v(config)# interface ethernet 2/1
n1000v(config-if)# duplex full
This example shows how to revert to the default duplex setting for the Ethernet port 1 on the module in slot 3:
n1000v(config)# interface ethernet 2/1
n1000v(config-if)# no duplex
Related Commands
|
|
interface |
Specifies the interface that you are configuring. |
speed |
Sets the speed for the port channel interface. |
show interface |
Displays the interface status, which includes the speed and duplex mode parameters. |