Cisco Nexus 5000 Series Command Reference
Security Commands
Downloads: This chapterpdf (PDF - 708.0KB) The complete bookPDF (PDF - 3.84MB) | Feedback

Security Commands

Table Of Contents

Security Commands

aaa accounting default

aaa authentication login console

aaa authentication login default

aaa authentication login error-enable

aaa authentication login mschap enable

aaa authorization commands default

aaa authorization config-commands default

aaa group server radius

aaa user default-role

action

clear access-list counters

clear accounting log

clear ip arp

deadtime

deny (IPv4)

deny (IPv6)

deny (MAC)

description (user role)

feature

interface policy deny

ip access-list

ip port access-group

ipv6 access-list

ipv6 port traffic-filter

mac access-list

mac port access-group

match

permit (IPv4)

permit (IPv6)

permit (MAC)

permit interface

permit vlan

permit vrf

permit vsan

radius-server deadtime

radius-server directed-request

radius-server host

radius-server key

radius-server retransmit

radius-server timeout

remark

resequence

role feature-group name

role name

rule

server

show aaa accounting

show aaa authentication

show aaa authorization

show aaa groups

show aaa user

show access-lists

show accounting log

show ip access-lists

show ip arp

show ipv6 access-lists

show mac access-lists

show radius-server

show role

show role feature

show role feature-group

show running-config aaa

show running-config radius

show running-config security

show ssh key

show ssh server

show startup-config aaa

show startup-config radius

show startup-config security

show tacacs-server

show telnet server

show user-account

show users

show vlan access-list

show vlan access-map

show vlan filter

ssh

ssh6

ssh key

ssh server enable

storm-control level

tacacs-server deadtime

tacacs-server directed-request

tacacs-server host

tacacs-server key

tacacs-server timeout

telnet

telnet server enable

telnet6

use-vrf

username

vlan access-map

vlan filter

vlan policy deny

vrf policy deny

vsan policy deny


Security Commands


This chapter describes the Cisco NX-OS security commands available on Cisco Nexus 5000 Series switches.

aaa accounting default

To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.

aaa accounting default {group {group-list} | local}

no aaa accounting default {group {group-list} | local}

Syntax Description

group

Specifies that a server group be used for accounting.

group-list

Space-delimited list that specifies one or more configured RADIUS server groups.

local

Specifies that the local database be used for accounting.


Command Default

The local database is the default.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The group group-list method refers to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

If you specify the group method, or local method and they fail, then the accounting authentication can fail.

Examples

This example shows how to configure any RADIUS server for AAA accounting:

switch(config)# aaa accounting default group 

Related Commands

Command
Description

aaa group server radius

Configures AAA RADIUS server groups.

radius-server host

Configures RADIUS servers.

show aaa accounting

Displays AAA accounting status information.

tacacs-server host

Configures TACACS+ servers.


aaa authentication login console

To configure authentication, authorization, and accounting (AAA) authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.

aaa authentication login console {group group-list} [none] | local | none}

no aaa authentication login console {group group-list [none] | local | none}

Syntax Description

group

Specifies to use a server group for authentication.

group-list

Space-separated list of RADIUS or TACACS+ server groups. The list can include the following:

radius for all configured RADIUS servers.

tacacs+ for all configured TACACS+ servers.

Any configured RADIUS or TACACS+ server group name.

none

(Optional) Specifies to use the username for authentication.

local

(Optional) Specifies to use the local database for authentication.


Command Default

The local database

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

If you specify the group method or local method and they fail, then the authentication can fail. If you specify the none method alone or after the group method, then the authentication always succeeds.

Examples

This example shows how to configure the AAA authentication console login method:

switch(config)# aaa authentication login console group radius 

This example shows how to revert to the default AAA authentication console login method:

switch(config)# no aaa authentication login console group radius 

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays AAA authentication information.

tacacs-server host

Configures TACACS+ servers.


aaa authentication login default

To configure the default authentication, authorization, and accounting (AAA) authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.

aaa authentication login default {group group-list} [none] | local | none}

no aaa authentication login default {group group-list} [none] | local | none}

Syntax Description

group

Specifies that a server group be used for authentication.

group-list

Space-separated list of RADIUS or TACACS+ server groups that can include the following:

radius for all configured RADIUS servers.

tacacs+ for all configured TACACS+ servers.

Any configured RADIUS or TACACS+ server group name.

none

(Optional) Specifies that the username be used for authentication.

local

(Optional) Specifies that the local database be used for authentication.


Command Default

The local database

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

If you specify the group method or local method and they fail, then the authentication fails. If you specify the none method alone or after the group method, then the authentication always succeeds.

Examples

This example shows how to configure the AAA authentication console login method:

switch(config)# aaa authentication login default group radius 

This example shows how to revert to the default AAA authentication console login method:

switch(config)# no aaa authentication login default group radius 

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays AAA authentication information.

tacacs-server host

Configures TACACS+ servers.


aaa authentication login error-enable

To configure that the authentication, authorization, and accounting (AAA) authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.

aaa authentication login error-enable

no aaa authentication login error-enable

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In this situation, the following message is displayed if you have enabled the displaying of login failure messages:

Remote AAA servers unreachable; local authentication done. 
Remote AAA servers unreachable; local authentication failed. 

Examples

This example shows how to enable the display of AAA authentication failure messages to the console:

switch(config)# aaa authentication login error-enable 

This example shows how to disable the display of AAA authentication failure messages to the console:

switch(config)# no aaa authentication login error-enable 

Related Commands

Command
Description

show aaa authentication

Displays the status of the AAA authentication failure message display.


aaa authentication login mschap enable

To enable Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.

aaa authentication login mschap enable

no aaa authentication login mschap enable

Syntax Description

This command has no arguments or keywords.

Command Default

Disabled

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to enable MS-CHAP authentication:

switch(config)# aaa authentication login mschap enable 

This example shows how to disable MS-CHAP authentication:

switch(config)# no aaa authentication login mschap enable 

Related Commands

Command
Description

show aaa authentication

Displays the status of MS-CHAP authentication.


aaa authorization commands default

To configure default authentication, authorization, and accounting (AAA) authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.

aaa authorization commands default [group group-list] [local | none]

no aaa authorization commands default [group group-list] [local | none]

Syntax Description

group

(Optional) Specifies to use a server group for authorization.

group-list

List of server groups.

The list can include the following:

tacacs+ for all configured TACACS+ servers.

Any configured TACACS+ server group name.

The name can be a space-separated list of server groups, and a maximum of 127 characters.

local

(Optional) Specifies to use the local role-based database for authorization.

none

(Optional) Specifies to use no database for authorization.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.2(1)N1(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.

The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.

If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.

Examples

This example shows how to configure the default AAA authorization methods for EXEC commands:

switch(config)# aaa authorization commands default group TacGroup local 
switch(config)# 

This example shows how to revert to the default AAA authorization methods for EXEC commands:

switch(config)# no aaa authorization commands default group TacGroup local 
switch(config)# 

Related Commands

Command
Description

aaa authorization config-commands default

Configures default AAA authorization methods for configuration commands.

aaa server group

Configures AAA server groups.

feature tacacs+

Enables the TACACS+ feature.

show aaa authorization

Displays the AAA authorization configuration.

tacacs-server host

Configures a TACACS+ server.


aaa authorization config-commands default

To configure the default authentication, authorization, and accounting (AAA) authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.

aaa authorization config-commands default [group group-list] [local | none]

no aaa authorization config-commands default [group group-list] [local | none]

Syntax Description

group

(Optional) Specifies to use a server group for authorization.

group-list

List of server groups.

The list can include the following:

tacacs+ for all configured TACACS+ servers.

Any configured TACACS+ server group name.

The name can be a space-separated list of server groups, and a maximum of 127 characters.

local

(Optional) Specifies to use the local role-based database for authorization.

none

(Optional) Specifies to use no database for authorization.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.2(1)N1(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.

The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.

If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.

Examples

This example shows how to configure the default AAA authorization methods for configuration commands:

switch(config)# aaa authorization config-commands default group TacGroup local 
switch(config)# 

This example shows how to revert to the default AAA authorization methods for configuration commands:

switch(config)# no aaa authorization config-commands default group TacGroup local 
switch(config)# 

Related Commands

Command
Description

aaa authorization commands default

Configures default AAA authorization methods for EXEC commands.

aaa server group

Configures AAA server groups.

feature tacacs+

Enables the TACACS+ feature.

show aaa authorization

Displays the AAA authorization configuration.

tacacs-server host

Configures a TACACS+ server.


aaa group server radius

To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.

aaa group server radius group-name

no aaa group server radius group-name

Syntax Description

group-name

RADIUS server group name.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:

switch(config)# aaa group server radius RadServer 
switch(config-radius)#

This example shows how to delete a RADIUS server group:

switch(config)# no aaa group server radius RadServer 

Related Commands

Command
Description

show aaa groups

Displays server group information.


aaa user default-role

To enable the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the aaa user default-role command. To disable the default role, use the no form of this command.

aaa user default-role

no aaa user default-role

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to enable the default role assigned by the AAA server administrator for remote authentication:

switch# aaa user default-role 
switch# 

This example shows how to disable the default role assigned by the AAA server administrator for remote authentication:

switch# no aaa user default-role 
switch# 

Related Commands

Command
Description

show aaa user default-role

Displays the status of the default user for remote authentication.

show aaa authentication

Displays AAA authentication information.


action

To specify what the switch does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.

action {drop forward}

no action {drop forward}

Syntax Description

drop

Specifies that the switch drops the packet.

forward

Specifies that the switch forwards the packet to its destination port.


Command Default

None

Command Modes

VLAN access-map configuration

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The action command specifies the action that the device takes when a packet matches the conditions in the ACL specified by the match command.

Examples

This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:

switch(config)# vlan access-map vlan-map-01 
switch(config-access-map)# match ip address ip-acl-01 
switch(config-access-map)# action forward 
switch(config-access-map)# statistics 

Related Commands

Command
Description

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

statistics

Enables statistics for an access control list or VLAN access map.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.


clear access-list counters

To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear access-list counters command.

clear access-list counters [access-list-name]

Syntax Description

access-list-name

(Optional) Name of the IPv4 ACL whose counters the switch clears. The name can be a maximum of 64 alphanumeric characters.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to clear counters for all IPv4 ACLs:

switch# clear access-list counters 

This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:

switch# clear access-list counters acl-ipv4-01 

Related Commands

Command
Description

access-class

Applies an IPv4 ACL to a VTY line.

ip access-group

Applies an IPv4 ACL to an interface.

ip access-list

Configures an IPv4 ACL.

show access-lists

Displays information about one or all IPv4, IPv6, and MAC ACLs.

show ip access-lists

Displays information about one or all IPv4 ACLs.


clear accounting log

To clear the accounting log, use the clear accounting log command.

clear accounting log

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to clear the accounting log:

switch# clear accounting log 

Related Commands

Command
Description

show accounting log

Displays the accounting log contents.


clear ip arp

To clear the Address Resolution Protocol (ARP) table and statistics, use the clear ip arp command.

clear ip arp [vlan vlan-id [force-delete | vrf {vrf-name | all | default | management}]]

Syntax Description

vlan vlan-id

(Optional) Clears the ARP information for a specified VLAN. The range is from 1 to 4094, except for the VLANs reserved for internal use.

force-delete

(Optional) Clears the entries from ARP table without refresh.

vrf

(Optional) Specifies the virtual routing and forwarding (VRF) to clear from the ARP table.

vrf-name

VRF name. The name can be a maximum of 32 alphanumeric characters and is case sensitive.

all

Specifies that all VRF entries be cleared from the ARP table.

default

Specifies that the default VRF entry be cleared from the ARP table.

management

Specifies that the management VRF entry be cleared from the ARP table.


Command Default

None

Command Modes

Any command mode

Command History

Release
Modification

4.2(1)N1(1)

This command was introduced.


Examples

This example shows how to clear the ARP table statistics:

switch# clear ip arp 
switch# 

This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf:

switch# clear ip arp vlan 10 vrf vlan-vrf 
switch# 

Related Commands

Command
Description

show ip arp

Displays the ARP configuration status.


deadtime

To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.

deadtime minutes

no deadtime minutes

Syntax Description

minutes

Number of minutes for the interval. The range is from 0 to 1440 minutes. Setting the dead-time interval to 0 disables the timer.


Command Default

0 minutes

Command Modes

RADlUS server group configuration

TACACS+ server group configuration

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You must use the feature tacacs+ command before you configure TACACS.

Examples

This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:

switch(config)# aaa group server radius RadServer
switch(config-radius)# deadtime 2

This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# deadtime 5

This example shows how to revert to the dead-time interval default:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no deadtime 5

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

feature tacacs+

Enables TACACS+.

radius-server host

Configures a RADIUS server.

show radius-server groups

Displays RADIUS server group information.

show tacacs-server groups

Displays TACACS+ server group information.

tacacs-server host

Configures a TACACS+ server.


deny (IPv4)

To create an IPv4 access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] deny protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

no deny protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

no sequence-number

Internet Control Message Protocol

[sequence-number] deny icmp source destination [icmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Internet Group Management Protocol

[sequence-number] deny igmp source destination [igmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Internet Protocol v4

[sequence-number] deny ip source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Transmission Control Protocol

[sequence-number] deny tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name] [flags] [established]

User Datagram Protocol

[sequence-number] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

protocol

Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:

icmp—Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

igmp—Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-type argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

ip—Specifies that the rule applies to all IPv4 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv4 protocols are available. They include the following:

dscp

fragments

log

precedence

time-range

tcp—Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.

udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

source

Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

dscp dscp

(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:

0-63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.

af11—Assured Forwarding (AF) class 1, low drop probability (001010)

af12—AF class 1, medium drop probability (001100)

af13—AF class 1, high drop probability (001110)

af21—AF class 2, low drop probability (010010)

af22—AF class 2, medium drop probability (010100)

af23—AF class 2, high drop probability (010110)

af31—AF class 3, low drop probability (011010)

af32—AF class 3, medium drop probability (011100)

af33—AF class 3, high drop probability (011110)

af41—AF class 4, low drop probability (100010)

af42—AF class 4, medium drop probability (100100)

af43—AF class 4, high drop probability (100110)

cs1—Class-selector (CS) 1, precedence 1 (001000)

cs2—CS2, precedence 2 (010000)

cs3—CS3, precedence 3 (011000)

cs4—CS4, precedence 4 (100000)

cs5—CS5, precedence 5 (101000)

cs6—CS6, precedence 6 (110000)

cs7—CS7, precedence 7 (111000)

default—Default DSCP value (000000)

ef—Expedited Forwarding (101110)

precedence precedence

(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword as follows:

0-7—Decimal equivalent of the 3 bits of the IP Precedence field. For example, if you specify 3, the rule matches only packets that have the following bits in the DSCP field: 011.

critical—Precedence 5 (101)

flash—Precedence 3 (011)

flash-override—Precedence 4 (100)

immediate—Precedence 2 (010)

internet—Precedence 6 (110)

network—Precedence 7 (111)

priority—Precedence 1 (001)

routine—Precedence 0 (000)

fragments

(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.

icmp-message

(Optional; IGMP only) Rule that matches only packets of the specified ICMP message type. This argument can be an integer from 0 to 255 or one of the keywords listed under "ICMP Message Types" in the "Usage Guidelines" section.

igmp-message

(Optional; IGMP only) Rule that matches only packets of the specified IGMP message type. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:

dvmrp—Distance Vector Multicast Routing Protocol

host-query—Host query

host-report—Host report

pim—Protocol Independent Multicast

trace—Multicast trace

operator port [port]

(Optional; TCP and UDP only) Rule that matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument.

