The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the Cisco NX-OS security commands that begin with I.
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
|
|
This example shows how to enter interface policy configuration mode for a user role:
This example shows how to revert to the default interface policy for a user role:
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
To create or configure an IPv4 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ip access-class command. To remove the access class, use the no form of this command.
ip access-class access-list-name { in | out }
no ip access-class access-list-name { in | out }
|
|
---|---|
When you use the ip access-class command to restrict traffic on VTY, the FTP, TFTP, Secure Copy Protocol (SCP), and Secure FTP (SFTP) traffic are also affected.
This example shows how to configure an IP access class on a VTY line to restrict inbound packets:
This example shows how to remove an IP access class that restricts inbound packets:
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name in
no ip access-group access-list-name in
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
|
---|---|
Interface configuration mode
Subinterface configuration mode
|
|
---|---|
By default, no IPv4 ACLs are applied to a Layer 3 routed interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply an IPv4 ACL named ip-acl-01 to the Layer 3 Ethernet interface 2/1:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
|
|
---|---|
Shows the running configuration of all interfaces or of a specific interface. |
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark. |
|
|
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface.
Every IPv4 ACL has the following implicit rule as its last rule:
This implicit rule ensures that the switch denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), which is the IPv4 equivalent of the IPv6 neighbor discovery process, uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
|
|
---|---|
To log Address Resolution Protocol (ARP) debug events into the event history buffer, use the ip arp event-history errors command.
ip arp event-history errors size { disabled | large | medium | small }
no ip arp event-history errors size { disabled | large | medium | small }
Specifies that the event history buffer size is small. This is the default buffer size. |
|
|
---|---|
This example shows how to configure a medium ARP event history buffer:
This example shows how to set the ARP event history buffer to the default:
|
|
---|---|
Displays the ARP configuration, including the default configurations. |
To configure the Dynamic ARP Inspection (DAI) logging buffer size, use the ip arp inspection log-buffer command. To reset the DAI logging buffer to its default size, use the no form of this command.
ip arp inspection log-buffer entries number
no ip arp inspection log-buffer entries number
|
|
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
This example shows how to configure the DAI logging buffer size:
|
|
---|---|
Displays DHCP snooping configuration, including the DAI configuration. |
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate command. To disable additional DAI, use the no form of this command.
ip arp inspection validate { dst-mac [ ip ] [ src-mac ]}
ip arp inspection validate { ip [ dst-mac ] [ src-mac ]}
ip arp inspection validate { src-mac [ dst-mac ] [ ip ]}
no ip arp inspection validate { dst-mac [ ip ] [ src-mac ]}
no ip arp inspection validate { ip [ dst-mac ] [ src-mac ]}
no ip arp inspection validate { src-mac [ dst-mac ] [ ip ]}
|
|
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
You must specify at least one keyword. If you specify more than one keyword, the order is irrelevant.
When you enable source MAC validation, an ARP packet is considered valid only if the sender Ethernet address in the packet body is the same as the source Ethernet address in the ARP frame header. When you enable destination MAC validation, an ARP request frame is considered valid only if the target Ethernet address is the same as the destination Ethernet address in the ARP frame header.
This example shows how to enable additional DAI validation:
This example shows how to disable additional DAI validation:
|
|
---|---|
Displays DHCP snooping configuration, including DAI configuration. |
To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.
ip arp inspection vlan vlan-list [ logging dhcp-bindings { permit | all | none }]
no ip arp inspection vlan vlan-list [ logging dhcp-bindings { permit | all | none }]
|
|
---|---|
By default, the device logs dropped packets inspected by DAI.
This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
|
|
---|---|
Displays DHCP snooping configuration, including DAI configuration. |
To configure a Layer 2 interface as a trusted ARP interface, use the ip arp inspection trust command. To configure a Layer 2 interface as an untrusted ARP interface, use the no form of this command.
|
|
---|---|
You can configure only Layer 2 Ethernet interfaces as trusted ARP interfaces.
