V Commands
This chapter describes the Cisco NX-OS security commands that begin with V.
vlan access-map
To create a new VLAN access-map entry or to configure an existing VLAN access-map entry, use the vlan access-map command. To remove a VLAN access-map entry, use the no form of this command.
vlan access-map map-name [sequence-number]
no vlan access-map map-name [sequence-number]
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Each VLAN access-map entry can include one action command and one or more match commands.
Use the statistics per-entry command to configure the device to record statistics for a VLAN access-map entry.
This command does not require a license.
Examples
This example shows how to create a VLAN access map named vlan-map-01, add two entries that each have two match commands and one action command, and enable statistics for the packets matched by the second entry:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f
switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# statistics per-entry
switch(config-access-map)# show vlan access-map
Vlan access-map vlan-map-01 10
match ip: ip-acl-01
match mac: mac-acl-00f
action: forward
Vlan access-map vlan-map-01 20
match ip: ip-acl-320
match mac: mac-acl-00e
action: drop
statistics per-entry
Related Commands
vlan filter
To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.
vlan filter map-name vlan-list VLAN-list
no vlan filter map-name vlan-list VLAN-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can apply a VLAN access map to one or more VLANs.
You can apply only one VLAN access map to a VLAN.
The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
This command does not require a license.
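The apply and unapply rules above can be checked offline before a change window. The following Python sketch is an added example, not Cisco code: it replays vlan filter and no vlan filter lines and reports where each map ends up applied and where a second map is requested on a VLAN that already has one. The map name vlan-map-02 is hypothetical, and keeping the first map on a conflicting VLAN is this sketch's assumption, not documented device behavior.

```python
import re

# Constructed input: the page's apply/unapply example, then a second map
# (vlan-map-02, a hypothetical name) that overlaps the first on VLAN 45.
SAMPLE = """\
vlan filter vlan-map-01 vlan-list 20-45
no vlan filter vlan-map-01 vlan-list 30-32
vlan filter vlan-map-02 vlan-list 30,45
"""
# Accepts the vlan-list keyword from the syntax line and the shorter form
# used in the page's example session.
LINE = re.compile(r"(no )?vlan filter (\S+)(?: vlan-list)?(?: (\S+))?")

def expand(vlan_list):
    """'20-29,33' -> {20, ..., 29, 33}"""
    ids = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def compress(ids):
    """{20, ..., 29, 33} -> '20-29,33'"""
    out, run = [], []
    for v in sorted(ids) + [None]:
        if run and v is not None and v == run[-1] + 1:
            run.append(v)
            continue
        if run:
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
        run = [v]
    return ",".join(out)

def replay(config):
    """Return ({map: VLAN list}, [(map, map already applied, VLANs)])."""
    applied, conflicts = {}, []
    for line in config.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue
        negate, name, vlans = m.groups()
        if negate:  # no VLAN list: unapply from every VLAN
            applied[name] = applied.get(name, set()) - expand(vlans) if vlans else set()
        elif vlans:
            wanted = expand(vlans)
            for other, ids in applied.items():
                if other != name and wanted & ids:
                    conflicts.append((name, other, compress(wanted & ids)))
                    wanted -= ids  # assumption of this sketch: first map stays
            applied.setdefault(name, set()).update(wanted)
    return {n: compress(i) for n, i in applied.items() if i}, conflicts
```

A non-empty conflict list means the change plan asks for two access maps on the same VLAN, which the one-map-per-VLAN rule does not allow.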
Examples
This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
switch# config t
switch(config)# vlan filter vlan-map-01 20-45
This example shows how to use the no form of the command to unapply the VLAN access map named vlan-map-01 from VLANs 30 through 32, which leaves the access map applied to VLANs 20 through 29 and 33 through 45:
switch# show vlan filter
vlan map vlan-map-01:
Configured on VLANs: 20-45
switch(config)# no vlan filter vlan-map-01 30-32
switch# show vlan filter
vlan map vlan-map-01:
Configured on VLANs: 20-29,33-45
Related Commands
vlan policy deny
To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.
vlan policy deny
no vlan policy deny
Syntax Description
This command has no arguments or keywords.
Defaults
All VLANs
Command Modes
User role configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command denies all VLANs to the user role except for those that you allow using the permit vlan command in user role VLAN policy configuration mode.
This command does not require a license.
Examples
This example shows how to enter user role VLAN policy configuration mode for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)#
This example shows how to revert to the default VLAN policy for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny
Related Commands
Command    Description
permit vlan
Allows a VLAN in a user role VLAN policy.
role name
Creates or specifies a user role and enters user role configuration mode.
show role
Displays user role information.
vrf policy deny
To enter virtual forwarding and routing instance (VRF) policy configuration mode for a user role, use the vrf policy deny command. To revert to the default VRF policy for a user role, use the no form of this command.
vrf policy deny
no vrf policy deny
Syntax Description
This command has no arguments or keywords.
Defaults
All VRFs
Command Modes
User role configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command denies all VRFs to the user role except for those that you allow using the permit vrf command in user role VRF policy configuration mode.
This command does not require a license.
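Because the default policy is All VLANs and All VRFs, a role that lacks vlan policy deny or vrf policy deny keeps the full scope. The following Python sketch is an added example, not Cisco code: it audits a saved configuration for the effective VLAN and VRF scope of each role. The sample configuration is constructed; the role names other than MyRole, the permit arguments and the indentation are assumptions.

```python
import re

DEFAULTS = {"vlan": "All VLANs", "vrf": "All VRFs"}  # defaults stated on the page

# Constructed configuration fragment; helpdesk and legacy-ops are invented
# role names and the permit values are illustrative.
SAMPLE = """\
role name MyRole
  vlan policy deny
    permit vlan 20-45
  vrf policy deny
    permit vrf management
role name helpdesk
  vlan policy deny
role name legacy-ops
  description no policy configured
"""

def parse_roles(config):
    """Return {role: {"vlan": None | [permits], "vrf": None | [permits]}}.
    None means no '<kind> policy deny' line, so the default applies."""
    roles, role, kind = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"role name (\S+)", line):
            role, kind = m.group(1), None
            roles[role] = {"vlan": None, "vrf": None}
        elif role is None:
            continue
        elif m := re.fullmatch(r"(vlan|vrf) policy deny", line):
            kind = m.group(1)
            roles[role][kind] = []
        elif m := re.fullmatch(r"no (vlan|vrf) policy deny", line):
            roles[role][m.group(1)], kind = None, None
        elif (m := re.fullmatch(r"permit (vlan|vrf) (\S+)", line)) and m.group(1) == kind:
            roles[role][kind].append(m.group(2))
        else:
            kind = None  # any other line leaves the policy submode
    return roles

def audit(config):
    """Return [(role, 'vlan' | 'vrf', effective scope)] for every role."""
    findings = []
    for role, policy in parse_roles(config).items():
        for kind, permits in policy.items():
            if permits is None:
                scope = f"default: {DEFAULTS[kind]}"
            elif not permits:
                scope = "deny, no permits"
            else:
                scope = "permits " + ",".join(permits)
            findings.append((role, kind, scope))
    return findings
```

Rows reported as "default: ..." are the ones to review when roles are meant to be scoped to specific VLANs or VRFs.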
Examples
This example shows how to enter VRF policy configuration mode for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)#
This example shows how to revert to the default VRF policy for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny
Related Commands
Command    Description
vrf permit
Permits VRFs in a user role VRF policy.
role name
Creates or specifies a user role and enters user role configuration mode.
show role
Displays user role information.