Table Of Contents
hardware access-list resource pooling
H Commands
This chapter describes the Cisco NX-OS security commands that begin with H.
hardware access-list capture
To enable access control list (ACL) capture on all virtual device contexts (VDCs), use the hardware access-list capture command. To disable ACL capture, use the no form of the command.
hardware access-list capture
no hardware access-list capture
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
Only M1 Series modules not support ACL capture.
ACL capture is a hardware-assisted feature and is not supported for the management interface or for control packets originating in the supervisor. It is also not supported for software ACLs such as SNMP community ACLs and virtual teletype (VTY) ACLs.
Enabling ACL capture disables ACL logging for all VDCs and the rate limiter for ACL logging.
Only one ACL capture session can be active at any given time in the system across VDCs.
This command does not require a license.
Examples
This example shows how to enable ACL capture on all VDCs:
switch# configure terminal
switch(config)# hardware access-list capture
This example shows how to disable ACL capture on all VDCs:switch # configure terminal
switch(config)# no hardware access-list captureRelated Commands
Command Descriptionshow hardware access-list status module
Displays the access control list (ACL) capture configuration.
hardware access-list resource pooling
To allow ACL-based features to use more than one TCAM bank on one or more I/O modules, use the hardware access-list resource pooling command. To restrict ACL-based features to using one TCAM bank on an I/O module, use the no form of this command.
hardware access-list resource pooling module slot-number-list
no hardware access-list resource pooling module slot-number-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Release Modification4.2(1)
The hyphen was removed between the resource and pooling keywords.
4.1(2)
This command was introduced.
Usage Guidelines
By default, each ACL-based feature can use one TCAM bank on an I/O module. This default behavior limits each feature to 16,000 TCAM entries. If you have very large security ACLs, you may encounter this limit. The hardware access-list resource pooling command allows you to make more than 16,000 TCAM entries available to ACL-based features.
This command does not require a license.
Examples
This example shows how to enable ACL programming across TCAM banks on the I/O module in slot 1:
switch# config tswitch(config)# hardware access-list resource pooling module 1Related Commands
hardware access-list update
To configure how a supervisor module updates an I/O module with changes to an access-control list (ACL), use the hardware access-list update command in the default virtual device context (VDC). To disable atomic updates, use the no form of this command.
hardware access-list update {atomic | default-result permit}
no hardware access-list update {atomic | default-result permit}
Syntax Description
Defaults
atomic
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Release Modification4.1(4)
This command is available only in the default VDC.
4.1(2)
This command was introduced to replace the platform access-list update command.
Usage Guidelines
In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only and affects all VDCs.
By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to; however, an atomic update requires that an I/O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all preexisting entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.
If an I/O module lacks the resources required for an atomic update, you can disable atomic updates by using the no hardware access-list update atomic command in the default VDC; however, during the brief time required for the device to remove the preexisting ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default.
If you want to permit all traffic that an ACL applies to while it receives a nonatomic update, use the hardware access-list update default-result permit command in the default VDC.
This command does not require a license.
Examples
Note In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only. To verify that the current VDC is the VDC 1 (the default VDC), use the show vdc current-vdc command.
This example shows how to disable atomic ACL updates:
switch# config tswitch(config)# no hardware access-list update atomicThis example shows how to permit affected traffic during a nonatomic ACL update:
switch# config tswitch(config)# hardware access-list update default-result permitThis example shows how to revert to the atomic update method:
switch# config tswitch(config)# no hardware access-list update default-result permitswitch(config)# hardware access-list update atomicRelated Commands
hardware rate-limiter
To configure rate limits in packets per second on supervisor-bound traffic, use the hardware rate-limiter command. To revert to the default, use the no form of this command.