The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines" section.

A second port argument is required only when the operator argument is a range.

The operator argument must be one of the following keywords:

eq—Matches only if the port in the packet is equal to the port argument.

gt—Matches only if the port in the packet is greater than the port argument.

lt—Matches only if the port in the packet is less than the port argument.

neq—Matches only if the port in the packet is not equal to the port argument.

range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.

portgroup portgroup

(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument.

Use the object-group ip port command to create and change IP port-group objects.

flags

(Optional; TCP only) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:

ack

fin

psh

rst

syn

urg

established

(Optional; TCP only) Specifies that the rule matches only packets that belong to an established TCP connection. The switch considers TCP packets with the ACK or RST bits set to belong to an established connection.


Command Default

A newly created IPv4 ACL contains no rules.

If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

IPv4 ACL configuration

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address network-wildcard  

This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:

switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any  

Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address/prefix-len  

This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:

switch(config-acl)# deny udp 192.168.67.0/24 any  

Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:

host IPv4-address  

This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.

This example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:

switch(config-acl)# deny icmp host 192.168.67.132 any  

Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.

ICMP Message Types

The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:

administratively-prohibited—Administratively prohibited

alternate-address—Alternate address

conversion-error—Datagram conversion

dod-host-prohibited—Host prohibited

dod-net-prohibited—Net prohibited

echo—Echo (ping)

echo-reply—Echo reply

general-parameter-problem—Parameter problem

host-isolated—Host isolated

host-precedence-unreachable—Host unreachable for precedence

host-redirect—Host redirect

host-tos-redirect—Host redirect for ToS

host-tos-unreachable—Host unreachable for ToS

host-unknown—Host unknown

host-unreachable—Host unreachable

information-reply—Information replies

information-request—Information requests

mask-reply—Mask replies

mask-request—Mask requests

mobile-redirect—Mobile host redirect

net-redirect—Network redirect

net-tos-redirect—Net redirect for ToS

net-tos-unreachable—Network unreachable for ToS

net-unreachable—Net unreachable

network-unknown—Network unknown

no-room-for-option—Parameter required but no room

option-missing—Parameter required but not present

packet-too-big—Fragmentation needed and DF set

parameter-problem—All parameter problems

port-unreachable—Port unreachable

precedence-unreachable—Precedence cutoff

protocol-unreachable—Protocol unreachable

reassembly-timeout—Reassembly timeout

redirect—All redirects

router-advertisement—Router discovery advertisements

router-solicitation—Router discovery solicitations

source-quench—Source quenches

source-route-failed—Source route failed

time-exceeded—All time-exceeded messages

timestamp-reply—Time-stamp replies

timestamp-request—Time-stamp requests

traceroute—Traceroute

ttl-exceeded—TTL exceeded

unreachable—All unreachables

TCP Port Names

When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

bgp—Border Gateway Protocol (179)

chargen—Character generator (19)

cmd—Remote commands (rcmd, 514)

daytime—Daytime (13)

discard—Discard (9)

domain—Domain Name Service (53)

drip—Dynamic Routing Information Protocol (3949)

echo—Echo (7)

exec—EXEC (rsh, 512)

finger—Finger (79)

ftp—File Transfer Protocol (21)

ftp-data—FTP data connections (2)

gopher—Gopher (7)

hostname—NIC hostname server (11)

ident—Ident Protocol (113)

irc—Internet Relay Chat (194)

klogin—Kerberos login (543)

kshell—Kerberos shell (544)

login—Login (rlogin, 513)

lpd—Printer service (515)

nntp—Network News Transport Protocol (119)

pim-auto-rp—PIM Auto-RP (496)

pop2—Post Office Protocol v2 (19)

pop3—Post Office Protocol v3 (11)

smtp—Simple Mail Transport Protocol (25)

sunrpc—Sun Remote Procedure Call (111)

tacacs—TAC Access Control System (49)

talk—Talk (517)

telnet—Telnet (23)

time—Time (37)

uucp—Unix-to-Unix Copy Program (54)

whois—WHOIS/NICNAME (43)

www—World Wide Web (HTTP, 8)

UDP Port Names

When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

biff—Biff (mail notification, comsat, 512)

bootpc—Bootstrap Protocol (BOOTP) client (68)

bootps—Bootstrap Protocol (BOOTP) server (67)

discard—Discard (9)

dnsix—DNSIX security protocol auditing (195)

domain—Domain Name Service (DNS, 53)

echo—Echo (7)

isakmp—Internet Security Association and Key Management Protocol (5)

mobile-ip—Mobile IP registration (434)

nameserver—IEN116 name service (obsolete, 42)

netbios-dgm—NetBIOS datagram service (138)

netbios-ns—NetBIOS name service (137)

netbios-ss—NetBIOS session service (139)

non500-isakmp—Internet Security Association and Key Management Protocol (45)

ntp—Network Time Protocol (123)

pim-auto-rp—PIM Auto-RP (496)

rip—Routing Information Protocol (router, in.routed, 52)

snmp—Simple Network Management Protocol (161)

snmptrap—SNMP Traps (162)

sunrpc—Sun Remote Procedure Call (111)

syslog—System Logger (514)

tacacs—TAC Access Control System (49)

talk—Talk (517)

tftp—Trivial File Transfer Protocol (69)

time—Time (37)

who—Who service (rwho, 513)

xdmcp—X Display Manager Control Protocol (177)

Examples

This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:

switch(config)# ip access-list acl-lab-01 
switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16 
switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16 
switch(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16 
switch(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16 
switch(config-acl)# permit ip any any 

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

permit (IPv4)

Configures a permit rule in an IPv4 ACL.

remark

Configures a remark in an IPv4 ACL.

show ip access-list

Displays all IPv4 ACLs or one IPv4 ACL.


deny (IPv6)

To create an IPv6 access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.To create an IPv6 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] deny protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

no deny protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

no sequence-number

Internet Control Message Protocol

[sequence-number | no] deny icmp source destination [icmp-message] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Internet Protocol v6

[sequence-number] deny ipv6 source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Stream Control Transmission Protocol

[sequence-number | no] deny sctp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Transmission Control Protocol

[sequence-number] deny tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name] [flags] [established]

User Datagram Protocol

[sequence-number | no] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

protocol

Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:

ahp—Specifies that the rule applies to Authentication Header Protocol (AHP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

esp—Specifies that the rule applies to Encapsulating Security Payload (ESP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

icmp—Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

ipv6—Specifies that the rule applies to all IPv6 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

pcp—Specifies that the rule applies to Payload Compression Protocol (PCP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

sctp—Specifies that the rule applies to Stream Control Transmission Protocol (SCTP) traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

tcp—Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.

udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

source

Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

dscp dscp

(Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be one of the following numbers or keywords:

0-63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only packets that have the following bits in the DSCP field: 001010.

af11—Assured Forwarding (AF) class 1, low drop probability (001010)

af12—AF class 1, medium drop probability (001100)

af13—AF class 1, high drop probability (001110)

af21—AF class 2, low drop probability (010010)

af22—AF class 2, medium drop probability (010100)

af23—AF class 2, high drop probability (010110)

af31—AF class 3, low drop probability (011010)

af32—AF class 3, medium drop probability (011100)

af33—AF class 3, high drop probability (011110)

af41—AF class 4, low drop probability (100010)

af42—AF class 4, medium drop probability (100100)

af43—AF class 4, high drop probability (100110)

cs1—Class-selector (CS) 1, precedence 1 (001000)

cs2—CS2, precedence 2 (010000)

cs3—CS3, precedence 3 (011000)

cs4—CS4, precedence 4 (100000)

cs5—CS5, precedence 5 (101000)

cs6—CS6, precedence 6 (110000)

cs7—CS7, precedence 7 (111000)

default—Default DSCP value (000000)

ef—Expedited Forwarding (101110)

flow-label flow-label-value

(Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.

fragments

(Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments.

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.

icmp-message

(ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under "ICMPv6 Message Types" in the "Usage Guidelines" section.

operator port [port]

(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument.

The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines" section.

A second port argument is required only when the operator argument is a range.

The operator argument must be one of the following keywords:

eq—Matches only if the port in the packet is equal to the port argument.

gt—Matches only if the port in the packet is greater than the port argument.

lt—Matches only if the port in the packet is less than the port argument.

neq—Matches only if the port in the packet is not equal to the port argument.

range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.

portgroup portgroup

(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument.

Use the object-group ip port command to create and change IP port-group objects.

flags

(TCP only; Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:

ack

fin

psh

rst

syn

urg

established

(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection.


Command Default

None

Command Modes

IPv6 ACL configuration

Command History

Release
Modification

4.0(1a)N1(1)

This command was introduced.


Usage Guidelines

A newly created IPv6 ACL contains no rules.

When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and variable-length subnet mask—You can use an IPv6 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv6-address/prefix-len 

This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:

switch(config-acl)# deny udp 2001:0db8:85a3::/48 any 

Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:

host IPv6-address 

This syntax is equivalent to IPv6-address/128.

This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:

switch(config-acl)# deny icmp host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 any 

Any address—You can use the any keyword to specify that a source or destination is any IPv6 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.

ICMPv6 Message Types

The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the following keywords:

beyond-scope—Destination beyond scope

destination-unreachable—Destination address is unreachable

echo-reply—Echo reply

echo-request—Echo request (ping)

header—Parameter header problems

hop-limit—Hop limit exceeded in transit

mld-query—Multicast Listener Discovery Query

mld-reduction—Multicast Listener Discovery Reduction

mld-report—Multicast Listener Discovery Report

nd-na—Neighbor discovery neighbor advertisements

nd-ns—Neighbor discovery neighbor solicitations

next-header—Parameter next header problems

no-admin—Administration prohibited destination

no-route—No route to destination

packet-too-big—Packet too big

parameter-option—Parameter option problems

parameter-problem—All parameter problems

port-unreachable—Port unreachable

reassembly-timeout—Reassembly timeout

redirect—Neighbor redirect

renum-command—Router renumbering command

renum-result—Router renumbering result

renum-seq-number—Router renumbering sequence number reset

router-advertisement—Neighbor discovery router advertisements

router-renumbering—All router renumbering

router-solicitation—Neighbor discovery router solicitations

time-exceeded—All time exceeded messages

unreachable—All unreachable

TCP Port Names

When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

bgp—Border Gateway Protocol (179)

chargen—Character generator (19)

cmd—Remote commands (rcmd, 514)

daytime—Daytime (13)

discard—Discard (9)

domain—Domain Name Service (53)

drip—Dynamic Routing Information Protocol (3949)

echo—Echo (7)

exec—Exec (rsh, 512)

finger—Finger (79)

ftp—File Transfer Protocol (21)

ftp-data—FTP data connections (2)

gopher—Gopher (7)

hostname—NIC hostname server (11)

ident—Ident Protocol (113)

irc—Internet Relay Chat (194)

klogin—Kerberos login (543)

kshell—Kerberos shell (544)

login—Login (rlogin, 513)

lpd—Printer service (515)

nntp—Network News Transport Protocol (119)

pim-auto-rp—PIM Auto-RP (496)

pop2—Post Office Protocol v2 (19)

pop3—Post Office Protocol v3 (11)

smtp—Simple Mail Transport Protocol (25)

sunrpc—Sun Remote Procedure Call (111)

tacacs—TAC Access Control System (49)

talk—Talk (517)

telnet—Telnet (23)

time—Time (37)

uucp—Unix-to-Unix Copy Program (54)

whois—WHOIS/NICNAME (43)

www—World Wide Web (HTTP, 8)

UDP Port Names

When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

biff—Biff (mail notification, comsat, 512)

bootpc—Bootstrap Protocol (BOOTP) client (68)

bootps—Bootstrap Protocol (BOOTP) server (67)

discard—Discard (9)

dnsix—DNSIX security protocol auditing (195)

domain—Domain Name Service (DNS, 53)

echo—Echo (7)

isakmp—Internet Security Association and Key Management Protocol (5)

mobile-ip—Mobile IP registration (434)

nameserver—IEN116 name service (obsolete, 42)

netbios-dgm—NetBIOS datagram service (138)

netbios-ns—NetBIOS name service (137)

netbios-ss—NetBIOS session service (139)

non500-isakmp—Internet Security Association and Key Management Protocol (45)

ntp—Network Time Protocol (123)

pim-auto-rp—PIM Auto-RP (496)

rip—Routing Information Protocol (router, in.routed, 52)

snmp—Simple Network Management Protocol (161)

snmptrap—SNMP Traps (162)

sunrpc—Sun Remote Procedure Call (111)

syslog—System Logger (514)

tacacs—TAC Access Control System (49)

talk—Talk (517)

tftp—Trivial File Transfer Protocol (69)

time—Time (37)

who—Who service (rwho, 513)

xdmcp—X Display Manager Control Protocol (177)

Examples

This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:

switch# configure terminal 
switch(config)# ipv6 access-list acl-lab13-ipv6 
switch(config-ipv6-acl)# deny tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64

This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that denies all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:

switch# configure terminal
switch(config)# ipv6 access-list ipv6-eng-to-marketing 
switch(config-ipv6-acl)# deny ipv6 addrgroup eng_ipv6 addrgroup marketing_group

Related Commands

Command
Description

ipv6 access-list

Configures an IPv6 ACL.

permit (IPv6)

Configures a permit rule in an IPv6 ACL.

remark

Configures a remark in an ACL.

time-range

Configures a time range.


deny (MAC)

To create a Media Access Control (MAC) access control list (ACL)+ rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.

