V Commands

Available Languages

Download Options

PDF (124.7 KB)
View with Adobe Reader on a variety of devices

Updated:June 23, 2008

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

V Commands

Table Of Contents

V Commands

vlan access-map

vlan filter

vlan policy deny

vrf policy deny

V Commands

This chapter describes the Cisco NX-OS security commands that begin with V.

vlan access-map

To create a new VLAN access-map entry or to configure an existing VLAN access-map entry, use the vlan access-map command. To remove a VLAN access-map entry, use the no form of this command.

vlan access-map map-name [sequence-number]

no vlan access-map map-name [sequence-number]

Syntax Description

sequence-number

(Optional) Sequence number of the VLAN access-map entry that you are creating or editing.

A sequence number can be any integer between 1 and 4294967295.

By default, the first entry in a VLAN access map has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the VLAN access map and assigns a sequence number that is 10 greater than the sequence number of the preceding entry.

When you use the no form of the command, use the sequence-number argument to specify an entry that you want to remove. Omit the sequence-number argument if you want to remove the entire VLAN access map.

map-name

Name of the VLAN access map that you want to create or configure. The map-name argument can be up to 64 alphanumeric, case-sensitive characters.

Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

Each VLAN access-map entry can include one action command and one or more match command.

Use the statistics per-entry command to configure the device to record statistics for a VLAN access-map entry.

This command does not require a license.

Examples

This example shows how to create a VLAN access map named vlan-map-01, add two entries that each have two match commands and one action command, and enable statistics for the packets matched by the second entry:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f
switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# statistics per-entry
switch(config-access-map)# show vlan access-map
Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop
        statistics per-entry
Related Commands

Command

Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

statistics per-entry

Enables collection of statistics for each entry in an ACL.

vlan filter

Applies a VLAN access map to one or more VLANs.

vlan filter

To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.

vlan filter map-name vlan-list VLAN-list

no vlan filter map-name vlan-list VLAN-list

Syntax Description

map-name

Name of the VLAN access map that you want to create or configure.

vlan-list VLAN-list

Specifies the ID of one or more VLANs that the VLAN access map filters. Valid VLAN IDs are from 1 to 4096.

Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100.

Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142.

Note When you use the no form of this command, the VLAN-list argument is optional. If you omit this argument, the device removes the access map from all VLANs where the access map is applied.

Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

You can apply a VLAN access map to one or more VLANs.

You can apply only one VLAN access map to a VLAN.

The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.

This command does not require a license.

Examples

This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
switch# config t
switch(config)# vlan filter vlan-map-01 20-45
This example show how to use the no form of the command to unapply the VLAN access map named vlan-map-01 from VLANs 30 through 32, which leaves the access map applied to VLANs 20 through 29 and 33 through 45:
switch# show vlan filter
vlan map vlan-map-01:
        Configured on VLANs:    20-45
switch(config)# no vlan filter vlan-map-01 30-32
switch# show vlan filter
vlan map vlan-map-01:
        Configured on VLANs:    20-29,33-45
Related Commands

Command

Description

action

Specifies an action for traffic filtering in a VLAN access map.

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

vlan access-map

Configures a VLAN access map.

vlan policy deny

To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.

vlan policy deny

no vlan policy deny

Syntax Description

This command has no arguments or keywords.

Defaults

All VLANs

Command Modes

User role configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

This command denies all VLANs to the user role except for those that you allow using the permit vlan command in user role VLAN policy configuration mode.

This command does not require a license.

Examples

This example shows how to enter user role VLAN policy configuration mode for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# 
This example shows how to revert to the default VLAN policy for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny
Related Commands

Command

Description

permit vlan

Allows a VLAN in a user role VLAN policy.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.
vrf policy deny

To enter virtual forwarding and routing instance (VRF) policy configuration mode for a user role, use the vrf policy deny command. To revert to the default VRF policy for a user role, use the no form of this command.

vrf policy deny

no vrf policy deny

Syntax Description

This command has no arguments or keywords.

Defaults

All VRFs

Command Modes

User role configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release

Modification

4.0(1)

This command was introduced.

Usage Guidelines

This command denies all VRFs to the user role except for those that you allow using the permit vrf command in user role VRF policy configuration mode.

This command does not require a license.

Examples

This example shows how to enter VRF policy configuration mode for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)# 
This example shows how to revert to the default VRF policy for a user role:
switch# config t
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny
Related Commands

Command

Description

vrf permit

Permits VRFs in a user role VRF policy.

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.

sequence-number	(Optional) Sequence number of the VLAN access-map entry that you are creating or editing. A sequence number can be any integer between 1 and 4294967295. By default, the first entry in a VLAN access map has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the VLAN access map and assigns a sequence number that is 10 greater than the sequence number of the preceding entry. When you use the no form of the command, use the sequence-number argument to specify an entry that you want to remove. Omit the sequence-number argument if you want to remove the entire VLAN access map.
map-name	Name of the VLAN access map that you want to create or configure. The map-name argument can be up to 64 alphanumeric, case-sensitive characters.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
action	Specifies an action for traffic filtering in a VLAN access map.
match	Specifies an ACL for traffic filtering in a VLAN access map.
show vlan access-map	Displays all VLAN access maps or a VLAN access map.
show vlan filter	Displays information about how a VLAN access map is applied.
statistics per-entry	Enables collection of statistics for each entry in an ACL.
vlan filter	Applies a VLAN access map to one or more VLANs.

map-name	Name of the VLAN access map that you want to create or configure.
vlan-list VLAN-list	Specifies the ID of one or more VLANs that the VLAN access map filters. Valid VLAN IDs are from 1 to 4096. Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100. Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142. Note When you use the no form of this command, the VLAN-list argument is optional. If you omit this argument, the device removes the access map from all VLANs where the access map is applied.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
action	Specifies an action for traffic filtering in a VLAN access map.
match	Specifies an ACL for traffic filtering in a VLAN access map.
show vlan access-map	Displays all VLAN access maps or a VLAN access map.
show vlan filter	Displays information about how a VLAN access map is applied.
vlan access-map	Configures a VLAN access map.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
permit vlan	Allows a VLAN in a user role VLAN policy.
role name	Creates or specifies a user role and enters user role configuration mode.
show role	Displays user role information.

Release	Modification
4.0(1)	This command was introduced.

Command	Description
vrf permit	Permits VRFs in a user role VRF policy.
role name	Creates or specifies a user role and enters user role configuration mode.
show role	Displays user role information.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)