The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To change the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to supplicants on an interface before the session times out, use the dot1x max-reauth-req command. To revert to the default, use the no form of this command.
dot1x max-reauth-req retry-count
no dot1x max-reauth-req
retry-count |
Retry count for reauthentication requests. The range is from 1 to 10. |
2 retries
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to change the maximum number of reauthorization request retries for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x max-reauth-req 3
This example shows how to revert to the default maximum number of reauthorization request retries for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x max-reauth-req
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To change the maximum number of requests that the Cisco NX-OS device sends to a supplicant before restarting the 802.1X authentication, use the dot1x max-req command. To revert to the default, use the no form of this command.
dot1x max-req retry-count
no dot1x max-req
retry-count |
Retry count for request sent to supplicant before restarting 802.1X reauthentication. The range is from 1 to 10. |
Global configuration: 2 retries
Interface configuration: Global configuration setting
Global configuration
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to change the maximum number of request retries for the global 802.1X configuration:
switch# configure terminal switch(config)# dot1x max-req 3
This example shows how to revert to the default maximum number of request retries for the global 802.1X configuration:
switch# configure terminal switch(config)# no dot1x max-req
This example shows how to change the maximum number of request retries for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x max-req 4
This example shows how to revert to the default maximum number of request retries for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x max-req
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To create the 802.1X authenticator port access entity (PAE) role for an interface, use the dot1x pae authenticator command. To remove the 802.1X authenticator PAE role, use the no form of this command.
dot1x pae authenticator
no dot1x pae authenticator
This command has no arguments or keywords.
802.1X automatically creates the authenticator PAE when you enable the feature on an interface.
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface. When you disable 802.1X on the interface, the Cisco NX-OS software does not automatically clear the authenticator PAE instances. You can explicitly remove the authenticator PAE from the interface and then reapply it, as needed.
This command does not require a license.
This example shows how to create the 802.1X authenticator PAE role on an interface:
switch# configure terminal switch(config)# interface ethernet 2/4 switch(config-if)# dot1x pae authenticator
This example shows how to remove the 802.1X authenticator PAE role from an interface:
switch# configure terminal switch(config)# interface ethernet 2/4 switch(config-if)# no dot1x pae authenticator
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x interface |
Displays 802.1X feature status information for an interface. |
To control the 802.1X authentication performed on an interface, use the dot1x port-control command. To revert to the default, use the no form of this command.
dot1x port-control { auto | force-authorized | force-unauthorized }
no dot1x port-control { auto | force-authorized | force-unauthorized }
auto |
Enables 802.1X authentication on the interface. |
force-authorized |
Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication. |
force-unauthorized |
Disallows all authentication on the interface. |
force-authorized
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to change the 802.1X authentication action performed on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x port-control auto
This example shows how to revert to the default 802.1X authentication action performed on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x port-control auto
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x interface ethernet |
Displays 802.1X information for an interface. |
To enable RADIUS accounting for 802.1X, use the dot1x radius-accounting command. To revert to the default, use the no form of this command.
dot1x radius-accounting
no dot1x radius-accounting
This command has no arguments or keywords.
Disabled
Global configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to enable RADIUS accounting for 802.1X authentication:
switch# configure terminal switch(config)# dot1x radius-accounting
This example shows how to disable RADIUS accounting for 802.1X authentication:
switch# configure terminal switch(config)# no dot1x radius-accounting
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show running-config dot1x all |
Displays all 802.1X information in the running configuration. |
To manually reauthenticate 802.1X supplicants, use the dot1x re-authentication command.
dot1x reauthentication [ interface ethernet slot | port]
interface ethernet slot/port |
(Optional) Specifies the interface for manual reauthentication. |
None
EXEC
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to reauthenticate 802.1X supplicants manually:
switch# dot1x re-authentication
This example shows how to reauthenticate the 802.1X supplicant on an interface manually:
switch# dot1x re-authentication interface ethernet 2/1
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To enable periodic reauthenticate of 802.1X supplicants, use the dot1x re-authentication command. To revert to the default, use the no form of this command.
dot1x re-authentication
no dot1x re-authentication
This command has no arguments or keywords.
Global configuration: Disabled
Interface configuration: Global configuration setting
Global configurationInterface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
In global configuration mode, this command configures periodic reauthentication for all supplicants on the Cisco NX-OS device. In interface configuration mode, this command configures periodic reauthentication only for supplicants on the interface.
This command does not require a license.
This example shows how to enable periodic reauthentication of 802.1X supplicants:
switch# configure terminal switch(config)# dot1x re-authentication
This example shows how to disable periodic reauthentication of 802.1X supplicants:
switch# configure terminal switch(config)# no dot1x re-authentication
This example shows how to enable periodic reauthentication of 802.1X supplicants on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x re-authentication
This example shows how to disable periodic reauthentication of 802.1X supplicants on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# no dot1x re-authentication
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To enable 802.1X authentication, use the dot1x system-auth-control command. To disable 802.1X authentication, use the no form of this command.
dot1x system-auth-control
no dot1x system-auth-control
This command has no arguments or keywords.
Enabled
Global configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The dot1x system-auth-control command does not delete the 802.1X configuration.