[sequence-number] deny source destination [protocol] [cos cos-value] [vlan vlan-id]

no deny source destination [protocol] [cos cos-value] [vlan vlan-id]

no sequence-number

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

source

Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

protocol

(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see "MAC Protocols" in the "Usage Guidelines" section.

cos cos-value

(Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the class of service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7.

vlan vlan-id

(Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the VLAN ID given. The vlan-id argument can be an integer from 1 to 4094.


Command Default

A newly created MAC ACL contains no rules.

If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

MAC ACL configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

When the switch applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:

MAC-address MAC-mask  

This example specifies the source argument with the MAC address 00c0.4f03.0a72:

switch(config-acl)# deny 00c0.4f03.0a72 0000.0000.0000 any  

This example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:

switch(config-acl)# deny any 0060.3e00.0000 0000.0000.0000  

Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.

MAC Protocols

The protocol argument can be the MAC protocol number or a keyword. Protocol numbers are a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:

aarp—Appletalk ARP (0x80f3)

appletalk—Appletalk (0x809b)

decnet-iv—DECnet Phase IV (0x6003)

diagnostic—DEC Diagnostic Protocol (0x6005)

etype-6000—EtherType 0x6000 (0x6000)

etype-8042—EtherType 0x8042 (0x8042)

ip—Internet Protocol v4 (0x0800)

lat—DEC LAT (0x6004)

lavc-sca—DEC LAVC, SCA (0x6007)

mop-console—DEC MOP Remote console (0x6002)

mop-dump—DEC MOP dump (0x6001)

vines-echo—VINES Echo (0x0baf)

Examples

This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:

switch(config)# mac access-list mac-ip-filter 
switch(config-mac-acl)# deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff 
ip 
switch(config-mac-acl)# permit any any 

Related Commands

Command
Description

mac access-list

Configures a MAC ACL.

permit (MAC)

Configures a deny rule in a MAC ACL.

remark

Configures a remark in an ACL.

show mac access-list

Displays all MAC ACLs or one MAC ACL.


description (user role)

To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.

description text

no description

Syntax Description

text

Text string that describes the user role. The maximum length is 128 alphanumeric characters.


Command Default

None

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can include blank spaces in the user role description text.

Examples

This example shows how to configure the description for a user role:

switch(config)# role name MyRole 
switch(config-role)# description User role for my user account. 

This example shows how to remove the description from a user role:

switch(config)# role name MyRole 
switch(config-role)# no description 

Related Commands

Command
Description

show role

Displays information about the user role configuration.


feature

To configure a feature in a user role feature group, use the feature command. To delete a feature in a user role feature group, use the no form of this command.

feature feature-name

no feature feature-name

Syntax Description

feature-name

Switch feature name as listed in the show role feature command output.


Command Default

None

Command Modes

User role feature group configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

Use the show role feature command to list the valid feature names to use in this command.

Examples

This example shows how to add features to a user role feature group:

switch(config)# role feature-group name SecGroup 
switch(config-role-featuregrp)# feature aaa 
switch(config-role-featuregrp)# feature radius 
switch(config-role-featuregrp)# feature tacacs 

This example shows how to remove a feature from a user role feature group:

switch(config)# role feature-group name MyGroup 
switch(config-role-featuregrp)# no feature callhome 

Related Commands

Command
Description

role feature-group name

Creates or configures a user role feature group.

show role feature-group

Displays the user role feature groups.


interface policy deny

To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.

interface policy deny

no interface policy deny

Syntax Description

This command has no arguments or keywords.

Command Default

All interfaces

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to enter interface policy configuration mode for a user role:

switch(config)# role name MyRole 
switch(config-role)# interface policy deny 
switch(config-role-interface)# 

This example shows how to revert to the default interface policy for a user role:

switch(config)# role name MyRole 
switch(config-role)# no interface policy deny 

Related Commands

Command
Description

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


ip access-list

To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.

ip access-list access-list-name

no ip access-list access-list-name

Syntax Description

access-list-name

Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.


Command Default

No IPv4 ACLs are defined by default.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

Use IPv4 ACLs to filter IPv4 traffic.

When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.

Use the ip access-group command to apply the ACL to an interface.

Every IPv4 ACL has the following implicit rule as its last rule:

deny ip any any  

This implicit rule ensures that the switch denies unmatched IP traffic.

IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), which is the IPv4 equivalent of the IPv6 neighbor discovery process, uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.

Examples

This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:

switch(config)# ip access-list ip-acl-01 
switch(config-acl)#

Related Commands

Command
Description

access-class

Applies an IPv4 ACL to a VTY line.

deny (IPv4)

Configures a deny rule in an IPv4 ACL.

ip access-group

Applies an IPv4 ACL to an interface.

permit (IPv4)

Configures a permit rule in an IPv4 ACL.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.


ip port access-group

To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.

ip port access-group access-list-name in

no ip port access-group access-list-name in

Syntax Description

access-list-name

Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long.

in

Specifies that the ACL applies to inbound traffic.


Command Default

None

Command Modes

Interface configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

By default, no IPv4 ACLs are applied to an interface.

You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:

Layer 2 Ethernet interfaces

Layer 2 EtherChannel interfaces

You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.

The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.

If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Examples

This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:

switch(config)# interface ethernet 1/2 
switch(config-if)# ip port access-group ip-acl-01 in 

This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:

switch(config)# interface ethernet 1/2 
switch(config-if)# no ip port access-group ip-acl-01 in 

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

show access-lists

Displays all ACLs.

show ip access-lists

Shows either a specific IPv4 ACL or all IPv4 ACLs.

show running-config interface

Shows the running configuration of all interfaces or of a specific interface.


ipv6 access-list

To create an IPv6 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ipv6 access-list command. To remove an IPv6 ACL, use the no form of this command.

ipv6 access-list access-list-name

no ipv6 access-list access-list-name

Syntax Description

access-list-name

Name of the IPv6 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.


Command Default

No IPv6 ACLs are defined by default.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(1a)N1(1)

This command was introduced.


Usage Guidelines

Use IPv6 ACLs to filter IPv6 traffic.

When you use the ipv6 access-list command, the switch enters IP access list configuration mode, where you can use the IPv6 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.

Every IPv6 ACL has the following implicit rule as its last rule:

deny ipv6 any any 

This implicit rule ensures that the switch denies unmatched IP traffic.

Examples

This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:

switch(config)# ipv6 access-list ipv6-acl-01 
switch(config-ipv6-acl)# 

Related Commands

Command
Description

deny (IPv6)

Configures a deny rule in an IPv6 ACL.

permit (IPv6)

Configures a permit rule in an IPv6 ACL.


ipv6 port traffic-filter

To apply an IPv6 access control list (ACL) to an interface as a port ACL, use the ipv6 port traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.

ipv6 port traffic-filter access-list-name in

no ipv6 port traffic-filter access-list-name in

Syntax Description

access-list-name

Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.

in

Specifies that the device applies the ACL to inbound traffic.


Command Default

None

Command Modes

Interface configuration mode

Command History

Release
Modification

4.0(1a)N1(1)

This command was introduced.


Usage Guidelines

By default, no IPv6 ACLs are applied to an interface.

You can use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:

Ethernet interfaces

EtherChannel interfaces

You can also use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:

VLAN interfaces


Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.


The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.

If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Examples

This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:

switch# configure terminal 
switch(config)# interface ethernet 1/3
switch(config-if)# ipv6 port traffic-filter ipv6-acl in

This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:

switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# no ipv6 port traffic-filter ipv6-acl in

Related Commands

Command
Description

ipv6 access-list

Configures an IPv6 ACL.

show access-lists

Displays all ACLs.

show ipv6 access-lists

Shows either a specific IPv6 ACL or all IPv6 ACLs.


mac access-list

To create a Media Access Control (MAC) access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.

mac access-list access-list-name

no mac access-list access-list-name

Syntax Description

access-list-name

Name of the MAC ACLACL, which can be up to 64 alphanumeric, case-sensitive characters long.


Command Default

No MAC ACLs are defined by default.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

Use MAC ACLs to filter non-IP traffic.

When you use the mac access-list command, the switch enters MAC access list configuration mode, where you can use the MAC deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the switch creates it when you enter this command.

Use the mac access-group command to apply the ACL to an interface.

Every MAC ACL has the following implicit rule as its last rule:

deny any any protocol 

This implicit rule ensures that the switch denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.

Examples

This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:

switch(config)# mac access-list mac-acl-01 
switch(config-acl)#

Related Commands

Command
Description

deny (MAC)

Configures a deny rule in a MAC ACL.

mac access-group

Applies a MAC ACL to an interface.

permit (MAC)

Configures a permit rule in a MAC ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.


mac port access-group

To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.

mac port access-group access-list-name

no mac port access-group access-list-name

Syntax Description

access-list-name

Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long.


Command Default

None

Command Modes

Interface configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

By default, no MAC ACLs are applied to an interface.

MAC ACLs apply to non-IP traffic.

You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:

Layer 2 interfaces

Layer 2 EtherChannel interfaces

You can also apply a MAC ACL as a VLAN ACL. For more information, see the match command.

The switch applies MAC ACLs only to inbound traffic. When the switch applies a MAC ACL, the switch checks packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.

If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Examples

This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:

switch(config)# interface ethernet 1/2 
switch(config-if)# mac port access-group mac-acl-01 

This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 1/2:

switch(config)# interface ethernet 1/2 
switch(config-if)# no mac port access-group mac-acl-01 

Related Commands

Command
Description

mac access-list

Configures a MAC ACL.

show access-lists

Displays all ACLs.

show mac access-lists

Shows either a specific MAC ACL or all MAC ACLs.

show running-config interface

Shows the running configuration of all interfaces or of a specific interface.


match

To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.

match {ip | ipv6 | mac} address access-list-name

no match {ip | ipv6 | mac} address access-list-name

Syntax Description

ip

Specifies an IPv4 ACL.

ipv6

Specifies an IPv6 ACL

mac

Specifies a MAC ACL.

address access-list-name

Specifies the IPv4, IPv6, or MAC address and the access list name. The name can be up to 64 alphanumeric, case-sensitive characters long.


Command Default

By default, the switch classifies traffic and applies IPv4 ACLs to IPv4 traffic and MAC ACLs to all other traffic.

Command Modes

VLAN access-map configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can specify only one match command per access map.

Examples

This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:

switch(config)# vlan access-map vlan-map-01 
switch(config-access-map)# match ip address ip-acl-01 
switch(config-access-map)# action forward 
switch(config-access-map)# statistics 

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.


permit (IPv4)

To create an IPv4 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] permit protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

no permit protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

no sequence-number

Internet Control Message Protocol

[sequence-number] permit icmp source destination [icmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Internet Group Management Protocol

[sequence-number] permit igmp source destination [igmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Internet Protocol v4

[sequence-number] permit ip source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Transmission Control Protocol

[sequence-number] permit tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name] [flags] [established]

User Datagram Protocol

[sequence-number] permit udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]

Syntax Description

sequence-number

(Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

protocol

Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:

icmp—Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

igmp—Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-type argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

ip—Specifies that the rule applies to all IPv4 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv4 protocols are available. They include the following:

dscp

fragments

log

precedence

time-range

tcp—Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.

udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

source

Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

dscp dscp

(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:

0-63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.

af11—Assured Forwarding (AF) class 1, low drop probability (001010)

af12—AF class 1, medium drop probability (001100)

af13—AF class 1, high drop probability (001110)

af21—AF class 2, low drop probability (010010)

af22—AF class 2, medium drop probability (010100)

af23—AF class 2, high drop probability (010110)

af31—AF class 3, low drop probability (011010)

af32—AF class 3, medium drop probability (011100)

af33—AF class 3, high drop probability (011110)

af41—AF class 4, low drop probability (100010)

af42—AF class 4, medium drop probability (100100)

af43—AF class 4, high drop probability (100110)

cs1—Class-selector (CS) 1, precedence 1 (001000)

cs2—CS2, precedence 2 (010000)

cs3—CS3, precedence 3 (011000)

cs4—CS4, precedence 4 (100000)

cs5—CS5, precedence 5 (101000)

cs6—CS6, precedence 6 (110000)

cs7—CS7, precedence 7 (111000)

default—Default DSCP value (000000)

ef—Expedited Forwarding (101110)

precedence precedence

(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword as follows:

0-7—Decimal equivalent of the 3 bits of the IP Precedence field. For example, if you specify 3, the rule matches only packets that have the following bits in the DSCP field: 011.

critical—Precedence 5 (101)

flash—Precedence 3 (011)

flash-override—Precedence 4 (100)

immediate—Precedence 2 (010)

internet—Precedence 6 (110)

network—Precedence 7 (111)

priority—Precedence 1 (001)

routine—Precedence 0 (000)

fragments

(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.

icmp-message

(Optional; IGMP only) Rule that matches only packets of the specified ICMP message type. This argument can be an integer from 0 to 255 or one of the keywords listed under "ICMP Message Types" in the "Usage Guidelines" section.

igmp-message

(Optional; IGMP only) Rule that matches only packets of the specified IGMP message type. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:

dvmrp—Distance Vector Multicast Routing Protocol

host-query—Host query

host-report—Host report

pim—Protocol Independent Multicast

trace—Multicast trace

operator port [port]

(Optional; TCP and UDP only) Rule that matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument.

The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines" section.

A second port argument is required only when the operator argument is a range.