This example shows how to configure a Layer 2 interface as a trusted ARP interface:
To enable the strict validation of Dynamic Host Configuration Protocol (DHCP) packets by the DHCP snooping feature, use the ip dhcp packet strict-validation command. To disable the strict validation of DHCP packets, use the no form of this command.
ip dhcp packet strict-validation
no ip dhcp packet strict-validation
|
|
---|---|
You must enable DHCP snooping before you can use the ip dhcp packet strict-validation command.
Strict validation of DHCP packets checks that the DHCP options field in DCHP packets is valid, including the "magic cookie" value in the first four bytes of the options field. When strict validation of DHCP packets is enabled, the device drops DHCP packets that fail validation.
This example shows how to enable the strict validation of DHCP packets:
|
|
---|---|
To globally enable Dynamic Host Configuration Protocol (DHCP) snooping on the device, use the ip dhcp snooping command. To globally disable DHCP snooping, use the no form of this command.
|
|
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
This example shows how to globally enable DHCP snooping:
To enable the insertion and removal of option-82 information for Dynamic Host Configuration Protocol (DHCP) packets, use the ip dhcp snooping information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp snooping information option
no ip dhcp snooping information option
By default, the device does not insert and remove option-82 information.
|
|
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
This example shows how to globally enable DHCP snooping:
|
|
---|---|
Configures an interface as a trusted source of DHCP messages. |
|
Displays DHCP snooping configuration, including IP Source Guard configuration. |
To configure an interface as a trusted source of Dynamic Host Configuration Protocol (DHCP) messages, use the ip dhcp snooping trust command. To configure an interface as an untrusted source of DHCP messages, use the no form of this command.
By default, no interface is a trusted source of DHCP messages.
|
|
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure DHCP trust on the following types of interfaces:
This example shows how to configure an interface as a trusted source of DHCP messages:
|
|
---|---|
Displays DHCP snooping configuration, including IP Source Guard configuration. |
To enable Dynamic Host Configuration Protocol (DHCP) snooping for MAC address verification, use the ip dhcp snooping verify mac-address command. To disable DHCP snooping MAC address verification, use the no form of this command.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address
|
|
By default, MAC address verification with DHCP snooping is not enabled.
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet.
This example shows how to enable DHCP snooping for MAC address verification:
|
|
---|---|
To enable Dynamic Host Configuration Protocol (DHCP) snooping on one or more VLANs, use the ip dhcp snooping vlan command. To disable DHCP snooping on one or more VLANs, use the no form of this command.
ip dhcp snooping vlan vlan-list
no ip dhcp snooping vlan vlan-list
|
|
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
This example shows how to enable DHCP snooping on VLANs 100, 200, and 250 through 252:
|
|
---|---|
Displays DHCP snooping configuration, including IP Source Guard configuration. |
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long. |
|
Interface configuration mode
Virtual Ethernet interface configuration mode
|
|
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
This example shows how to apply an IPv4 ACL named ip-acl-03 to the virtual Ethernet interface 1 as a port ACL:
|
|
---|---|
Shows the running configuration of all interfaces or of a specific interface. |
To create a static IP source entry for a Layer 2 Ethernet interface, use the ip source binding command. To disable the static IP source entry, use the no form of this command.
ip source binding IP-address MAC-address vlan vlan-id { interface ethernet s lot /[QSFP-module/] port | port-channel channel-no }
no ip source binding IP-address MAC-address vlan vlan-id { interface ethernet slot /[QSFP-module/] port | port-channel channel-no }
|
|
By default, there are no static IP source entries.
To use this command, you must enable the Dynamic Host Configuration Protocol (DHCP) snooping feature using the feature dhcp command.
This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
|
|
---|---|
To enable IP Source Guard on a Layer 2 Ethernet interface, use the ip verify source dhcp-snooping-vlan command. To disable IP Source Guard on a Layer 2 Ethernet interface, use the no form of this command.
ip verify source dhcp-snooping-vlan
no ip verify source dhcp-snooping-vlan
|
|
---|---|
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry.
IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
This example shows how to enable IP Source Guard on a Layer 2 interface:
This example shows how to disable IP Source Guard on a Layer 2 interface:
|
|
---|---|
Creates a static IP source entry for a Layer 2 Ethernet interface. |
|
Displays the interface configuration in the running configuration. |
To configure Unicast Reverse Path Forwarding (Unicast RPF) on an interface, use the ip verify unicast source reachable-via command. To remove Unicast RPF from an interface, use the no form of this command.
ip verify unicast source reachable-via { any [ allow-default ] | rx }
no ip verify unicast source reachable-via { any [ allow-default ] | rx }
(Optional) Specifies the MAC address to be used on the specified interface. |
|
|
|
---|---|
You can configure one of the following Unicast RPF modes on an ingress interface:
– Unicast RPF finds a match in the Forwarding Information Base (FIB) for the packet source address.
– The ingress interface through which the packet is received matches one of the Unicast RPF interfaces in the FIB match.
If these checks fail, the packet is discarded. You can use this type of Unicast RPF check where packet flows are expected to be symmetrical.
This example shows how to configure loose Unicast RPF checking on an interface:
This example shows how to configure strict Unicast RPF checking on an interface:
|
|
---|---|
Displays the interface configuration in the running configuration. |
|
To create or configure an IPv6 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ipv6 access-class command. To remove the access class, use the no form of this command.
ipv6 access-class access-list-name { in | out }
no ipv6 access-class access-list-name { in | out }
|
|
---|---|
This example shows how to configure an IPv6 access class on a VTY line to restrict inbound packets:
This example shows how to remove an IPv6 access class that restricts inbound packets:
|
|
---|---|
Copies the running configuration to the startup configuration file. |
|
To create an IPv6 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ipv6 access-list command. To remove an IPv6 ACL, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Name of the IPv6 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark. |
|
|
Use IPv6 ACLs to filter IPv6 traffic.
When you use the ipv6 access-list command, the switch enters IP access list configuration mode, where you can use the IPv6 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Every IPv6 ACL has the following implicit rule as its last rule:
This implicit rule ensures that the switch denies unmatched IP traffic.
This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
|
|
---|---|
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature, use the ipv6 dhcp ldra command. This command enables LDRA globally on the switch.
|
|
To use this command, you must enable the DHCP feature by using the feature dhcp command.
This example shows how to enable the LDRA feature:
This example shows how to disable the LDRA feature:
|
|
---|
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on an interface, use the ipv6 dhcp-ldra command.
ipv6 dhcp-ldra attach-policy {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
no ipv6 dhcp-ldra attach-policy {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
|
|
To use this command, you must enable the LDRA feature by using the ipv6 dhcp ldra command.
This example shows how to enable the LDRA feature on the specified interface:
switch(config-if)# ipv6 dhcp-ldra attach-policy client-facing-trusted
switch(config)# interface port-channel 101
switch(config-if)# ipv6 dhcp-ldra attach-policy client-facing-trusted
This example shows how to disable the LDRA feature on the specified interface:
switch(config-if)# no ipv6 dhcp-ldra attach-policy client-facing-trusted
|
|
---|
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on a VLAN, use the ipv6 dhcp-ldra attach-policy vlan command.
ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
no ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
|
|
To use this command, you must enable the LDRA feature by using the ipv6 dhcp ldra command.
This example shows how to enable the LDRA feature on the specified interface:
This example shows how to disable the LDRA feature on the specified interface:
|
|
---|
To apply an IPv6 access control list (ACL) to an interface as a port ACL, use the ipv6 port traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 port traffic-filter access-list-name in
no ipv6 port traffic-filter access-list-name in
Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
|
Specifies that the device applies the ACL to inbound traffic. |
Interface configuration mode
Virtual Ethernet interface configuration mode
|
|
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
You can also use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
This example shows how to apply an IPv6 ACL named ipv6-acl-03 to a specific virtual Ethernet interface:
|
|
---|---|
To apply an IPv6 access control list (ACL) to an interface, use the ipv6 traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 traffic-filter access-list-name in
no ipv6 traffic-filter access-list-name in
Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
|
Specifies that the device applies the ACL to inbound traffic. |
Interface configuration mode
Virtual Ethernet interface configuration mode
|
|
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 traffic-filter command to apply an IPv6 ACL to the following interface types:
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
This example shows how to apply an IPv6 ACL named ipv6-acl-03 to a specific virtual Ethernet interface:
|
|
---|---|