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to disable 802.1X authentication:
switch# configure terminal switch(config)# no dot1x system-auth-control
This example shows how to enable 802.1X authentication:
switch# configure terminal switch(config)# dot1x system-auth-control
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x |
Displays 802.1X feature status information. |
To configure the 802.1X quiet-period timeout globally or for an interface, use the dot1x timeout quiet-period command. To revert to the default, use the no form of this command.
dot1x timeout quiet-period seconds
no dot1x timeout quiet-period
seconds |
Number of seconds for the 802.1X quiet-period timeout. The range is from 1 to 65535. |
Global configuration: 60 seconds
Interface configuration: The value of the global configuration
Global configuration
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The 802.1X quiet-period timeout is the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
You must use the feature dot1x command before you configure 802.1X.
Note | You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers. |
This command does not require a license.
This example shows how to configure the global 802.1X quiet-period timeout:
switch# configure terminal switch(config)# dot1x timeout quiet-period 45
This example shows how to revert to the default global 802.1X quiet-period timeout:
switch# configure terminal switch(config)# no dot1x timeout quiet-period
This example shows how to configure the 802.1X quiet-period timeout for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x timeout quiet-period 50
This example shows how to revert to the default 802.1X quiet-period timeout for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x timeout quiet-period
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To configure the 802.1X rate-limit period timeout for the supplicants on an interface, use the dot1x timeout ratelimit-period command. To revert to the default, use the no form of this command.
dot1x timeout ratelimit-period seconds
no dot1x timeout ratelimit-period
seconds |
Number of seconds for the 802.1X rate-limit period timeout. The range is from 1 to 65535. |
0 seconds
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The 802.1X rate-limit timeout period is the number of seconds that the authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated. This value overrides the global quiet period timeout.
You must use the feature dot1x command before you configure 802.1X.
Note | You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers. |
This command does not require a license.
This example shows how to configure the 802.1X rate-limit period timeout on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x timeout ratelimit-period 60
This example shows how to revert to the default 802.1X rate-limit period timeout on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x timeout ratelimit-period 60
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x interface ethernet |
Displays 802.1X information for an interface. |
To configure the 802.1X reauthentication-period timeout either globally or on an interface, use the dot1x timeout re-authperiod command. To revert to the default, use the no form of this command.
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
seconds |
Number of seconds for the 802.1X reauthentication-period timeout. The range is from 1 to 65535. |
Global configuration: 3600 seconds
Interface configuration: Global configuration setting
Global configuration
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The 802.1X reauthentication timeout period is the number of seconds between reauthentication attempts.
You must use the feature dot1x command before you configure 802.1X.
Note | You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers. |
This command does not require a license.
This example shows how to configure the global 802.1X reauthentication-period timeout:
switch# configure terminal switch(config)# dot1x timeout re-authperiod 3000
This example shows how to configure the 802.1X reauthentication-period timeout on an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x timeout re-authperiod 3300
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To configure the 802.1X server timeout for an interface, use the dot1x timeout server-timeout command. To revert to the default, use the no form of this command.
dot1x timeout server-timeout seconds
no dot1x timeout server-timeout
seconds |
Number of seconds for the 802.1X server timeout. The range is from 1 to 65535. |
30 seconds
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The 802.1X server timeout for an interface is the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. This value overrides the global reauthentication period timeout.
You must use the feature dot1x command before you configure 802.1X.
Note | You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers. |
This command does not require a license.
This example shows how to configure the global 802.1X server timeout interval:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x timeout server-timeout 45
This example shows how to revert to the default global 802.1X server timeout interval:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x timeout server-timeout 45
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x interface ethernet |
Displays 802.1X information for an interface. |
To configure the 802.1X supplicant timeout for an interface, use the dot1x timeout supp-timeout command. To revert to the default, use the no form of this command.
dot1x timeout supp-timeout seconds
no dot1x timeout supp-timeout
seconds |
Number of seconds for the 802.1X supplicant timeout. The range is from 1 to 65535. |
30 seconds
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The 802.1X supplicant timeout for an interface is the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame.
You must use the feature dot1x command before you configure 802.1X.
Note | You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers. |
This command does not require a license.
This example shows how to configure the 802.1X server timeout interval on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x timeout supp-timeout 45
This example shows how to revert to the default 802.1X server timeout interval on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# no dot1x timeout supp-timeout
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x interface ethernet |
Displays 802.1X information for an interface. |
To configure the 802.1X transmission-period timeout either globally or for an interface, use the dot1x timeout tx-period command. To revert to the default, use the no form of this command.
dot1x timeout tx-period seconds
no dot1x timeout tx-period
seconds |
Number of seconds for the 802.1X transmission-period timeout. The range is from 1 to 65535. |
Global configuration: 60 seconds
Interface configuration: Global configuration setting
Global configuration
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
The 802.1X transmission-timeout period is the number of seconds that the Cisco NX-OS device waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request.
You must use the feature dot1x command before you configure 802.1X.
Note | You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers. |
This command does not require a license.