The operator argument must be one of the following keywords:

eq—Matches only if the port in the packet is equal to the port argument.

gt—Matches only if the port in the packet is greater than the port argument.

lt—Matches only if the port in the packet is less than the port argument.

neq—Matches only if the port in the packet is not equal to the port argument.

range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.

portgroup portgroup

(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument.

Use the object-group ip port command to create and change IP port-group objects.

flags

(Optional; TCP only) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:

ack

fin

psh

rst

syn

urg

established

(Optional; TCP only) Specifies that the rule matches only packets that belong to an established TCP connection. The switch considers TCP packets with the ACK or RST bits set to belong to an established connection.


Command Default

A newly created IPv4 ACL contains no rules.

If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

IPv4 ACL configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address network-wildcard  

This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:

switch(config-acl)# permit tcp 192.168.67.0 0.0.0.255 any  

Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address/prefix-len  

This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:

switch(config-acl)# permit udp 192.168.67.0/24 any  

Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:

host IPv4-address  

This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.

This example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:

switch(config-acl)# permit icmp host 192.168.67.132 any  

Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.

ICMP Message Types

The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:

administratively-prohibited—Administratively prohibited

alternate-address—Alternate address

conversion-error—Datagram conversion

dod-host-prohibited—Host prohibited

dod-net-prohibited—Net prohibited

echo—Echo (ping)

echo-reply—Echo reply

general-parameter-problem—Parameter problem

host-isolated—Host isolated

host-precedence-unreachable—Host unreachable for precedence

host-redirect—Host redirect

host-tos-redirect—Host redirect for ToS

host-tos-unreachable—Host unreachable for ToS

host-unknown—Host unknown

host-unreachable—Host unreachable

information-reply—Information replies

information-request—Information requests

mask-reply—Mask replies

mask-request—Mask requests

mobile-redirect—Mobile host redirect

net-redirect—Network redirect

net-tos-redirect—Net redirect for ToS

net-tos-unreachable—Network unreachable for ToS

net-unreachable—Net unreachable

network-unknown—Network unknown

no-room-for-option—Parameter required but no room

option-missing—Parameter required but not present

packet-too-big—Fragmentation needed and DF set

parameter-problem—All parameter problems

port-unreachable—Port unreachable

precedence-unreachable—Precedence cutoff

protocol-unreachable—Protocol unreachable

reassembly-timeout—Reassembly timeout

redirect—All redirects

router-advertisement—Router discovery advertisements

router-solicitation—Router discovery solicitations

source-quench—Source quenches

source-route-failed—Source route failed

time-exceeded—All time-exceeded messages

timestamp-reply—Time-stamp replies

timestamp-request—Time-stamp requests

traceroute—Traceroute

ttl-exceeded—TTL exceeded

unreachable—All unreachables

TCP Port Names

When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

bgp—Border Gateway Protocol (179)

chargen—Character generator (19)

cmd—Remote commands (rcmd, 514)

daytime—Daytime (13)

discard—Discard (9)

domain—Domain Name Service (53)

drip—Dynamic Routing Information Protocol (3949)

echo—Echo (7)

exec—EXEC (rsh, 512)

finger—Finger (79)

ftp—File Transfer Protocol (21)

ftp-data—FTP data connections (2)

gopher—Gopher (7)

hostname—NIC hostname server (11)

ident—Ident Protocol (113)

irc—Internet Relay Chat (194)

klogin—Kerberos login (543)

kshell—Kerberos shell (544)

login—Login (rlogin, 513)

lpd—Printer service (515)

nntp—Network News Transport Protocol (119)

pim-auto-rp—PIM Auto-RP (496)

pop2—Post Office Protocol v2 (19)

pop3—Post Office Protocol v3 (11)

smtp—Simple Mail Transport Protocol (25)

sunrpc—Sun Remote Procedure Call (111)

tacacs—TAC Access Control System (49)

talk—Talk (517)

telnet—Telnet (23)

time—Time (37)

uucp—Unix-to-Unix Copy Program (54)

whois—WHOIS/NICNAME (43)

www—World Wide Web (HTTP, 8)

UDP Port Names

When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

biff—Biff (mail notification, comsat, 512)

bootpc—Bootstrap Protocol (BOOTP) client (68)

bootps—Bootstrap Protocol (BOOTP) server (67)

discard—Discard (9)

dnsix—DNSIX security protocol auditing (195)

domain—Domain Name Service (DNS, 53)

echo—Echo (7)

isakmp—Internet Security Association and Key Management Protocol (5)

mobile-ip—Mobile IP registration (434)

nameserver—IEN116 name service (obsolete, 42)

netbios-dgm—NetBIOS datagram service (138)

netbios-ns—NetBIOS name service (137)

netbios-ss—NetBIOS session service (139)

non500-isakmp—Internet Security Association and Key Management Protocol (45)

ntp—Network Time Protocol (123)

pim-auto-rp—PIM Auto-RP (496)

rip—Routing Information Protocol (router, in.routed, 52)

snmp—Simple Network Management Protocol (161)

snmptrap—SNMP Traps (162)

sunrpc—Sun Remote Procedure Call (111)

syslog—System Logger (514)

tacacs—TAC Access Control System (49)

talk—Talk (517)

tftp—Trivial File Transfer Protocol (69)

time—Time (37)

who—Who service (rwho, 513)

xdmcp—X Display Manager Control Protocol (177)

Examples

This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:

switch(config)# ip access-list acl-lab-01 
switch(config-acl)# permit tcp 10.23.0.0/16 10.176.0.0/16 
switch(config-acl)# permit udp 10.23.0.0/16 10.176.0.0/16 
switch(config-acl)# permit tcp 192.168.37.0/16 10.176.0.0/16 
switch(config-acl)# permit udp 192.168.37.0/16 10.176.0.0/16 

Related Commands

Command
Description

deny (IPv4)

Configures a deny rule in an IPv4 ACL.

ip access-list

Configures an IPv4 ACL.

remark

Configures a remark in an ACL.

show ip access-lists

Displays all IPv4 ACLs or one IPv4 ACL.


permit (IPv6)

To create an IPv6 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] permit protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

no permit protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

no sequence-number

Internet Control Message Protocol

[sequence-number | no] permit icmp source destination [icmp-message] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Internet Protocol v6

[sequence-number] permit ipv6 source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Stream Control Transmission Protocol

[sequence-number | no] permit sctp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Transmission Control Protocol

[sequence-number] permit tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name] [flags] [established]

User Datagram Protocol

[sequence-number | no] permit udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]

Syntax Description

sequence-number

(Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

protocol

Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:

ahp—Specifies that the rule applies to Authentication Header Protocol (AHP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

esp—Specifies that the rule applies to Encapsulating Security Payload (ESP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

icmp—Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

ipv6—Specifies that the rule applies to all IPv6 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

pcp—Specifies that the rule applies to Payload Compression Protocol (PCP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

sctp—Specifies that the rule applies to Stream Control Transmission Protocol (SCTP) traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

tcp—Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.

udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

source

Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

dscp dscp

(Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be one of the following numbers or keywords:

0-63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only packets that have the following bits in the DSCP field: 001010.

af11—Assured Forwarding (AF) class 1, low drop probability (001010)

af12—AF class 1, medium drop probability (001100)

af13—AF class 1, high drop probability (001110)

af21—AF class 2, low drop probability (010010)

af22—AF class 2, medium drop probability (010100)

af23—AF class 2, high drop probability (010110)

af31—AF class 3, low drop probability (011010)

af32—AF class 3, medium drop probability (011100)

af33—AF class 3, high drop probability (011110)

af41—AF class 4, low drop probability (100010)

af42—AF class 4, medium drop probability (100100)

af43—AF class 4, high drop probability (100110)

cs1—Class-selector (CS) 1, precedence 1 (001000)

cs2—CS2, precedence 2 (010000)

cs3—CS3, precedence 3 (011000)

cs4—CS4, precedence 4 (100000)

cs5—CS5, precedence 5 (101000)

cs6—CS6, precedence 6 (110000)

cs7—CS7, precedence 7 (111000)

default—Default DSCP value (000000)

ef—Expedited Forwarding (101110)

flow-label flow-label-value

(Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.

fragments

(Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments.

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.

icmp-message

(ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under "ICMPv6 Message Types" in the "Usage Guidelines" section.

operator port [port]

(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument.

The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines" section.

A second port argument is required only when the operator argument is a range.

The operator argument must be one of the following keywords:

eq—Matches only if the port in the packet is equal to the port argument.

gt—Matches only if the port in the packet is greater than the port argument.

lt—Matches only if the port in the packet is less than the port argument.

neq—Matches only if the port in the packet is not equal to the port argument.

range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.

portgroup portgroup

(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument.

Use the object-group ip port command to create and change IP port-group objects.

flags

(TCP only; Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:

ack

fin

psh

rst

syn

urg

established

(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection.


Command Default

None

Command Modes

IPv6 ACL configuration mode

Command History

Release
Modification

4.0(1a)N1(1)

This command was introduced.


Usage Guidelines

A newly created IPv6 ACL contains no rules.

When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and variable-length subnet mask—You can use an IPv6 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv6-address/prefix-len 

This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:

switch(config-acl)# permit udp 2001:0db8:85a3::/48 any 

Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:

host IPv6-address 

This syntax is equivalent to IPv6-address/128.

This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:

switch(config-acl)# permit icmp host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 any 

Any address—You can use the any keyword to specify that a source or destination is any IPv6 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.

ICMPv6 Message Types

The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the following keywords:

beyond-scope—Destination beyond scope

destination-unreachable—Destination address is unreachable

echo-reply—Echo reply

echo-request—Echo request (ping)

header—Parameter header problems

hop-limit—Hop limit exceeded in transit

mld-query—Multicast Listener Discovery Query

mld-reduction—Multicast Listener Discovery Reduction

mld-report—Multicast Listener Discovery Report

nd-na—Neighbor discovery neighbor advertisements

nd-ns—Neighbor discovery neighbor solicitations

next-header—Parameter next header problems

no-admin—Administration prohibited destination

no-route—No route to destination

packet-too-big—Packet too big

parameter-option—Parameter option problems

parameter-problem—All parameter problems

port-unreachable—Port unreachable

reassembly-timeout—Reassembly timeout

redirect—Neighbor redirect

renum-command—Router renumbering command

renum-result—Router renumbering result

renum-seq-number—Router renumbering sequence number reset

router-advertisement—Neighbor discovery router advertisements

router-renumbering—All router renumbering

router-solicitation—Neighbor discovery router solicitations

time-exceeded—All time exceeded messages

unreachable—All unreachable

TCP Port Names

When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

bgp—Border Gateway Protocol (179)

chargen—Character generator (19)

cmd—Remote commands (rcmd, 514)

daytime—Daytime (13)

discard—Discard (9)

domain—Domain Name Service (53)

drip—Dynamic Routing Information Protocol (3949)

echo—Echo (7)

exec—Exec (rsh, 512)

finger—Finger (79)

ftp—File Transfer Protocol (21)

ftp-data—FTP data connections (2)

gopher—Gopher (7)

hostname—NIC hostname server (11)

ident—Ident Protocol (113)

irc—Internet Relay Chat (194)

klogin—Kerberos login (543)

kshell—Kerberos shell (544)

login—Login (rlogin, 513)

lpd—Printer service (515)

nntp—Network News Transport Protocol (119)

pim-auto-rp—PIM Auto-RP (496)

pop2—Post Office Protocol v2 (19)

pop3—Post Office Protocol v3 (11)

smtp—Simple Mail Transport Protocol (25)

sunrpc—Sun Remote Procedure Call (111)

tacacs—TAC Access Control System (49)

talk—Talk (517)

telnet—Telnet (23)

time—Time (37)

uucp—Unix-to-Unix Copy Program (54)

whois—WHOIS/NICNAME (43)

www—World Wide Web (HTTP, 8)

UDP Port Names

When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

biff—Biff (mail notification, comsat, 512)

bootpc—Bootstrap Protocol (BOOTP) client (68)

bootps—Bootstrap Protocol (BOOTP) server (67)

discard—Discard (9)

dnsix—DNSIX security protocol auditing (195)

domain—Domain Name Service (DNS, 53)

echo—Echo (7)

isakmp—Internet Security Association and Key Management Protocol (5)

mobile-ip—Mobile IP registration (434)

nameserver—IEN116 name service (obsolete, 42)

netbios-dgm—NetBIOS datagram service (138)

netbios-ns—NetBIOS name service (137)

netbios-ss—NetBIOS session service (139)

non500-isakmp—Internet Security Association and Key Management Protocol (45)

ntp—Network Time Protocol (123)

pim-auto-rp—PIM Auto-RP (496)

rip—Routing Information Protocol (router, in.routed, 52)

snmp—Simple Network Management Protocol (161)

snmptrap—SNMP Traps (162)

sunrpc—Sun Remote Procedure Call (111)

syslog—System Logger (514)

tacacs—TAC Access Control System (49)

talk—Talk (517)

tftp—Trivial File Transfer Protocol (69)

time—Time (37)

who—Who service (rwho, 513)

xdmcp—X Display Manager Control Protocol (177)

Examples

This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:

switch# configure terminal 
switch(config)# ipv6 access-list acl-lab13-ipv6 
switch(config-ipv6-acl)# permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 
switch(config-ipv6-acl)# permit udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 
switch(config-ipv6-acl)# permit tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 
switch(config-ipv6-acl)# permit udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 

This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:

switch# configure terminal 
switch(config)# ipv6 access-list ipv6-eng-to-marketing 
switch(config-ipv6-acl)# permit ipv6 addrgroup eng_ipv6 addrgroup marketing_group 

Related Commands

Command
Description

deny (IPv6)

Configures a deny rule in an IPv6 ACL.

ipv6 access-list

Configures an IPv6 ACL.

remark

Configures a remark in an ACL.


permit (MAC)

To create a MAC access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.

[sequence-number] permit source destination [protocol] [cos cos-value] [vlan vlan-id]

no permit source destination [protocol] [cos cos-value] [vlan vlan-id]

no sequence-number

Syntax Description

sequence-number

(Optional) Sequence number of the permit command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

source

Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

protocol

( Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see "MAC Protocols" in the "Usage Guidelines" section.

cos cos-value

(Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7.

vlan vlan-id

(Optional) Specifies that the rule matches only packets whose IEEE 802.1Q header contains the VLAN ID given. The vlan-id argument can be an integer from 1 to 4094.