hardware rate-limiter {access-list-log {packets | disable} [module module [port start end]] | copy {packets | disable} [module module [port start end]] | f1 {rl-1 {packets | disable} [module module [port start end]] | rl-2 {packets | disable} [module module [port start end]] | rl-3 {packets | disable} [module module [port start end]] | rl-4 {packets | disable} [module module [port start end]] | rl-5 {packets | disable} [module module [port start end]]} | layer-2 {l2pt {packets | disable} [module module [port start end]] | mcast-snooping {packets | disable} [module module [port start end]] | port-security {packets | disable} [module module [port start end]] | storm-control {packets | disable} [module module [port start end]] | vpc-low {packets | disable} [module module [port start end]]} | layer-3 {control{packets | disable} [module module [port start end]] | glean {packets | disable} [module module [port start end]] | mtu {packets | disable} [module module [port start end]] | multicast {packets | disable} [module module [port start end]] | ttl {packets | disable} [module module [port start end]]} | receive {packets | disable} [module module [port start end]]
no hardware rate-limiter {access-list-log {packets | disable} [module module [port start end]] | copy {packets | disable} [module module [port start end]] | f1 {rl-1 {packets | disable} [module module [port start end]] | rl-2 {packets | disable} [module module [port start end]] | rl-3 {packets | disable} [module module [port start end]] | rl-4 {packets | disable} [module module [port start end]] | rl-5 {packets | disable} [module module [port start end]]} | layer-2 {l2pt {packets | disable} [module module [port start end]] | mcast-snooping {packets | disable} [module module [port start end]] | port-security {packets | disable} [module module [port start end]] | storm-control {packets | disable} [module module [port start end]] | vpc-low {packets | disable} [module module [port start end]]} | layer-3 {control{packets | disable} [module module [port start end]] | glean {packets | disable} [module module [port start end]] | mtu {packets | disable} [module module [port start end]] | multicast {packets | disable} [module module [port start end]] | ttl {packets | disable} [module module [port start end]]} | receive {packets | disable} [module module [port start end]]
Syntax Description
Defaults
See the Syntax Description for the default rate limits.
Default rate limits for the F1 Series modules:
RL-1: 4500 packets per second
RL-2: 1000 packets per second
RL-3: 1000 packets per second
RL-4: 100 packets per second
RL-5: 1500 packets per second
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to configure a rate limit for control packets:
switch# config tswitch(config)# hardware rate-limiter layer-3 control 20000This example shows how to revert to the default rate limit for control packets:
switch# config tswitch(config)# no hardware rate-limiter layer-3 controlRelated Commands
Command Descriptionclear hardware rate-limiter
Clears rate-limit statistics.
show hardware rate-limiter
Displays rate-limit information.
show running-config
Displays the running configuration.
host (IPv4)
To specify a host or a subnet as a member of an IPv4-address object group, use the host command. To remove a group member from an IPv4-address object group, use the no form of this command.
[sequence-number] host IPv4-address
no {sequence-number | host IPv4-address}
[sequence-number] IPv4-address network-wildcard
no IPv4-address network-wildcard
[sequence-number] IPv4-address/prefix-len
no IPv4-address/prefix-len
Syntax Description
Defaults
None
Command Modes
IPv4 address object group configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To specify a subnet as a group member, use either of the following forms of this command:
[sequence-number] IPv4-address network-wildcard
[sequence-number] IPv4-address/prefix-len
Regardless of the command form that you use to specify a subnet, the device shows the IP-address/prefix-len form of the group member when you use the show object-group command.
To specify a single IPv4 address as a group member, use any of the following forms of this command:
[sequence-number] host IPv4-address
[sequence-number] IPv4-address 0.0.0.0
[sequence-number] IPv4-address/32
Regardless of the command form that you use to specify a single IPv4 address, the device shows the host IP-address form of the group member when you use the show object-group command.
This command does not require a license.
Examples
This example shows how to configure an IPv4-address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
switch# config tswitch(config)# object-group ip address ipv4-addr-group-13switch(config-ipaddr-ogroup)# host 10.121.57.102switch(config-ipaddr-ogroup)# 10.121.57.234/32switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-1310 host 10.121.57.10220 host 10.121.57.23430 10.23.176.0/24switch(config-ipaddr-ogroup)#Related Commands
Command Descriptionobject-group ip address
Configures an IPv4 address group.
show object-group
Displays object groups.
host (IPv6)
To specify a host or a subnet as a member of an IPv6-address object group, use the host command. To remove a group member from an IPv6-address object group, use the no form of this command.
[sequence-number] host IPv6-address
no {sequence-number | host IPv6-address}
[sequence-number] IPv6-address/network-prefix
no IPv6-address/network-prefix
Syntax Description
Defaults
None
Command Modes
IPv6 address object group configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To specify a subnet as a group member, use the following form of this command:
[sequence-number] IPv6-address/network-prefix
To specify a single IP address as a group member, use any of the following forms of this command:
[sequence-number] host IPv6-address
[sequence-number] IPv6-address/128
Regardless of the command form that you use to specify a single IPv6 address, the device shows the host IPv6-address form of the group member when you use the show object-group command.
This command does not require a license.
Examples
This example shows how to configure an IPv6-address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
switch# config tswitch(config)# object-group ipv6 address ipv6-addr-group-A7switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A710 host 2001:db8:0:3ab0::120 host 2001:db8:0:3ab0::230 2001:db8:0:3ab7::/96switch(config-ipv6addr-ogroup)#Related Commands
Command Descriptionobject-group ipv6 address
Configures an IPv6 address group.
show object-group
Displays object groups.