This example shows how to configure the global 802.1X transmission-period timeout:
switch# configure terminal switch(config)# dot1x timeout tx-period 45
This example shows how to revert to the default global 802.1X transmission-period timeout:
switch# configure terminal switch(config)# no dot1x timeout tx-period
This example shows how to configure the 802.1X transmission-period timeout for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x timeout tx-period 45
This example shows how to revert to the default 802.1X transmission-period timeout for an interface:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x timeout tx-period
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.
deadtime minutes
no deadtime minutes
minutes |
Number of minutes for the interval. The range is from 0 to 1440 minutes.
|
0 minutes
RADlUS server group configuration
TACACS+ server group configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
switch# configure terminal switch(config)# aaa group server radius RadServer switch(config-radius)# deadtime 2
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
switch# configure terminal switch(config)# feature tacacs+ switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# deadtime 5
This example shows how to revert to the dead-time interval default:
switch# configure terminal switch(config)# feature tacacs+ switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# no deadtime 5
Command |
Description |
---|---|
aaa group server |
Configures AAA server groups. |
radius-server host |
Configures a RADIUS server. |
show radius-server groups |
Displays RADIUS server group information. |
show tacacs-server groups |
Displays TACACS+ server group information. |
feature tacacs+ |
Enables TACACS+. |
tacacs-server host |
Configures a TACACS+ server. |
To delete certificate authority certificates, use the delete ca-certificate command.
delete ca-certificate
This command has no arguments or keywords.
None
Trustpoint configuration
Release |
Modification |
---|---|
4.1(2) |
This command was introduced. |
This command deletes the CA certificate or certificate chain corresponding to the trustpoint CA. As a result, the trustpoint CA is no longer trusted. If there is an identity certificate form the CA, you must delete it before you can delete the CA certificate. This prevents the accidental deletion of a CA certificate when you have not yet deleted the identity certificate obtained from that CA. Deleting the CA certificate may be necessary when you no longer want to trust the CA because the CA is compromised or the CA certificate has expired.
The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.
Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.
This command does not require a license.
This example shows how to delete a certificate authority certificate:
switch# configure terminal switch(config)# crypto ca trustpoint admin-ca switch(config-trustpoint)# delete ca-certificate
Command |
Description |
---|---|
delete certificate |
Deletes the identity certificate. |
delete crl |
Deletes the CRL from the trustpoint. |
To delete the identity certificate, use the delete certificate command.
delete certificate [force]
force |
(Optional) Forces the deletion of the identity certificate. |
None
Trustpoint configuration
Release |
Modification |
---|---|
4.1(2) |
This command was introduced. |
Use the delete certificate command to delete the identity certificate obtained from the trustpoint CA when the identity certificate expires or the corresponding key pair is compromised. Applications on the device are left without any identity certificate to use after you delete the last or the only identity certificate present. The Cisco NX-OS software generates an error message if the certificate being deleted is the only certificate present or is the last identity certificate in a chain. You can use the optional force keyword to remove the certificate.
The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.
Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.
This command does not require a license.
This example shows how to delete the identity certificate:
switch# configure terminal switch(config)# crypto ca trustpoint admin-ca switch(config-trustpoint)# delete certificate
This example shows how to force the deletion of the identity certificate:
switch# configure terminal switch(config)# crypto ca trustpoint admin-ca switch(config-trustpoint)# delete certificate force
Command |
Description |
---|---|
delete ca-certificate |
Deletes the certificate authority certificate. |
delete crl |
Deletes the CRL from the trustpoint. |
To delete the certificate revocation list (CRL) from the trustpoint, use the delete crl command.
delete crl
This command has no argument or keywords.
None
Trustpoint configuration
Release |
Modification |
---|---|
4.1(2) |
This command was introduced. |
This command does not require a license.
This example shows how to delete the CRL from the trustpoint:
switch# configure terminal switch(config)# crypto ca trustpoint admin-ca switch(config-trustpoint)# delete crl
Command |
Description |
---|---|
delete ca-certificate |
Deletes the certificate authority certificate. |
delete certificate |
Deletes the identity certificate. |
To create an ARP ACL rule that denies ARP traffic that matches its conditions, use the deny command. To remove a rule, use the no form of this command.
[sequence-number] deny ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [log]
[sequence-number] deny request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [log]
[sequence-number] deny response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [log]
no sequence-number
no deny ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [log]
no deny request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [log]
no deny response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [log]
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
||
ip |
Introduces the IP address portion of the rule. |
||
any |
(Optional) Specifies that any host matches the part of the rule that contains the any keyword. You can use the any to specify the sender IP address, target IP address, sender MAC address, and target MAC address. |
||
host sender-IP |
(Optional) Specifies that the rule matches ARP packets only when the sender IP address in the packet matches the value of the sender-IP argument. Valid values for the sender-IP argument are IPv4 addresses in dotted-decimal format. |
||
sender-IP sender-IP-mask |
(Optional) IPv4 address and mask for the set of IPv4 addresses that the sender IP address in the packet can match. The sender-IP and sender-IP-mask argument must be given in dotted-decimal format. Specifying 255.255.255.255 as the sender-IP-mask argument is the equivalent of using the host keyword. |
||
mac |
Introduces the MAC address portion of the rule. |
||
host sender-MAC |
(Optional) Specifies that the rule matches ARP packets only when the sender MAC address in the packet matches the value of the sender-MAC argument. Valid values for the sender-MAC argument are MAC addresses in dotted-hexadecimal format. |
||
sender-MAC sender-MAC-mask |
(Optional) MAC address and mask for the set of MAC addresses that the sender MAC address in the packet can match. The sender-MAC and sender-MAC-mask argument must be given in dotted-hexadecimal format. Specifying ffff.ffff.ffff as the sender-MAC-mask argument is the equivalent of using the host keyword. |
||
log |
(Optional) Specifies that the device logs ARP packets that match the rule. |
||
request |
(Optional) Specifies that the rule applies only to packets containing ARP request messages.