Command Default

A newly created MAC ACL contains no rules.

If you do not specify a sequence number, the switch assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

MAC ACL configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

When the switch applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.

Source and Destination

You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:

MAC-address MAC-mask  

This example specifies the source argument with the MAC address 00c0.4f03.0a72:

switch(config-acl)# permit 00c0.4f03.0a72 0000.0000.0000 any  

This example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:

switch(config-acl)# permit any 0060.3e00.0000 0000.0000.0000  

Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.

MAC Protocols

The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:

aarp—Appletalk ARP (0x80f3)

appletalk—Appletalk (0x809b)

decnet-iv—DECnet Phase IV (0x6003)

diagnostic—DEC Diagnostic Protocol (0x6005)

etype-6000—Ethertype 0x6000 (0x6000)

etype-8042—Ethertype 0x8042 (0x8042)

ip—Internet Protocol v4 (0x0800)

lat—DEC LAT (0x6004)

lavc-sca—DEC LAVC, SCA (0x6007)

mop-console—DEC MOP Remote console (0x6002)

mop-dump—DEC MOP dump (0x6001)

vines-echo—VINES Echo (0x0baf)

Examples

This example shows how to configure a MAC ACL named mac-ip-filter with a rule that permits all IPv4 traffic between two groups of MAC addresses:

switch(config)# mac access-list mac-ip-filter 
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff 
ip 
switch(config-mac-acl)# 

Related Commands

Command
Description

deny (MAC)

Configures a deny rule in a MAC ACL.

mac access-list

Configures a MAC ACL.

remark

Configures a remark in an ACL.

show mac access-list

Displays all MAC ACLs or one MAC ACL.


permit interface

To add interfaces for a user role interface policy, use the permit interface command. To remove interfaces, use the no form of this command.

permit interface interface-list

no permit interface

Syntax Description

interface-list

List of interfaces that the user role has permission to access.


Command Default

All interfaces

Command Modes

Interface policy configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

For permit interface statements to work, you need to configure a command rule to allow interface access, as shown in the following example:

switch(config-role)# rule number permit command configure terminal ; interface * 

Examples

This example shows how to configure a range of interfaces for a user role interface policy:

switch(config)# role name MyRole 
switch(config-role)# interface policy deny 
switch(config-role-interface)# permit interface ethernet 1/2 - 8 

This example shows how to configure a list of interfaces for a user role interface policy:

switch(config)# role name MyRole 
switch(config-role)# interface policy deny 
switch(config-role-interface)# permit interface ethernet 1/1, ethernet 1/3, ethernet 1/5 

This example shows how to remove an interface from a user role interface policy:

switch(config)# role name MyRole 
switch(config-role)# interface policy deny 
switch(config-role-interface)# no permit interface ethernet 1/2 

Related Commands

Command
Description

interface policy deny

Enters interface policy configuration mode for a user role.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


permit vlan

To add VLANs for a user role VLAN policy, use the permit vlan command. To remove VLANs, use the no form of this command.

permit vlan vlan-list

no permit vlan

Syntax Description

vlan-list

List of VLANs that the user role has permission to access.


Command Default

All VLANs

Command Modes

VLAN policy configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

For permit vlan statements to work, you need to configure a command rule to allow VLAN access, as shown in the following example:

switch(config-role)# rule number permit command configure terminal ; vlan *  

Examples

This example shows how to configure a range of VLANs for a user role VLAN policy:

switch(config)# role name MyRole 
switch(config-role)# vlan policy deny 
switch(config-role-vlan)# permit vlan 1-8 

This example shows how to configure a list of VLANs for a user role VLAN policy:

switch(config)# role name MyRole 
switch(config-role)# vlan policy deny 
switch(config-role-vlan)# permit vlan 1, 10, 12, 20 

This example shows how to remove a VLAN from a user role VLAN policy:

switch(config)# role name MyRole 
switch(config-role)# vlan policy deny 
switch(config-role-vlan)# no permit vlan 2 

Related Commands

Command
Description

vlan policy deny

Enters VLAN policy configuration mode for a user role.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


permit vrf

To add virtual routing and forwarding instances (VRFs) for a user role VRF policy, use the permit vrf command. To remove VRFs, use the no form of this command.

permit vrf vrf-list

no permit vrf

Syntax Description

vrf-list

List of VRFs that the user role has permission to access.


Command Default

All VRFs

Command Modes

VRF policy configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to configure a range of VRFs for a user role VRF policy:

switch(config)# role name MyRole 
switch(config-role)# vrf policy deny 
switch(config-role-vrf)# permit vrf management 

Related Commands

Command
Description

vrf policy deny

Enters VRF policy configuration mode for a user role.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


permit vsan

To permit access to a VSAN policy for a user role, use the permit vsan command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.

permit vsan vsan-list

no permit vsan vsan-list

Syntax Description

vsan-list

Range of VSANs accessible to a user role. The range is from 1 to 4093.

You can separate the range using the following separators:

, is a multirange separator; for example, 1-5, 10, 12, 100-201.

- is a range separator; for example, 101-201.


Command Default

None

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

This command is enabled only after you deny a VSAN policy by using the vsan policy deny command.

Examples

This example shows how to permit access to a VSAN policy for a user role:

switch(config)# role name MyRole 
switch(config-role)# vsan policy deny 
switch(config-role-vsan)# permit vsan 10, 12, 100-104 
switch(config-role-vsan)# 

Related Commands

Command
Description

vsan policy deny

Denies access to a VSAN policy for a user.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


radius-server deadtime

To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 5000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command.

radius-server deadtime minutes

no radius-server deadtime minutes

Syntax Description

minutes

Number of minutes for the dead-time interval. The range is from 1 to 1440 minutes.


Command Default

0 minutes

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The dead-time interval is the number of minutes before the switch checks a RADIUS server that was previously unresponsive.


Note When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.


Examples

This example shows how to configure the global dead-time interval for all RADIUS servers to perform periodic monitoring:

switch(config)# radius-server deadtime 5 

This example shows how to revert to the default for the global dead-time interval for all RADIUS servers and disable periodic server monitoring:

switch(config)# no radius-server deadtime 5 

Related Commands

Command
Description

show radius-server

Displays RADIUS server information.


radius-server directed-request

To allow users to send authentication requests to a specific RADIUS server when logging in, use the radius-server directed request command. To revert to the default, use the no form of this command.

radius-server directed-request

no radius-server directed-request

Syntax Description

This command has no arguments or keywords.

Command Default

Sends the authentication request to the configured RADIUS server group.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can specify the username@vrfname:hostname during login, where vrfname is the VRF to use and hostname is the name of a configured RADIUS server. The username is sent to the RADIUS server for authentication.

Examples

This example shows how to allow users to send authentication requests to a specific RADIUS server when logging in:

switch(config)# radius-server directed-request 

This example shows how to disallow users to send authentication requests to a specific RADIUS server when logging in:

switch(config)# no radius-server directed-request 

Related Commands

Command
Description

show radius-server directed-request

Displays the directed request RADIUS server configuration.


radius-server host

To configure RADIUS server parameters, use the radius-server host command. To revert to the default, use the no form of this command.

radius-server host {hostname | ipv4-address | ipv6-address}
[key [0 | 7] shared-secret [pac]] [accounting]
[acct-port port-number] [auth-port port-number] [authentication] [retransmit count]
[test {idle-time time | password password | username name}]
[timeout seconds [retransmit count]]

no radius-server host {hostname | ipv4-address | ipv6-address}
[
key [0 | 7] shared-secret [pac]] [accounting]
[acct-port port-number] [auth-port port-number] [authentication] [retransmit count]
[
test {idle-time time | password password | username name}]
[
timeout seconds [retransmit count]]

Syntax Description

hostname

RADIUS server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

ipv4-address

RADIUS server IPv4 address in the A.B.C.D format.

ipv6-address

RADIUS server IPv6 address in the X:X:X:X format.

key

(Optional) Configures the RADIUS server preshared secret key.

0

(Optional) Configures a preshared key specified in clear text to authenticate communication between the RADIUS client and server. This is the default.

7

(Optional) Configures a preshared key specified in encrypted text (indicated by 7) to authenticate communication between the RADIUS client and server.

shared-secret

Preshared key to authenticate communication between the RADIUS client and server. The preshared key can include any printable ASCII characters (white spaces are not allowed), is case sensitive, and has a maximum of 63 characters.

pac

(Optional) Enables the generation of Protected Access Credentials on the RADIUS Cisco ACS server for use with Cisco TrustSec.

accounting

(Optional) Configures accounting.

acct-port port-number

(Optional) Configures the RADIUS server port for accounting. The range is from 0 to 65535.

auth-port port-number

(Optional) Configures the RADIUS server port for authentication. The range is from 0 to 65535.

authentication

(Optional) Configures authentication.

retransmit count

(Optional) Configures the number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times and the default is 1 time.

test

(Optional) Configures parameters to send test packets to the RADIUS server.

idle-time time

Specifies the time interval (in minutes) for monitoring the server. The range is from 1 to 1440 minutes.

password password

Specifies a user password in the test packets. The password is alphanumeric, case sensitive, and has a maximum of 32 characters.

username name

Specifies a username in the test packets. The is alphanumeric, not case sensitive, and has a maximum of 32 characters.

timeout seconds

Specifies the timeout (in seconds) between retransmissions to the RADIUS server. The default is 1 second and the range is from 1 to 60 seconds.


Command Default

Accounting port: 1813

Authentication port: 1812

Accounting: enabled

Authentication: enabled

Retransmission count: 1

Idle-time: 0

Server monitoring: disabled

Timeout: 5 seconds

Test username: test

Test password: test

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.

Examples

This example shows how to configure RADIUS server authentication and accounting parameters:

switch(config)# radius-server host 192.168.2.3 key HostKey 
switch(config)# radius-server host 192.168.2.3 auth-port 2003 
switch(config)# radius-server host 192.168.2.3 acct-port 2004 
switch(config)# radius-server host 192.168.2.3 accounting 
switch(config)# radius-server host radius2 key 0 abcd 
switch(config)# radius-server host radius3 key 7 1234 
switch(config)# radius-server host 192.168.2.3 test idle-time 10 
switch(config)# radius-server host 192.168.2.3 test username tester 
switch(config)# radius-server host 192.168.2.3 test password 2B9ka5 

Related Commands

Command
Description

show radius-server

Displays RADIUS server information.


radius-server key

To configure a RADIUS shared secret key, use the radius-server key command. To remove a configured shared secret, use the no form of this command.

radius-server key [0 | 7] shared-secret

no radius-server key [0 | 7] shared-secret

Syntax Description

0

(Optional) Configures a preshared key specified in clear text to authenticate communication between the RADIUS client and server.

7

(Optional) Configures a preshared key specified in encrypted text to authenticate communication between the RADIUS client and server.

shared-secret

Preshared key used to authenticate communication between the RADIUS client and server. The preshared key can include any printable ASCII characters (white spaces are not allowed), is case sensitive, and has a maximum of 63 characters.


Command Default

Clear text authentication

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You must configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by using the key keyword in the radius-server host command.

Examples

This example shows how to provide various scenarios to configure RADIUS authentication:

switch(config)# radius-server key AnyWord 
switch(config)# radius-server key 0 AnyWord 
switch(config)# radius-server key 7 public pac 

Related Commands

Command
Description

show radius-server

Displays RADIUS server information.


radius-server retransmit

To specify the number of times that the switch should try a request with a RADIUS server, use the radius-server retransmit command. To revert to the default, use the no form of this command.

radius-server retransmit count

no radius-server retransmit count

Syntax Description

count

Number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times.


Command Default

1 retransmission

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to configure the number of retransmissions to RADIUS servers:

switch(config)# radius-server retransmit 3 

This example shows how to revert to the default number of retransmissions to RADIUS servers:

switch(config)# no radius-server retransmit 3 

Related Commands

Command
Description

show radius-server

Displays RADIUS server information.


radius-server timeout

To specify the time between retransmissions to the RADIUS servers, use the radius-server timeout command. To revert to the default, use the no form of this command.

radius-server timeout seconds

no radius-server timeout seconds

Syntax Description

seconds

Number of seconds between retransmissions to the RADIUS server. The range is from 1 to 60 seconds.


Command Default

1 second

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to configure the timeout interval:

switch(config)# radius-server timeout 30 

This example shows how to revert to the default interval:

switch(config)# no radius-server timeout 30 

Related Commands

Command
Description

show radius-server

Displays RADIUS server information.


remark

To enter a comment into an IPv4 or MAC access control list (ACL), use the remark command. To remove a remark command, use the no form of this command.

[sequence-number] remark remark

no {sequence-number | remark remark}

Syntax Description

sequence-number

(Optional) Sequence number of the remark command, which causes the switch to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the switch adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to remarks and rules.

remark

Text of the remark. This argument can be up to 100 characters.


Command Default

No ACL contains a remark by default.

Command Modes

IPv4 ACL configuration mode

MAC ACL configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The remark argument can be up to 100 characters. If you enter more than 100 characters for the remark argument, the switch accepts the first 100 characters and drops any additional characters.

Examples

This example shows how to create a remark in an IPv4 ACL and display the results:

switch(config)# ip access-list acl-ipv4-01 
switch(config-acl)# 100 remark this ACL denies the marketing department access to the lab 
switch(config-acl)# show access-list acl-ipv4-01 

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

mac access-list

Configures a MAC ACL.

show access-list

Displays all ACLs or one ACL.


resequence

To reassign sequence numbers to all rules in an access control list (ACL) or a time range, use the resequence command.

resequence access-list-type access-list access-list-name starting-number increment

resequence time-range time-range-name starting-number increment

Syntax Description

access-list-type

Type of the ACL. Valid values for this argument are the following keywords:

arp

ip

mac

access-list access-list-name

Specifies the name of the ACL.

time-range time-range-name

Specifies the name of the time range.

starting-number

Sequence number for the first rule in the ACL or time range.

increment

Number that the switch adds to each subsequent sequence number.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The resequence command allows you to reassign sequence numbers to the rules of an ACL or time range. The new sequence number for the first rule is determined by the starting-number argument. Each additional rule receives a new sequence number determined by the increment argument. If the highest sequence number would exceed the maximum possible sequence number, then no sequencing occurs and the following message appears:

ERROR: Exceeded maximum sequence number. 

