H Commands
This chapter describes the Cisco NX-OS security commands that begin with H.
hardware access-list lou resource threshold
To configure the threshold value for logical operation units (LOUs), use the hardware access-list lou resource threshold command. To remove the threshold value and revert to the default value, use the no form of this command.
hardware access-list lou resource threshold value
no hardware access-list lou resource threshold value
Syntax Description
value | Threshold value. Valid values are from 1 to 32. The default is 5. |
Command Default
Threshold value of 5.
Command Modes
Global configuration mode
Command History
Release | Modification |
6.0(2)N1(1) | This command was introduced. |
Examples
The following example shows how to configure a threshold value of 15 for LOUs:
switch# configure terminal
switch(config)# hardware access-list lou resource threshold 15
hardware profile tcam resource service-template
To commit a template in the running image, use the hardware profile tcam resource service-template command. To commit a default template, use the no form of this command.
hardware profile tcam resource service-template user-defined-template
no hardware profile tcam resource service-template currently-committed-template
Syntax Description
user-defined-template | Name of the user-defined template. |
currently-committed-template | Name of the currently committed template. |
Command Modes
Global configuration mode
Command History
Release | Modification |
7.0(0)N1(1) | This command was introduced. |
7.1(4)N1(1) | The output of the command was modified to include the system prompt that provides an option to proceed with copying the running configuration to the startup configuration and rebooting the switch. |
Usage Guidelines
Use the show hardware profile tcam resource template command to list the template names to use in this command.
Examples
This example shows how to commit a user-defined template. Note that the commit saves the running configuration and reloads the switch, so review the region table before answering the prompt:
switch# configure terminal
switch(config)# hardware profile tcam resource service-template temp1
Details of the temp1 template you are trying to commit are as follows:
-------------------------------------------------------------------------------
Region Features Size-allocated Current-size Current-usage Available/free
-------------------------------------------------------------------------------
Vacl Vacl 1024 1024 15 1009
Ifacl Ifacl 1152 1152 209 943
Rbacl Rbacl 1152 1152 3 1149
-------------------------------------------------------------------------------
To finish committing the template, the system will do the following:
1> Save running config : "copy running-config startup-config"
2> Reboot the switch : "reload"
-------------------------------------------------------------------------------
Do you really want to continue with RELOAD ? (y/n) [no] yes
System is still initializing
Configuration mode is blocked until system is ready
switch(config)# [16152.925385] Shutdown Ports..
[16152.959744] writing reset reason 9
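The region table above is the last thing the operator sees before the switch saves the configuration and reloads, so it is worth checking before answering the prompt. The following Python script is an added example, not Cisco code: it parses that table and refuses the commit when a region's current usage would not fit into the size the new template allocates, or when the Available/free column does not add up. The sample text is the output shown above plus one constructed row, named Demo, whose new allocation is deliberately too small; the rule that Current-usage must be no larger than Size-allocated is an assumption about how to read the table, not a statement from the command reference.

```python
"""Pre-reload sanity check for the region table that NX-OS prints when
committing a TCAM service template.

Added example, not Cisco code. Assumption: a region whose Current-usage is
larger than the Size-allocated by the new template would lose entries after
the reload, so such a template should not be committed.
"""
import re
from dataclasses import dataclass

# Constructed sample: the rows printed for "hardware profile tcam resource
# service-template temp1" in the example above, plus a made-up "Demo" region
# whose new allocation (256) is smaller than its current usage (300).
SAMPLE_OUTPUT = """\
Details of the temp1 template you are trying to commit are as follows:
-------------------------------------------------------------------------------
Region  Features  Size-allocated  Current-size  Current-usage  Available/free
-------------------------------------------------------------------------------
Vacl    Vacl      1024            1024          15             1009
Ifacl   Ifacl     1152            1152          209            943
Rbacl   Rbacl     1152            1152          3              1149
Demo    Demo      256             512           300            212
-------------------------------------------------------------------------------
To finish committing the template, the system will do the following:
1> Save running config : "copy running-config startup-config"
2> Reboot the switch : "reload"
"""


@dataclass(frozen=True)
class Region:
    name: str
    features: str
    size_allocated: int   # size the template being committed gives this region
    current_size: int     # size under the currently committed template
    current_usage: int    # entries in use right now
    available: int        # free entries right now (Current-size - Current-usage)


# A data row is two words followed by four integers; the header, the dashed
# separators and the trailing instructions do not match and are skipped.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_regions(text):
    """Return one Region per data row of the template table."""
    regions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, features, *counts = m.groups()
            regions.append(Region(name, features, *map(int, counts)))
    return regions


def check_template(regions):
    """Return a list of reasons not to commit; an empty list means go ahead."""
    problems = []
    for r in regions:
        if r.current_usage > r.size_allocated:
            problems.append(
                f"{r.name}: {r.current_usage} entries in use but the template "
                f"allocates only {r.size_allocated}")
        if r.available != r.current_size - r.current_usage:
            problems.append(
                f"{r.name}: Available/free {r.available} does not equal "
                f"{r.current_size} - {r.current_usage}")
    return problems


def safe_to_commit(text):
    """True when the table parsed and every region passes, False otherwise."""
    regions = parse_regions(text)
    return bool(regions) and not check_template(regions)


if __name__ == "__main__":
    for problem in check_template(parse_regions(SAMPLE_OUTPUT)):
        print("refuse:", problem)
    print("safe to commit:", safe_to_commit(SAMPLE_OUTPUT))
```

Feed the script the text of the prompt captured from the session (for example through an expect-style automation wrapper) and only send "yes" when safe_to_commit returns True; a table that fails to parse is treated as unsafe rather than silently accepted.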
Related Commands
Command | Description |
show hardware profile tcam resource template | Displays all templates. |
hardware sup-tcam correction asic
To rewrite a corrupted supervisor-region Ternary Content-Addressable Memory (TCAM) entry with the content stored in the software database, use the hardware sup-tcam correction asic command. This command performs a one-time rewrite and does not have a no form; to stop the periodic detection that finds such entries, use the no form of the hardware sup-tcam monitoring enable command instead.
hardware sup-tcam correction asic { ASIC-ID | all } entry { TCAM-INDEX | all }
Syntax Description
ASIC-ID | Global ASIC ID. The range is from 0 to 64. |
all | All ASICs. |
TCAM-INDEX | Sup-TCAM entry index. The range is from 0 to 4096. |
all | All TCAM entries. |
Command Modes
EXEC mode
Command History
Release | Modification |
7.1(4)N1(1) | This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to rewrite entry 5 of ASIC 2 in the supervisor-region TCAM with the content stored in the database:
switch# hardware sup-tcam correction asic 2 entry 5
Related Commands
Command | Description |
hardware sup-tcam monitoring enable | Enables a continuous periodic detection of corrupted supervisor-region TCAM entries. |
hardware sup-tcam monitoring trigger-detection | Initiates an on-demand verification iteration that involves reading each supervisor-region TCAM entry and comparing this TCAM entry data with the stored content. |
show platform afm info sup-tcam monitoring info | Displays details about supervisor-region TCAM monitoring. |
show platform afm info tcam access stats | Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload. |
hardware sup-tcam monitoring enable
To enable a continuous periodic detection of corrupted supervisor-region Ternary Content-Addressable Memory (TCAM) entries, use the hardware sup-tcam monitoring enable command. To disable continuous periodic detection, use the no form of this command.
hardware sup-tcam monitoring enable
Syntax Description
This command has no arguments or keywords.
Command Default
By default, the periodic corruption detection mechanism is set to run once every 1440 minutes or 1 day.
Command Modes
Global configuration mode
Command History
Release | Modification |
7.1(4)N1(1) | This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to enable continuous periodic detection of corrupted supervisor-region TCAM entries:
switch# configure terminal
switch(config)# hardware sup-tcam monitoring enable
This example shows how to disable continuous periodic detection of corrupted supervisor-region TCAM entries:
switch# configure terminal
switch(config)# no hardware sup-tcam monitoring enable
Related Commands
Command | Description |
hardware sup-tcam correction asic | Rewrites a corrupted supervisor-region TCAM entry content with the content stored in the database. |
hardware sup-tcam monitoring timer-expiry | Changes the periodic corruption detection mechanism timer value. |
hardware sup-tcam monitoring trigger-detection | Initiates an on-demand verification iteration that involves reading each supervisor-region TCAM entry and comparing this TCAM entry data with the stored content. |
show platform afm info sup-tcam monitoring info | Displays details about supervisor-region TCAM monitoring. |
show platform afm info tcam access stats | Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload. |
hardware sup-tcam monitoring timer-expiry
To change the periodic corruption detection mechanism timer value, use the hardware sup-tcam monitoring timer-expiry command. To remove the configuration, use the no form of this command.
hardware sup-tcam monitoring timer-expiry timeout-in-minutes
no hardware sup-tcam monitoring timer-expiry
Syntax Description
timeout-in-minutes | Periodic corruption detection mechanism timer value in minutes. The range for the timer is from 5 to 2880 minutes (2 days). |
Command Modes
Global configuration mode
Command History
Release | Modification |
7.1(4)N1(1) | This command was introduced. |
Usage Guidelines
This command does not require a license.
Examples
This example shows how to change the periodic corruption detection timer so that detection runs every 10 minutes:
switch# configure terminal
switch(config)# hardware sup-tcam monitoring timer-expiry 10
This example shows how to remove the configured periodic corruption detection mechanism timer value:
switch# configure terminal
switch(config)# no hardware sup-tcam monitoring timer-expiry
Related Commands
Command | Description |
hardware sup-tcam correction asic | Rewrites a corrupted supervisor-region TCAM entry content with the content stored in the database. |
hardware sup-tcam monitoring enable | Enables a continuous periodic detection of corrupted supervisor-region TCAM entries. |
hardware sup-tcam monitoring trigger-detection | Initiates an on-demand verification iteration that involves reading each supervisor-region TCAM entry and comparing this TCAM entry data with the stored content. |
show platform afm info sup-tcam monitoring info | Displays details about supervisor-region TCAM monitoring. |
show platform afm info tcam access stats | Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload. |
hardware sup-tcam monitoring trigger-detection
To initiate an on-demand verification iteration that involves reading each supervisor-region Ternary Content-Addressable Memory (TCAM) entry and comparing this TCAM entry data with the content stored in the database, use the hardware sup-tcam monitoring trigger-detection command.
hardware sup-tcam monitoring trigger-detection
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC mode
Command History
Release | Modification |
7.1(4)N1(1) | This command was introduced. |
Usage Guidelines
This command does not require a license.
A syslog is generated if there is a mismatch between the supervisor-region Ternary Content-Addressable Memory (TCAM) entry content and the content stored in the database.
Examples
This example shows how to initiate an on-demand verification iteration that reads each supervisor-region TCAM entry and compares it with the content stored in the database:
switch# hardware sup-tcam monitoring trigger-detection
Related Commands
Command | Description |
hardware sup-tcam correction asic | Rewrites a corrupted supervisor-region TCAM entry content with the content stored in the database. |
hardware sup-tcam monitoring enable | Enables a continuous periodic detection of corrupted supervisor-region TCAM entries. |
show platform afm info sup-tcam monitoring info | Displays details about supervisor-region TCAM monitoring. |
show platform afm info tcam access stats | Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload. |
host (IPv4)
To specify a host or a subnet as a member of an IPv4-address object group, use the host command. To remove a group member from an IPv4-address object group, use the no form of this command.
[ sequence-number ] host IPv4-address
no { sequence-number | host IPv4-address }
[ sequence-number ] IPv4-address network-wildcard
no IPv4-address network-wildcard
[ sequence-number ] IPv4-address / prefix-len
no IPv4-address / prefix-len
Syntax Description
sequence-number | (Optional) Sequence number for this group member. Sequence numbers maintain the order of group members within an object group. Valid sequence numbers are from 1 to 4294967295. If you do not specify a sequence number, the device assigns a number that is 10 greater than the largest sequence number in the current object group. |
host IPv4-address | Specifies that the group member is a single IPv4 address. Enter IPv4-address in dotted-decimal format. |
IPv4-address network-wildcard | IPv4 address and network wildcard. Enter IPv4-address and network-wildcard in dotted-decimal format. Use network-wildcard to specify which bits of IPv4-address are the network portion of the address, as follows:
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
A network-wildcard value of 0.0.0.0 indicates that the group member is a specific IPv4 address. |
IPv4-address / prefix-len | IPv4 address and variable-length subnet mask. Enter IPv4-address in dotted-decimal format. Use prefix-len to specify how many bits of IPv4-address are the network portion of the address, as follows:
switch(config-ipaddr-ogroup)# 10.23.176.0/24
A prefix-len value of 32 indicates that the group member is a specific IPv4 address. |
Command Modes
IPv4 address object group configuration
Command History
Release | Modification |
7.3(0)N1(1) | This command was introduced. |
Usage Guidelines
To specify a subnet as a group member, use either of the following forms of this command:
[ sequence-number ] IPv4-address network-wildcard
[ sequence-number ] IPv4-address / prefix-len
Regardless of the command form that you use to specify a subnet, the device shows the IPv4-address / prefix-len form of the group member when you use the show object-group command.
To specify a single IPv4 address as a group member, use any of the following forms of this command:
[ sequence-number ] host IPv4-address
[ sequence-number ] IPv4-address 0.0.0.0
[ sequence-number ] IPv4-address /32
Regardless of the command form that you use to specify a single IPv4 address, the device shows the host IPv4-address form of the group member when you use the show object-group command.
This command does not require a license.
Examples
This example shows how to configure an IPv4-address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
switch(config-ipaddr-ogroup)#
Related Commands
Command | Description |
object-group ip address | Configures an IPv4 address group. |
show object-group | Displays object groups. |
host (IPv6)
To specify a host or a subnet as a member of an IPv6-address object group, use the host command. To remove a group member from an IPv6-address object group, use the no form of this command.
[ sequence-number ] host IPv6-address
no { sequence-number | host IPv6-address }
[ sequence-number ] IPv6-address / network-prefix
no IPv6-address / network-prefix
Syntax Description
sequence-number | (Optional) Sequence number for this group member. Sequence numbers maintain the order of group members within an object group. Valid sequence numbers are from 1 to 4294967295. If you do not specify a sequence number, the device assigns a number that is 10 greater than the largest sequence number in the current object group. |
host IPv6-address | Specifies that the group member is a single IPv6 address. Enter IPv6-address in colon-separated, hexadecimal format. |
IPv6-address / network-prefix | IPv6 address and a variable-length subnet mask. Enter IPv6-address in colon-separated, hexadecimal format. Use network-prefix to specify how many bits of IPv6-address are the network portion of the address, as follows:
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
A network-prefix value of 128 indicates that the group member is a specific IPv6 address. |
Command Modes
IPv6 address object group configuration
Command History
Release | Modification |
7.3(0)N1(1) | This command was introduced. |
Usage Guidelines
To specify a subnet as a group member, use the following form of this command:
[ sequence-number ] IPv6-address / network-prefix
To specify a single IPv6 address as a group member, use either of the following forms of this command:
[ sequence-number ] host IPv6-address
[ sequence-number ] IPv6-address /128
Regardless of the command form that you use to specify a single IPv6 address, the device shows the host IPv6-address form of the group member when you use the show object-group command.
This command does not require a license.
Examples
This example shows how to configure an IPv6-address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
10 host 2001:db8:0:3ab0::1
20 host 2001:db8:0:3ab0::2
switch(config-ipv6addr-ogroup)#
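The usage guidelines for the IPv4 and IPv6 forms of host describe one normalization rule: however a member is typed, a single address is displayed as host address, a subnet is displayed as address/prefix-len, and a member entered without a sequence number gets the largest existing sequence number plus 10. The following Python model is an added example, not NX-OS code. It applies those rules to member lines typed at the object-group prompt for both address families, including the no forms, and reproduces the member lines that show object-group displays for the two example groups above. Two details go beyond the text and are assumptions: a network-wildcard must consist of contiguous low-order one bits (0.0.0.255 is accepted, 0.0.255.0 is rejected), and host bits below the prefix are masked off.

```python
"""Model of how NX-OS normalizes members of an IPv4 or IPv6 address
object group. Added example, not NX-OS code.

Rules taken from the command reference: "host X", "X 0.0.0.0" and "X/32"
(or "X/128") display as "host X"; "X W.X.Y.Z" and "X/len" display as
"X/len"; a member typed without a sequence number gets the largest
existing sequence number plus 10. Assumptions: wildcard bits must be
contiguous low-order ones, and host bits below the prefix are masked off.
"""
import ipaddress

SEQ_MAX = 4294967295


def wildcard_to_network(address, wildcard):
    """Convert the IPv4 'address network-wildcard' form to a network."""
    w = int(ipaddress.IPv4Address(wildcard))
    # Assumption: accept only masks such as 0.0.0.255 (w + 1 is a power of two).
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    prefix = 32 - w.bit_length()
    return ipaddress.ip_network(f"{address}/{prefix}", strict=False)


def parse_member(tokens, version):
    """Turn the tokens after any sequence number into an ip_network object."""
    if tokens and tokens[0] == "host" and len(tokens) == 2:
        net = ipaddress.ip_network(tokens[1])      # bare address -> /32 or /128
        if net.prefixlen != net.max_prefixlen:
            raise ValueError("host takes a single address, not a prefix")
    elif len(tokens) == 2:                          # IPv4 address + wildcard
        net = wildcard_to_network(tokens[0], tokens[1])
    elif len(tokens) == 1:                          # address/prefix-len
        net = ipaddress.ip_network(tokens[0], strict=False)
    else:
        raise ValueError(f"unrecognized member: {' '.join(tokens)}")
    if net.version != version:
        raise ValueError(f"IPv{net.version} member in an IPv{version} object group")
    return net


class AddressObjectGroup:
    """One 'object-group ip address NAME' or 'object-group ipv6 address NAME'."""

    def __init__(self, name, version=4):
        self.name = name
        self.version = version
        self.members = {}        # sequence-number -> network

    def configure(self, line):
        """Apply one line typed at the (config-*-ogroup)# prompt, with or
        without a leading 'no'. Returns the sequence number added or removed,
        or None when a 'no' line matched nothing."""
        tokens = line.split()
        negate = bool(tokens) and tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        seq = None
        if tokens and tokens[0].isdigit():
            seq = int(tokens[0])
            if not 1 <= seq <= SEQ_MAX:
                raise ValueError(f"sequence number {seq} out of range")
            tokens = tokens[1:]
        if negate:
            return self._remove(seq, tokens)
        net = parse_member(tokens, self.version)
        if seq is None:          # device assigns largest + 10 (10 for the first member)
            seq = (max(self.members) if self.members else 0) + 10
        self.members[seq] = net
        return seq

    def _remove(self, seq, tokens):
        if tokens:               # "no host X", "no X W", "no X/len": match by value
            net = parse_member(tokens, self.version)
            seq = next((s for s, n in self.members.items() if n == net), None)
        if seq in self.members:  # "no <sequence-number>" or a value match above
            del self.members[seq]
            return seq
        return None

    def show(self):
        """Member lines as 'show object-group' displays them, in sequence order."""
        lines = []
        for seq in sorted(self.members):
            net = self.members[seq]
            if net.prefixlen == net.max_prefixlen:
                lines.append(f"{seq} host {net.network_address}")
            else:
                lines.append(f"{seq} {net.with_prefixlen}")
        return lines


if __name__ == "__main__":
    group = AddressObjectGroup("ipv4-addr-group-13", 4)
    for cmd in ("host 10.121.57.102", "10.121.57.234/32", "10.23.176.0 0.0.0.255"):
        group.configure(cmd)
    print("\n".join(group.show()))
```

Because the model normalizes the way the switch does, it is useful for diffing an intended object group against show object-group output before pushing a change: two members that look different as typed (10.23.176.0 0.0.0.255 versus 10.23.176.0/24) compare equal after normalization, and a wildcard the device would reject is caught before the configuration is applied.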
Related Commands
Command | Description |
object-group ipv6 address | Configures an IPv6 address group. |
show object-group | Displays object groups. |