|
||
response |
(Optional) Specifies that the rule applies only to packets containing ARP response messages.
|
||
host target-IP |
(Optional) Specifies that the rule matches ARP packets only when the target IP address in the packet matches the value of the target-IP argument. You can specify host target-IP only when you use the response keyword. Valid values for the target-IP argument are IPv4 addresses in dotted-decimal format. |
||
target-IP target-IP-mask |
(Optional) IPv4 address and mask for the set of IPv4 addresses that the target IP address in the packet can match. You can specify target-IP target-IP-mask only when you use the response keyword. The target-IP and target-IP-mask argument must be given in dotted-decimal format. Specifying 255.255.255.255 as the target-IP-mask argument is the equivalent of using the host keyword. |
||
host target-MAC |
(Optional) Specifies that the rule matches ARP packets only when the target MAC address in the packet matches the value of the target-MAC argument. You can specify host target-MAC only when you use the response keyword. Valid values for the target-MAC argument are MAC addresses in dotted-hexadecimal format. |
||
target-MAC target-MAC-mask |
(Optional) MAC address and mask for the set of MAC addresses that the target MAC address in the packet can match. You can specify target-MAC target-MAC-mask only when you use the response keyword. The target-MAC and target-MAC-mask argument must be given in dotted-hexadecimal format. Specifying ffff.ffff.ffff as the target-MAC-mask argument is the equivalent of using the host keyword. |
None
ARP ACL configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
A newly created ARP ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the device applies an ARP ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
If you do not specify either the response or request keyword, the rule applies to packets that contain any ARP message.
This command does not require a license.
This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01 and add a rule that denies ARP request messages that contain a sender IP address that is within the 10.32.143.0 subnet:
switch# conf t switch(config)# arp access-list arp-acl-01 switch(config-arp-acl)# deny request ip 10.32.143.0 255.255.255.0 mac any
Command |
Description |
---|---|
arp access-list |
Configures an ARP ACL. |
ip arp inspection filter |
Applies an ARP ACL to a VLAN. |
permit (ARP) |
Configures a permit rule in an ARP ACL. |
remark |
Configures a remark in an ACL. |
show arp access-list |
Displays all ARP ACLs or one ARP ACL. |
To create an IPv4 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[sequence-number] deny protocol source destination [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
no deny protocol source destination [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
no sequence-number
[sequence-number] deny icmp source destination [ icmp-message | icmp-type [icmp-code] ] [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
[sequence-number] deny igmp source destination [igmp-message] [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
[sequence-number] deny ip source destination [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
[sequence-number] deny tcp source [ operator port [port] | portgroup portgroup ] destination [ operator port [port] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [flags] [established] [ packet-length operator packet-length [packet-length] ]
[sequence-number] deny udp source [ operator port [port] | portgroup portgroup ] destination [ operator port [port] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
protocol |
Name or number of the protocol of packets that the rule matches. For details about the methods that you can use to specify this argument, see “Protocol” in the “Usage Guidelines” section. |
source |
Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
dscp dscp |
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
|
precedence precedence |
(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword, as follows:
|
fragments |
(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. |
log |
(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:
|
time-range time-range-name |
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. The time-range-name argument can be up to 64 alphanumeric, case-sensitive characters. |
icmp-message |
(ICMP only: Optional) ICMP message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section. |
icmp-type [icmp-code] |
(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches. For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters . |
igmp-message |
(IGMP only: Optional) IGMP message type that the rule matches. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:
|
operator port [port] |
(Optional; TCP and UDP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
|
portgroup portgroup |
(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port object group specified by the portgroup argument, which can be up to 64 alphanumeric, case-sensitive characters. Whether the IP port object group applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port object groups. |
flags |
(TCP only; Optional) TCP control bit flags that the rule matches. The value of the flags argument must be one or more of the following keywords:
|
established |
(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection. |
packet-lengthoperatorpacket-length [packet-length |
(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments. Valid values for the packet-length argument are whole numbers from 20 to 9210. The operator argument must be one of the following keywords:
|
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
IPv4 ACL configuration
Release |
Modification |
---|---|
4.1(2) |
Support was added for the following:
|
4.0(1) |
This command was introduced. |
When the device applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
Protocol
You can specify the protocol of packets that the rule applies to by the protocol name or the number of the protocol. If you want the rule to apply to all IPv4 traffic, use the ip keyword.
The protocol keyword that you specify affects the additional keywords and arguments that are available. Unless otherwise specified, only the other keywords that apply to all IPv4 protocols are available. Those keywords include the following:
Valid protocol numbers are from 0 to 255.