The maximum sequence number is 4294967295.

Examples

This example shows how to resequence an IPv4 ACL named ip-acl-01 with a starting sequence number of 100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:

switch(config)# show ip access-lists ip-acl-01 

IP access list ip-acl-01 
        7 permit tcp 128.0.0/16 any eq www 
        10 permit udp 128.0.0/16 any 
        13 permit icmp 128.0.0/16 any eq echo 
        17 deny igmp any any 
switch(config)# resequence ip access-list ip-acl-01 100 10 
switch(config)# show ip access-lists ip-acl-01 

IP access list ip-acl-01 
        100 permit tcp 128.0.0/16 any eq www 
        110 permit udp 128.0.0/16 any 
        120 permit icmp 128.0.0/16 any eq echo 
        130 deny igmp any any 
switch(config)#

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

mac access-list

Configures a MAC ACL.

show access-lists

Displays all ACLs or a specific ACL.


role feature-group name

To create or specify a user role feature group and enter user role feature group configuration mode, use the role feature-group name command. To delete a user role feature group, use the no form of this command.

role feature-group name group-name

no role feature-group name group-name

Syntax Description

group-name

User role feature group name. The group-name has a maximum length of 32 characters and is a case-sensitive, alphanumeric character string.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to create a user role feature group and enter user role feature group configuration mode:

switch(config)# role feature-group name MyGroup 
switch(config-role-featuregrp)# 

This example shows how to remove a user role feature group:

switch(config)# no role feature-group name MyGroup 
switch(config)#

Related Commands

Command
Description

feature-group name

Specifies or creates a user role feature group and enters user role feature group configuration mode.

show role feature-group

Displays the user role feature groups.


role name

To create or specify a user role and enter user role configuration mode, use the role name command. To delete a user role, use the no form of this command.

role name role-name

no role name role-name

Syntax Description

role-name

User role name. The role-name has a maximum length of 16 characters and is a case-sensitive, alphanumeric character string.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

A Cisco Nexus 5000 Series switch provides the following default user roles:

Network Administrator—Complete read-and-write access to the entire switch

Complete read access to the entire switch

You cannot change or remove the default user roles.

Examples

This example shows how to create a user role and enter user role configuration mode:

switch(config)# role name MyRole 
switch(config-role)# 

This example shows how to remove a user role:

switch(config)# no role name MyRole 

Related Commands

Command
Description

show role

Displays the user roles.


rule

To configure rules for a user role, use the rule command. To delete a rule, use the no form of this command.

rule number {deny | permit} {command command-string | {read | read-write} [feature feature-name | feature-group group-name]}

no rule number

Syntax Description

number

Sequence number for the rule. The switch applies the rule with the highest value first and then the rest in descending order.

deny

Denies access to commands or features.

permit

Permits access to commands or features.

command command-string

Specifies a command string.

read

Specifies read access.

read-write

Specifies read and write access.

feature feature-name

(Optional) Specifies a feature name. Use the show role feature command to list the switch feature names.

feature-group group-name

(Optional) Specifies a feature group.


Command Default

None

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can configure up to 256 rules for each role.

The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

Examples

This example shows how to add rules to a user role:

switch(config)# role MyRole 
switch(config-role)# rule 1 deny command clear users 
switch(config-role)# rule 1 permit read-write feature-group L3 

This example shows how to remove rule from a user role:

switch(config)# role MyRole 
switch(config-role)# no rule 10 

Related Commands

Command
Description

role name

Creates or specifies a user role name and enters user role configuration mode.

show role

Displays the user roles.


server

To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.

server {ipv4-address | ipv6-address | hostname}

no server {ipv4-address | ipv6-address | hostname}

Syntax Description

ipv4-address

Server IPv4 address in the A.B.C.D format.

ipv6-address

Server IPv6 address in the X:X:X::X format.

hostname

Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.


Command Default

None

Command Modes

RADlUS server group configuration mode

TACACS+ server group configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can configure up to 64 servers in a server group.

Use the aaa group server radius command to enter RADIUS server group configuration mode or aaa group server tacacs+ command to enter TACACS+ server group configuration mode.

If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.


Note You must use the feature tacacs+ command before you configure TACACS+.


Examples

This example shows how to add a server to a RADIUS server group:

switch(config)# aaa group server radius RadServer 
switch(config-radius)# server 192.168.1.1 

This example shows how to delete a server from a RADIUS server group:

switch(config)# aaa group server radius RadServer 
switch(config-radius)# no server 192.168.1.1 

This example shows how to add a server to a TACACS+ server group:

switch(config)# feature tacacs+ 
switch(config)# aaa group server tacacs+ TacServer 
switch(config-tacacs+)# server 192.168.2.2 

This example shows how to delete a server from a TACACS+ server group:

switch(config)# feature tacacs+ 
switch(config)# aaa group server tacacs+ TacServer 
switch(config-tacacs+)# no server 192.168.2.2 

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

feature tacacs+

Enables TACACS+.

radius-server host

Configures a RADIUS server.

show radius-server groups

Displays RADIUS server group information.

show tacacs-server groups

Displays TACACS+ server group information.

tacacs-server host

Configures a TACACS+ server.


show aaa accounting

To display authentication, authorization, and accounting (AAA) accounting configuration, use the show aaa accounting command.

show aaa accounting

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the configuration of the accounting log:

switch# show aaa accounting 

Related Commands

Command
Description

aaa accounting default

Configures AAA methods for accounting.


show aaa authentication

To display authentication, authorization, and accounting (AAA) authentication configuration information, use the show aaa authentication command.

show aaa authentication login [error-enable | mschap]

Syntax Description

error-enable

(Optional) Displays the authentication login error message enable configuration.

mschap

(Optional) Displays the authentication login Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) enable configuration.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the configured authentication parameters:

switch# show aaa authentication 

This example shows how to display the authentication login error enable configuration:

switch# show aaa authentication login error-enable 

This example shows how to display the authentication login MS-CHAP configuration:

switch# show aaa authentication login mschap 

Related Commands

Command
Description

aaa authentication

Configures AAA authentication methods.


show aaa authorization

To display AAA authorization configuration information, use the show aaa authorization command.

show aaa authorization [all]

Syntax Description

all

(Optional) Displays configured and default values.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.2(1)N1(1)

This command was introduced.


Examples

This example shows how to display the configured authorization methods:

switch# show aaa authorization 
AAA command authorization:
         default authorization for config-commands: none

switch# 

This example shows how to revert to the default AAA authorization methods for configuration commands:

switch(config)# no aaa authorization config-commands default group TacGroup local 
switch(config)# 

Related Commands

Command
Description

aaa authorization commands default

Configures default AAA authorization methods for EXEC commands.

aaa authorization config-commands default

Configures default AAA authorization methods for configuration commands.


show aaa groups

To display authentication, authorization, and accounting (AAA) server group configuration, use the show aaa groups command.

show aaa groups

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display AAA group information:

switch# show aaa groups 

Related Commands

Command
Description

aaa group server radius

Creates a RADIUS server group.


show aaa user

To display the status of the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the show aaa user command.

show aaa user default-role

Syntax Description

default-role

Displays the status of the default AAA role.


Command Default

None

Command Modes

EXEC mode.

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the status of the default role assigned by the AAA server administrator for remote authentication:

switch# show aaa user default-role 
enabled
switch# 

Related Commands

Command
Description

aaa user default-role

Configures the default user for remote authentication.

show aaa authentication

Displays AAA authentication information.


show access-lists

To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.

show access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Command Default

The switch shows all ACLs unless you use the access-list-name argument to specify an ACL.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display all IPv4 and MAC ACLs on the switch:

switch# show access-lists 

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

mac access-list

Configures a MAC ACL.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.


show accounting log

To display the accounting log contents, use the show accounting log command.

show accounting log [size] [start-time year month day HH:MM:SS] [end-time year month day HH:MM:SS]

Syntax Description

size

(Optional) Amount of the log to display in bytes. The range is from 0 to 250000.

start-time year month day HH:MM:SS

(Optional) Specifies a start time. The year argument is in yyyy format. The month is the three-letter English abbreviation. The day argument range is from 1 to 31. The HH:MM:SS argument is in standard 24-hour format.

end-time year month day HH:MM:SS

(Optional) Specifies an end time. The year argument is in yyyy format. The month is the three-letter English abbreviation. The day argument range is from 1 to 31. The HH:MM:SS argument is in standard 24-hour format.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the entire accounting log:

switch# show accounting log 

This example shows how to display 400 bytes of the accounting log:

switch# show accounting log 400 

This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:

switch# show accounting log start-time 2008 Feb 16 16:00:00 

This example shows how to display the accounting log starting at 15:59:59 on February 1, 2008 and ending at 16:00:00 on February 29, 2008:

switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00 

Related Commands

Command
Description

clear accounting log

Clears the accounting log.


show ip access-lists

To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.

show ip access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Command Default

The switch shows all IPv4 ACLs unless you use the access-list-name argument to specify an ACL.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

By default, this command displays the IPv4 ACLs configured on the switch. The command displays the statistics information for an IPv4 ACL only if the IPv4 ACL is applied to the management (mgmt0) interface. If the ACL is applied to an SVI interface or in a QoS class map, then the command does not display any statistics information.

Examples

This example shows how to display all IPv4 ACLs on the switch:

switch# show ip access-lists 

IP access list BulkData
        10 deny ip any any
IP access list CriticalData
        10 deny ip any any
IP access list Scavenger
        10 deny ip any any
IP access list deny
        10 deny ip 192.168.30.1/32 192.168.40.1/32
IP access list deny4
IP access list denyv4
        statistics per-entry
        20 deny ip 192.168.10.0/24 10.20.10.0/24 fragments
        30 permit udp 192.168.10.0/24 gt isakmp 192.168.20.0/24 lt 400
        40 permit icmp any any router-advertisement
        60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
        70 permit igmp any any host-report
        80 deny tcp any any rst
        90 deny tcp any any ack
        100 permit tcp any any fin
        110 permit tcp any gt 300 any lt 400
        130 deny tcp any range 200 300 any lt 600
IP access list dot
--More--
<--output truncated-->
switch# 

Related Commands

Command
Description

ip access-list

Configures an IPv4 ACL.

show access-lists

Displays all ACLs or a specific ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.


show ip arp

To display the Address Resolution Protocol (ARP) table statistics, use the show ip arp command.

show ip arp [detail | vlan vlan-id [vrf {vrf-name | all | default | management}]]

Syntax Description

detail

(Optional) Displays the detailed ARP information.

vlan vlan-id

(Optional) Displays the ARP information for a specified VLAN. The range is from 1 to 4094, except for the VLANs reserved for internal use.

vrf

(Optional) Specifies the virtual routing and forwarding (VRF) to use.

vrf-name

VRF name. The name can be a maximum of 32 alphanumeric characters, and is case sensitive.

all

Displays all VRF entries for the specified VLAN in the ARP table.

default

Displays the default VRF entry for the specified VLAN.

management

Displays the management VRF entry for the specified VLAN.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.2(1)N1(1)

This command was introduced.


Examples

This example shows how to display the ARP table:

switch# show ip arp 

IP ARP Table for context default
Total number of entries: 1
Address         Age       MAC Address     Interface
90.10.10.2      00:03:11  000d.ece7.df7c  Vlan900
switch#

This example shows how to display the detailed ARP table:

switch# show ip arp detail 

IP ARP Table for context default
Total number of entries: 1
Address         Age       MAC Address     Interface        Physical Interface
90.10.10.2      00:02:55  000d.ece7.df7c  Vlan900          Ethernet1/12
switch#

This example shows how to display the ARP table for VLAN 10 and all VRFs:

switch# show ip arp vlan 10 vrf all 

Related Commands

Command
Description

clear ip arp

Clears the ARP cache and table.

show running-config arp

Displays the running ARP configuration.


show ipv6 access-lists

To display all IPv6 access control lists (ACLs) or a specific IPv6 ACL, use the show ipv6 access-lists command.

show ipv6 access-lists [access-list-name] [expanded | summary]

Syntax Description

access-list-name

(Optional) Name of an IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.

expanded

(Optional) Specifies that the contents of IPv6 address groups or port groups show rather than the names of object groups only.

summary

(Optional) Specifies that the command displays information about the ACL rather than the ACL configuration. For more information, see the "Usage Guidelines" section.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The device shows all IPv6 ACLs, unless you use the access-list-name argument to specify an ACL.

The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:

Whether per-entry statistics is configured for the ACL.

The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.

The interfaces that the ACL is applied to.

The interfaces that the ACL is active on.

The show ipv6 access-lists command displays statistics for each entry in an ACL if the following conditions are both true:

The ACL configuration contains the statistics per-entry command.

The ACL is applied to an interface that is administratively up.

Examples

This example shows how to display all IPv6 ACLs on a switch:

switch# show ipv6 access-lists 

Related Commands

Command
Description

ipv6 access-list

Configures an IPv6 ACL.


show mac access-lists

To display all Media Access Control (MAC) access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.

show mac access-lists [access-list-name]

Syntax Description

access-list-name

(Optional) Name of a MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters.


Command Default

The switch shows all MAC ACLs unless you use the access-list-name argument to specify an ACL.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display all MAC ACLs on the switch:

switch# show mac access-lists 

Related Commands

Command
Description

mac access-list

Configures a MAC ACL.

show access-lists

Displays all ACLs or a specific ACL.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.


show radius-server

To display RADIUS server information, use the show radius-server command.

show radius-server [hostname | ipv4-address | ipv6-address] [directed-request | groups [group-name] | sorted | statistics hostname | ipv4-address | ipv6-address]

Syntax Description

hostname

(Optional) RADIUS server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

ipv4-address

(Optional) RADIUS server IPv4 address in the A.B.C.D format.

ipv6-address

(Optional) RADIUS server IPv6 address in the X:X::X:X format.

directed-request

(Optional) Displays the directed request configuration.

groups [group-name]

(Optional) Displays information about the configured RADIUS server groups. Supply a group-name to display information about a specific RADIUS server group.

sorted

(Optional) Displays sorted-by-name information about the RADIUS servers.

statistics

(Optional) Displays RADIUS statistics for the RADIUS servers. A hostname or IP address is required.