Valid protocol names are the following keywords:
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
addrgroup address-group-name
The following example shows how to use an IPv4 address object group named lab-gateway-svrs to specify the destination argument:
switch(config-acl)# deny ip any addrgroup lab-gateway-svrs
IPv4-address network-wildcard
The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any
IPv4-address/prefix-len
The following example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
switch(config-acl)# deny udp 192.168.67.0/24 any
host IPv4-address
This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
The following example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
switch(config-acl)# deny icmp host 192.168.67.132 any
ICMP Message Types
The icmp-message argument can be one of the following keywords:
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp—Border Gateway Protocol (179)
chargen—Character generator (19)
cmd—Remote commands (rcmd, 514)
daytime—Daytime (13)
discard—Discard (9)
domain—Domain Name Service (53)
drip—Dynamic Routing Information Protocol (3949)
echo—Echo (7)
exec—EXEC (rsh, 512)
finger—Finger (79)
ftp—File Transfer Protocol (21)
ftp-data—FTP data connections (20)
gopher—Gopher (7)
hostname—NIC hostname server (11)
ident—Ident Protocol (113)
irc—Internet Relay Chat (194)
klogin—Kerberos login (543)
kshell—Kerberos shell (544)
login—Login (rlogin, 513)
lpd—Printer service (515)
nntp—Network News Transport Protocol (119)
pim-auto-rp—PIM Auto-RP (496)
pop2—Post Office Protocol v2 (19)
pop3—Post Office Protocol v3 (11)
smtp—Simple Mail Transport Protocol (25)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
talk—Talk (517)
telnet—Telnet (23)
time—Time (37)
uucp—UNIX-to-UNIX Copy Program (54)
whois—WHOIS/NICNAME (43)
www—World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff—Biff (mail notification, comsat, 512)
bootpc—Bootstrap Protocol (BOOTP) client (68)
bootps—Bootstrap Protocol (BOOTP) server (67)
discard—Discard (9)
dnsix—DNSIX security protocol auditing (195)
domain—Domain Name Service (DNS, 53)
echo—Echo (7)
isakmp—Internet Security Association and Key Management Protocol (5)
mobile-ip—Mobile IP registration (434)
nameserver—IEN116 name service (obsolete, 42)
netbios-dgm—NetBIOS datagram service (138)
netbios-ns—NetBIOS name service (137)
netbios-ss—NetBIOS session service (139)
non500-isakmp—Internet Security Association and Key Management Protocol (45)
ntp—Network Time Protocol (123)
pim-auto-rp—PIM Auto-RP (496)
rip—Routing Information Protocol (router, in.routed, 52)
snmp—Simple Network Management Protocol (161)
snmptrap—SNMP Traps (162)
sunrpc—Sun Remote Procedure Call (111)
syslog—System Logger (514)
tacacs—TAC Access Control System (49)
talk—Talk (517)
tftp—Trivial File Transfer Protocol (69)
time—Time (37)
who—Who service (rwho, 513)
xdmcp—X Display Manager Control Protocol (177)
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
switch# configure terminal switch(config)# ip access-list acl-lab-01 switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16 switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16 switch(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16 switch(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16 switch(config-acl)# permit ip any any
This example shows how to configure an IPv4 ACL named acl-eng-to-marketing with a rule that denies all IP traffic from an IPv4 address object group named eng_workstations to an IP address object group named marketing_group followed by a rule that permits all other IPv4 traffic:
switch# configure terminal switch(config)# ip access-list acl-eng-to-marketing switch(config-acl)# deny ip addrgroup eng_workstations addrgroup marketing_group switch(config-acl)# permit ip any any
Command |
Description |
---|---|
fragments |
Configures how an IP ACL processes noninitial fragments. |
ip access-list |
Configures an IPv4 ACL. |
object-group ip address |
Configures an IPv4 address object group. |
object-group ip port |
Configures an IP port object group. |
permit (IPv4) |
Configures a permit rule in an IPv4 ACL. |
remark |
Configures a remark in an IPv4 ACL. |
show ip access-list |
Displays all IPv4 ACLs or one IPv4 ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
time-range |
Configures a time range. |
To create an IPv6 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[sequence-number] deny protocol source destination [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
no deny protocol source destination [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
no sequence-number
[ sequence-number | no ] deny icmp source destination [ icmp-message | icmp-type [icmp-code] ] [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
[sequence-number] deny ipv6 source destination [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
[ sequence-number | no ] deny sctp source [ operator port [port] | portgroup portgroup ] destination [ operator port [port] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
[sequence-number] deny tcp source [ operator port [port] | portgroup portgroup ] destination [ operator port [port] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [flags] [established] [ packet-length operator packet-length [packet-length] ]
[ sequence-number | no ] deny udp source [ operator port [port] | portgroup portgroup ] destination [ operator port [port] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [fragments] [log] [ time-range time-range-name ] [ packet-length operator packet-length [packet-length] ]
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
protocol |
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
|
source |
Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
dscp dscp |
(Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be one of the following numbers or keywords:
|
flow-label flow-label-value |
(Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575. |
fragments |
(Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. |
log |
(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:
|
time-range time-range-name |
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. |
icmp-message |
(ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMPv6 Message Types” in the “Usage Guidelines” section. |
icmp-type [icmp-code] |
(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches. For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters . |
operator port [port] |
(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
|
portgroup portgroup |
(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects. |
established |
(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection. |
flags |
(TCP only; Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
|
packet-lengthoperatorpacket-length [packet-length |
(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments. Valid values for the packet-length argument are whole numbers from 20 to 9210. The operator argument must be one of the following keywords:
|
None
IPv6 ACL configuration
Release |
Modification |
---|---|
4.1(2) |
This command was introduced. |
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
addrgroup address-group-name
The following example shows how to use an IPv6 address object group named lab-svrs-1301 to specify the destination argument:
switch(config-acl)# deny ipv6 any addrgroup lab-svrs-1301
IPv6-address/prefix-len
The following example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
switch(config-acl)# deny udp 2001:0db8:85a3::/48 any
host IPv6-address
This syntax is equivalent to IPv6-address/128.
The following example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
switch(config-acl)# deny icmp host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 any
ICMPv6 Message Types
The icmp-message argument can be one of the following keywords:
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp—Border Gateway Protocol (179)
chargen—Character generator (19)
cmd—Remote commands (rcmd, 514)
daytime—Daytime (13)
discard—Discard (9)
domain—Domain Name Service (53)
drip—Dynamic Routing Information Protocol (3949)
echo—Echo (7)
exec—Exec (rsh, 512)
finger—Finger (79)
ftp—File Transfer Protocol (21)
ftp-data—FTP data connections (20)
gopher—Gopher (7)
hostname—NIC hostname server (11)
ident—Ident Protocol (113)
irc—Internet Relay Chat (194)
klogin—Kerberos login (543)
kshell—Kerberos shell (544)
login—Login (rlogin, 513)
lpd—Printer service (515)
nntp—Network News Transport Protocol (119)
pim-auto-rp—PIM Auto-RP (496)
pop2—Post Office Protocol v2 (19)
pop3—Post Office Protocol v3 (11)
smtp—Simple Mail Transport Protocol (25)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
talk—Talk (517)
telnet—Telnet (23)
time—Time (37)
uucp—Unix-to-Unix Copy Program (54)
whois—WHOIS/NICNAME (43)
www—World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff—Biff (mail notification, comsat, 512)
bootpc—Bootstrap Protocol (BOOTP) client (68)
bootps—Bootstrap Protocol (BOOTP) server (67)
discard—Discard (9)
dnsix—DNSIX security protocol auditing (195)
domain—Domain Name Service (DNS, 53)
echo—Echo (7)
isakmp—Internet Security Association and Key Management Protocol (5)
mobile-ip—Mobile IP registration (434)
nameserver—IEN116 name service (obsolete, 42)
netbios-dgm—NetBIOS datagram service (138)
netbios-ns—NetBIOS name service (137)
netbios-ss—NetBIOS session service (139)
non500-isakmp—Internet Security Association and Key Management Protocol (45)
ntp—Network Time Protocol (123)
pim-auto-rp—PIM Auto-RP (496)
rip—Routing Information Protocol (router, in.routed, 52)
snmp—Simple Network Management Protocol (161)
snmptrap—SNMP Traps (162)
sunrpc—Sun Remote Procedure Call (111)
syslog—System Logger (514)
tacacs—TAC Access Control System (49)
talk—Talk (517)
tftp—Trivial File Transfer Protocol (69)
time—Time (37)
who—Who service (rwho, 513)
xdmcp—X Display Manager Control Protocol (177)
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
switch# config t switch(config)# ipv6 access-list acl-lab13-ipv6 switch(config-ipv6-acl)# deny tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that denies all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
switch# config t switch(config)# ipv6 access-list ipv6-eng-to-marketing switch(config-ipv6-acl)# deny ipv6 addrgroup eng_ipv6 addrgroup marketing_group
Command |
Description |
---|---|
fragments |
Configures how an IP ACL processes noninitial fragments. |
ipv6 access-list |
Configures an IPv6 ACL. |
object-group ipv6 address |
Configures an IPv6-address object group. |
object-group ip port |
Configures an IP-port object group. |
permit (IPv6) |
Configures a permit rule in an IPv6 ACL. |
remark |
Configures a remark in an ACL. |
show ipv6 access-list |
Displays all IPv6 ACLs or one IPv6 ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
time-range |
Configures a time range. |
To create a MAC access control list (ACL)+ rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[sequence-number] deny source destination [protocol] [ cos cos-value ] [ vlan VLAN-ID ] [ time-range time-range-name ]
no deny source destination [protocol] [ cos cos-value ] [ vlan VLAN-ID ] [ time-range time-range-name ]
no sequence-number
sequence-number |
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
source |
Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
destination |
Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
protocol |
(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see “MAC Protocols” in the “Usage Guidelines” section. |
cos cos-value |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. |
vlan VLAN-ID |
(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the VLAN ID given. The VLAN-ID argument can be an integer from 1 to 4094. |
time-range time-range-name |
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. |
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
MAC ACL configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
Source and Destination
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
MAC-address MAC-mask
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
switch(config-acl)# deny 00c0.4f03.0a72 0000.0000.0000 any
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
switch(config-acl)# deny any 0060.3e00.0000 0000.0000.0000
MAC Protocols
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
switch# configure terminal switch(config)# mac access-list mac-ip-filter switch(config-mac-acl)# deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip switch(config-mac-acl)# permit any any
Command |
Description |
---|---|
mac access-list |
Configures a MAC ACL. |
permit (MAC) |
Configures a deny rule in a MAC ACL. |
remark |
Configures a remark in an ACL. |
show mac access-list |
Displays all MAC ACLs or one MAC ACL. |
statistics per-entry |
Enables collection of statistics for each entry in an ACL. |
time-range |
Configures a time range. |
To configure a deny action in the security group access control list (SGACL), use the deny command. To remove the action, use the no form of this command.