Command Default

Displays the global RADIUS server configuration.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.

Examples

This example shows how to display information for all RADIUS servers:

switch# show radius-server 

This example shows how to display information for a specified RADIUS server:

switch# show radius-server 192.168.1.1 

This example shows how to display the RADIUS directed request configuration:

switch# show radius-server directed-request 

This example shows how to display information for RADIUS server groups:

switch# show radius-server groups 

This example shows how to display information for a specified RADIUS server group:

switch# show radius-server groups RadServer 

This example shows how to display sorted information for all RADIUS servers:

switch# show radius-server sorted 

This example shows how to display statistics for a specified RADIUS servers:

switch# show radius-server statistics 192.168.1.1 

Related Commands

Command
Description

show running-config radius

Displays the RADIUS information in the running configuration file.


show role

To display the user role configuration, use the show role command.

show role [name role-name]

Syntax Description

name role-name

(Optional) Displays information for a specific user role name.


Command Default

Displays information for all user roles.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display information for a specific user role:

switch# show role name MyRole 

This example shows how to display information for all user roles:

switch# show role 

Related Commands

Command
Description

role name

Configures user roles.


show role feature

To display the user role features, use the show role feature command.

show role feature [detail | name feature-name]

Syntax Description

detail

(Optional) Displays detailed information for all features.

name feature-name

(Optional) Displays detailed information for a specific feature.


Command Default

Displays a list of user role feature names.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the user role features:

switch# show role feature 

This example shows how to display detailed information all the user role features:

switch# show role feature detail 

This example shows how to display detailed information a specific user role feature:

switch# show role feature name boot-variable 

Related Commands

Command
Description

role feature-group

Configures feature groups for user roles.

rule

Configures rules for user roles.


show role feature-group

To display the user role feature groups, use the show role feature-group command.

show role feature-group [detail | name group-name]

Syntax Description

detail

(Optional) Displays detailed information for all feature groups.

name group-name

(Optional) Displays detailed information for a specific feature group.


Command Default

Displays a list of user role feature groups.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the user role feature groups:

switch# show role feature-group 

This example shows how to display detailed information about all the user role feature groups:

switch# show role feature-group detail 

This example shows how to display information for a specific user role feature group:

switch# show role feature-group name SecGroup 

Related Commands

Command
Description

role feature-group

Configures feature groups for user roles.

rule

Configures rules for user roles.


show running-config aaa

To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.

show running-config aaa [all]

Syntax Description

all

(Optional) Displays configured and default information.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the configured AAA information in the running configuration:

switch# show running-config aaa 

show running-config radius

To display RADIUS server information in the running configuration, use the show running-config radius command.

show running-config radius [all]

Syntax Description

all

(Optional) Displays default RADIUS configuration information.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display information for RADIUS in the running configuration:

switch# show running-config radius 

Related Commands

Command
Description

show radius-server

Displays RADIUS information.


show running-config security

To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.

show running-config security [all]

Syntax Description

all

(Optional) Displays default user account, SSH server, and Telnet server configuration information.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display user account, SSH server, and Telnet server information in the running configuration:

switch# show running-config security 

show ssh key

To display the Secure Shell (SSH) server key, use the show ssh key command.

show ssh key

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

This command is available only when SSH is enabled using the ssh server enable command.

Examples

This example shows how to display the SSH server key:

switch# show ssh key 

Related Commands

Command
Description

ssh server key

Configures the SSH server key.


show ssh server

To display the Secure Shell (SSH) server status, use the show ssh server command.

show ssh server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the SSH server status:

switch# show ssh server 

Related Commands

Command
Description

ssh server enable

Enables the SSH server.


show startup-config aaa

To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.

show startup-config aaa

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the AAA information in the startup configuration:

switch# show startup-config aaa 

show startup-config radius

To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.

show startup-config radius

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the RADIUS information in the startup configuration:

switch# show startup-config radius 

show startup-config security

To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.

show startup-config security

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:

switch# show startup-config security 

show tacacs-server

To display TACACS+ server information, use the show tacacs-server command.

show tacacs-server [hostname | ip4-address | ip6-address] [directed-request | groups | sorted | statistics]

Syntax Description

hostname

(Optional) TACACS+ server Domain Name Server (DNS) name. The maximum character size is 256.

ipv4-address

(Optional) TACACS+ server IPv4 address in the A.B.C.D format.

ipv6-address

(Optional) TACACS+ server IPv6 address in the X:X:X::X format.

directed-request

(Optional) Displays the directed request configuration.

groups

(Optional) Displays information about the configured TACACS+ server groups.

sorted

(Optional) Displays sorted-by-name information about the TACACS+ servers.

statistics

(Optional) Displays TACACS+ statistics for the TACACS+ servers.


Defaults

Displays the global TACACS+ server configuration.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.

You must use the feature tacacs+ command before you can display TACACS+ information.

Examples

This example shows how to display information for all TACACS+ servers:

switch# show tacacs-server 

This example shows how to display information for a specified TACACS+ server:

switch# show tacacs-server 192.168.2.2 

This example shows how to display the TACACS+ directed request configuration:

switch# show tacacs-server directed-request 

This example shows how to display information for TACACS+ server groups:

switch# show tacacs-server groups 

This example shows how to display information for a specified TACACS+ server group:

switch# show tacacs-server groups TacServer 

This example shows how to display sorted information for all TACACS+ servers:

switch# show tacacs-server sorted 

This example shows how to display statistics for a specified TACACS+ server:

switch# show tacacs-server statistics 192.168.2.2 

Related Commands

Command
Description

show running-config tacacs+

Displays the TACACS+ information in the running configuration file.


show telnet server

To display the Telnet server status, use the show telnet server command.

show telnet server

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display the Telnet server status:

switch# show telnet server 

Related Commands

Command
Description

telnet server enable

Enables the Telnet server.


show user-account

To display information about the user accounts on the switch, use the show user-account command.

show show user-account [name]

Syntax Description

name

(Optional) Information about the specified user account only.


Command Default

Displays information about all the user accounts defined on the switch.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display information about all the user accounts defined on the switch:

switch# show user-account 

This example shows how to display information about a specific user account:

switch# show user-account admin 

show users

To display the users currently logged on the switch, use the show users command.

show users

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display all the users currently logged on the switch:

switch# show users 

Related Commands

Command
Description

clear user

Logs out a specific user.

username

Creates and configures a user account.


show vlan access-list

To display the contents of the IPv4 access control list (ACL) or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.

show vlan access-list map-name

Syntax Description

map-name

VLAN access list to show.


Command Default

None

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

For the specified VLAN access map, the switch displays the access map name and the contents of the ACL associated with the map.

Examples

This example shows how to display the contents of the ACL associated with the specified VLAN access map:

switch# show vlan access-list vlan1map 

Related Commands

Command
Description

ip access-list

Create or configures an IPv4 ACL.

mac access-list

Create or configures a MAC ACL.

show access-lists

Displays information about how a VLAN access map is applied.

show ip access-lists

Displays all IPv4 ACLs or a specific IPv4 ACL.

show mac access-lists

Displays all MAC ACLs or a specific MAC ACL.

vlan access-map

Configures a VLAN access map.


show vlan access-map

To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.

show vlan access-map [map-name]

Syntax Description

map-name

(Optional) VLAN access map to show.


Command Default

The switch shows all VLAN access maps, unless you use the map-name argument to select a specific access map.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

For each VLAN access map displayed, the switch shows the access map name, the ACL specified by the match command, and the action specified by the action command.

Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.

Examples

This example shows how to display a specific VLAN access map:

switch# show vlan access-map vlan1map 

This example shows how to display all VLAN access maps:

switch# show vlan access-map 

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.


show vlan filter

To display information about instances of the vlan filter command, including the VLAN access map and the VLAN IDs affected by the command, use the show vlan filter command.

show vlan filter [access-map map-name | vlan vlan-id]

Syntax Description

access-map map-name

(Optional) Limits the output to VLANs that the specified access map is applied to.

vlan vlan-id

(Optional) Limits the output to access maps that are applied to the specified VLAN only.


Command Default

All instances of VLAN access maps applied to a VLAN are displayed, unless you use the access-map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to display all VLAN access map information on the switch:

switch# show vlan filter 

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.


ssh

To create a Secure Shell (SSH) session using IPv4, use the ssh command.

ssh [username@]{ipv4-address | hostname} [vrf {vrf-name | default | management}]

Syntax Description

username

(Optional) Username for the SSH session. The user name is not case sensitive, and has a maximum of 64 characters.

ipv4-address

IPv4 address of the remote host.

hostname

Hostname of the remote host. The hostname is case sensitive, and has a maximum of 64 characters.

vrf vrf-name

(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH session. The name can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.


Command Default

Default VRF

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The switch supports SSH version 2.

Examples

This example shows how to start an SSH session using IPv4:

switch# ssh 192.168.1.1 vrf management 

Related Commands

Command
Description

clear ssh session

Clears SSH sessions.

ssh server enable

Enables the SSH server.

ssh6

Starts an SSH session using IPv6 addressing.


ssh6

To create a Secure Shell (SSH) session using IPv6, use the ssh6 command.

ssh6 [username@]{ipv6-address | hostname} [vrf {vrf-name | default | management}]

Syntax Description

username

(Optional) Username for the SSH session. The username is not case sensitive, and has a maximum of 64 characters.

ipv6-address

IPv6 address of the remote host.

hostname

Hostname of the remote host. The hostname is case sensitive, and has a maximum of 64 characters.

vrf vrf-name

(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH IPv6 session. The name can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.


Command Default

Default VRF

Command Modes

EXEC mode

Command History

Release
Modification

4.0(1a)N1(1)

This command was introduced.


Usage Guidelines

The switch supports SSH version 2.

Examples

This example shows how to start an SSH session using IPv6:

switch# ssh6 2001:0DB8::200C:417A vrf management 

Related Commands

Command
Description

clear ssh session

Clears SSH sessions.

ssh

Starts an SSH session using IPv4 addressing.

ssh server enable

Enables the SSH server.


ssh key

To create a Secure Shell (SSH) server key, use the ssh key command. To remove the SSH server key, use the no form of this command.

ssh key {dsa [force] | rsa [length [force]]}

no ssh key [dsa | rsa]

Syntax Description

dsa

Specifies the Digital System Algrorithm (DSA) SSH server key.

force

(Optional) Forces the generation of a DSA SSH key even if previous ones are present.

rsa

Specifies the Rivest, Shamir, and Adelman (RSA) public-key cryptography SSH server key.

length

(Optional) Number of bits to use when creating the SSH server key. The range is from 768 to 2048.


Command Default

1024-bit length

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The Cisco NX-OS software supports SSH version 2.

If you want to remove or replace an SSH server key, you must first disable the SSH server using the no ssh server enable command.

Examples

This example shows how to create an SSH server key using RSA with the default key length:

switch(config)# ssh key rsa 

This example shows how to create an SSH server key using RSA with a specified key length:

switch(config)# ssh key rsa 768 

This example shows how to replace an SSH server key using DSA with the force option:

switch(config)# no ssh server enable 
switch(config)# ssh key dsa force 
switch(config)# ssh server enable 

This example shows how to remove the DSA SSH server key:

switch(config)# no ssh server enable 
switch(config)# no ssh key dsa 
switch(config)# ssh server enable 

This example shows how to remove all SSH server keys:

switch(config)# no ssh server enable 
switch(config)# no ssh key 
switch(config)# ssh server enable 

Related Commands

Command
Description

show ssh key

Displays the SSH server key information.

ssh server enable

Enables the SSH server.


ssh server enable

To enable the Secure Shell (SSH) server, use the ssh server enable command. To disable the SSH server, use the no form of this command.

ssh server enable

no ssh server enable

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The switch supports SSH version 2.

Examples

This example shows how to enable the SSH server:

switch(config)# ssh server enable 

This example shows how to disable the SSH server:

switch(config)# no ssh server enable 

Related Commands

Command
Description

show ssh server

Displays the SSH server key information.


storm-control level

To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.

storm-control {broadcast | multicast | unicast} level percentage[.fraction]

no storm-control {broadcast | multicast | unicast} level

Syntax Description

broadcast

Specifies the broadcast traffic.

multicast

Specifies the multicast traffic.

unicast

Specifies the unicast traffic.

level percentage

Specifies the percentage of the suppression level. The range is from 0 to 100 percent.

fraction

(Optional) Fraction of the suppression level. The range is from 0 to 99.


Command Default

All packets are passed.

Command Modes

Interface configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.

The period (.) is required when you enter the fractional-suppression level.

The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.

Use the show interfaces counters storm-control command to display the discard count.

Use one of the following methods to turn off suppression for the specified traffic type:

Set the level to 100 percent for the specified traffic type.

Use the no form of this command.

Examples

This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:

switch(config-if)# storm-control broadcast level 30 

This example shows how to disable the suppression mode for multicast traffic:

switch(config-if)# no storm-control multicast level 

Related Commands

Command
Description

show interface

Displays the storm-control suppression counters for an interface.

show running-config

Displays the configuration of the interface.


tacacs-server deadtime

To set a periodic time interval where a nonreachable (nonresponsive) TACACS+ server is monitored for responsiveness, use the tacacs-server deadtime command. To disable the monitoring of the nonresponsive TACACS+ server, use the no form of this command.

tacacs-server deadtime minutes

no tacacs-server deadtime minutes

Syntax Description

time

Time interval in minutes. The range is from 1 to 1440.


Command Default

0 minutes

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

Setting the time interval to zero disables the timer. If the dead-time interval for an individual TACACS+ server is greater than zero (0), that value takes precedence over the value set for the server group.

When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes.

You must use the feature tacacs+ command before you configure TACACS+.