(explicit id ) deny { all | icmp | igmp | ip } { tcp | udp } [ { src | dst } { | { eq | gt | lt | neq } | port -number } | range { port-number 1 | port-number 2 } [ log ]
no deny { all | icmp | igmp | ip } { tcp | udp } [ { src | dst } { | { eq | gt | lt | neq } | port -number } | range { port-number 1 | port-number 2 } [ log ]
all |
Specifies all traffic. |
icmp |
Specifies Internet Control Message Protocol (ICMP) traffic. |
igmp |
Specifies Internet Group Management Protocol (IGMP) traffic. |
ip |
Specifies IP traffic. |
tcp |
Specifies TCP traffic. |
udp |
Specifies User Datagram Protocol (UDP) traffic. |
src |
Specifies the source port number. |
dst |
Specifies the destination port number. |
eq |
Specifies equal to the port number. |
gt |
Specifies greater than the port number. |
lt |
Specifies less than the port number. |
neq |
Specifies not equal to the port number. |
port-number |
Port number for TCP or UDP. The range is from 0 to 65535. |
range |
Specifies a port range for TCP or UDP. |
port-number1 |
First port in the range. The range is from 0 to 65535. |
port-number2 |
Last port in the range. The range is from 0 to 65535. |
log |
(Optional) Specifies that packets matching this configuration be logged. |
None
role-based access control list
Release |
Modification |
---|---|
5.0(2) |
The log keyword was added to support the enabling of role-based access control list (RBACL) logging. |
4.0(1) |
This command was introduced. |
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF.
To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.
This command requires the Advanced Services license.
This example shows how to add a deny action to an SGACL and enable RBACL logging:
switch# configure terminal switch(config)# cts role-based access-list MySGACL switch(config-rbacl)# deny icmp log
This example shows how to remove a deny action from an SGACL:
switch# configure terminal switch(config)# cts role-based access-list MySGACL switch(config-rbacl)# no deny icmp log
Command |
Description |
---|---|
cts role-based access-list |
Configures Cisco TrustSec SGACLs. |
feature cts |
Enables the Cisco TrustSec feature. |
show cts role-based access-list |
Displays the Cisco TrustSec SGACL configuration. |
To configure a description for an identity policy, use the description command. To revert to the default, use the no form of this command.
description text
no description
"text" |
Text string that describes the identity policy. The string is alphanumeric. The maximum length is 100 characters. |
None
Identity policy configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
This command does not require a license.
This example shows how to configure the description for an identity policy:
switch# configure terminal switch(config)# identity policy AdminPolicy switch(config-id-policy)# description "Administrator identity policy"
This example shows how to remove the description from an identity policy:
switch# configure terminal switch(config)# identity policy AdminPolicy switch(config-id-policy)# no description
Command |
Description |
---|---|
identity policy |
Creates or specifies an identity policy and enters identity policy configuration mode. |
show identity policy |
Displays identity policy information. |
To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.
description text
no description
text |
Text string that describes the user role. The string is alphanumeric. The maximum length is 128 characters. |
None
User role configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You can include blank spaces in the user role description text.
This command does not require a license.
This example shows how to configure the description for a user role:
switch# configure terminal switch(config)# role name MyRole switch(config-role)# description User role for my user account.
This example shows how to remove the description from a user role:
switch# configure terminal switch(config)# role name MyRole switch(config-role)# no description
Command |
Description |
---|---|
role name |
Creates or specifies a user role and enters user role configuration mode. |
show role |
Displays user role information. |
To configure a destination for ACL capture packets, use the destination interface command.
destination interface ethernet slot/port
ethernet |
Specifies Ethernet IEEE 802.3z. |
slot/port |
Slot and port identifiers for the interface. The range is from 1 to 253. |
None
ACL capture configuration mode (config-acl-capture)
Release |
Modification |
---|---|
5.2(1) |
This command was introduced. |
Only the physical interface can be used for the destination. Port-channel interfaces and supervisor in-band ports are not supported.
Port channels and supervisor in-band ports are not supported as a destination for ACL capture.
ACL capture session destination interfaces do not support ingress forwarding and ingress MAC learning. If a destination interface is configured with these options, the monitor keeps the ACL capture session down. Use the show monitor session all command to see if ingress forwarding and MAC learning are enabled.
Note | You can use the no switchport monitor command to disable ingress forwarding and MAC learning on the interface. |
The source port of the packet and the ACL capture destination port cannot be part of the same ASIC. If both ports belong to the same ASIC, a message appears when you configure the destination ports for ACL capture, and the packet is not captured.
You can enter the destination interface command multiple times to add multiple destinations.
This command does not require a license.
This example shows how to configure a destination for ACL capture packets:
switch# configure terminal switch(config)# monitor session 7 type acl-capture switch(config-acl-capture)# destination interface ethernet 5/5
Command |
Description |
---|---|
monitor session session type acl-capture |
Configures an ACL capture session. |
To add a supplicant device to the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile exception list, use the device command. To remove a supplicant device, use the no form of this command.
device { authenticate | not-authenticate } { ip-address ipv4-address [subnet-mask] | mac-address mac-address [mac-address-mask] } policy policy-name
no device { authenticate | not-authenticate } { ip-address ipv4-address [subnet-mask] | mac-address mac-address [mac-address-mask] } policy policy-name
authenticate |
Specifies to allow authentication of the device using the policy. |
not-authenticate |
Specifies to not allow authentication of the device using the policy. |
ip-address ipv4-address |
Specifies the IPv4 address for the supplicant device in the A.B.C.D format. |
subnet-mask |
(Optional) IPv4 subnet mask for the IPv4 address. |
mac-address mac-address |
Specifies the MAC address for the supplicant device in the XXXX.XXXX.XXXX format. |
mac-address-mask |
(Optional) Mask for the MAC address. |
policy policy-name |
Specifies the policy to use for the supplicant device. |
None
Identity policy configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
This command does not require a license.
This example shows how to add a device to the EAPoUDP identity profile:
switch# configure terminal switch(config)# identity profile eapoupd switch(config-id-policy)# device authenticate 10.10.1.1 255.255.255.245 policy AdminPolicy
This example shows how to remove a device from the EAPoUDP identity profile:
switch# configure terminal switch(config)# identity profile eapoupd switch(config-id-policy)# no device authenticate 10.10.2.2 255.255.255.245 policy UserPolicy
Command |
Description |
---|---|
identity policy |
Creates or specifies an identity policy and enters identity policy configuration mode. |
show identity policy |
Displays identity policy information. |
To specify the role of the device attached to the port, use the device-role command in IPv6 snooping policy configuration mode or router advertisement (RA) guard policy configuration mode.
device-role { host | monitor | router }
host |
Sets the role of the device to host. |
monitor |
Sets the role of the device to monitor. |
router |
Sets the role of the device to router. |
The device role is host.
RA guard policy configuration (config-ra-guard)
Release |
Modification |
---|---|
8.0(1) |
This command was introduced. |
The device-role command specifies the role of the device attached to the port. By default, the device role is host, and therefore all the inbound router advertisement and redirect messages are blocked. If the device role is enabled using the router keyword, all messages (router solicitation [RS], router advertisement [RA], or redirect) are allowed on this port.
When the router or monitor keyword is used, the multicast RS messages are bridged on the port, regardless of whether limited broadcast is enabled. However, the monitor keyword does not allow inbound RA or redirect messages. When the monitor keyword is used, devices that need these messages will receive them.
The following example defines an RA guard policy name as raguard1, places the device in RA guard policy configuration mode, and configures the device as the host:
switch(config)# ipv6 nd raguard policy raguard1 switch(config-ra-guard)# device-role host
Command |
Description |
---|---|
ipv6 nd raguard policy |
Defines the RA guard policy name and enters RA guard policy configuration mode. |
To reset the 802.1X global or interface configuration to the default, use the dot1x default command.
dot1x default
This command has no arguments or keywords.
None
Global configuration
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to set the global 802.1X parameters to the default:
switch# configure terminal switch(config)# dot1x default
This example shows how to set the interface 802.1X parameters to the default:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x default
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x |
Displays 802.1X feature status information. |
To allow 802.1X authentication for either a single supplicant or multiple supplicants on an interface, use the dot1x host-mode command. To revert to the default, use the no form of this command.
dot1x host-mode { multi-host | single-host }
no dot1x host-mode
mutli-host |
Allows 802.1X authentication for multiple supplicants on the interface. |
single-host |
Allows 802.1X authentication for only a single supplicant on the interface. |
single-host
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to allow 802.1X authentication of multiple supplicants on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x host-mode multi-host
This example shows how to revert to the default host mode on an interface:
switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# no dot1x host-mode
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To initialize 802.1X authentication for supplicants, use the dot1x initialize command.
dot1x initialize [ interface ethernet slot | port]
interface ethernet slot / port |
(Optional) Specifies the interface for 802.1X authentication initialization. |
None
Any command mode
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to initialize 802.1X authentication for supplicants on the Cisco NX-OS device:
switch# dot1x initialize
This example shows how to initialize 802.1X authentication for supplicants on an interface:
switch# dot1x initialize interface ethernet 2/1
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |
To enable MAC address authentication bypass on interfaces with no 802.1X supplicants, use the dot1x mac-auth-bypass command. To disable MAC address authentication bypass, use the no form of this command.
dot1x mac-auth-bypass [eap]
no dot1x mac-auth-bypass
eap |
Specifies that the bypass use Extensible Authentication Protocol (EAP). |
Disabled
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
This example shows how to enable MAC address authentication bypass:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x mac-auth-bypass
This example shows how to disable MAC address authentication bypass:
switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x mac-auth-bypass
Command |
Description |
---|---|
feature dot1x |
Enables the 802.1X feature. |
show dot1x all |
Displays all 802.1X information. |