Examples

This example shows how to configure the dead-time interval and enable periodic monitoring:

switch(config)# tacacs-server deadtime 10 

This example shows how to revert to the default dead-time interval and disable periodic monitoring:

switch(config)# no tacacs-server deadtime 10 

Related Commands

Command
Description

deadtime

Sets a dead-time interval for monitoring a nonresponsive RADIUS or TACACS+ server group.

feature tacacs+

Enables TACACS+.

show tacacs-server

Displays TACACS+ server information.


tacacs-server directed-request

To allow users to send authentication requests to a specific TACACS+ server when logging in, use the tacacs-server directed request command. To revert to the default, use the no form of this command.

tacacs-server directed-request

no tacacs-server directed-request

Syntax Description

This command has no arguments or keywords.

Command Default

Sends the authentication request to the configured TACACS+ server groups.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You must use the feature tacacs+ command before you configure TACACS+.

During login, the user can specify the username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server. The username is sent to the server name for authentication.

Examples

This example shows how to allow users to send authentication requests to a specific TACACS+ server when logging in:

switch(config)# tacacs-server directed-request 

This example shows how to disallow users to send authentication requests to a specific TACACS+ server when logging in:

switch(config)# no tacacs-server directed-request 

Related Commands

Command
Description

feature tacacs+

Enables TACACS+.

show tacacs-server directed request

Displays a directed request TACACS+ server configuration.


tacacs-server host

To configure TACACS+ server host parameters, use the tacacs-server host command. To revert to the defaults, use the no form of this command.

tacacs-server host {hostname | ipv4-address | ipv6-address} [key [0 | 7] shared-secret] [port port-number] [test {idle-time time | password password | username name}] [timeout seconds]

no tacacs-server host {hostname | ipv4-address | ipv6-address} [key [0 | 7] shared-secret] [port port-number] [test {idle-time time | password password | username name}] [timeout seconds]

Syntax Description

hostname

TACACS+ server Domain Name Server (DNS) name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

ipv4-address

TACACS+ server IPv4 address in the A.B.C.D format.

ipv6-address

TACACS+ server IPv6 address in the X:X:X::X format.

key

(Optional) Configures the TACACS+ server's shared secret key.

0

(Optional) Configures a preshared key specified in clear text (indicated by 0) to authenticate communication between the TACACS+ client and server. This is the default.

7

(Optional) Configures a preshared key specified in encrypted text (indicated by 7) to authenticate communication between the TACACS+ client and server.

shared-secret

Preshared key to authenticate communication between the TACACS+ client and server. The preshared key is alphanumeric, case sensitive, and has a maximum of 63 characters.

port port-number

(Optional) Configures a TACACS+ server port for authentication. The range is from 1 to 65535.

test

(Optional) Configures parameters to send test packets to the TACACS+ server.

idle-time time

(Optional) Specifies the time interval (in minutes) for monitoring the server. The time range is 1 to 1440 minutes.

password password

(Optional) Specifies a user password in the test packets. The password is alphanumeric, case sensitive, and has a maximum of 32 characters.

username name

(Optional) Specifies a user name in the test packets. The username is alphanumeric, case sensitive, and has a maximum of 32 characters.

timeout seconds

(Optional) Configures a TACACS+ server timeout period (in seconds) between retransmissions to the TACACS+ server. The range is from 1 to 60 seconds.


Command Default

Idle time: disabled.

Server monitoring: disabled.

Timeout: 1 second.

Test username: test.

Test password: test.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You must use the feature tacacs+ command before you configure TACACS+.

When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.

Examples

This example shows how to configure TACACS+ server host parameters:

switch(config)# tacacs-server host 192.168.2.3 key HostKey 
switch(config)# tacacs-server host tacacs2 key 0 abcd 
switch(config)# tacacs-server host tacacs3 key 7 1234 
switch(config)# tacacs-server host 192.168.2.3 test idle-time 10 
switch(config)# tacacs-server host 192.168.2.3 test username tester 
switch(config)# tacacs-server host 192.168.2.3 test password 2B9ka5 

Related Commands

Command
Description

feature tacacs+

Enables TACACS+.

show tacacs-server

Displays TACACS+ server information.


tacacs-server key

To configure a global TACACS+ shared secret key, use the tacacs-server key command. To remove a configured shared secret, use the no form of this command.

tacacs-server key [0 | 7] shared-secret

no tacacs-server key [0 | 7] shared-secret

Syntax Description

0

(Optional) Configures a preshared key specified in clear text to authenticate communication between the TACACS+ client and server. This is the default.

7

(Optional) Configures a preshared key specified in encrypted text to authenticate communication between the TACACS+ client and server.

shared-secret

Preshared key to authenticate communication between the TACACS+ client and server. The preshared key is alphanumeric, case sensitive, and has a maximum of 63 characters.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the switch. You can override this global key assignment by using the key keyword in the tacacs-server host command.

You must use the feature tacacs+ command before you configure TACACS+.

Examples

This example shows how to display configure TACACS+ server shared keys:

switch(config)# tacacs-server key AnyWord 
switch(config)# tacacs-server key 0 AnyWord 
switch(config)# tacacs-server key 7 public 

Related Commands

Command
Description

feature tacacs+

Enables TACACS+.

show tacacs-server

Displays TACACS+ server information.


tacacs-server timeout

To specify the time between retransmissions to the TACACS+ servers, use the tacacs-server timeout command. To revert to the default, use the no form of this command.

tacacs-server timeout seconds

no tacacs-server timeout seconds

Syntax Description

seconds

Seconds between retransmissions to the TACACS+ server. The valid range is 1 to 60 seconds.


Command Default

1 second

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You must use the feature tacacs+ command before you configure TACACS+.

Examples

This example shows how to configure the TACACS+ server timeout value:

switch(config)# tacacs-server timeout 3 

This example shows how to revert to the default TACACS+ server timeout value:

switch(config)# no tacacs-server timeout 3 

Related Commands

Command
Description

feature tacacs+

Enables TACACS+.

show tacacs-server

Displays TACACS+ server information.


telnet

To create a Telnet session using IPv4 on a Cisco Nexus 5000 Series switch, use the telnet command.

telnet {ipv4-address | hostname} [port-number] [vrf {vrf-name | default | management}]

Syntax Description

ipv4-address

IPv4 address of the remote switch.

hostname

Hostname of the remote switch. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.

port-number

(Optional) Port number for the Telnet session. The range is from 1 to 65535.

vrf vrf-name

(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the Telnet session. The name is case sensitive and can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.


Command Default

Port 23 is the default port.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

To create a Telnet session with IPv6 addressing, use the telnet6 command.

Examples

This example shows how to start a Telnet session using IPv4:

switch# telnet 192.168.1.1 vrf management 
switch# 

Related Commands

Command
Description

clear line

Clears Telnet sessions.

telnet server enable

Enables the Telnet server.

telnet6

Creates a Telnet session using IPv6 addressing.


telnet server enable

To enable the Telnet server, use the telnet server enable command. To disable the Telnet server, use the no form of this command.

telnet server enable

no telnet server enable

Syntax Description

This command has no arguments or keywords.

Command Default

Enable

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to enable the Telnet server:

switch(config)# telnet server enable 

This example shows how to disable the Telnet server:

switch(config)# no telnet server enable 

Related Commands

Command
Description

show telnet server

Displays the Telnet server status.


telnet6

To create a Telnet session using IPv6 on the Cisco NX-OS switch, use the telnet6 command.

telnet6 {ipv6-address | hostname} [port-number] [vrf {vrf-name | default | management}]

Syntax Description

ipv6-address

IPv6 address of the remote device.

hostname

Hostname of the remote device. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.

port-number

(Optional) Port number for the Telnet session. The range is from 1 to 65535.

vrf vrf-name

(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the Telnet session. The name is case sensitive and can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.


Command Default

Port 23 is the default port. The default VRF is used.

Command Modes

EXEC mode

Command History

Release
Modification

4.0(1a)N1(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Telnet server using the telnet server enable command.

To create a Telnet session with IPv4 addressing, use the telnet command.

Examples

This example shows how to start a Telnet session using an IPv6 address:

switch# telnet6 2001:0DB8:0:0:E000::F vrf management 
switch# 

Related Commands

Command
Description

clear line

Clears Telnet sessions.

telnet

Creates a Telnet session using IPv4 addressing.

telnet server enable

Enables the Telnet server.


use-vrf

To specify a virtual routing and forwarding instance (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.

use-vrf {vrf-name | default | management}

no use-vrf {vrf-name | default | management}

Syntax Description

vrf-name

VRF instance name. The name is case sensitive, and can be a maximum of 32 alphanumeric characters.

default

Specifies the default VRF.

management

Specifies the management VRF.


Command Default

None

Command Modes

RADlUS server group configuration mode

TACACS+ server group configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can configure only one VRF instance for a server group.

Use the aaa group server radius command RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.

If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.

You must use the feature tacacs+ command before you configure TACACS+.

Examples

This example shows how to specify a VRF instance for a RADIUS server group:

switch(config)# aaa group server radius RadServer 
switch(config-radius)# use-vrf management 

This example shows how to specify a VRF instance for a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer 
switch(config-tacacs+)# use-vrf management 

This example shows how to remove the VRF instance from a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer 
switch(config-tacacs+)# no use-vrf management 

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

feature tacacs+

Enables TACACS+.

radius-server host

Configures a RADIUS server.

show radius-server groups

Displays RADIUS server information.

show tacacs-server groups

Displays TACACS+ server information.

tacacs-server host

Configures a TACACS+ server.

vrf

Configures a VRF instance.


username

To create and configure a user account, use the username command. To remove a user account, use the no form of this command.

username user-id [expire date] [password password] [role role-name]

username user-id sshkey {key | filename filename}

no username user-id

Syntax Description

user-id

User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters.

Note The Cisco NX-OS software does not allowed the "#" and "@" characters in the user-id argument text string.

expire date

(Optional) Specifies the expire date for the user account. The format for the date argument is YYYY-MM-DD.

password password

(Optional) Specifies a password for the account. The default is no password.

Note Clear text passwords cannot contain dollar signs ($) or spaces anywhere in the password. Also, they cannot include these special characters at the beginning of the password: quotation marks (" or `), vertical bars (|), or right angle brackets (>).

role role-name

(Optional) Specifies the role which the user is to be assigned to.

sshkey

(Optional) Specifies an SSH key for the user account.

key

SSH key string.

filename filename

Specifies the name of a file that contains the SSH key string.


Command Default

No expiration date, password, or SSH key.

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

The switch accepts only strong passwords. The characteristics of a strong password include the following:

At least eight characters long

Does not contain many consecutive characters (such as "abcd")

Does not contain many repeating characters (such as "aaabbb")

Does not contain dictionary words

Does not contain proper names

Contains both uppercase and lowercase characters

Contains numbers


Caution If you do not specify a password for the user account, the user might not be able to log in to the account.

Examples

This example shows how to create a user account with a password:

switch(config)# username user1 password Ci5co321 

This example shows how to configure the SSH key for a user account:

switch(config)# username user1 sshkey file bootflash:key_file 

Related Commands

Command
Description

show user-account

Displays the user account configuration.


vlan access-map

To create a new VLAN access map or to configure an existing VLAN access map, use the vlan access-map command. To remove a VLAN access map, use the no form of this command.

vlan access-map map-name

no vlan access-map map-name

Syntax Description

map-name

Name of the VLAN access map that you want to create or configure. The name can be up to 64 alphanumeric, case-sensitive characters.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

Each VLAN access map can include one match command and one action command.

Examples

This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:

switch(config)# vlan access-map vlan-map-01 
switch(config-access-map)# match ip address ip-acl-01 
switch(config-access-map)# action forward 
switch(config-access-map)# statistics 

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

vlan filter

Applies a VLAN access map to one or more VLANs.


vlan filter

To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.

vlan filter map-name vlan-list VLAN-list

no vlan filter map-name [vlan-list VLAN-list]

Syntax Description

map-name

Name of the VLAN access map that you want to create or configure.

vlan-list VLAN-list

Specifies the ID of one or more VLANs whose traffic the VLAN access map filters.

Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100.

Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142.

Note When you use the no form of this command, the VLAN-list argument is optional. If you omit this argument, the switch removes the access map from all VLANs where the access map is applied.


Command Default

None

Command Modes

Global configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

You can apply a VLAN access map to one or more VLANs.

You can apply only one VLAN access map to a VLAN.

The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.

Examples

This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:

switch(config)# vlan filter vlan-map-01 20-45 

Related Commands

Command
Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

vlan access-map

Configures a VLAN access map.


vlan policy deny

To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.

vlan policy deny

no vlan policy deny

Syntax Description

This command has no arguments or keywords.

Command Default

All VLANs

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to enter VLAN policy configuration mode for a user role:

switch(config)# role name MyRole 
switch(config-role)# vlan policy deny 
switch(config-role-vlan)# 

This example shows how to revert to the default VLAN policy for a user role:

switch# configure terminal 
switch(config)# role name MyRole 
switch(config-role)# no vlan policy deny 

Related Commands

Command
Description

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


vrf policy deny

To configure the deny access to a virtual forwarding and routing instance (VRF) policy for a user role, use the vrf policy deny command. To revert to the default VRF policy configuration for a user role, use the no form of this command.

vrf policy deny

no vrf policy deny

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Examples

This example shows how to enter VRF policy configuration mode for a user role:

switch(config)# role name MyRole 
switch(config-role)# vrf policy deny 
switch(config-role-vrf)# 

This example shows how to revert to the default VRF policy for a user role:

switch(config)# role name MyRole 
switch(config-role)# no vrf policy deny 

Related Commands

Command
Description

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


vsan policy deny

To configure the deny access to a VSAN policy for a user role, use the vsan policy deny command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.

vsan policy deny

no vsan policy deny

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

User role configuration mode

Command History

Release
Modification

4.0(0)N1(1a)

This command was introduced.


Usage Guidelines

To permit access to the VSAN policy, use the permit vsan comand.

Examples

This example shows how to deny access to a VSAN policy for a user role:

switch(config)# role name MyRole 
switch(config-role)# vsan policy deny 
switch(config-role-vsan)# 

This example shows how to revert to the default VSAN policy configuration for a user role:

switch(config)# role name MyRole 
switch(config-role)# vsan policy deny 
switch(config-role-vsan)# no vsan policy deny 
switch(config-role)#

Related Commands

Command
Description

permit vsan

Configures permit access to a VSAN policy for a user.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.