Cisco Nexus 7000 Series NX-OS Security Command Reference
Cisco Nexus 7000 Series NX-OS Security Commands

Security Commands

Table Of Contents

Security Commands

aaa accounting default

aaa accounting dot1x

aaa authentication cts default group

aaa authentication dot1x default group

aaa authentication eou default group

aaa authentication login ascii-authentication

aaa authentication login chap enable

aaa authentication login console

aaa authentication login default

aaa authentication login error-enable

aaa authentication login mschap enable

aaa authentication login mschapv2 enable

aaa authorization commands default

aaa authorization config-commands default

aaa authorization cts default group

aaa authorization ssh-certificate

aaa authorization ssh-publickey

aaa group server ldap

aaa group server radius

aaa group server tacacs+

aaa user default-role

absolute

accept-lifetime

action

arp access-list

authentication (LDAP)

capture session

class (policy map)

class-map type control-plane

clear access-list counters

clear accounting log

clear copp statistics

clear cts role-based counters

clear dot1x

clear eou

clear rate-limiter

clear ip access-list counters

clear ip arp inspection log

clear ip arp inspection statistics vlan

clear ip device tracking

clear ip dhcp snooping binding

clear ipv6 access-list counters

clear ldap-server statistics

clear mac access-list counters

clear port-security

clear radius-server statistics

clear ssh hosts

clear tacacs-server statistics

clear user

clear vlan access-list counters

copp copy profile

copp profile

CRLLookup

crypto ca authenticate

crypto ca crl request

crypto ca enroll

crypto ca export

crypto ca import

crypto ca lookup

crypto ca remote ldap crl-refresh-time

crypto ca remote ldap server-group

crypto ca test verify

crypto ca trustpoint

crypto certificatemap mapname

crypto cert ssh-authorize

cts device-id

cts dot1x

cts manual

cts refresh role-based-policy

cts rekey

cts role-based access-list

cts role-based counters enable

cts role-based enforcement

cts role-based sgt

cts role-based sgt-map

cts sgt

cts sxp connection peer

cts sxp default password

cts sxp default source-ip

cts sxp enable

cts sxp reconcile-period

cts sxp retry-period

deadtime

delete ca-certificate

delete certificate

delete crl

deny (ARP)

deny (IPv4)

deny (IPv6)

deny (MAC)

deny (role-based access control list)

description (identity policy)

description (user role)

destination interface

device

dot1x default

dot1x host-mode

dot1x initialize

dot1x mac-auth-bypass

dot1x max-reauth-req

dot1x max-req

dot1x pae authenticator

dot1x port-control

dot1x radius-accounting

dot1x re-authentication (EXEC)

dot1x re-authentication (global configuration and interface configuration)

dot1x system-auth-control

dot1x timeout quiet-period

dot1x timeout ratelimit-period

dot1x timeout re-authperiod

dot1x timeout server-timeout

dot1x timeout supp-timeout

dot1x timeout tx-period

enable Cert-DN-match

enable

enable secret

enable user-server-group

encryption decrypt type6

encrypt pause-frame

encryption delete type6

encryption re-encrypt obfuscated

enrollment terminal

eou allow clientless

eou default

eou initialize

eou logging

eou max-retry

eou port

eou ratelimit

eou revalidate (EXEC)

eou revalidate (global configuration and interface configuration)

eou timeout

eq

feature (user role feature group)

feature cts

feature dhcp

feature dot1x

feature eou

feature ldap

feature password encryption aes

feature port-security

feature privilege

feature scp-server

feature sftp-server

feature ssh

feature tacacs+

feature telnet

filter

fips mode enable

fragments

gt

hardware access-list allow deny ace

hardware access-list capture

hardware access-list resource pooling

hardware access-list update

rate-limiter

host (IPv4)

host (IPv6)

identity policy

identity profile eapoudp

interface policy deny

ip access-class

ip access-group

ip access-list

ip arp inspection filter

ip arp inspection log-buffer

ip arp inspection trust

ip arp inspection validate

ip arp inspection vlan

ip dhcp packet strict-validation

ip dhcp relay

ip dhcp relay address

ip dhcp relay information option

ip dhcp relay information option vpn

ip dhcp relay subnet-broadcast

ip dhcp relay sub-option type cisco

ip dhcp smart-relay

ip dhcp smart-relay global

ip dhcp snooping

ip dhcp snooping information option

ip dhcp snooping trust

ip dhcp snooping verify mac-address

ip dhcp snooping vlan

ip port access-group

ip radius source-interface

ip source binding

ip tacacs source-interface

ipv6 access-class

ip verify source dhcp-snooping-vlan

ip verify unicast source reachable-via

ipv6 access-list

ipv6 port traffic-filter

ipv6 traffic-filter

key

key config-key

key-string

key chain

ldap-server deadtime

ldap-server host

ldap-server port

ldap-server timeout

ldap search-map

logging drop threshold

lt

mac access-list

mac packet-classify

mac port access-group

match (class-map)

match (VLAN access-map)

monitor session

nac enable

neq

object-group (identity policy)

object-group ip address

object-group ip port

object-group ipv6 address

password strength-check

periodic

permit (ACL)

permit (ARP)

permit (IPv4)

permit (IPv6)

permit (MAC)

permit (role-based access control list)

permit interface

permit vlan

permit vrf

platform access-list update

platform rate-limit

police (policy map)

policy

policy-map type control-plane

propagate-sgt

radius abort

radius commit

radius distribute

radius-server deadtime

radius-server directed-request

radius-server host

radius-server key

radius-server retransmit

radius-server test

radius-server timeout

range

rate-limit cpu direction

remark

replay-protection

resequence

revocation-check

role abort

role commit

role distribute

role feature-group name

role name

rsakeypair

rule

sap modelist

sap pmk

send-lifetime

server

service dhcp

service-policy input

set cos

set dscp (policy map class)

set precedence (policy map class)

source-interface

ssh

ssh key

ssh login-attempts

ssh server enable

ssh6

statistics per-entry

storm-control level

switchport port-security

switchport port-security aging time

switchport port-security aging type

switchport port-security mac-address

switchport port-security mac-address sticky

switchport port-security maximum

switchport port-security violation

show aaa accounting

show aaa authentication

show aaa authorization

show aaa groups

show aaa user default-role

show access-lists

show accounting log

show arp access-lists

show class-map type control-plane

show cli syntax roles network-admin

show copp diff profile

show copp profile

show cli syntax roles network-operator

show copp status

show crypto ca certificates

show crypto ca certstore

show crypto ca crl

show crypto ca remote-certstore

show crypto ca trustpoints

show crypto certificatemap

show crypto key mypubkey rsa

show crypto ssh-auth-map

show cts

show cts credentials

show cts environment-data

show cts interface

show cts pacs

show cts role-based access-list

show cts role-based counters

show cts role-based enable

show cts role-based policy

show cts role-based sgt-map

show cts sxp

show cts sxp connection

show dot1x

show dot1x all

show dot1x interface ethernet

show encryption service stat

show eou

show fips status

show

show access-list status module

show rate-limiter

show identity policy

show identity profile

show ip access-lists

show ip access-lists capture session

show ip arp inspection

show ip arp inspection interface

show ip arp inspection log

show ip arp inspection statistics

show ip arp inspection vlan

show ip device tracking

show ip dhcp relay

show ip dhcp relay address

show ip dhcp snooping

show ip dhcp snooping binding

show ip dhcp snooping statistics

show ip verify source

show ipv6 access-lists

show key chain

show ldap-search-map

show ldap-server

show ldap-server groups

show ldap-server statistics

show mac access-lists

show password strength-check

show policy-map type control-plane

show port-security

show port-security address

show port-security interface

show privilege

show radius

show radius-server

show role

show role feature

show role feature-group

show role pending

show role pending-diff

show role session

show role status

show running-config aaa

show running-config aclmgr

show running-config copp

show running-config cts

show running-config dhcp

show running-config dot1x

show running-config eou

show running-config ldap

show running-config port-security

show running-config radius

show running-config security

show running-config tacacs+

show ssh key

show ssh server

show startup-config aaa

show startup-config aclmgr

show startup-config copp

show startup-config dhcp

show startup-config dot1x

show startup-config eou

show startup-config ldap

show startup-config port-security

show startup-config radius

show startup-config security

show startup-config tacacs+

show system internal pktmgr internal control sw-rate-limit

show tacacs+

show tacacs-server

show telnet server

show time-range

show user-account

show username

show users

show vlan access-list

show vlan access-map

show vlan filter

tacacs+ abort

tacacs+ commit

tacacs+ distribute

tacacs-server deadtime

tacacs-server directed-request

tacacs-server host

tacacs-server key

tacacs-server test

tacacs-server timeout

telnet

telnet server enable

telnet6

terminal verify-only

test aaa authorization command-type

time-range

trustedCert

use-vrf

user-certdn-match

user-pubkey-match

user-switch-bind

username

userprofile

vlan access-map

vlan filter

vlan policy deny

vrf policy deny


Security Commands


This chapter describes the Cisco NX-OS security commands for the Nexus 7000 Series devices.

aaa accounting default

To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.

aaa accounting default {group group-list | local}

no aaa accounting default {group group-list | local}

Syntax Description

group

Specifies to use a server group for accounting.

group-list

Space-separated list of server groups that can include the following:

radius for all configured RADIUS servers.

Any configured RADIUS or TACACS+ server group name.

The maximum number of names in the list is eight.

local

Specifies to use the local database for accounting.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The group group-list methods refer to a set of previously defined servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the RADIUS server groups on the device.

If you specify the group method, the local method, or both, and all of them fail, then accounting fails.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

This command does not require a license.

Examples

This example shows how to configure any RADIUS server for AAA accounting:

switch# configure terminal
switch(config)# aaa accounting default group radius

Related Commands

Command
Description

aaa group server

Configures AAA RADIUS server groups.

radius-server host

Configures RADIUS servers.

show aaa accounting

Displays AAA accounting status information.

show aaa groups

Displays AAA server group information.

tacacs-server host

Configures TACACS+ servers.


aaa accounting dot1x

To configure authentication, authorization, and accounting (AAA) methods for accounting for 802.1X authentication, use the aaa accounting dot1x command. To revert to the default, use the no form of this command.

aaa accounting dot1x {group group-list | local}

no aaa accounting dot1x {group group-list | local}

Syntax Description

group

Specifies to use a server group for accounting.

group-list

Space-separated list of RADIUS server groups that can include the following:

radius for all configured RADIUS servers.

Any configured RADIUS server group name.

The maximum number of names in the list is eight.

local

Specifies to use the local database for accounting.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The group group-list methods refer to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the RADIUS server groups on the device.

If you specify the group method, the local method, or both, and all of them fail, then accounting fails.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

This command does not require a license.

Examples

This example shows how to configure authentication, authorization, and accounting (AAA) methods for accounting for 802.1X authentication:

switch# configure terminal
switch(config)# aaa accounting dot1x default group radius

Related Commands

Command
Description

aaa group server radius

Configures AAA RADIUS server groups.

radius-server host

Configures RADIUS servers.

show aaa accounting

Displays AAA accounting status information.

show aaa groups

Displays AAA server group information.


aaa authentication cts default group

To configure the default authentication, authorization, and accounting (AAA) RADIUS server groups for Cisco TrustSec authentication, use the aaa authentication cts default group command. To remove a server group from the default AAA authentication server group list, use the no form of this command.

aaa authentication cts default group group-list

no aaa authentication cts default group group-list

Syntax Description

group-list

Space-separated list of RADIUS server groups that can include the following:

radius for all configured RADIUS servers.

Any configured RADIUS server group name.

The maximum number of names in the list is eight.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the RADIUS server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

This command requires the Advanced Services license.

Examples

This example shows how to configure the default AAA authentication RADIUS server group for Cisco TrustSec:

switch# configure terminal
switch(config)# aaa authentication cts default group RadGroup

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

feature cts

Enables the Cisco TrustSec feature.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays the AAA authentication configuration.

show aaa groups

Displays the AAA server groups.


aaa authentication dot1x default group

To configure AAA authentication methods for 802.1X, use the aaa authentication dot1x default group command. To revert to the default, use the no form of this command.

aaa authentication dot1x default group group-list

no aaa authentication dot1x default group group-list

Syntax Description

group-list

Space-separated list of RADIUS server groups that can include the following:

radius for all configured RADIUS servers.

Any configured RADIUS server group name.

The maximum number of names in the list is eight.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the RADIUS server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

This command does not require a license.

Examples

This example shows how to configure methods for 802.1X authentication:

switch# configure terminal
switch(config)# aaa authentication dot1x default group Dot1xGroup

This example shows how to revert to the default methods for 802.1X authentication:

switch# configure terminal
switch(config)# no aaa authentication dot1x default group Dot1xGroup

Related Commands

Command
Description

feature dot1x

Enables 802.1X.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays the AAA authentication configuration.

show aaa groups

Displays the AAA server groups.


aaa authentication eou default group

To configure AAA authentication methods for EAP over UDP (EoU), use the aaa authentication eou default group command. To revert to the default, use the no form of this command.

aaa authentication eou default group group-list

no aaa authentication eou default group group-list

Syntax Description

group-list

Space-separated list of RADIUS server groups that can include the following:

radius for all configured RADIUS servers.

Any configured RADIUS server group name.

The maximum number of names in the list is eight.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

Before configuring EAPoUDP default authentication methods, you must enable EAPoUDP using the feature eou command.

The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the RADIUS server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

This command does not require a license.

Examples

This example shows how to configure methods for EAPoUDP authentication:

switch# configure terminal
switch(config)# aaa authentication eou default group EoUGroup

This example shows how to revert to the default methods for EAPoUDP authentication:

switch# configure terminal
switch(config)# no aaa authentication eou default group EoUGroup

Related Commands

Command
Description

feature eou

Enables EAPoUDP.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays the AAA authentication configuration.

show aaa groups

Displays the AAA server groups.


aaa authentication login ascii-authentication

To enable ASCII authentication for passwords on a TACACS+ server, use the aaa authentication login ascii-authentication command. To revert to the default, use the no form of this command.

aaa authentication login ascii-authentication

no aaa authentication login ascii-authentication

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

Only the TACACS+ protocol supports this feature.

This command does not require a license.

Examples

This example shows how to enable ASCII authentication for passwords on TACACS+ servers:

switch# configure terminal
switch(config)# aaa authentication login ascii-authentication

This example shows how to disable ASCII authentication for passwords on TACACS+ servers:

switch# configure terminal
switch(config)# no aaa authentication login ascii-authentication

Related Commands

Command
Description

show aaa authentication login ascii-authentication

Displays the status of the ASCII authentication for passwords.


aaa authentication login chap enable

To enable Challenge Handshake Authentication Protocol (CHAP) authentication at login, use the aaa authentication login chap enable command. To revert to the default, use the no form of this command.

aaa authentication login chap enable

no aaa authentication login chap enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device.

This command does not require a license.

Examples

This example shows how to enable CHAP authentication:

switch# configure terminal
switch(config)# aaa authentication login chap enable

This example shows how to disable CHAP authentication:

switch# configure terminal
switch(config)# no aaa authentication login chap enable

Related Commands

Command
Description

show aaa authentication login chap

Displays the status of CHAP authentication.


aaa authentication login console

To configure AAA authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.

aaa authentication login console {fallback error local | group group-list [none] | local | none}

no aaa authentication login console {fallback error local | group group-list [none] | local | none}

Syntax Description

fallback error local

Enables fallback to local authentication for the console login if remote authentication is configured and all AAA servers are unreachable. Fallback to local authentication is enabled by default.

Note Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a password recovery in order to gain access. To prevent being locked out of the device, we recommend disabling fallback to local authentication for only the default login or the console login, not both.

group

Specifies to use a server group for authentication.

group-list

Space-separated list of server groups. The list can include the following:

radius for all configured RADIUS servers.

tacacs+ for all configured TACACS+ servers.

ldap for all configured LDAP servers.

Any configured RADIUS, TACACS+, or LDAP server group name.

none

(Optional) Specifies that no authentication is to be used.

local

Specifies to use the local database for authentication.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

Support for LDAP server groups was added.

5.0(2)

The fallback error local keyword was added.

4.0(1)

This command was introduced.


Usage Guidelines

The group radius, group tacacs+, group ldap, and group group-list methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host, tacacs-server host, or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

If you specify the group method or local method and they fail, the authentication can fail. If you specify the none method alone or after the group method, the authentication always succeeds.

The command operates only in the default VDC (VDC 1).

This command does not require a license.

Examples

This example shows how to configure the AAA authentication console login methods:

switch# configure terminal
switch(config)# aaa authentication login console group radius

This example shows how to revert to the default AAA authentication console login method:

switch# configure terminal
switch(config)# no aaa authentication login console group radius

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

ldap-server host

Configures LDAP servers.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays AAA authentication information.

show aaa groups

Displays the AAA server groups.

tacacs-server host

Configures TACACS+ servers.


aaa authentication login default

To configure the default AAA authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.

aaa authentication login default {fallback error local | group group-list [none] | local | none}

no aaa authentication login default {fallback error local | group group-list [none] | local | none}

Syntax Description

fallback error local

Enables fallback to local authentication for the default login if remote authentication is configured and all AAA servers are unreachable. Fallback to local authentication is enabled by default.

Note Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a password recovery in order to gain access. To prevent being locked out of the device, we recommend disabling fallback to local authentication for only the default login or the console login, not both.

group

Specifies a server group list to be used for authentication.

group-list

Space-separated list of server groups that can include the following:

radius for all configured RADIUS servers.

tacacs+ for all configured TACACS+ servers.

ldap for all configured LDAP servers.

Any configured RADIUS, TACACS+, or LDAP server group name.

none

(Optional) Specifies that no authentication is to be used.

local

Specifies to use the local database for authentication.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

Support for LDAP server groups was added.

5.0(2)

The fallback error local keyword was added.

4.0(1)

This command was introduced.


Usage Guidelines

The group radius, group tacacs+, group ldap, and group group-list methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host, tacacs-server host, or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

If you specify the group method or local method and they fail, the authentication fails. If you specify the none method alone or after the group method, the authentication always succeeds.

This command does not require a license.

Examples

This example shows how to configure the AAA authentication default login method:

switch# configure terminal
switch(config)# aaa authentication login default group radius

This example shows how to revert to the default AAA authentication default login method:

switch# configure terminal
switch(config)# no aaa authentication login default group radius

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

ldap-server host

Configures LDAP servers.

radius-server host

Configures RADIUS servers.

show aaa authentication

Displays AAA authentication information.

show aaa groups

Displays the AAA server groups.

tacacs-server host

Configures TACACS+ servers.
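
The method-order and fallback rules from the usage guidelines of the aaa authentication login console and aaa authentication login default entries, modelled as an added Python audit script (not part of the Cisco reference): it parses the login lines of a constructed running-config fragment, flags the none method and the both-scopes fallback-disabled lockout condition from the Note above, and simulates which method decides a login. It assumes that a disabled fallback appears in the running-config as the no form of the fallback error local line, and it simplifies each server group to reachable or unreachable with a single remote verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config fragment (not captured from a real device).
SAMPLE_CONFIG = """\
aaa authentication login default group tacacs+ radius local
aaa authentication login console group radius none
no aaa authentication login default fallback error local
no aaa authentication login console fallback error local
"""

LOGIN_RE = re.compile(
    r"^(?P<neg>no )?aaa authentication login (?P<scope>default|console) (?P<rest>.+)$"
)


@dataclass
class LoginPolicy:
    # Ordered method list, e.g. ["group tacacs+", "group radius", "local"].
    methods: list = field(default_factory=list)
    # "fallback error local" is enabled by default per the reference.
    fallback_local: bool = True


def parse_login_policies(config: str) -> dict:
    """Build the default and console login policies from running-config lines."""
    policies = {"default": LoginPolicy(methods=["local"]),
                "console": LoginPolicy(methods=["local"])}
    for line in config.splitlines():
        m = LOGIN_RE.match(line.strip())
        if not m:
            continue
        pol = policies[m.group("scope")]
        rest = m.group("rest").split()
        if rest[:3] == ["fallback", "error", "local"]:
            # Assumption: a disabled fallback shows up as the 'no ...' form of the line.
            pol.fallback_local = m.group("neg") is None
            continue
        if m.group("neg"):
            pol.methods = ["local"]  # the no form reverts to the default method
            continue
        methods, i = [], 0
        while i < len(rest):
            if rest[i] == "group":
                # Tokens after 'group' up to 'local'/'none' are server group names.
                i += 1
                while i < len(rest) and rest[i] not in ("local", "none"):
                    methods.append("group " + rest[i])
                    i += 1
            else:
                methods.append(rest[i])
                i += 1
        pol.methods = methods
    return policies


def evaluate_login(policy: LoginPolicy, reachable: dict,
                   remote_verdict: bool, local_verdict: bool) -> bool:
    """Simplified simulation of the method order the usage guidelines describe.

    Groups are tried in list order; the first reachable group's verdict is final,
    an unreachable group is skipped, 'local' applies the local verdict and 'none'
    always succeeds. If every group is unreachable and no local/none method is
    listed, the outcome depends on whether fallback to local is enabled.
    """
    for method in policy.methods:
        if method.startswith("group "):
            if reachable.get(method[len("group "):], False):
                return remote_verdict
            continue
        if method == "local":
            return local_verdict
        if method == "none":
            return True
    return local_verdict if policy.fallback_local else False


def audit(policies: dict) -> list:
    """Flag the risky settings called out in the reference."""
    findings = []
    for scope, pol in policies.items():
        if "none" in pol.methods:
            findings.append(f"{scope}: 'none' method configured; login succeeds "
                            "without authentication once that method is reached")
    if not policies["default"].fallback_local and not policies["console"].fallback_local:
        findings.append("fallback to local authentication disabled for both default "
                        "and console login; lockout risk if all AAA servers are unreachable")
    return findings


if __name__ == "__main__":
    pols = parse_login_policies(SAMPLE_CONFIG)
    for scope, pol in pols.items():
        print(f"{scope}: methods={pol.methods} fallback_local={pol.fallback_local}")
    for finding in audit(pols):
        print("FINDING:", finding)
    # All AAA servers down, local password valid: the default login still succeeds
    # because 'local' is in its method list, not because of fallback.
    print(evaluate_login(pols["default"], {}, remote_verdict=False, local_verdict=True))
```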


aaa authentication login error-enable

To display the AAA authentication failure message on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.

aaa authentication login error-enable

no aaa authentication login error-enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

If the remote AAA servers do not respond when you log in, the login is processed by rolling over to the local user database. If you have enabled the display of login failure messages, one of the following messages is shown on the user's terminal in that case:

Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.

This command does not require a license.

Examples

This example shows how to enable the display of AAA authentication failure messages to the console:

switch# configure terminal
switch(config)# aaa authentication login error-enable

This example shows how to disable the display of AAA authentication failure messages to the console:

switch# configure terminal
switch(config)# no aaa authentication login error-enable

Related Commands

Command
Description

show aaa authentication login error-enable

Displays the status of the AAA authentication failure message display.


aaa authentication login mschap enable

To enable Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.

aaa authentication login mschap enable

no aaa authentication login mschap enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX-OS device.

This command does not require a license.

Examples

This example shows how to enable MSCHAP authentication:

switch# configure terminal
switch(config)# aaa authentication login mschap enable

This example shows how to disable MSCHAP authentication:

switch# configure terminal
switch(config)# no aaa authentication login mschap enable

Related Commands

Command
Description

show aaa authentication login mschap

Displays the status of MSCHAP authentication.


aaa authentication login mschapv2 enable

To enable Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication at login, use the aaa authentication login mschapv2 enable command. To revert to the default, use the no form of this command.

aaa authentication login mschapv2 enable

no aaa authentication login mschapv2 enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX-OS device.

This command does not require a license.

Examples

This example shows how to enable MSCHAP V2 authentication:

switch# configure terminal
switch(config)# aaa authentication login mschapv2 enable

This example shows how to disable MSCHAP V2 authentication:

switch# configure terminal
switch(config)# no aaa authentication login mschapv2 enable

Related Commands

Command
Description

show aaa authentication login mschapv2

Displays the status of MSCHAP V2 authentication.


aaa authorization commands default

To configure default AAA authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.

aaa authorization commands default [group group-list [local] | local]

no aaa authorization commands default [group group-list [local] | local]

Syntax Description

group

(Optional) Specifies to use a server group for authorization.

group-list

Space-separated list of server groups. The list can include the following:

tacacs+ for all configured TACACS+ servers.

Any configured TACACS+ server group name.

local

(Optional) Specifies to use the local role-based database for authorization.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

The none keyword was deprecated.

4.2(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.

The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list and moves to the next group only when no server in the current group responds. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method; a deny returned by a server that does respond is final and does not fall through to the local database.

If the group method or the local method fails, authorization fails. If you have not configured a fallback method after the TACACS+ server group method, authorization fails, and users cannot run EXEC commands, whenever all server groups fail to respond.


Caution Command authorization disables user role based authorization control (RBAC), including the default roles. Once it is enabled, whether a user may run a command is decided entirely by the configured method (the TACACS+ server policy, or the local role-based database as the fallback), not by the roles assigned to the user.


Note Command authorization is available only to non-console sessions. If you log in to the device through the console, command authorization is disabled for that session.



Note By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.


This command does not require a license.

Examples

This example shows how to configure the default AAA authorization methods for EXEC commands:

switch# configure terminal
switch(config)# aaa authorization commands default group TacGroup local
Per command authorization will disable RBAC for all users. Proceed (y/n)?

Note If you press Enter at the confirmation prompt, the default response is n.


This example shows how to revert to the default AAA authorization methods for EXEC commands:

switch# configure terminal
switch(config)# no aaa authorization commands default group TacGroup local

Related Commands

Command
Description

aaa authorization config-commands default

Configures default AAA authorization methods for configuration commands.

feature tacacs+

Enables the TACACS+ feature.

show aaa authorization

Displays the AAA authorization configuration.

terminal verify-only

Enables the command authorization verification.

test aaa authorization command-type

Tests the command authorization using the AAA command authorization methods.


aaa authorization config-commands default

To configure default AAA authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.

aaa authorization config-commands default [group group-list [local] | local]

no aaa authorization config-commands default [group group-list [local] | local]

Syntax Description

group

(Optional) Specifies to use a server group for authorization.

group-list

Space-separated list of server groups. The list can include the following:

tacacs+ for all configured TACACS+ servers.

Any configured TACACS+ server group name.

local

(Optional) Specifies to use the local role-based database for authorization.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

The none keyword was deprecated.

4.2(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.

The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list and moves to the next group only when no server in the current group responds. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method; a deny returned by a server that does respond is final and does not fall through to the local database.

If the group method or the local method fails, authorization fails. If you have not configured a fallback method after the TACACS+ server group method, authorization fails, and users cannot run configuration commands, whenever all server groups fail to respond.


Caution Command authorization disables user role based authorization control (RBAC), including the default roles. Once it is enabled, whether a user may run a command is decided entirely by the configured method (the TACACS+ server policy, or the local role-based database as the fallback), not by the roles assigned to the user.


Note Command authorization is available only to non-console sessions. If you log in to the device through the console, command authorization is disabled for that session.



Note By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.


This command does not require a license.
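The method-list rules in the usage guidelines for aaa authorization commands default and aaa authorization config-commands default (groups tried in order, the next method consulted only when a group does not respond, local used only when it is configured as the fallback, failure when nothing answers) are easy to misread, so here is a small model of them in Python. It is an added example, not Cisco code; the server responses are simulated and the group names are hypothetical.

```python
"""Model of how an NX-OS AAA authorization method list is walked.

Added example, not from the Cisco reference.  Encodes the documented rules:
  * server groups are consulted in the order listed;
  * the next method is tried only when no server in a group responds;
  * `local` applies only if it was configured as the fallback;
  * if every method is exhausted without an answer, authorization fails.
Group names and replies below are simulated, not real TACACS+ traffic.
"""
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Verdict(Enum):
    PERMIT = "permit"
    DENY = "deny"
    NO_RESPONSE = "no-response"   # every server in the group timed out


Method = Tuple[str, Optional[str]]   # ("group", <name>) or ("local", None)


def parse_method_list(cli: str) -> List[Method]:
    """Turn 'aaa authorization commands default group A B local' into methods."""
    tokens = cli.split()
    if tokens[:2] != ["aaa", "authorization"] or len(tokens) < 4 or tokens[3] != "default":
        raise ValueError("expected 'aaa authorization {commands|config-commands} default ...'")
    methods: List[Method] = []
    i = 4
    while i < len(tokens):
        if tokens[i] == "group":
            i += 1
            while i < len(tokens) and tokens[i] != "local":
                methods.append(("group", tokens[i]))
                i += 1
        elif tokens[i] == "local":
            methods.append(("local", None))
            i += 1
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return methods


def authorize(methods: List[Method], group_reply: Dict[str, Verdict], local_reply: Verdict) -> str:
    """Return the verdict and which method produced it.

    group_reply maps a group name to what that group's servers answered
    (absent groups are treated as unreachable); local_reply is what the
    local role-based database would say.
    """
    for kind, name in methods:
        if kind == "group":
            verdict = group_reply.get(name, Verdict.NO_RESPONSE)
            if verdict is Verdict.NO_RESPONSE:
                continue                       # only silence moves on to the next method
            return f"{verdict.value} by group {name}"   # a real answer, permit or deny, is final
        return f"{local_reply.value} by local"
    # Every group was silent and no local fallback was configured.
    return "deny (no method responded)"


def lockout_risk(cli: str) -> bool:
    """True when the list has no local fallback, so a TACACS+ outage denies every command."""
    return ("local", None) not in parse_method_list(cli)
```

The third assertion in the test below is the case the guidelines warn about: with `group TacGroup` and no `local`, an unreachable server group leaves the user unable to run any command.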

Examples

This example shows how to configure the default AAA authorization methods for configuration commands:

switch# configure terminal
switch(config)# aaa authorization config-commands default group TacGroup local

This example shows how to revert to the default AAA authorization methods for configuration commands:

switch# configure terminal
switch(config)# no aaa authorization config-commands default group TacGroup local

Related Commands

Command
Description

aaa authorization commands default

Configures default AAA authorization methods for EXEC commands.

feature tacacs+

Enables the TACACS+ feature.

show aaa authorization

Displays the AAA authorization configuration.

terminal verify-only

Enables the command authorization verification.

test aaa authorization command-type

Tests the command authorization using the AAA command authorization methods.


aaa authorization cts default group

To configure the default authentication, authorization, and accounting (AAA) RADIUS server groups for Cisco TrustSec authorization, use the aaa authorization cts default group command. To remove a server group from the default AAA authorization server group list, use the no form of this command.

aaa authorization cts default group group-list

no aaa authorization cts default group group-list

Syntax Description

group-list

Space-separated list of RADIUS server groups that can include the following:

radius for all configured RADIUS servers.

Any configured RADIUS server group name.

The maximum number of names in the list is eight.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use the aaa authorization cts default group command, you must enable the Cisco TrustSec feature using the feature cts command.

The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.

Use the show aaa groups command to display the RADIUS server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.

This command requires the Advanced Services license.

Examples

This example shows how to configure the default AAA authorization RADIUS server group for Cisco TrustSec:

switch# configure terminal
switch(config)# aaa authorization cts default group RadGroup

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show aaa authorization

Displays the AAA authorization configuration.

show aaa groups

Displays the AAA server groups.


aaa authorization ssh-certificate

To configure the default AAA authorization method for users who authenticate with an SSH certificate, using TACACS+ or Lightweight Directory Access Protocol (LDAP) server groups or the local database, use the aaa authorization ssh-certificate command. To disable this configuration, use the no form of this command.

aaa authorization ssh-certificate default {group group-list | local}

no aaa authorization ssh-certificate default {group group-list | local}

Syntax Description

group

Specifies to use a server group for authorization.

group-list

Space-separated list of server groups. The list can include the following:

tacacs+ for all configured TACACS+ servers.

ldap for all configured LDAP servers.

Any configured TACACS+ or LDAP server group name.

local

Specifies to use the local database for authorization.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must enable the TACACS+ feature using the feature tacacs+ command or the LDAP feature using the feature ldap command.

The group tacacs+, group ldap, and group group-list methods refer to a set of previously defined TACACS+ and LDAP servers. Use the tacacs-server host command or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.

If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the TACACS+ or LDAP server group method, authorization fails if all server groups fail to respond.

This command does not require a license.

Examples

This example shows how to configure LDAP authorization with certificate authentication as the default AAA authorization method for LDAP servers:

switch# configure terminal
switch(config)# aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2

Related Commands

Command
Description

aaa authorization ssh-publickey

Configures LDAP or local authorization with the SSH public key as the default AAA authorization method for LDAP servers.

feature ldap

Enables the LDAP feature.

feature tacacs+

Enables the TACACS+ feature.

show aaa authorization

Displays the AAA authorization configuration.


aaa authorization ssh-publickey

To configure Lightweight Directory Access Protocol (LDAP) or local authorization with the Secure Shell (SSH) public key as the default AAA authorization method for LDAP servers, use the aaa authorization ssh-publickey command. To revert to the default, use the no form of this command.

aaa authorization ssh-publickey default {group group-list | local}

no aaa authorization ssh-publickey default {group group-list | local}

Syntax Description

group

Specifies to use a server group for authorization.

group-list

Space-separated list of server groups. The list can include the following:

ldap for all configured LDAP servers.

Any configured LDAP server group name.

local

Specifies to use the local database for authorization.


Defaults

local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must enable the LDAP feature using the feature ldap command.

The group ldap and group group-list methods refer to a set of previously defined LDAP servers. Use the ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.

If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.

If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the LDAP server group method, authorization fails if all server groups fail to respond.

This command does not require a license.

Examples

This example shows how to configure LDAP authorization with the SSH public key as the default AAA authorization method for LDAP servers:

switch# configure terminal
switch(config)# aaa authorization ssh-publickey default group LDAPServer1 LDAPServer2

Related Commands

Command
Description

aaa authorization ssh-certificate

Configures LDAP or local authorization with certificate authentication as the default AAA authorization method for LDAP servers.

feature ldap

Enables the LDAP feature.

show aaa authorization

Displays the AAA authorization configuration.


aaa group server ldap

To create a Lightweight Directory Access Protocol (LDAP) server group and enter LDAP server group configuration mode, use the aaa group server ldap command. To delete an LDAP server group, use the no form of this command.

aaa group server ldap group-name

no aaa group server ldap group-name

Syntax Description

group-name

LDAP server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

You must use the feature ldap command before you configure LDAP.

This command does not require a license.

Examples

This example shows how to create an LDAP server group and enter LDAP server configuration mode:

switch# configure terminal
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)#

This example shows how to delete an LDAP server group:

switch# configure terminal
switch(config)# no aaa group server ldap LdapServer

Related Commands

Command
Description

feature ldap

Enables LDAP.

show aaa groups

Displays server group information.


aaa group server radius

To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.

aaa group server radius group-name

no aaa group server radius group-name

Syntax Description

group-name

RADIUS server group name.The name is alphanumeric and case-sensitive. The maximum length is 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:

switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)#

This example shows how to delete a RADIUS server group:

switch# configure terminal
switch(config)# no aaa group server radius RadServer

Related Commands

Command
Description

show aaa groups

Displays server group information.


aaa group server tacacs+

To create a TACACS+ server group and enter TACACS+ server group configuration mode, use the aaa group server tacacs+ command. To delete a TACACS+ server group, use the no form of this command.

aaa group server tacacs+ group-name

no aaa group server tacacs+ group-name

Syntax Description

group-name

TACACS+ server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature tacacs+ command before you configure TACACS+.

This command does not require a license.

Examples

This example shows how to create a TACACS+ server group and enter TACACS+ server configuration mode:

switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)#

This example shows how to delete a TACACS+ server group:

switch# configure terminal
switch(config)# no aaa group server tacacs+ TacServer

Related Commands

Command
Description

feature tacacs+

Enables TACACS+.

show aaa groups

Displays server group information.


aaa user default-role

To allow remote users who do not have a user role to log in to the device through RADIUS or TACACS+ using a default user role, use the aaa user default-role command. To disable default user roles for remote users, use the no form of this command.

aaa user default-role

no aaa user default-role

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(3)

This command was introduced.


Usage Guidelines

You can enable or disable this feature for the virtual device context (VDC) as needed. For the default VDC, the default role is network-operator. For nondefault VDCs, the default role is vdc-operator. While the feature is enabled, a remote user whom the RADIUS or TACACS+ server authenticates but for whom the server returns no role is still admitted with that default role. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.

This command does not require a license.
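Both the default-role behavior described above and the missing-fallback condition from the aaa authorization commands default usage guidelines can be checked mechanically against a running configuration. The Python audit below is an added example, not Cisco code. It assumes that a disabled default role shows up in the configuration as the literal line no aaa user default-role (the feature is enabled by default, so only the no form is recorded), and the configuration text it scans is constructed for the example.

```python
"""Static audit of an NX-OS AAA configuration snippet.

Added example, not Cisco code.  Flags:
  * an authorization or authentication method list whose only methods are
    server groups (no `local` fallback): a TACACS+/RADIUS outage then denies
    everything, including the operator trying to fix it;
  * a referenced server group that is never defined with `aaa group server`;
  * `aaa user default-role` left at its enabled default, so a remote user for
    whom the AAA server returns no role still gets network-operator or
    vdc-operator.  Assumption: disabling it is recorded in the configuration
    as the literal line `no aaa user default-role`.
SAMPLE_CONFIG is constructed for the example; the addresses are documentation ranges.
"""
import re
from typing import List, Set

SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server host 192.0.2.10 key 7 "constructed-secret"
aaa group server tacacs+ TacGroup
  server 192.0.2.10
aaa authorization commands default group TacGroup
aaa authorization config-commands default group TacGroup local
aaa authentication login default group Missing local
"""

# Keywords that name *all* servers of a protocol rather than a configured group.
BUILTIN_GROUPS = {"tacacs+", "radius", "ldap"}
METHOD_LINE = re.compile(r"^aaa (?:authorization|authentication) (\S+) default (.*)$")


def defined_groups(config: str) -> Set[str]:
    """Names created with `aaa group server <proto> <name>`."""
    return set(re.findall(r"^aaa group server \S+ (\S+)", config, re.M))


def audit(config: str) -> List[str]:
    findings: List[str] = []
    groups = defined_groups(config)
    lines = [ln.strip() for ln in config.splitlines()]
    for ln in lines:
        m = METHOD_LINE.match(ln)
        if not m:
            continue
        what, tail = m.group(1), m.group(2).split()
        if not tail or tail[0] != "group":
            continue                      # `local` only: nothing to check
        names = [t for t in tail[1:] if t != "local"]
        if "local" not in tail:
            findings.append(
                f"{what}: no local fallback after group(s) {', '.join(names)}; "
                "lockout if all servers stop responding")
        for n in names:
            if n not in groups and n not in BUILTIN_GROUPS:
                findings.append(f"{what}: server group {n!r} is not defined")
    if "no aaa user default-role" not in lines:
        findings.append(
            "aaa user default-role is enabled (default): remote users with no role "
            "from the AAA server get network-operator/vdc-operator")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("FINDING:", f)
```

Run against the constructed snippet, the audit reports the EXEC-command list (no local fallback), the undefined group Missing, and the enabled default role; the config-commands list passes because it ends in local.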

Examples

This example shows how to enable default user roles for AAA authentication of remote users:

switch# configure terminal
switch(config)# aaa user default-role

This example shows how to disable default user roles for AAA authentication of remote users:

switch# configure terminal
switch(config)# no aaa user default-role

Related Commands

Command
Description

show aaa user default-role

Displays the status of AAA default user role feature.


absolute

To specify a time range that has a specific start date and time, a specific end date and time, or both, use the absolute command. To remove an absolute time range, use the no form of this command.

[sequence-number] absolute [start time date] [end time date]

no {sequence-number | absolute [start time date] [end time date]}

Syntax Description

sequence-number

(Optional) Sequence number of the rule, which causes the device to insert the command in that numbered position in the time range. Sequence numbers maintain the order of rules within a time range.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in a time range has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the time range and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

start time date

(Optional) Specifies the exact time and date when the device begins enforcing the permit and deny rules associated with the time range. If you do not specify a start time and date, the device enforces the permit or deny rules immediately.

For information about the valid values for the time and date arguments, see the "Usage Guidelines" section.

end time date

(Optional) Specifies the exact time and date when the device stops enforcing the permit and deny commands associated with the time range. If you do not specify an end time and date, the device always enforces the permit or deny rules after the start time and date have passed.

For information about the values for the time and date arguments, see the "Usage Guidelines" section.


Defaults

None

Command Modes

Time-range configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The device interprets all time range rules as local time.

If you omit both the start and the end keywords, the device considers the absolute time range to be always active.

You specify time arguments in 24-hour notation, in the form of hours:minutes or hours:minutes:seconds. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00.

You specify date arguments in the day month year format. The minimum valid start time and date is 00:00:00 1 January 1970, and the maximum valid start time is 23:59:59 31 December 2037.

This command does not require a license.

Examples

This example shows how to create an absolute time rule that begins at 7:00 a.m. on September 17, 2007, and ends at 11:59:59 p.m. on September 19, 2007:

switch# configure terminal
switch(config)# time-range conference-remote-access
switch(config-time-range)# absolute start 07:00 17 September 2007 end 23:59:59 19 September 2007

Related Commands

Command
Description

periodic

Configures a periodic time range rule.

time-range

Configures a time range for use in IPv4 or IPv6 ACLs.


accept-lifetime

To specify the time interval within which the device accepts a key during a key exchange with another device, use the accept-lifetime command. To remove the time interval, use the no form of this command.

accept-lifetime [local] start-time [duration duration-value | infinite | end-time]

no accept-lifetime [local] start-time [duration duration-value | infinite | end-time]

Syntax Description

local

(Optional) Specifies that the device treats the configured times as local times. By default, the device treats the start-time and end-time arguments as UTC.

start-time

Time of day and date that the device begins accepting the key.

For information about the values for the start-time argument, see the "Usage Guidelines" section.

duration duration-value

(Optional) Specifies the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).

infinite

(Optional) Specifies that the key never expires.

end-time

(Optional) Time of day and date that the device stops accepting the key.

For information about the values for the time of day and date arguments, see the "Usage Guidelines" section.


Defaults

infinite

Command Modes

Key configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

By default, the device interprets the start-time and end-time arguments of a key lifetime as UTC; use the local keyword to have them interpreted as local time. Note that this differs from time-range rules, which are always local time.

By default, the time interval within which the device accepts a key during a key exchange with another device—the accept lifetime—is infinite, which means that the key is always valid.

The start-time and end-time arguments both require time and date components, in the following format:

hour[:minute[:second]] month day year

You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.

This command does not require a license.
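The lifetime syntax above (and the closely related absolute time-range rule, which uses local time and a day month year date) is where key-rollover mistakes usually come from: a receiver that still trusts an old key, or a window configured in UTC when the operator meant local time. The following Python code is an added example, not Cisco code. It parses accept-lifetime lines in the documented form, applies the UTC-by-default rule, and reports which keys of a chain a receiver would accept at a given instant. The chain is constructed for the example (key 13 is the document's own example; keys 14 and 15 are hypothetical), and the local-time offset is an assumed fixed UTC-4.

```python
"""Evaluate NX-OS key-chain accept-lifetime windows.

Added example, not Cisco code.  Handles the documented form
    accept-lifetime [local] start-time [duration N | infinite | end-time]
with times written as hour[:minute[:second]] month day year.  Times are UTC
unless `local` is present; the default lifetime is infinite.
CHAIN and LOCAL_TZ are constructed for the example.
"""
from datetime import datetime, timedelta, timezone, tzinfo
from typing import List, Optional, Tuple

MAX_DURATION = 2147483646                      # seconds, upper bound from the syntax
LOCAL_TZ = timezone(timedelta(hours=-4))       # assumed local clock for the example


def parse_clock(text: str, tz: tzinfo) -> datetime:
    """Parse 'hour[:minute[:second]] month day year' as an aware datetime in tz."""
    clock, month, day, year = text.split()
    hour, minute, second = ([int(p) for p in clock.split(":")] + [0, 0])[:3]
    mon = datetime.strptime(month[:3], "%b").month
    return datetime(int(year), mon, int(day), hour, minute, second, tzinfo=tz)


def parse_accept_lifetime(cli: str, local_tz: tzinfo) -> Tuple[datetime, Optional[datetime]]:
    """Return (start, end); end is None when the lifetime is infinite."""
    tokens = cli.split()
    if tokens[0] != "accept-lifetime":
        raise ValueError("not an accept-lifetime line")
    tz, i = timezone.utc, 1
    if tokens[i] == "local":                   # only this keyword switches to local time
        tz, i = local_tz, i + 1
    start = parse_clock(" ".join(tokens[i:i + 4]), tz)
    rest = tokens[i + 4:]
    if not rest or rest[0] == "infinite":      # infinite is the default
        return start, None
    if rest[0] == "duration":
        secs = int(rest[1])
        if not 1 <= secs <= MAX_DURATION:
            raise ValueError("duration out of range")
        return start, start + timedelta(seconds=secs)
    return start, parse_clock(" ".join(rest[:4]), tz)


def accepted_keys(chain: List[Tuple[int, str]], now: datetime, local_tz: tzinfo) -> List[int]:
    """Key IDs whose accept window contains `now` (an aware datetime)."""
    ids = []
    for key_id, line in chain:
        start, end = parse_accept_lifetime(line, local_tz)
        if start <= now and (end is None or now <= end):
            ids.append(key_id)
    return ids


# Constructed chain: 13 is the document's example, 14 overlaps it for rollover
# but is expressed in local time, 15 is the long-term successor.
CHAIN = [
    (13, "accept-lifetime 00:00:00 Jun 13 2008 23:59:59 Sep 12 2008"),
    (14, "accept-lifetime local 00:00:00 Sep 1 2008 duration 7776000"),
    (15, "accept-lifetime 00:00:00 Dec 1 2008 infinite"),
]


def accepted_at(when_utc: str, local_tz: tzinfo = LOCAL_TZ) -> List[int]:
    """Convenience wrapper: `when_utc` is a clock string in the same format, read as UTC."""
    return accepted_keys(CHAIN, parse_clock(when_utc, timezone.utc), local_tz)
```

The second and third checks in the test show the UTC/local trap: at 02:00 UTC on September 1 key 14 is not yet accepted, because its local-time midnight start is 04:00 UTC; an operator who expected the overlap to begin at midnight UTC would see the rollover fail for four hours.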

Examples

This example shows how to create an accept lifetime that begins at midnight UTC on June 13, 2008, and ends at 11:59:59 p.m. UTC on September 12, 2008 (the local keyword is not used, so both times are UTC):

switch# configure terminal
switch(config)# key chain glbp-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# accept-lifetime 00:00:00 Jun 13 2008 23:59:59 Sep 12 2008
switch(config-keychain-key)#

Related Commands

Command
Description

key

Configures a key.

keychain

Configures a keychain.

key-string

Configures a key string.

send-lifetime

Configures a send lifetime for a key.

show key chain

Shows keychain configuration.


action

To specify what the device does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.

action drop [log]

no action drop [log]

action forward

no action forward

action redirect {ethernet slot/port | port-channel channel-number.subinterface-number}

no action redirect {ethernet slot/port | port-channel channel-number.subinterface-number}

Syntax Description

drop

Specifies that the device drops the packet.

log

(Optional) Specifies that the device logs the packets it drops because of the drop keyword.

forward

Specifies that the device forwards the packet to its destination port.

redirect

Specifies that the device redirects the packet to an interface.

ethernet slot/port

Specifies the Ethernet interface that the device redirects the packet to.

port-channel channel-number.subinterface-
number

Specifies the port-channel interface that the device redirects the packet to.

Note The dot separator is required between the channel-number and subinterface-number arguments.


Defaults

None

Command Modes

VLAN access-map configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The action command specifies the action that the device takes when a packet matches the conditions in an ACL specified by a match command in the same access map entry as the action command.

This command does not require a license.

Examples

This example shows how to create a VLAN access map named vlan-map-01 and add two entries that each have two match commands and one action command:

switch# configure terminal
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f
switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# show vlan access-map

Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop

Related Commands

Command
Description

match

Specifies an ACL for traffic filtering in a VLAN access map.

show vlan access-map

Displays all VLAN access maps or a VLAN access map.

show vlan filter

Displays information about how a VLAN access map is applied.

statistics

Enables statistics for an access control list or VLAN access map.

vlan access-map

Configures a VLAN access map.

vlan filter

Applies a VLAN access map to one or more VLANs.


arp access-list

To create an Address Resolution Protocol (ARP) access control list (ACL) or to enter ARP access list configuration mode for a specific ARP ACL, use the arp access-list command. To remove an ARP ACL, use the no form of this command.

arp access-list access-list-name

no arp access-list access-list-name

Syntax Description

access-list-name

Name of the ARP ACL. The name can be up to 64 alphanumeric, case-sensitive characters. Names cannot contain a space or quotation mark.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

Use ARP ACLs to filter ARP traffic when you cannot use DHCP snooping.

No ARP ACLs are defined by default.

When you use the arp access-list command, the device enters ARP access list configuration mode, where you can use the ARP deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.

Use the ip arp inspection filter command to apply the ARP ACL to a VLAN.

This command does not require a license.

Examples

This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01:

switch# conf t
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)#

Related Commands

Command
Description

deny (ARP)

Configures a deny rule in an ARP ACL.

ip arp inspection filter

Applies an ARP ACL to a VLAN.

permit (ARP)

Configures a permit rule in an ARP ACL.

show arp access-lists

Displays all ARP ACLs or a specific ARP ACL.


authentication (LDAP)

To configure Lightweight Directory Access Protocol (LDAP) authentication to use the bind or compare method, use the authentication command. To disable this configuration, use the no form of this command.

authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}

no authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}

Syntax Description

bind-first

Sets the LDAP authentication method to bind first.

append-with-baseDN DNstring

(Optional) Specifies the base distinguished name (DN) string that the device appends to the user name when it binds. You can enter up to 63 alphanumeric characters.

compare

Sets the LDAP authentication method to compare.

password-
attribute
password

(Optional) Specifies the name of the LDAP attribute that holds the user password; the device performs the LDAP compare operation against this attribute. You can enter up to 63 alphanumeric characters.


Defaults

Bind method (the device searches for the user entry first and then binds as that entry)

Command Modes

LDAP server group configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to configure LDAP authentication to use the compare method:

switch# conf t
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# authentication compare password-attribute TyuL8r
switch(config-ldap)#

Related Commands

Command
Description

aaa group server ldap

Creates an LDAP server group and enters the LDAP server group configuration mode for that group.

server

Configures the LDAP server as a member of the LDAP server group.

show ldap-server groups

Displays the LDAP server group configuration.


capture session

To enable a capture session for the access control list (ACL), use the capture session command.

capture session session

Syntax Description

session

Session ID. The range is from 1 to 48.


Defaults

None

Command Modes

ACL capture configuration mode (config-acl-capture)

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to configure an ACL capture session configuration:

switch# configure terminal
switch(config)# ip access-list abc1234
switch(config-acl)# capture session 7
switch(config-acl)# 

Related Commands

Command
Description

ip access-list

Creates an access list.

monitor session session type acl-capture

Configures an ACL capture session.


class (policy map)

To specify a control plane class map for a control plane policy map, use the class command. To delete a control plane class map from a control plane policy map, use the no form of this command.

class {class-map-name [insert-before class-map-name2] | class-default}

no class class-map-name

Syntax Description

class-map-name

Name of the class map.

insert-before class-map-name2

(Optional) Inserts the control plane class map ahead of another control plane class map for the control plane policy map.

class-default

Specifies the default class.


Defaults

None

Command Modes

Policy map configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to configure a class map for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)#

This example shows how to delete a class map from a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# no class ClassMapA

Related Commands

Command
Description

policy-map type control-plane

Specifies a control plane policy map and enters policy map configuration mode.

show policy-map type control-plane

Displays configuration information for control plane policy maps.


class-map type control-plane

To create or specify a control plane class map and enter class map configuration mode, use the class-map type control-plane command. To delete a control plane class map, use the no form of this command.

class-map type control-plane [match-all | match-any] class-map-name

no class-map type control-plane [match-all | match-any] class-map-name

Syntax Description

match-all

(Optional) Specifies to match all match conditions in the class map.

match-any

(Optional) Specifies to match any match conditions in the class map.

class-map-name

Name of the class map. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.


Defaults

match-any

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You cannot use match-all, match-any, or class-default as names for control plane class maps.

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to specify a control plane class map and enter class map configuration mode:

switch# configure terminal
switch(config)# class-map type control-plane ClassMapA
switch(config-cmap)#

This example shows how to delete a control plane class map:

switch# configure terminal
switch(config)# no class-map type control-plane ClassMapA

Related Commands

Command
Description

show class-map type control-plane

Displays control plane policy map configuration information.


clear access-list counters

To clear the counters for all IPv4, IPv6, and MAC access control lists (ACLs) or a single ACL, use the clear access-list counters command.

clear access-list counters [access-list-name]

Syntax Description

access-list-name

(Optional) Name of the ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

Added support for clearing IPv6 ACL counters.

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear counters for all IPv4, IPv6, and MAC ACLs:

switch# clear access-list counters
switch#

This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:

switch# clear access-list counters acl-ipv4-01
switch#

Related Commands

Command
Description

clear ip access-list counters

Clears counters for IPv4 ACLs.

clear ipv6 access-list counters

Clears counters for IPv6 ACLs.

clear mac access-list counters

Clears counters for MAC ACLs.

clear vlan access-list counters

Clears counters for VACLs.

show access-lists

Displays information about one or all IPv4, IPv6, and MAC ACLs.


clear accounting log

To clear the accounting log, use the clear accounting log command.

clear accounting log [logflash]

Syntax Description

logflash

(Optional) Clears the accounting log stored in the logflash for the current VDC.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

The logflash keyword was added.

4.0(1)

This command was introduced.


Usage Guidelines

The clear accounting log command operates only in the default virtual device context (VDC 1).

This command does not require a license.

Examples

This example shows how to clear the accounting log:

switch# clear accounting log

Related Commands

Command
Description

show accounting log

Displays the accounting log contents.


clear copp statistics

To clear control plane policing (CoPP) statistics, use the clear copp statistics command.

clear copp statistics

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to clear the CoPP statistics:

switch# clear copp statistics

Related Commands

Command
Description

show policy-map interface control-plane

Displays the CoPP statistics for interfaces.


clear cts role-based counters

To clear the role-based access control list (RBACL) statistics so that all counters are reset to 0, use the clear cts role-based counters command.

clear cts role-based counters

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

This command requires the Advanced Services license.

Examples

This example shows how to clear the RBACL statistics:

switch# clear cts role-based counters

Related Commands

Command
Description

cts role-based counters enable

Enables the RBACL statistics.

show cts role-based counters

Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.


clear dot1x

To clear 802.1X authenticator instances, use the clear dot1x command.

clear dot1x {all | interface ethernet slot/port}

Syntax Description

all

Specifies all 802.1X authenticator instances.

interface ethernet slot/port

Specifies the 802.1X authenticator instances for a specified interface.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to clear all 802.1X authenticator instances:

switch# clear dot1x all

This example shows how to clear the 802.1X authenticator instances for an interface:

switch# clear dot1x interface ethernet 1/1

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


clear eou

To clear Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions, use the clear eou command.

clear eou {all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken type}

Syntax Description

all

Specifies all EAPoUDP sessions.

authentication

Specifies EAPoUDP authentication.

clientless

Specifies sessions authenticated using clientless posture validation.

eap

Specifies sessions authenticated using EAPoUDP.

static

Specifies sessions authenticated using statically configured exception lists.

interface ethernet slot/port

Specifies an interface.

ip-address ipv4-address

Specifies an IPv4 address in the A.B.C.D format.

mac-address mac-address

Specifies a MAC address.

posturetoken type

Specifies a posture token name.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must enable EAPoUDP by using the feature eou command before using the clear eou command.

This command does not require a license.

Examples

This example shows how to clear all the EAPoUDP sessions:

switch# clear eou all

This example shows how to clear the statically authenticated EAPoUDP sessions:

switch# clear eou authentication static

This example shows how to clear the EAPoUDP sessions for an interface:

switch# clear eou interface ethernet 1/1

This example shows how to clear the EAPoUDP sessions for an IP address:

switch# clear eou ip-address 10.10.1.1

This example shows how to clear the EAPoUDP sessions for a MAC address:

switch# clear eou mac-address 0019.076c.dac4

This example shows how to clear the EAPoUDP sessions with a posture token type of healthy:

switch# clear eou posturetoken healthy

Related Commands

Command
Description

feature eou

Enables EAPoUDP.

show eou

Displays EAPoUDP information.


clear rate-limiter

To clear rate-limit statistics, use the clear rate-limiter command.

clear rate-limiter {access-list-log | all | copy | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast {directly-connected | local-groups | rpf-leak} | ttl} | receive}

Syntax Description

access-list-log

Clears rate-limit statistics for access-list log packets.

all

Clears all rate-limit statistics.

copy

Clears rate-limit statistics for copy packets.

layer-2

Specifies Layer 2 packet rate limits.

l2pt

Clears rate-limit statistics for Layer 2 Tunnel Protocol (L2TP) packets.

mcast-snooping

Clears rate-limit statistics for Layer 2 multicast-snooping packets.

port-security

Clears rate-limit statistics for Layer 2 port-security packets.

storm-control

Clears rate-limit statistics for Layer 2 storm-control packets.

vpc-low

Clears rate-limit statistics for Layer 2 control packets over the VPC low queue.

layer-3

Specifies Layer 3 packet rate limits.

control

Clears rate-limit statistics for Layer 3 control packets.

glean

Clears rate-limit statistics for Layer 3 glean packets.

mtu

Clears rate-limit statistics for Layer 3 maximum transmission unit (MTU) packets.

multicast

Specifies Layer 3 multicast rate limits.

directly-connected

Clears rate-limit statistics for Layer 3 directly connected multicast packets.

local-groups

Clears rate-limit statistics for Layer 3 local group multicast packets.

rpf-leak

Clears rate-limit statistics for Layer 3 reverse path forwarding (RPF) leak multicast packets.

ttl

Clears rate-limit statistics for Layer 3 time-to-live (TTL) packets.

receive

Clears rate-limit statistics for receive packets.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin

Command History

Release
Modification

5.0(2)

Added the l2pt keyword.

4.0(3)

Added the port-security keyword.

4.0(1)

This command was introduced.


Usage Guidelines

You can use the command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to clear all the rate-limit statistics:

switch# clear rate-limiter all

This example shows how to clear the rate-limit statistics for access-list log packets:

switch# clear rate-limiter access-list-log

This example shows how to clear the rate-limit statistics for Layer 2 storm-control packets:

switch# clear rate-limiter layer-2 storm-control

This example shows how to clear the rate-limit statistics for Layer 3 glean packets:

switch# clear rate-limiter layer-3 glean

This example shows how to clear the rate-limit statistics for Layer 3 directly-connected multicast packets:

switch# clear rate-limiter layer-3 multicast directly-connected

This example shows how to clear the rate-limit statistics for received packets:

switch# clear rate-limiter receive

Related Commands

Command
Description

rate-limiter

Configures rate limits.

show rate-limiter

Displays rate-limit information.


clear ip access-list counters

To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear ip access-list counters command.

clear ip access-list counters [access-list-name]

Syntax Description

access-list-name

(Optional) Name of the IPv4 ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear counters for all IPv4 ACLs:

switch# clear ip access-list counters
switch#

This example shows how to clear counters for an IP ACL named acl-ipv4-101:

switch# clear ip access-list counters acl-ipv4-101
switch#

Related Commands

Command
Description

clear access-list counters

Clears counters for IPv4, IPv6, and MAC ACLs.

clear ipv6 access-list counters

Clears counters for IPv6 ACLs.

clear mac access-list counters

Clears counters for MAC ACLs.

clear vlan access-list counters

Clears counters for VACLs.

show access-lists

Displays information about one or all IPv4, IPv6, and MAC ACLs.

show ip access-lists

Displays information about one or all IPv4 ACLs.


clear ip arp inspection log

To clear the Dynamic ARP Inspection (DAI) logging buffer, use the clear ip arp inspection log command.

clear ip arp inspection log

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear the DAI logging buffer:

switch# clear ip arp inspection log 
switch# 

Related Commands

Command
Description

ip arp inspection log-buffer

Configures the DAI logging buffer size.

show ip arp inspection

Displays the DAI configuration status.

show ip arp inspection log

Displays the DAI log configuration.

show ip arp inspection statistics

Displays the DAI statistics.


clear ip arp inspection statistics vlan

To clear the Dynamic ARP Inspection (DAI) statistics for a specified VLAN, use the clear ip arp inspection statistics vlan command.

clear ip arp inspection statistics vlan vlan-list

Syntax Description

vlan vlan-list

Specifies the VLANs whose DAI statistics this command clears. The vlan-list argument allows you to specify a single VLAN ID, a range of VLAN IDs, or comma-separated IDs and ranges (see the "Examples" section). Valid VLAN IDs are from 1 to 4094.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear the DAI statistics for VLAN 2:

switch# clear ip arp inspection statistics vlan 2
switch#

This example shows how to clear the DAI statistics for VLANs 5 through 12:

switch# clear ip arp inspection statistics vlan 5-12
switch#

This example shows how to clear the DAI statistics for VLAN 2 and VLANs 5 through 12:

switch# clear ip arp inspection statistics vlan 2,5-12
switch#
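The vlan-list argument accepts a single ID, a range, or comma-separated IDs and ranges, and a mistyped list clears either more or fewer VLANs than intended. The following is an added Python example, not code from the Cisco reference: it expands and validates such a list against the 1 to 4094 range stated above, collapses it back to the compact form, and returns the exact CLI line a script would send. The function names are the example's own.

```python
"""Parse and validate NX-OS style VLAN lists such as "2,5-12".

Added example, not part of the Cisco command reference: it mirrors the
vlan-list argument accepted by `clear ip arp inspection statistics vlan`
(a single ID, a range, or comma-separated IDs and ranges, 1 to 4094) so a
script can sanity-check a list before sending the command to the device.
"""

VLAN_MIN = 1
VLAN_MAX = 4094   # valid range stated in the command reference


def parse_vlan_list(text: str) -> list[int]:
    """Expand "2,5-12" into a sorted, de-duplicated list of VLAN IDs.

    Raises ValueError for malformed tokens, reversed ranges, or IDs outside
    1-4094, so a typo never turns into a wider clear than intended.
    """
    vlans: set[int] = set()
    for raw in text.split(","):
        token = raw.strip()
        if not token:
            raise ValueError(f"empty element in VLAN list: {text!r}")
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = _vlan_id(lo_s), _vlan_id(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range {token!r}")
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(_vlan_id(token))
    return sorted(vlans)


def _vlan_id(token: str) -> int:
    """Convert one token to an int and enforce the 1-4094 range."""
    if not token.strip().isdigit():
        raise ValueError(f"VLAN ID {token!r} is not a number")
    vid = int(token)
    if not VLAN_MIN <= vid <= VLAN_MAX:
        raise ValueError(f"VLAN ID {vid} outside {VLAN_MIN}-{VLAN_MAX}")
    return vid


def is_valid_vlan_list(text: str) -> bool:
    """True when the list parses cleanly; handy for pre-flight checks."""
    try:
        parse_vlan_list(text)
        return True
    except ValueError:
        return False


def format_vlan_list(vlans) -> str:
    """Collapse a collection of VLAN IDs back into compact "a,b-c" form."""
    ids = sorted(set(vlans))
    if not ids:
        return ""
    parts = []
    start = prev = ids[0]
    for vid in ids[1:]:
        if vid == prev + 1:
            prev = vid
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = vid
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


def build_clear_command(text: str) -> str:
    """Validate the list and return the exact CLI line to send."""
    vlans = format_vlan_list(parse_vlan_list(text))
    return f"clear ip arp inspection statistics vlan {vlans}"


if __name__ == "__main__":
    print(parse_vlan_list("2,5-12"))            # [2, 5, 6, 7, 8, 9, 10, 11, 12]
    print(build_clear_command(" 12, 5-7 ,2 "))  # ...vlan 2,5-7,12
```

Rejecting the whole list on the first bad token, rather than skipping it, is deliberate: a partially applied clear leaves DAI statistics in a state the operator did not ask for.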

Related Commands

Command
Description

clear ip arp inspection log

Clears the DAI logging buffer.

ip arp inspection log-buffer

Configures the DAI logging buffer size.

show ip arp inspection

Displays the DAI configuration status.

show ip arp inspection vlan

Displays DAI status for a specified list of VLANs.


clear ip device tracking

To clear IP device tracking information, use the clear ip device tracking command.

clear ip device tracking {all | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address}

Syntax Description

all

Clears all IP device tracking information.

interface ethernet slot/port

Clears IP device tracking information for an interface.

ip-address ipv4-address

Clears IP device tracking information for an IPv4 address in the A.B.C.D format.

mac-address mac-address

Clears IP tracking information for a MAC address in the XXXX.XXXX.XXXX format.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin
VDC user

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear all the IP device tracking information:

switch# clear ip device tracking all

This example shows how to clear the IP device tracking information for an interface:

switch# clear ip device tracking interface ethernet 1/1

This example shows how to clear the IP device tracking information for an IP address:

switch# clear ip device tracking ip-address 10.10.1.1

This example shows how to clear the IP device tracking information for a MAC address:

switch# clear ip device tracking mac-address 000c.30da.86f4

Related Commands

Command
Description

ip device tracking

Enables IP device tracking.

show ip device tracking

Displays IP device tracking information.


clear ip dhcp snooping binding

To clear the DHCP snooping binding database, use the clear ip dhcp snooping binding command.

clear ip dhcp snooping binding

clear ip dhcp snooping binding [vlan vlan-id mac mac-address ip ip-address interface ethernet slot/port[.subinterface-number]]

clear ip dhcp snooping binding [vlan vlan-id mac mac-address ip ip-address interface port-channel channel-number[.subchannel-number]]

Syntax Description

vlan vlan-id

(Optional) Clears the DHCP snooping binding database for an entry identified with the VLAN ID specified by the vlan-id argument and the additional keywords and arguments that follow.

mac mac-address

Specifies the MAC address of the binding database entry to be cleared. Enter the mac-address argument in dotted hexadecimal format.

ip ip-address

Specifies the IPv4 address of the binding database entry to be cleared. Enter the ip-address argument in dotted decimal format.

interface ethernet slot/port

(Optional) Specifies the Ethernet interface of the binding database entry to be cleared.

.subinterface-number

(Optional) Number of the Ethernet-interface subinterface.

Note The dot separator is required between the port and subinterface-number arguments.

interface port-channel channel-number

(Optional) Specifies the Ethernet port-channel of the binding database entry to be cleared.

.subchannel-number

(Optional) Number of the Ethernet port-channel subchannel.

Note The dot separator is required between the channel-number and subchannel-number arguments.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin
VDC user

Command History

Release
Modification

4.0(3)

This command was modified to support clearing a specific binding database entry. The optional vlan keyword and the arguments and keywords that follow it were added.

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear the DHCP snooping binding database:

switch# clear ip dhcp snooping binding
switch#

This example shows how to clear a specific entry from the DHCP snooping binding database:

switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11
switch#
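Clearing a single binding requires the VLAN, MAC, IPv4 address and interface in exactly the forms the syntax lists (dotted-hexadecimal MAC, dotted-decimal IP, ethernet slot/port or port-channel number). The following is an added Python example, not code from the Cisco reference: it takes a binding record as a script might read it from an alert or inventory export, normalizes a colon- or hyphen-separated MAC to the dotted form, validates each field, and returns the CLI line. The function names and the binding values are the example's own.

```python
"""Build a validated `clear ip dhcp snooping binding ...` line.

Added example, not part of the Cisco command reference. The binding values
used in the usage block are constructed for the example and match the entry
cleared in the reference's own example.
"""
import ipaddress
import re

# Interface forms accepted by the command: ethernet slot/port[.subinterface]
# and port-channel channel-number[.subchannel]
_ETH_RE = re.compile(r"^ethernet\s*(\d+)/(\d+)(?:\.(\d+))?$", re.IGNORECASE)
_PC_RE = re.compile(r"^port-channel\s*(\d+)(?:\.(\d+))?$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Return a MAC in NX-OS dotted-hexadecimal form, e.g. 0060.3aeb.54f0.

    Accepts the dotted form as well as colon- or hyphen-separated input and
    rejects anything that is not exactly 12 hex digits.
    """
    hexdigits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{hexdigits[0:4]}.{hexdigits[4:8]}.{hexdigits[8:12]}"


def normalize_interface(name: str) -> str:
    """Canonicalize the interface to the form used in the command syntax."""
    m = _ETH_RE.match(name.strip())
    if m:
        slot, port, sub = m.groups()
        return f"ethernet {slot}/{port}" + (f".{sub}" if sub else "")
    m = _PC_RE.match(name.strip())
    if m:
        number, sub = m.groups()
        return f"port-channel {number}" + (f".{sub}" if sub else "")
    raise ValueError(f"unsupported interface: {name!r}")


def clear_binding_command(vlan: int, mac: str, ip: str, interface: str) -> str:
    """Return the CLI line that clears exactly one binding entry."""
    if not 1 <= int(vlan) <= 4094:
        raise ValueError(f"VLAN {vlan} out of range 1-4094")
    addr = ipaddress.IPv4Address(ip)   # raises on malformed or IPv6 input
    return (f"clear ip dhcp snooping binding vlan {int(vlan)} "
            f"mac {normalize_mac(mac)} ip {addr} "
            f"interface {normalize_interface(interface)}")


if __name__ == "__main__":
    # Constructed binding record: a SIEM-style MAC with colons and a
    # capitalized interface name, normalized into the form NX-OS expects.
    print(clear_binding_command(23, "00:60:3A:EB:54:F0", "10.34.54.9", "Ethernet2/11"))
```

Every field is validated before the line is assembled, so a malformed record raises in the script instead of producing a command the device rejects or, worse, one that clears the whole binding database because the optional vlan clause was dropped.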

Related Commands

Command
Description

ip dhcp snooping

Globally enables DHCP snooping on the device.

show ip dhcp snooping

Displays general information about DHCP snooping.

show ip dhcp snooping binding

Displays IP-MAC address bindings, including the static IP source entries.

show ip dhcp snooping statistics

Displays DHCP snooping statistics.

show running-config dhcp

Displays DHCP snooping configuration, including the IP Source Guard configuration.


clear ipv6 access-list counters

To clear the counters for all IPv6 access control lists (ACLs) or a single IPv6 ACL, use the clear ipv6 access-list counters command.

clear ipv6 access-list counters [access-list-name]

Syntax Description

access-list-name

(Optional) Name of the IPv6 ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear counters for all IPv6 ACLs:

switch# clear ipv6 access-list counters
switch#

This example shows how to clear counters for an IPv6 ACL named acl-ipv6-3A:

switch# clear ipv6 access-list counters acl-ipv6-3A
switch#

Related Commands

Command
Description

clear access-list counters

Clears counters for IPv4, IPv6, and MAC ACLs.

clear ip access-list counters

Clears counters for IPv4 ACLs.

clear mac access-list counters

Clears counters for MAC ACLs.

clear vlan access-list counters

Clears counters for VACLs.

show access-lists

Displays information about one or all IPv4, IPv6, and MAC ACLs.

show ipv6 access-lists

Displays information about one or all IPv6 ACLs.


clear ldap-server statistics

To clear the Lightweight Directory Access Protocol (LDAP) server statistics, use the clear ldap-server statistics command.

clear ldap-server statistics {ipv4-address | ipv6-address | host-name}

Syntax Description

ipv4-address

Server IPv4 address in the A.B.C.D format.

ipv6-address

Server IPv6 address in the X:X:X:X format.

host-name

Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator
vdc-admin
vdc-operator

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear the statistics for an LDAP server:

switch# clear ldap-server statistics 10.10.1.1

Related Commands

Command
Description

feature ldap

Enables LDAP.

ldap-server host

Specifies the IPv4 or IPv6 address or hostname for an LDAP server.

show ldap-server statistics

Displays the LDAP server statistics.


clear mac access-list counters

To clear the counters for all MAC access control lists (ACLs) or a single MAC ACL, use the clear mac access-list counters command.

clear mac access-list counters [access-list-name]

Syntax Description

access-list-name

(Optional) Name of the MAC ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear counters for all MAC ACLs:

switch# clear mac access-list counters
switch#

This example shows how to clear counters for a MAC ACL named acl-mac-0060:

switch# clear mac access-list counters acl-mac-0060
switch#

Related Commands

Command
Description

clear access-list counters

Clears counters for IPv4, IPv6, and MAC ACLs.

clear ip access-list counters

Clears counters for IPv4 ACLs.

clear ipv6 access-list counters

Clears counters for IPv6 ACLs.

clear vlan access-list counters

Clears counters for VACLs.

show access-lists

Displays information about one or all IPv4, IPv6, and MAC ACLs.

show mac access-lists

Displays information about one or all MAC ACLs.


clear port-security

To clear a single, dynamically learned, secure MAC address or to clear all dynamically learned, secure MAC addresses for a specific interface, use the clear port-security command.

clear port-security dynamic interface ethernet slot/port [vlan vlan-id]

clear port-security dynamic interface port-channel channel-number [vlan vlan-id]

clear port-security dynamic address address [vlan vlan-id]

Syntax Description

dynamic

Specifies that you want to clear dynamically learned, secure MAC addresses.

interface

Specifies the interface of the dynamically learned, secure MAC addresses that you want to clear.

ethernet slot/port

Specifies the Ethernet interface of the dynamically learned, secure MAC addresses that you want to clear.

vlan vlan-id

(Optional) Specifies the VLAN of the secure MAC addresses to be cleared. Valid VLAN IDs are from 1 to 4096.

port-channel channel-number

Specifies the port-channel interface of the dynamically learned, secure MAC addresses that you want to clear.

address address

Specifies a single MAC address to be cleared, where address is the MAC address, in dotted hexadecimal format.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.2(1)

Support was added for port-security on port-channel interfaces.

4.0(1)

This command was introduced.


Usage Guidelines

You must enable port security by using the feature port-security command before you can use the clear port-security command.

This command does not require a license.

Examples

This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface:

switch# configure terminal
switch(config)# clear port-security dynamic interface ethernet 2/1

This example shows how to remove the dynamically learned, secure MAC address 0019.D2D0.00AE:

switch# configure terminal
switch(config)# clear port-security dynamic address 0019.D2D0.00AE

Related Commands

Command
Description

debug port-security

Provides debugging information for port security.

feature port-security

Enables port security globally.

show port-security

Shows information about port security.

switchport port-security

Enables port security on a Layer 2 interface.


clear radius-server statistics

To clear the statistics for a RADIUS server host, use the clear radius-server statistics command.

clear radius-server statistics {ipv4-address | ipv6-address | server-name}

Syntax Description

ipv4-address

IPv4 address of a RADIUS server host in A.B.C.D format.

ipv6-address

IPv6 address of a RADIUS server host in A:B::C:D format.

server-name

Name of a RADIUS server host. The name is case sensitive.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.2(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear statistics for a RADIUS server:

switch# clear radius-server statistics 10.10.1.1

Related Commands

Command
Description

show radius-server statistics

Displays RADIUS server host statistics.


clear ssh hosts

To clear the Secure Shell (SSH) host sessions and the known host file for a virtual device context (VDC), use the clear ssh hosts command.

clear ssh hosts

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear all SSH host sessions and the known host file:

switch# clear ssh hosts

Related Commands

Command
Description

ssh server enable

Enables the SSH server.


clear tacacs-server statistics

To clear the statistics for a TACACS+ server host, use the clear tacacs-server statistics command.

clear tacacs-server statistics {ipv4-address | ipv6-address | server-name}

Syntax Description

ipv4-address

IPv4 address of a TACACS+ server host in A.B.C.D format.

ipv6-address

IPv6 address of a TACACS+ server host in A:B::C:D format.

server-name

Name of a TACACS+ server host. The name is case sensitive.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.2(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear statistics for a TACACS+ server:

switch# clear tacacs-server statistics 10.10.1.1

Related Commands

Command
Description

show tacacs-server statistics

Displays TACACS+ server host statistics.


clear user

To clear a user session for a virtual device context (VDC), use the clear user command.

clear user user-id

Syntax Description

user-id

User identifier.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

Use the show users command to display the current user sessions on the device.

This command does not require a license.

Examples

This example shows how to clear the session for the user user1:

switch# clear user user1

Related Commands

Command
Description

show users

Displays the user session information.


clear vlan access-list counters

To clear the counters for all VLAN access control lists (VACLs) or a single VACL, use the clear vlan access-list counters command.

clear vlan access-list counters [access-map-name]

Syntax Description

access-map-name

(Optional) Name of the VLAN access map whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Privileged EXEC

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to clear counters for all VACLs:

switch# clear vlan access-list counters
switch#

This example shows how to clear counters for a VACL named vlan-map-101:

switch# clear vlan access-list counters vlan-map-101
switch#

Related Commands

Command
Description

clear access-list counters

Clears counters for IPv4, IPv6, and MAC ACLs.

clear ip access-list counters

Clears counters for IPv4 ACLs.

clear ipv6 access-list counters

Clears counters for IPv6 ACLs.

clear mac access-list counters

Clears counters for MAC ACLs.

show access-lists

Displays information about one or all IPv4, IPv6, and MAC ACLs.

show vlan access-map

Displays information about one or all VACLs.


copp copy profile

To create a copy of the Control Plane Policing (CoPP) best practice policy, use the copp copy profile command.

copp copy profile {lenient | moderate | strict} {prefix | suffix} string

Syntax Description

lenient

Specifies the lenient profile.

moderate

Specifies the moderate profile.

strict

Specifies the strict profile.

prefix

Specifies a prefix for the cloned policy.

suffix

Specifies a suffix for the cloned policy.

string

Prefix or suffix string. The suffix or prefix can be any alphanumeric string up to 20 characters.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

When you use the copp copy profile command, CoPP renames all class maps and policy maps with the specified prefix or suffix.

This command does not require a license.

Examples

This example shows how to create a clone of the CoPP best practice policy:

switch# copp copy profile moderate prefix abc
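The usage guideline above says the clone is the best practice policy with every class map and policy map renamed by the prefix or suffix. The following Python example is added here to illustrate that; it is not Cisco's code and not how NX-OS implements the command. It applies the rename to a constructed CoPP configuration fragment (the class, policy and ACL names are made up), rewrites the class references inside the policy map to match, leaves the built-in class-default alone, and then compares a clone back against the profile it was copied from so that later edits to the clone, which the page says is treated as user configuration, show up as drift. The exact name NX-OS forms from the affix is not stated on this page; the example simply concatenates it.

```python
import re

# Constructed sample in NX-OS configuration syntax. The class, policy and ACL
# names are invented for this example and are not the names NX-OS uses in its
# own best-practice profiles.
SAMPLE_COPP_CONFIG = """\
class-map type control-plane match-any copp-class-critical
  match access-group name copp-acl-bgp
class-map type control-plane match-any copp-class-management
  match access-group name copp-acl-ssh
policy-map type control-plane copp-policy-moderate
  class copp-class-critical
    set cos 7
    police cir 39600 kbps bc 250 ms conform transmit violate drop
  class copp-class-management
    set cos 2
    police cir 10000 kbps bc 250 ms conform transmit violate drop
  class class-default
    police cir 50 kbps bc 250 ms conform transmit violate drop
"""

CLASS_MAP_RE = re.compile(r"^(class-map type control-plane match-(?:any|all) )(\S+)\s*$")
POLICY_MAP_RE = re.compile(r"^(policy-map type control-plane )(\S+)\s*$")
CLASS_REF_RE = re.compile(r"^(\s+class )(\S+)\s*$")


def validate_affix(affix):
    """Enforce the limit the reference states: an alphanumeric string of up to 20 characters."""
    if not (1 <= len(affix) <= 20) or not affix.isalnum():
        raise ValueError("affix must be 1-20 alphanumeric characters")
    return affix


def clone_copp_policy(config, affix, position):
    """Return (cloned_config, renames): every class-map and policy-map name gets
    the affix as prefix or suffix, and class references in the policy-map follow."""
    if position not in ("prefix", "suffix"):
        raise ValueError("position must be 'prefix' or 'suffix'")
    validate_affix(affix)

    def renamed(name):
        return affix + name if position == "prefix" else name + affix

    lines = config.splitlines()
    # Pass 1: collect the names being renamed, so only real class-maps are touched
    # (the built-in class-default, for instance, is never renamed).
    class_names = {m.group(2) for m in map(CLASS_MAP_RE.match, lines) if m}
    policy_names = {m.group(2) for m in map(POLICY_MAP_RE.match, lines) if m}
    renames = {name: renamed(name) for name in class_names | policy_names}

    # Pass 2: rewrite definitions and references.
    out = []
    for line in lines:
        for pattern in (CLASS_MAP_RE, POLICY_MAP_RE, CLASS_REF_RE):
            m = pattern.match(line)
            if m and m.group(2) in renames:
                line = m.group(1) + renames[m.group(2)]
                break
        out.append(line)
    return "\n".join(out) + "\n", renames


def drift_from_profile(base_config, clone_config, renames):
    """Lines that differ between a clone and the profile it was copied from,
    after mapping the clone's names back to the originals. Empty means no drift."""
    reverse = {new: old for old, new in renames.items()}

    def normalize(line):
        for new, old in reverse.items():
            line = re.sub(r"(?<!\S)" + re.escape(new) + r"(?!\S)", old, line)
        return line

    base = base_config.splitlines()
    normalized = [normalize(line) for line in clone_config.splitlines()]
    return [l for l in normalized if l not in base] + [l for l in base if l not in normalized]
```

A fresh clone yields no drift; once an operator changes a policer rate in the clone, drift_from_profile reports both the new line and the profile line it replaced, which is the comparison to run before and after an upgrade, since the page notes that the policy attached to the control plane becomes a user-configured policy after ISSU.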

Related Commands

Command
Description

copp profile

Applies the default CoPP best practice policy on the Cisco NX-OS device.

show copp status

Displays the CoPP status, including the last configuration operation and its status.

show running-config copp

Displays the CoPP configuration in the running configuration.



copp profile

To apply the default Control Plane Policing (CoPP) best practice policy on the Cisco NX-OS device without rerunning the setup utility, use the copp profile command. To remove the default CoPP policy from the Cisco NX-OS device, use the no form of this command.

copp profile {dense | lenient | moderate | strict}

no copp profile {dense | lenient | moderate | strict}

Syntax Description

dense

Specifies the dense profile.

lenient

Specifies the lenient profile.

moderate

Specifies the moderate profile.

strict

Specifies the strict profile.


Defaults

strict

Command Modes

Global configuration (config)

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.

6.0(1)

Added the dense keyword.


Usage Guidelines

In Cisco NX-OS releases prior to 5.2(1), you must use the setup utility to change or reapply the default CoPP policy. You can access the setup utility using the setup command.

Beginning with Cisco NX-OS Release 5.2, the CoPP best practice policy is read-only. If you want to modify its configuration, you must clone it using the copp copy profile command. Cloned policies are treated as user configurations.

When you use in-service software upgrade (ISSU) to upgrade to Cisco NX-OS Release 5.2, the policy attached to the control plane is treated as a user-configured policy. Check the CoPP profile using the show copp profile command and make any required changes.

If you use ISSU to downgrade from Cisco NX-OS Release 5.2, CoPP reports the incompatible configuration and instructs you to clone the CoPP profile. In the lower version, all configurations are restored in user-configuration mode.

This command does not require a license.

Examples

This example shows how to apply the default CoPP best practice policy on the Cisco NX-OS device:

switch# configure terminal
switch(config)# copp profile moderate
switch(config)#

This example shows how to remove the default CoPP best practice policy from the Cisco NX-OS device:

switch(config)# no copp profile moderate
switch(config)#

Related Commands

Command
Description

copp copy profile

Creates a copy of the CoPP best practice policy.

show copp profile

Displays the details of the CoPP best practice policy.

show copp status

Displays the CoPP status, including the last configuration operation and its status.

show running-config copp

Displays the CoPP configuration in the running configuration.


CRLLookup

To configure the attribute name, search filter, and base-DN for the certificate revocation list (CRL) search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the CRLLookup command. To disable this configuration, use the no form of this command.

CRLLookup attribute-name attribute-name search-filter filter base-DN base-DN-name

no CRLLookup

Syntax Description

attribute-name attribute-name

Specifies the attribute name of the LDAP search map. The name is alphanumeric, case sensitive, and has a maximum of 128 characters.

search-filter filter

Specifies the filter for the LDAP search map. The name is alphanumeric, case sensitive, and has a maximum of 128 characters.

base-DN base-DN-name

Specifies the base distinguished name (DN) for the LDAP search map. The name is alphanumeric, case sensitive, and has a maximum of 128 characters.


Defaults

None

Command Modes

Lightweight Directory Access Protocol (LDAP) search map configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must enable LDAP.

This command does not require a license.

Examples

This example shows how to configure the attribute name, search filter, and base-DN for the CRL search operation in order to send a search query to the LDAP server:

switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# CRLLookup attribute-name certificateRevocationList search-filter (&(objectClass=cRLDistributionPoint)) base-DN CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com
switch(config-ldap-search-map)#

Related Commands

Command
Description

feature ldap

Enables LDAP.

ldap search-map

Configures an LDAP search map.

show ldap-search-map

Displays the configured LDAP search maps.


crypto ca authenticate

To associate and authenticate a certificate of the certificate authority (CA) and configure its CA certificate (or certificate chain), use the crypto ca authenticate command. To remove the association and authentication, use the no form of this command.

crypto ca authenticate trustpoint-label

no crypto ca authenticate trustpoint-label

Syntax Description

trustpoint-label

Name of the trustpoint. The name is alphanumeric, case sensitive, and has a maximum length of 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

You can use this command to authenticate the CA to the Cisco NX-OS device by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you execute this command. The CA certificate or certificate chain must be available in Privacy Enhanced Mail (PEM) (base-64) encoded format.

Use this command when you initially configure certificate authority support for the device. First create the trustpoint using the crypto ca trustpoint command, then authenticate it against the CA certificate fingerprint published by the CA. You must compare the certificate fingerprint displayed during authentication with the one published by the CA and accept the CA certificate only if it matches.

If the CA to authenticate is a subordinate CA (it is not self-signed), then another CA certifies it, which in turn may be certified by yet another CA, and so on, until there is a self-signed CA. In this case, the subordinate CA has a CA certificate chain. You must enter the entire chain during CA authentication. The maximum length that the CA certificate chain supports is ten.

The trustpoint CA is the certificate authority that you configure on the device as the trusted CA. The device accepts any peer certificate if it is signed by a locally trusted CA or its subordinates.


Note The trustpoint configuration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the associated certificates and CRL are not automatically persistent because they cannot exist without the corresponding trustpoint after the device reboots.

To ensure that the configured certificates, CRLs, and key pairs are persistent, always save the running configuration in the startup configuration.


This command does not require a license.

Examples

This example shows how to authenticate a CA certificate for the trustpoint called myCA:

switch# configure terminal
switch(config)# crypto ca authenticate myCA
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
-----BEGIN CERTIFICATE-----
MIIC4jCCAoygAwIBAgIQBWDSiay0GZRPSRIljK0ZejANBgkqhkiG9w0BAQUFADCB
kDEgMB4GCSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklO
MRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UE
ChMFQ2lzY28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBD
QTAeFw0wNTA1MDMyMjQ2MzdaFw0wNzA1MDMyMjU1MTdaMIGQMSAwHgYJKoZIhvcN
AQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUth
cm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4wDAYDVQQKEwVDaXNjbzETMBEG
A1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBhcm5hIENBMFwwDQYJKoZIhvcN
AQEBBQADSwAwSAJBAMW/7b3+DXJPANBsIHHzluNccNM87ypyzwuoSNZXOMpeRXXI
OzyBAgiXT2ASFuUOwQ1iDM8rO/41jf8RxvYKvysCAwEAAaOBvzCBvDALBgNVHQ8E
BAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJyjyRoMbrCNMRU2OyRhQ
GgsWbHEwawYDVR0fBGQwYjAuoCygKoYoaHR0cDovL3NzZS0wOC9DZXJ0RW5yb2xs
L0FwYXJuYSUyMENBLmNybDAwoC6gLIYqZmlsZTovL1xcc3NlLTA4XENlcnRFbnJv
bGxcQXBhcm5hJTIwQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEB
BQUAA0EAHv6UQ+8nE399Tww+KaGr0g0NIJaqNgLh0AFcT0rEyuyt/WYGPzksF9Ea
NBG7E0oN66zex0EOEfG1Vs6mXp1//w==
-----END CERTIFICATE-----
 END OF INPUT
Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
Do you accept this certificate? [yes/no]: y
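The guideline above asks the operator to compare the fingerprint the switch displays with the one the CA published before answering yes. The following Python example is added here to show what that check involves; it is not Cisco's code and not NX-OS code. It takes the CA certificate from the example above, decodes it with a small DER walker (the helper names are mine), and reports the fields worth checking before accepting it: whether issuer and subject match (a self-signed root), the validity window, the signature algorithm, the RSA key size, and the MD5 and SHA-256 fingerprints of the DER encoding. It also normalizes case and separators before comparing a displayed fingerprint with a published one, so a value copied from a web page still compares. Decoding the page's sample certificate shows a 512-bit RSA key and a SHA-1 signature (OID 1.2.840.113549.1.1.5), and the switch prints an MD5 fingerprint; for a production CA, obtain a SHA-256 fingerprint from the CA administrator over an independent channel and compare that.

```python
import base64
import hashlib
import re

# The CA certificate from the crypto ca authenticate example above.
SAMPLE_CA_PEM = """\
-----BEGIN CERTIFICATE-----
MIIC4jCCAoygAwIBAgIQBWDSiay0GZRPSRIljK0ZejANBgkqhkiG9w0BAQUFADCB
kDEgMB4GCSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklO
MRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UE
ChMFQ2lzY28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBD
QTAeFw0wNTA1MDMyMjQ2MzdaFw0wNzA1MDMyMjU1MTdaMIGQMSAwHgYJKoZIhvcN
AQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUth
cm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4wDAYDVQQKEwVDaXNjbzETMBEG
A1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBhcm5hIENBMFwwDQYJKoZIhvcN
AQEBBQADSwAwSAJBAMW/7b3+DXJPANBsIHHzluNccNM87ypyzwuoSNZXOMpeRXXI
OzyBAgiXT2ASFuUOwQ1iDM8rO/41jf8RxvYKvysCAwEAAaOBvzCBvDALBgNVHQ8E
BAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJyjyRoMbrCNMRU2OyRhQ
GgsWbHEwawYDVR0fBGQwYjAuoCygKoYoaHR0cDovL3NzZS0wOC9DZXJ0RW5yb2xs
L0FwYXJuYSUyMENBLmNybDAwoC6gLIYqZmlsZTovL1xcc3NlLTA4XENlcnRFbnJv
bGxcQXBhcm5hJTIwQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEB
BQUAA0EAHv6UQ+8nE399Tww+KaGr0g0NIJaqNgLh0AFcT0rEyuyt/WYGPzksF9Ea
NBG7E0oN66zex0EOEfG1Vs6mXp1//w==
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text):
    """Return the DER bytes of the first PEM block in pem_text."""
    m = re.search(r"-----BEGIN [^-]+-----(.*?)-----END", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return base64.b64decode(m.group(1))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the length's byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split the content of a constructed DER value into (tag, content) items."""
    items, pos = [], 0
    while pos < len(value):
        tag, content, pos = read_tlv(value, pos)
        items.append((tag, content))
    return items


def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def fingerprint(der, algorithm):
    """Colon-separated uppercase hex digest of the DER encoding, as the switch prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.new(algorithm, der).digest())


def fingerprint_matches(displayed, published):
    """Compare the switch's fingerprint with the CA's published value, ignoring case and separators."""
    def normalize(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return len(normalize(displayed)) > 0 and normalize(displayed) == normalize(published)


def inspect_certificate(pem_text):
    """Summarize the fields an operator should check before accepting a CA certificate."""
    der = pem_to_der(pem_text)
    _, cert, _ = read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                    # tbsCertificate
    fields = children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0             # skip the optional [0] EXPLICIT version
    sig_alg, issuer, validity, subject, spki = (fields[i + k] for k in (1, 2, 3, 4, 5))
    not_before, not_after = (v.decode("ascii") for _, v in children(validity[1]))
    # SubjectPublicKeyInfo: AlgorithmIdentifier, then a BIT STRING wrapping RSAPublicKey.
    bit_string = children(spki[1])[1][1]
    rsa_public_key = children(bit_string[1:])[0][1]  # drop the unused-bits octet
    modulus = children(rsa_public_key)[0][1]
    return {
        "der_length": len(der),
        "signature_algorithm_oid": decode_oid(children(sig_alg[1])[0][1]),
        "self_signed": issuer[1] == subject[1],
        "not_before": not_before,                    # UTCTime, YYMMDDhhmmssZ
        "not_after": not_after,
        "rsa_key_bits": int.from_bytes(modulus, "big").bit_length(),
        "md5_fingerprint": fingerprint(der, "md5"),
        "sha256_fingerprint": fingerprint(der, "sha256"),
    }


if __name__ == "__main__":
    for key, value in inspect_certificate(SAMPLE_CA_PEM).items():
        print(f"{key}: {value}")
```

The walker handles only what an X.509 certificate needs (single-byte tags, short and long definite lengths), which is enough to reach issuer, subject, validity and the RSA modulus; it does not validate the signature, so it complements rather than replaces the fingerprint comparison the guideline requires.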

Related Commands

Command
Description

crypto ca trustpoint

Configures the trustpoint.

show crypto ca certificates

Displays configured trustpoint certificates.

show crypto ca trustpoints

Displays trustpoint configurations.


crypto ca crl request

To configure a new certificate revocation list (CRL) downloaded from the certificate authority (CA), use the crypto ca crl request command.

crypto ca crl request trustpoint-label source-file

Syntax Description

trustpoint-label

Name of the trustpoint. The maximum size is 64 characters.

source-file

Location of the CRL in the form bootflash:filename. The maximum size is 512 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

The crypto ca crl request command allows you to pre-download CRLs for the trustpoints and cache the CRLs in the certificate (cert) store. The CRL file specified should contain the latest CRL in either the Privacy Enhanced Mail (PEM) format or Distinguished Encoding Rules (DER) format.


Note The trustpoint configuration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the associated certificates and CRL are not automatically persistent because they cannot exist without the corresponding trustpoint after the device reboots.

To ensure that the configured certificates, CRLs and key pairs are persistent, always save the running configuration in the startup configuration.


This command does not require a license.

Examples

This example shows how to configure a CRL for the trustpoint or replace the current CRL:

switch# configure terminal
switch(config)# crypto ca crl request admin-ca bootflash:admin-ca.crl

Related Commands

Command
Description

revocation-check

Configures trustpoint revocation check methods.

show crypto ca crl

Displays configured certificate revocation lists (CRL).



crypto ca enroll

To request a certificate for the device RSA key pair created for this trustpoint CA, use the crypto ca enroll command.

crypto ca enroll trustpoint-label

Syntax Description

trustpoint-label

Name of the trustpoint. The maximum size is 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

A Cisco NX-OS device enrolls with the trustpoint CA to obtain an identity certificate. You can enroll your device with multiple trustpoints and obtain a separate identity certificate from each trustpoint.

When enrolling with a trustpoint, you must specify an RSA key pair to certify. You must generate the key pair and associate it to the trustpoint before generating the enrollment request.

Use the crypto ca enroll command to generate a request to obtain an identity certificate from each of your trustpoints that correspond to authenticated CAs. The certificate signing request (CSR) generated is per the Public-Key Cryptography Standards (PKCS) #10 standard and is displayed in the PEM format. You then cut and paste the request and submit it to the corresponding CA through an e-mail or on the CA website. The CA administrator issues the certificate and makes it available to you either through the website or by sending it in an e-mail. You need to import the obtained identity certificate that corresponds to the trustpoint using the crypto ca import trustpoint-label certificate command.


Note The device does not save the challenge password with the configuration. Record this password so that you can provide it if you need to revoke your certificate.


This command does not require a license.

Examples

This example shows how to generate a certificate request for an authenticated CA:

switch# configure terminal
switch(config)# crypto ca enroll myCA
 Create the certificate request ..
 Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
  Password:nbv123
 The subject name in the certificate will be: Vegas-1.cisco.com
 Include the switch serial number in the subject name? [yes/no]:no
 Include an IP address in the subject name [yes/no]:yes
ip address:209.165.200.226
 The certificate request will be displayed...
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
% The 'show crypto ca certificate' command will also show the fingerprint.

Related Commands

Command
Description

crypto ca import trustpoint-label certificate

Imports the identity certificate obtained from the CA to the trustpoint.

crypto key generate rsa

Generates an RSA key pair.

rsakeypair

Configures and associates the RSA key pair details to a trustpoint.

show crypto key mypubkey rsa

Displays all RSA public key configurations.


crypto ca export

To export the RSA key pair and the associated certificates (identity and CA) of a trustpoint within a Public-Key Cryptography Standards (PKCS) #12 format file to a specified location, use the crypto ca export command.

crypto ca export trustpoint-label pkcs12 destination-file-url pkcs12-password

Syntax Description

trustpoint-label

Name of the trustpoint. The maximum size is 64 characters.

pkcs12 destination-file-url

Specifies a destination file in bootflash:filename format. The filename is alphanumeric, case sensitive, and has a maximum of 512 characters.

pkcs12-password

Password to be used to protect the RSA private key in the exported file. The password is alphanumeric, case sensitive, and has a maximum of 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

You can export the identity certificate with the associated RSA key pair and CA certificate (or certificate chain) to a PKCS #12 format file for backup purposes. You can later import the certificate and RSA key pair to recover from a system crash on your device.

This command does not require a license.

Examples

This example shows how to export a certificate and key pair in the PKCS #12 format:

switch# configure terminal
switch(config)# crypto ca export admin-ca pkcs12 bootflash:adminid.p12 nbv123

Related Commands

Command
Description

crypto ca import trustpoint-label certificate

Imports the identity certificate obtained from the CA to the trustpoint.

crypto ca import trustpoint-label pkcs12

Imports the identity certificate and associated RSA key pair and CA certificate (chain) to a trustpoint.

crypto key generate rsa

Generates an RSA key pair.

rsakeypair

Configures and associates the RSA key pair details to a trustpoint.

show crypto key mypubkey rsa

Displays any RSA public key configurations.


crypto ca import

To import the identity certificate in the Privacy Enhanced Mail (PEM) format or the identity certificate and associated RSA key pair and CA certificate (or certificate chain) in the Public-Key Cryptography Standards (PKCS) #12 format, use the crypto ca import command.

crypto ca import trustpoint-label {certificate | pkcs12 source-file-url pkcs12-password}

Syntax Description

trustpoint-label

Name of the trustpoint. The maximum size is 64 characters.

certificate

Specifies that you will paste the trustpoint certificate at the command-line interface (CLI) prompt.

pkcs12 source-file-url

Specifies a source file containing the trustpoint certificate in bootflash:filename format. The filename is case sensitive.

pkcs12-password

Password that was used to protect the RSA private key in the imported PKCS#12 file. The password is case sensitive.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

Use the certificate keyword to import (by cut and paste means) the identity certificate obtained from the CA, corresponding to the enrollment request generated earlier in the trustpoint and submitted to the CA.

Use the pkcs12 source-file-url pkcs12-password keyword and arguments to import the complete identity information, which includes the identity certificate and associated RSA key pair and CA certificate or certificate chain, into an empty trustpoint. This method allows you to restore the configuration after a system crash.


Note The trustpoint configuration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the associated certificates and CRL are not automatically persistent because they cannot exist without the corresponding trustpoint after the device reboots.

To ensure that the configured certificates, CRLs and key pairs are persistent, always save the running configuration in the startup configuration.


This command does not require a license.

Examples

This example shows how to install an identity certificate obtained from a CA corresponding to an enrollment request made and submitted earlier:

switch# configure terminal
switch(config)# crypto ca import myCA certificate
input (cut & paste) certificate in PEM format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

This example shows how to import a certificate and key pair in a Public-Key Cryptography Standards (PKCS) #12 format file:

switch# configure terminal
switch(config)# crypto ca import admin-ca pkcs12 bootflash:adminid.p12 nbv123

Related Commands

Command
Description

crypto ca export trustpoint-label pkcs12

Exports the RSA key pair and associated certificates of a trustpoint.

crypto ca enroll

Generates a certificate signing request for a trustpoint.

crypto key generate rsa

Generates the RSA key pair.

rsakeypair

Configures trustpoint RSA key pair details.

show crypto ca certificates

Displays the identity and CA certificate details.

show crypto key mypubkey rsa

Displays any RSA public key configurations.


crypto ca lookup

To specify the cert-store to be used for certificate authentication, use the crypto ca lookup command.

crypto ca lookup {local | remote | both}

Syntax Description

local

Specifies the local cert-store for certificate authentication.

remote

Specifies the remote cert-store for certificate authentication.

both

Specifies the local cert-store for certificate authentication, but if the authentication fails or the CA certificate is not found, the remote cert-store is used.


Defaults

Local

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

If you plan to configure a remote cert-store, you must set up an LDAP server on a remote device and make sure that the CA certificates that are used for authentication are loaded into Active Directory.

This command does not require a license.

Examples

This example shows how to specify the remote cert-store for certificate authentication:

switch(config)# crypto ca lookup remote

Related Commands

Command
Description

crypto ca remote ldap crl-refresh-time

Configures the refresh time to update the certificate revocation list from the remote cert-store.

crypto ca remote ldap server-group

Configures the LDAP server group to be used while communicating with LDAP.

show crypto ca certstore

Displays the configured cert-store.

show crypto ca remote-certstore

Displays the remote cert-store configuration.


crypto ca remote ldap crl-refresh-time

To configure the refresh time to update the certificate revocation list (CRL) from the remote cert-store, use the crypto ca remote ldap crl-refresh-time command.

crypto ca remote ldap crl-refresh-time hours

Syntax Description

hours

Refresh time value in hours. The range is from 0 to 744 hours. If you enter 0, the refresh routine runs once.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must configure a remote cert-store and the LDAP server group.

This command does not require a license.

Examples

This example shows how to configure the refresh time to update the CRL from the remote cert-store:

switch(config)# crypto ca remote ldap crl-refresh-time 10

Related Commands

Command
Description

crypto ca lookup

Specifies the cert-store to be used for certificate authentication.

crypto ca remote ldap server-group

Configures the LDAP server group to be used while communicating with LDAP.


crypto ca remote ldap server-group

To configure the Lightweight Directory Access Protocol (LDAP) server group to be used while communicating with LDAP, use the crypto ca remote ldap server-group command.

crypto ca remote ldap server-group group-name

Syntax Description

group-name

Server group name. You can enter up to 64 alphanumeric characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must configure a remote cert-store.

This command does not require a license.

Examples

This example shows how to configure the LDAP server group to be used while communicating with LDAP:

switch(config)# crypto ca remote ldap server-group group1

Related Commands

Command
Description

crypto ca lookup

Specifies the cert-store to be used for certificate authentication.

crypto ca remote ldap crl-refresh-time

Configures the refresh time to update the certificate revocation list from the remote cert-store.


crypto ca test verify

To verify a certificate file, use the crypto ca test verify command.

crypto ca test verify certificate-file

Syntax Description

certificate-file

Certificate filename in the form bootflash:filename. The filename is case sensitive.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

Use this command to verify the specified certificate in the PEM format by using the trusted CAs configured and by consulting the certificate revocation list (CRL), if needed, as indicated by the revocation checking configuration.

This command does not require a license.

Examples

This example shows how to verify a certificate file:

switch(config)# crypto ca test verify bootflash:id1.pem
verify status code:0
verify error msg:

Note The verify status code value of 0 indicates that the verification is successful.


Related Commands

Command
Description

show crypto ca certificates

Displays configured trustpoint certificates.


crypto ca trustpoint

To create a trustpoint certificate authority (CA) that the device should trust and enter trustpoint configuration mode, use the crypto ca trustpoint command. To remove the trustpoint, use the no form of this command.

crypto ca trustpoint trustpoint-label

no crypto ca trustpoint trustpoint-label

Syntax Description

trustpoint-label

Name of the trustpoint. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

Trustpoints have the following characteristics:

A trustpoint corresponds to a single CA, which a Cisco NX-OS device trusts for peer certificate verification for any application.

A CA must be explicitly associated to a trustpoint using the crypto ca authenticate command.

A Cisco NX-OS device can have many trustpoints and all applications on the device can trust a peer certificate issued by any of the trustpoint CAs.

A trustpoint is not restricted to a specific application.

The Cisco NX-OS device can optionally enroll with a trustpoint CA to get an identity certificate for itself.

You do not need to designate one or more trustpoints to an application. Any application should be able to use any certificate issued by any trustpoint as long as the certificate satisfies the application requirement.

You do not need more than one identity certificate from a trustpoint or more than one key pair associated to a trustpoint. A CA certifies a given identity (name) only once and does not issue multiple certificates with the same subject name. If you need more than one identity certificate for a CA, define another trustpoint for the same CA, associate another key pair to it, and have it certified if the CA allows multiple certificates with the same subject name.


Note Before using the no crypto ca trustpoint command to remove the trustpoint, you must first delete the identity certificate and CA certificate (or certificate chain) and then disassociate the RSA key pair from the trustpoint. The device enforces this sequence of actions to prevent the accidental removal of the trustpoint with the certificates.


This command does not require a license.

Examples

This example shows how to declare a trustpoint CA that the device should trust and enter trustpoint configuration mode:

switch# configure terminal 
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# 

This example shows how to remove the trustpoint CA:

switch# configure terminal 
switch(config)# no crypto ca trustpoint admin-ca

Related Commands

Command
Description

crypto ca authenticate

Authenticates the certificate of the certificate authority.

crypto ca enroll

Generates a certificate signing request for a trustpoint.

show crypto ca certificates

Displays the identity and CA certificate details.

show crypto ca trustpoints

Displays trustpoint configurations.


crypto certificatemap mapname

To create a filter map, use the crypto certificatemap mapname command.

crypto certificatemap mapname map-name

Syntax Description

map-name

Name of the filter map. You can enter up to 64 alphanumeric characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must configure a cert-store for certificate authentication.

This command does not require a license.

Examples

This example shows how to create a new filter map:

switch(config)# crypto certificatemap mapname filtermap1

Related Commands

Command
Description

filter

Configures one or more certificate mapping filters within the filter map.

show crypto certificatemap

Displays the certificate mapping filters.


crypto cert ssh-authorize

To configure a certificate mapping filter for the SSH protocol, use the crypto cert ssh-authorize command.

crypto cert ssh-authorize [default | issuer-CAname] [map map-name1 [map-name2]]

Syntax Description

default

Specifies the default filter map for SSH authorization.

issuer-CAname

Issuer of the CA certificate. You can enter up to 64 alphanumeric characters.

map

Specifies the mapping filter to be applied.

map-name1, map-name2

Name of the default mapping filter, which is already configured. You can enter up to 64 alphanumeric characters.

If you do not use the default map, you can specify one or two filter maps for authorization.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must create a filter map.

This command does not require a license.

Examples

This example shows how to configure a certificate mapping filter for the SSH protocol:

switch(config)# crypto cert ssh-authorize default map filtermap1

Related Commands

Command
Description

crypto certificatemap mapname

Creates a filter map.

filter

Configures one or more certificate mapping filters within the filter map.

show crypto ssh-auth-map

Displays the mapping filters configured for SSH authentication.


cts device-id

To configure a Cisco TrustSec device identifier, use the cts device-id command.

cts device-id device-id password [7] password

Syntax Description

device-id

Cisco TrustSec device identifier name. The name is alphanumeric and case-sensitive. The maximum length is 32 characters.

7

(Optional) Encrypts the password.

password password

Specifies the password to use during EAP-FAST processing. The password is alphanumeric and case-sensitive. The maximum length is 32 characters.


Defaults

No Cisco TrustSec device identifier
Clear text password

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

The Cisco TrustSec device identifier name must be unique in your Cisco TrustSec network cloud.

This command requires the Advanced Services license.

Examples

This example shows how to configure a Cisco TrustSec device identifier:

switch# configure terminal
switch(config)# cts device-id DeviceA password Cisco321
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts credentials

Displays the Cisco TrustSec credentials information.


cts dot1x

To enable Cisco TrustSec authentication on an interface and enter Cisco TrustSec 802.1X configuration mode, use the cts dot1x command. To revert to the default, use the no form of this command.

cts dot1x

no cts dot1x

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command is not supported for F1 Series modules and F2 Series modules.

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.

This command requires the Advanced Services license.

Examples

This example shows how to enable Cisco TrustSec authentication on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
 
   

This example shows how to disable Cisco TrustSec authentication on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# no cts dot1x
switch(config-if)# shutdown
switch(config-if)# no shutdown
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts interface

Displays Cisco TrustSec configuration information for interfaces.


cts manual

To enter Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command.

cts manual

no cts manual

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.

This command requires the Advanced Services license.

Examples

This example shows how to enter Cisco TrustSec manual configuration mode for an interface:

switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# cts manual
switch(config-if-cts-manual)# 
 
   

This example shows how to remove the Cisco TrustSec manual configuration from an interface:

switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# no cts manual
switch(config-if)# shutdown
switch(config-if)# no shutdown
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts interface

Displays Cisco TrustSec configuration information for interfaces.


cts refresh role-based-policy

To refresh the Cisco TrustSec security group access control list (SGACL) policies downloaded from the Cisco Secure ACS, use the cts refresh role-based-policy command.

cts refresh role-based-policy

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to refresh the Cisco TrustSec SGACL policies downloaded from the Cisco Secure ACS:

switch# cts refresh role-based-policy
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts role-based policy

Displays Cisco TrustSec SGACL policy configuration.


cts rekey

To rekey an interface for Cisco TrustSec policies, use the cts rekey command.

cts rekey ethernet slot/port

Syntax Description

ethernet slot/port

Specifies an Ethernet interface.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to rekey an interface for Cisco TrustSec:

switch# cts rekey ethernet 2/3

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts interface

Displays Cisco TrustSec configuration information for interfaces.


cts role-based access-list

To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.

cts role-based access-list list-name

no cts role-based access-list list-name

Syntax Description

list-name

Name for the SGACL. The name is alphanumeric and case-sensitive. The maximum length is 32 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to create a Cisco TrustSec SGACL and enter role-based access list configuration mode:

switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)#
 
   

This example shows how to remove a Cisco TrustSec SGACL:

switch# configure terminal
switch(config)# no cts role-based access-list MySGACL
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts role-based access-list

Displays the Cisco TrustSec SGACL configuration.


cts role-based counters enable

To enable role-based access control list (RBACL) statistics, use the cts role-based counters enable command. To disable RBACL statistics, use the no form of this command.

cts role-based counters enable

no cts role-based counters enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

To use this command, you must enable RBACL policy enforcement on the VLAN and VRF.

When you enable RBACL statistics, each policy requires one entry in the . If you do not have enough space remaining in the , an error message appears, and you cannot enable the statistics.

When you modify an RBACL policy, statistics for the previously assigned access control entry (ACE) are displayed, and the newly assigned ACE statistics are initialized to 0.

RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics.

This command requires the Advanced Services license.

Examples

This example shows how to enable RBACL statistics:

switch# configure terminal
switch(config)# cts role-based counters enable
 
   

This example shows how to disable RBACL statistics:

switch# configure terminal
switch(config)# no cts role-based counters enable
 
   

Related Commands

Command
Description

clear cts role-based counters

Clears the RBACL statistics so that all counters are reset to 0.

show cts role-based counters

Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.



cts role-based enforcement

To enable Cisco TrustSec security group access control list (SGACL) enforcement in a VLAN or Virtual Routing and Forwarding instance (VRF), use the cts role-based enforcement command. To revert to the default, use the no form of this command.

cts role-based enforcement

no cts role-based enforcement

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration
VLAN configuration
VRF configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to enable Cisco TrustSec SGACL enforcement in the default VRF:

switch# configure terminal
switch(config)# cts role-based enforcement
 
   

This example shows how to enable Cisco TrustSec SGACL enforcement in a VLAN:

switch# configure terminal
switch(config)# vlan 1
switch(config-vlan)# cts role-based enforcement
 
   

This example shows how to enable Cisco TrustSec SGACL enforcement in a nondefault VRF:

switch# configure terminal
switch(config)# vrf context MyVRF
switch(config-vrf)# cts role-based enforcement
 
   

This example shows how to disable Cisco TrustSec SGACL enforcement:

switch# configure terminal
switch(config)# no cts role-based enforcement
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts role-based enable

Displays the Cisco TrustSec SGACL policy enforcement configuration.



cts role-based sgt

To manually configure mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.

cts role-based sgt {sgt-value | any | unknown} dgt {dgt-value | unknown}
access-list list-name

no cts role-based sgt {sgt-value | any | unknown} dgt {dgt-value | unknown}

Syntax Description

sgt-value

Source SGT value. The range is 0 to 65533.

any

Specifies any SGT.

unknown

Specifies an unknown SGT.

dgt

Specifies the destination SGT.

dgt-value

Destination SGT value. The range is 0 to 65533.

access-list list-name

Specifies the name for the SGACL.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

You must configure the SGACL before you can configure SGT mapping.

This command requires the Advanced Services license.

Examples

This example shows how to configure SGT mapping for an SGACL:

switch# configure terminal
switch(config)# cts role-based sgt 3 dgt 10 access-list MySGACL
 
   

This example shows how to remove SGT mapping for an SGACL:

switch# configure terminal
switch(config)# no cts role-based sgt 3 dgt 10

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts role-based policy

Displays the Cisco TrustSec SGT mapping for an SGACL.



cts role-based sgt-map

To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command.

cts role-based sgt-map ipv4-address sgt-value

no cts role-based sgt-map ipv4-address

Syntax Description

ipv4-address

IPv4 address. The format is A.B.C.D.

sgt-value

SGT value. The range is 0 to 65533.


Defaults

None

Command Modes

Global configuration
VLAN configuration
VRF configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

You can use only IPv4 addressing with Cisco TrustSec.

This command requires the Advanced Services license.

Examples

This example shows how to configure mapping for a Cisco TrustSec SGT:

switch# configure terminal
switch(config)# cts role-based sgt-map 10.10.1.1 3
 
   

This example shows how to remove a Cisco TrustSec SGT mapping:

switch# configure terminal
switch(config)# no cts role-based sgt-map 10.10.1.1

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts role-based sgt-map

Displays the Cisco TrustSec SGT mapping.


cts sgt

To configure the security group tag (SGT) for Cisco TrustSec, use the cts sgt command.

cts sgt tag

Syntax Description

tag

Local SGT for the device, a hexadecimal value in the format 0xhhhh. The range is from 0x0 to 0xffff.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to configure the Cisco TrustSec SGT for the device:

switch# configure terminal
switch(config)# cts sgt 0x3
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts environment-data

Displays the Cisco TrustSec environment data.



cts sxp connection peer

To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.

cts sxp connection peer peer-ipv4-addr [source src-ipv4-addr] password {default | none | required {password | 7 encrypted-password}} mode {speaker | listener} [vrf vrf-name]

no cts sxp connection peer peer-ipv4-addr [vrf vrf-name]

Syntax Description

peer-ipv4-addr

IPv4 address of the peer device.

source src-ipv4-addr

(Optional) Specifies the IPv4 address of the source device.

password

Specifies the password option to use for the SXP authentication.

default

Specifies that SXP should use the default SXP password for the peer connection.

none

Specifies that SXP should not use a password.

required

Specifies the password that SXP should use for this peer connection.

password

Clear text password. The password is alphanumeric and case-sensitive. The maximum length is 32 characters.

7 encrypted-password

Specifies an encrypted password. The maximum length is 32 characters.

mode

Specifies the mode of the peer device.

speaker

Specifies that the peer is the speaker.

listener

Specifies that the peer is the listener.

vrf vrf-name

(Optional) Specifies the VRF for the peer.


Defaults

Configured default SXP password for the device
Configured default SXP source IPv4 address for the device
Default VRF

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(3)

Added the 7 option to allow encrypted passwords.

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

You can use only IPv4 addressing with Cisco TrustSec.

If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.

If you specify default as the password mode, you must configure a default SXP password using the cts sxp default password command.

This command requires the Advanced Services license.

Examples

This example shows how to configure an SXP peer connection:

switch# configure terminal
switch(config)# cts sxp connection peer 10.10.1.1 source 10.10.2.2 password default mode listener
 
   

This example shows how to remove an SXP peer connection:

switch# configure terminal
switch(config)# no cts sxp connection peer 10.10.1.1
 
   

Related Commands

Command
Description

cts sxp default password

Configures the default SXP password for the device.

cts sxp default source-ip

Configures the default SXP source IPv4 address for the device.

feature cts

Enables the Cisco TrustSec feature.

show cts sxp connection

Displays the Cisco TrustSec SXP peer connection information.
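The cts role-based sgt, cts role-based sgt-map, cts sgt and cts sxp connection peer entries above each state a constraint that the switch only enforces when the command is typed: the SGACL must exist before a mapping references it, SGT values are 0 to 65533, cts sgt takes a 0x0 to 0xffff value, sgt-map is IPv4 only, and an SXP peer that uses password default or omits source depends on a configured default. The following Python linter is an added example, not code from this reference or from Cisco; it applies those constraints to a configuration snippet before it is pushed, so that a dangling SGACL reference or an SXP peer relying on an unconfigured default is caught in review rather than at the console. The command grammar it accepts and the two sample snippets are constructed for the example.

```python
"""Pre-flight linter for a Cisco TrustSec (cts) configuration snippet.

Added example, not code from the Cisco command reference. It encodes rules
the reference states: 'feature cts' precedes any cts command; an SGACL exists
before an SGT->DGT mapping references it; SGT values are 0-65533; 'cts sgt'
takes hex 0x0-0xffff; sgt-map is IPv4 only; an SXP peer with 'password
default' needs 'cts sxp default password'; a peer without 'source' needs
'cts sxp default source-ip'. SAMPLE_CONFIG and BROKEN_CONFIG are constructed.
"""
import ipaddress
import re

SGT_MAX = 65533                                     # sgt-value / dgt-value range
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")        # SGACL name: alphanumeric, max 32
HEX_SGT_RE = re.compile(r"^0x[0-9a-fA-F]{1,4}$")    # cts sgt: 0x0 to 0xffff
PEER_RE = re.compile(
    r"^cts sxp connection peer (\S+)(?: source (\S+))? password "
    r"(default|none|required(?: 7)? \S+) mode (?:speaker|listener)(?: vrf \S+)?$")


def _sgt_ok(token: str, allow_any: bool) -> bool:
    """'unknown' is valid for either side, 'any' only as a source SGT."""
    if token == "unknown" or (allow_any and token == "any"):
        return True
    return token.isdigit() and int(token) <= SGT_MAX


def lint_trustsec(config: str) -> list:
    """Return human-readable findings; an empty list means the snippet is clean."""
    findings, sgacls = [], set()
    feature_cts = feature_warned = have_default_pw = have_default_src = False
    peers_need_pw, peers_need_src = [], []

    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if line == "feature cts":
            feature_cts = True
            continue
        if w[0] != "cts":
            continue
        if not feature_cts and not feature_warned:
            findings.append(f"line {n}: cts commands appear before 'feature cts'")
            feature_warned = True

        if line.startswith("cts role-based access-list "):
            if not NAME_RE.match(w[3]):
                findings.append(f"line {n}: SGACL name '{w[3]}' is not 1-32 alphanumeric characters")
            sgacls.add(w[3])
        elif line.startswith("cts role-based sgt-map "):
            try:
                if ipaddress.ip_address(w[3]).version != 4:
                    findings.append(f"line {n}: sgt-map requires an IPv4 address, got '{w[3]}'")
            except ValueError:
                findings.append(f"line {n}: sgt-map address '{w[3]}' is not an IP address")
            if not _sgt_ok(w[4], allow_any=False):
                findings.append(f"line {n}: SGT value '{w[4]}' is outside 0-{SGT_MAX}")
        elif line.startswith("cts role-based sgt "):
            # cts role-based sgt <S> dgt <D> access-list <NAME>
            if len(w) != 8 or w[4] != "dgt" or w[6] != "access-list":
                findings.append(f"line {n}: malformed SGT->DGT mapping '{line}'")
                continue
            if not _sgt_ok(w[3], allow_any=True) or not _sgt_ok(w[5], allow_any=False):
                findings.append(f"line {n}: SGT/DGT values in '{line}' are invalid")
            if w[7] not in sgacls:   # reference: the SGACL must be configured first
                findings.append(f"line {n}: SGACL '{w[7]}' is referenced before it is created")
        elif line.startswith("cts sgt "):
            if not HEX_SGT_RE.match(w[2]):
                findings.append(f"line {n}: cts sgt value '{w[2]}' must be hex 0x0-0xffff")
        elif line.startswith("cts sxp default password"):
            have_default_pw = True
        elif line.startswith("cts sxp default source-ip"):
            have_default_src = True
        elif line.startswith("cts sxp connection peer "):
            m = PEER_RE.match(line)
            if not m:
                findings.append(f"line {n}: malformed SXP peer command '{line}'")
                continue
            if m.group(2) is None:
                peers_need_src.append(m.group(1))
            if m.group(3) == "default":
                peers_need_pw.append(m.group(1))

    # The defaults may be configured anywhere in the snippet, so check them last.
    if peers_need_pw and not have_default_pw:
        findings.append(f"peers {peers_need_pw} use 'password default' without 'cts sxp default password'")
    if peers_need_src and not have_default_src:
        findings.append(f"peers {peers_need_src} omit 'source' without 'cts sxp default source-ip'")
    return findings


# Constructed snippets: one that follows every rule, one with deliberate mistakes.
SAMPLE_CONFIG = """\
feature cts
cts sgt 0x3
cts role-based access-list MySGACL
cts role-based sgt 3 dgt 10 access-list MySGACL
cts role-based sgt-map 10.10.1.1 3
cts sxp default source-ip 10.10.3.3
cts sxp connection peer 10.10.1.1 password none mode listener
"""
BROKEN_CONFIG = """\
cts sgt 0x10000
cts role-based sgt 3 dgt 10 access-list NotYetCreated
cts role-based sgt-map 2001:db8::1 70000
cts sxp connection peer 10.10.1.1 source 10.10.2.2 password default mode listener
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, lint_trustsec(cfg) or ["clean"])
```

The linter is single-pass for the SGACL ordering rule, because the reference says the SGACL must be configured before the mapping, but it defers the SXP default-password and default-source checks to the end, since the reference only requires that those defaults exist, not that they come first.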



cts sxp default password

To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) password for the device, use the cts sxp default password command. To remove the default, use the no form of this command.

cts sxp default password {password | 7 encrypted-password}

no cts sxp default password

Syntax Description

password

Clear text password. The password is alphanumeric and case-sensitive. The maximum length is 32 characters.

7 encrypted-password

Specifies an encrypted password. The maximum length is 32 characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(3)

Added the 7 option to allow encrypted passwords.

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to configure the default SXP password for the device:

switch# configure terminal
switch(config)# cts sxp default password Cisco654
 
   

This example shows how to remove the default SXP password:

switch# configure terminal
switch(config)# no cts sxp default password
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts sxp

Displays the Cisco TrustSec SXP configuration information.



cts sxp default source-ip

To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) source IPv4 address for the device, use the cts sxp default source-ip command. To revert to the default, use the no form of this command.

cts sxp default source-ip ipv4-address

no cts sxp default source-ip ipv4-address

Syntax Description

ipv4-address

Default SXP IPv4 address for the device.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

You can use only IPv4 addressing with Cisco TrustSec.

This command requires the Advanced Services license.

Examples

This example shows how to configure the default SXP source IP address for the device:

switch# configure terminal
switch(config)# cts sxp default source-ip 10.10.3.3 
 
   

This example shows how to remove the default SXP source IP address:

switch# configure terminal
switch(config)# no cts sxp default source-ip
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts sxp

Displays the Cisco TrustSec SXP configuration information.



cts sxp enable

To enable the Security Group Tag (SGT) Exchange Protocol (SXP) peer on a device, use the cts sxp enable command. To revert to the default, use the no form of this command.

cts sxp enable

no cts sxp enable

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

This command requires the Advanced Services license.

Examples

This example shows how to enable SXP:

switch# configure terminal
switch(config)# cts sxp enable
 
   

This example shows how to disable SXP:

switch# configure terminal
switch(config)# no cts sxp enable
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts sxp

Displays the Cisco TrustSec SXP configuration information.



cts sxp reconcile-period

To configure a Security Group Tag (SGT) Exchange Protocol (SXP) reconcile period timer, use the cts sxp reconcile-period command. To revert to the default, use the no form of this command.

cts sxp reconcile-period seconds

no cts sxp reconcile-period

Syntax Description

seconds

Number of seconds. The range is from 0 to 64000.


Defaults

60 seconds (1 minute)

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

After a peer terminates an SXP connection, an internal hold down timer starts. If the peer reconnects before the internal hold down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries.


Note Setting the SXP reconcile period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.


This command requires the Advanced Services license.

Examples

This example shows how to configure the SXP reconcile period:

switch# configure terminal
switch(config)# cts sxp reconcile-period 120
 
   

This example shows how to revert to the default SXP reconcile period value:

switch# configure terminal
switch(config)# no cts sxp reconcile-period
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts sxp connection

Displays the Cisco TrustSec SXP configuration information.



cts sxp retry-period

To configure a Security Group Tag (SGT) Exchange Protocol (SXP) retry period timer, use the cts sxp retry-period command. To revert to the default, use the no form of this command.

cts sxp retry-period seconds

no cts sxp retry-period

Syntax Description

seconds

Number of seconds. The range is from 0 to 64000.


Defaults

120 seconds (2 minutes)

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.


Note Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.


This command requires the Advanced Services license.

Examples

This example shows how to configure the SXP retry period:

switch# configure terminal
switch(config)# cts sxp retry-period 120
 
   

This example shows how to revert to the default SXP retry period value:

switch# configure terminal
switch(config)# no cts sxp retry-period
 
   

Related Commands

Command
Description

feature cts

Enables the Cisco TrustSec feature.

show cts sxp connection

Displays the Cisco TrustSec SXP peer connection information.



deadtime

To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.

deadtime minutes

no deadtime minutes

Syntax Description

minutes

Number of minutes for the interval. The range is from 0 to 1440 minutes.

Note Setting the dead-time interval to 0 disables the timer.


Defaults

0 minutes

Command Modes

RADIUS server group configuration
TACACS+ server group configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature tacacs+ command before you configure TACACS+.

This command does not require a license.

Examples

This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:

switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# deadtime 2
 
   

This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:

switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# deadtime 5
 
   

This example shows how to revert to the dead-time interval default:

switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no deadtime 5
 
   

Related Commands

Command
Description

aaa group server

Configures AAA server groups.

radius-server host

Configures a RADIUS server.

show radius-server groups

Displays RADIUS server group information.

show tacacs-server groups

Displays TACACS+ server group information.

feature tacacs+

Enables TACACS+.

tacacs-server host

Configures a TACACS+ server.


delete ca-certificate

To delete certificate authority certificates, use the delete ca-certificate command.

delete ca-certificate

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Trustpoint configuration

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

This command deletes the CA certificate or certificate chain corresponding to the trustpoint CA. As a result, the trustpoint CA is no longer trusted. If there is an identity certificate from the CA, you must delete it before you can delete the CA certificate. This prevents the accidental deletion of a CA certificate when you have not yet deleted the identity certificate obtained from that CA. Deleting the CA certificate may be necessary when you no longer want to trust the CA because the CA is compromised or the CA certificate has expired.


Note The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.

Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.


This command does not require a license.

Examples

This example shows how to delete a certificate authority certificate:

switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# delete ca-certificate 

Related Commands

Command
Description

delete certificate

Deletes the identity certificate.

delete crl

Deletes the CRL from the trustpoint.


delete certificate

To delete the identity certificate, use the delete certificate command.

delete certificate [force]

Syntax Description

force

(Optional) Forces the deletion of the identity certificate.


Defaults

None

Command Modes

Trustpoint configuration

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

Use the delete certificate command to delete the identity certificate obtained from the trustpoint CA when the identity certificate expires or the corresponding key pair is compromised. Applications on the device are left without any identity certificate to use after you delete the last or the only identity certificate present. The Cisco NX-OS software generates an error message if the certificate being deleted is the only certificate present or is the last identity certificate in a chain. You can use the optional force keyword to remove the certificate.


Note The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.

Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.


This command does not require a license.

Examples

This example shows how to delete the identity certificate:

switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# delete certificate 
 
   

This example shows how to force the deletion of the identity certificate:

switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# delete certificate force
 
   

Related Commands

Command
Description

delete ca-certificate

Deletes the certificate authority certificate.

delete crl

Deletes the CRL from the trustpoint.


delete crl

To delete the certificate revocation list (CRL) from the trustpoint, use the delete crl command.

delete crl

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Trustpoint configuration

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to delete the CRL from the trustpoint:

switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# delete crl

Related Commands

Command
Description

delete ca-certificate

Deletes the certificate authority certificate.

delete certificate

Deletes the identity certificate.


deny (ARP)

To create an ARP ACL rule that denies ARP traffic that matches its conditions, use the deny command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] deny ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [log]

[sequence-number] deny request ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [log]

[sequence-number] deny response ip {any | host sender-IP | sender-IP sender-IP-mask} {any | host target-IP | target-IP target-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [any | host target-MAC | target-MAC target-MAC-mask] [log]

no sequence-number

no deny ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [log]

no deny request ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [log]

no deny response ip {any | host sender-IP | sender-IP sender-IP-mask} {any | host target-IP | target-IP target-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [any | host target-MAC | target-MAC target-MAC-mask] [log]
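To see how the sender and target matchers and the sequence numbering described for this command combine, the following Python evaluator is an added example, not code from this reference or from NX-OS. It parses deny rules in the syntax above, assigns sequence numbers as the reference describes (the first rule gets 10, each later rule 10 more than the preceding one, and an explicit number places the rule at that position), and evaluates constructed ARP packets against the list in sequence order. It treats a mask bit of 1 as "must match", so 255.255.255.255 and ffff.ffff.ffff behave like host, as the Syntax Description states. The rules, packets and MAC addresses are constructed for the example; what happens when no rule matches is returned as None because this entry does not describe the list's behaviour in that case.

```python
"""Evaluator for NX-OS ARP ACL 'deny' rules in the syntax shown above.

Added example, not code from the Cisco reference. Rules, packets and
addresses below are constructed. A matcher is (value, mask): a mask bit of 1
means that bit of the packet address must equal the rule's value.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Matcher = Tuple[int, int]
IP_HOST = 0xFFFFFFFF           # same as mask 255.255.255.255
MAC_HOST = 0xFFFFFFFFFFFF      # same as mask ffff.ffff.ffff


def ip_int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def mac_int(s: str) -> int:
    """Dotted-hexadecimal MAC such as 0011.2233.4455 -> integer."""
    digits = s.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC {s!r}")
    return int(digits, 16)


def _take_matcher(tok: List[str], conv, host_mask: int) -> Matcher:
    """Consume 'any' | 'host X' | 'X MASK' from the front of the token list."""
    t = tok.pop(0)
    if t == "any":
        return (0, 0)                       # mask 0 matches everything
    if t == "host":
        return (conv(tok.pop(0)), host_mask)
    return (conv(t), conv(tok.pop(0)))


def _hit(m: Matcher, value: int) -> bool:
    return (value & m[1]) == (m[0] & m[1])


@dataclass
class ArpRule:
    seq: int
    op: Optional[str]               # None (all ARP), 'request' or 'response'
    sender_ip: Matcher
    sender_mac: Matcher
    target_ip: Optional[Matcher]    # response rules only
    target_mac: Optional[Matcher]   # response rules only, optional
    log: bool

    def matches(self, pkt: dict) -> bool:
        if self.op is not None and pkt["op"] != self.op:
            return False
        if not _hit(self.sender_ip, ip_int(pkt["sender_ip"])):
            return False
        if not _hit(self.sender_mac, mac_int(pkt["sender_mac"])):
            return False
        if self.target_ip is not None and not _hit(self.target_ip, ip_int(pkt["target_ip"])):
            return False
        if self.target_mac is not None and not _hit(self.target_mac, mac_int(pkt["target_mac"])):
            return False
        return True


class ArpAcl:
    def __init__(self) -> None:
        self.rules: List[ArpRule] = []

    def add(self, text: str) -> ArpRule:
        """Parse '[seq] deny [request|response] ip ... mac ... [log]'."""
        tok = text.split()
        seq = int(tok.pop(0)) if tok[0].isdigit() else None
        if tok.pop(0) != "deny":
            raise ValueError("only deny rules are handled here")
        op = tok.pop(0) if tok[0] in ("request", "response") else None
        if tok.pop(0) != "ip":
            raise ValueError("expected 'ip'")
        sender_ip = _take_matcher(tok, ip_int, IP_HOST)
        target_ip = _take_matcher(tok, ip_int, IP_HOST) if op == "response" else None
        if tok.pop(0) != "mac":
            raise ValueError("expected 'mac'")
        sender_mac = _take_matcher(tok, mac_int, MAC_HOST)
        target_mac = None
        if op == "response" and tok and tok[0] != "log":
            target_mac = _take_matcher(tok, mac_int, MAC_HOST)
        log = bool(tok) and tok.pop(0) == "log"
        if tok:
            raise ValueError(f"unexpected trailing tokens {tok}")
        if seq is None:   # reference: first rule 10, then preceding rule + 10
            seq = self.rules[-1].seq + 10 if self.rules else 10
        rule = ArpRule(seq, op, sender_ip, sender_mac, target_ip, target_mac, log)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)
        return rule

    def first_match(self, pkt: dict) -> Optional[ArpRule]:
        """Rules are evaluated in sequence order; the first hit decides."""
        return next((r for r in self.rules if r.matches(pkt)), None)


def build_sample_acl() -> ArpAcl:
    acl = ArpAcl()
    acl.add("deny response ip host 192.168.1.1 any mac any log")          # seq 10
    acl.add("deny ip 10.0.0.0 255.255.255.0 mac 0011.2200.0000 ffff.ff00.0000")  # seq 20
    acl.add("5 deny request ip any mac host 00aa.bbcc.ddee")              # explicit seq 5
    return acl


# Constructed packets used by the example.
GATEWAY_SPOOF = {"op": "response", "sender_ip": "192.168.1.1", "sender_mac": "00de.ad00.beef",
                 "target_ip": "192.168.1.50", "target_mac": "0011.2233.4455"}
OUI_HIT = {"op": "request", "sender_ip": "10.0.0.77", "sender_mac": "0011.2299.0001",
           "target_ip": "10.0.0.1", "target_mac": "0000.0000.0000"}
CLEAN = {"op": "request", "sender_ip": "172.16.0.5", "sender_mac": "0050.5600.0001",
         "target_ip": "172.16.0.1", "target_mac": "0000.0000.0000"}
```

Running `build_sample_acl().first_match(GATEWAY_SPOOF)` returns the sequence-10 rule with log set, OUI_HIT falls through to rule 20 because rule 10 is restricted to responses, and CLEAN matches nothing. Changing OUI_HIT's sender MAC to 00aa.bbcc.ddee makes rule 5 fire first even though rule 20 would also match, which is the ordering effect the sequence-number text describes.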

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

ip

Introduces the IP address portion of the rule.

any

(Optional) Specifies that any host matches the part of the rule that contains the any keyword. You can use the any keyword to specify the sender IP address, target IP address, sender MAC address, and target MAC address.

host sender-IP

(Optional) Specifies that the rule matches ARP packets only when the sender IP address in the packet matches the value of the sender-IP argument. Valid values for the sender-IP argument are IPv4 addresses in dotted-decimal format.

sender-IP sender-IP-mask

(Optional) IPv4 address and mask for the set of IPv4 addresses that the sender IP address in the packet can match. The sender-IP and sender-IP-mask arguments must be given in dotted-decimal format. Specifying 255.255.255.255 as the sender-IP-mask argument is the equivalent of using the host keyword.

mac

Introduces the MAC address portion of the rule.

host sender-MAC

(Optional) Specifies that the rule matches ARP packets only when the sender MAC address in the packet matches the value of the sender-MAC argument. Valid values for the sender-MAC argument are MAC addresses in dotted-hexadecimal format.

sender-MAC sender-MAC-mask

(Optional) MAC address and mask for the set of MAC addresses that the sender MAC address in the packet can match. The sender-MAC and sender-MAC-mask arguments must be given in dotted-hexadecimal format. Specifying ffff.ffff.ffff as the sender-MAC-mask argument is the equivalent of using the host keyword.

log

(Optional) Specifies that the device logs ARP packets that match the rule.

request

(Optional) Specifies that the rule applies only to packets containing ARP request messages.

Note If you omit both the request and the response keywords, the rule applies to all ARP messages.

response

(Optional) Specifies that the rule applies only to packets containing ARP response messages.

Note If you omit both the request and the response keywords, the rule applies to all ARP messages.

host target-IP

(Optional) Specifies that the rule matches ARP packets only when the target IP address in the packet matches the value of the target-IP argument. You can specify host target-IP only when you use the response keyword. Valid values for the target-IP argument are IPv4 addresses in dotted-decimal format.

target-IP target-IP-mask

(Optional) IPv4 address and mask for the set of IPv4 addresses that the target IP address in the packet can match. You can specify target-IP target-IP-mask only when you use the response keyword. The target-IP and target-IP-mask arguments must be given in dotted-decimal format. Specifying 255.255.255.255 as the target-IP-mask argument is the equivalent of using the host keyword.

host target-MAC

(Optional) Specifies that the rule matches ARP packets only when the target MAC address in the packet matches the value of the target-MAC argument. You can specify host target-MAC only when you use the response keyword. Valid values for the target-MAC argument are MAC addresses in dotted-hexadecimal format.

target-MAC target-MAC-mask

(Optional) MAC address and mask for the set of MAC addresses that the target MAC address in the packet can match. You can specify target-MAC target-MAC-mask only when you use the response keyword. The target-MAC and target-MAC-mask arguments must be given in dotted-hexadecimal format. Specifying ffff.ffff.ffff as the target-MAC-mask argument is the equivalent of using the host keyword.


Defaults

None

Command Modes

ARP ACL configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

A newly created ARP ACL contains no rules.

If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.

When the device applies an ARP ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.

If you do not specify either the response or request keyword, the rule applies to packets that contain any ARP message.

This command does not require a license.

Examples

This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01 and add a rule that denies ARP request messages that contain a sender IP address that is within the 10.32.143.0 subnet:

switch# conf t
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)# deny request ip 10.32.143.0 255.255.255.0 mac any

Related Commands

Command
Description

arp access-list

Configures an ARP ACL.

ip arp inspection filter

Applies an ARP ACL to a VLAN.

permit (ARP)

Configures a permit rule in an ARP ACL.

remark

Configures a remark in an ACL.

show arp access-list

Displays all ARP ACLs or one ARP ACL.


deny (IPv4)

To create an IPv4 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] deny protocol source destination [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

no deny protocol source destination [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

no sequence-number

Internet Control Message Protocol

[sequence-number] deny icmp source destination [icmp-message | icmp-type [icmp-code]] [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Internet Group Management Protocol

[sequence-number] deny igmp source destination [igmp-message] [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Internet Protocol v4

[sequence-number] deny ip source destination [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Transmission Control Protocol

[sequence-number] deny tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [flags] [established] [packet-length operator packet-length [packet-length]]

User Datagram Protocol

[sequence-number] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

protocol

Name or number of the protocol of packets that the rule matches. For details about the methods that you can use to specify this argument, see "Protocol" in the "Usage Guidelines" section.

source

Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

dscp dscp

(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:

0-63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only those packets that have the following bits in the DSCP field: 001010.

af11—Assured Forwarding (AF) class 1, low drop probability (001010)

af12—AF class 1, medium drop probability (001100)

af13—AF class 1, high drop probability (001110)

af21—AF class 2, low drop probability (010010)

af22—AF class 2, medium drop probability (010100)

af23—AF class 2, high drop probability (010110)

af31—AF class 3, low drop probability (011010)

af32—AF class 3, medium drop probability (011100)

af33—AF class 3, high drop probability (011110)

af41—AF class 4, low drop probability (100010)

af42—AF class 4, medium drop probability (100100)

af43—AF class 4, high drop probability (100110)

cs1—Class-selector (CS) 1, precedence 1 (001000)

cs2—CS2, precedence 2 (010000)

cs3—CS3, precedence 3 (011000)

cs4—CS4, precedence 4 (100000)

cs5—CS5, precedence 5 (101000)

cs6—CS6, precedence 6 (110000)

cs7—CS7, precedence 7 (111000)

default—Default DSCP value (000000)

ef—Expedited Forwarding (101110)

precedence precedence

(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword, as follows:

0-7—Decimal equivalent of the 3 bits of the IP Precedence field. For example, if you specify 3, the rule matches only packets that have the following bits in the DSCP field: 011.

critical—Precedence 5 (101)

flash—Precedence 3 (011)

flash-override—Precedence 4 (100)

immediate—Precedence 2 (010)

internet—Precedence 6 (110)

network—Precedence 7 (111)

priority—Precedence 1 (001)

routine—Precedence 0 (000)

fragments

(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.

log

(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:

Whether the protocol was TCP, UDP, ICMP or a number

Source and destination addresses

Source and destination port numbers, if applicable

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. The time-range-name argument can be up to 64 alphanumeric, case-sensitive characters.

icmp-message

(ICMP only: Optional) ICMP message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under "ICMP Message Types" in the "Usage Guidelines" section.

icmp-type [icmp-code]

(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches.

For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters.

igmp-message

(IGMP only: Optional) IGMP message type that the rule matches. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:

dvmrp—Distance Vector Multicast Routing Protocol

host-query—Host query

host-report—Host report

pim—Protocol Independent Multicast

trace—Multicast trace

operator port [port]

(Optional; TCP and UDP only) The rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument.

The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines" section.

A second port argument is required only when the operator argument is a range.

The operator argument must be one of the following keywords:

eq—Matches only if the port in the packet is equal to the port argument.

gt—Matches only if the port in the packet is greater than and not equal to the port argument.

lt—Matches only if the port in the packet is less than and not equal to the port argument.

neq—Matches only if the port in the packet is not equal to the port argument.

range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.

portgroup portgroup

(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port object group specified by the portgroup argument, which can be up to 64 alphanumeric, case-sensitive characters. Whether the IP port object group applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument.

Use the object-group ip port command to create and change IP port object groups.

flags

(TCP only; Optional) TCP control bit flags that the rule matches. The value of the flags argument must be one or more of the following keywords:

ack

fin

psh

rst

syn

urg

established

(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection.

packet-length operator packet-length [packet-length]

(Optional) The rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments.

Valid values for the packet-length argument are whole numbers from 20 to 9210.

The operator argument must be one of the following keywords:

eq—Matches only if the packet length in bytes is equal to the packet-length argument.

gt—Matches only if the packet length in bytes is greater than the packet-length argument.

lt—Matches only if the packet length in bytes is less than the packet-length argument.

neq—Matches only if the packet length in bytes is not equal to the packet-length argument.

range—Requires two packet-length arguments and matches only if the packet length in bytes is equal to or greater than the first packet-length argument and equal to or less than the second packet-length argument.


Defaults

A newly created IPv4 ACL contains no rules.

If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

IPv4 ACL configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

Support was added for the following:

The ahp, eigrp, esp, gre, nos, ospf, pcp, and pim protocol keywords.

The packet-length keyword.

4.0(1)

This command was introduced.


Usage Guidelines

When the device applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.

This command does not require a license.

Protocol

You can specify the protocol of packets that the rule applies to by the protocol name or the number of the protocol. If you want the rule to apply to all IPv4 traffic, use the ip keyword.

The protocol keyword that you specify affects the additional keywords and arguments that are available. Unless otherwise specified, only the other keywords that apply to all IPv4 protocols are available. Those keywords include the following:

dscp

fragments

log

packet-length

precedence

time-range

Valid protocol numbers are from 0 to 255.

Valid protocol names are the following keywords:

ahp—Specifies that the rule applies to authentication header protocol (AHP) traffic only.

eigrp—Specifies that the rule applies to Enhanced Interior Gateway Routing Protocol (EIGRP) traffic only.

esp—Specifies that the rule applies to Encapsulating Security Protocol (ESP) traffic only.

gre—Specifies that the rule applies to General Routing Encapsulation (GRE) traffic only.

icmp—Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

igmp—Specifies that the rule applies to IGMP traffic only. When you use this keyword, the igmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

ip—Specifies that the rule applies to all IPv4 traffic.

nos—Specifies that the rule applies to KA9Q NOS-compatible IP-over-IP tunneling traffic only.

ospf—Specifies that the rule applies to Open Shortest Path First (OSPF) traffic only.

pcp—Specifies that the rule applies to payload compression protocol (PCP) traffic only.

pim—Specifies that the rule applies to protocol-independent multicast (PIM) traffic only.

tcp—Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.

udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

Source and Destination

You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:

IP address group object—You can use an IPv4 address group object to specify a source or destination argument. Use the object-group ip address command to create and change IPv4 address group objects. The syntax is as follows:

addrgroup address-group-name

The following example shows how to use an IPv4 address object group named lab-gateway-svrs to specify the destination argument:

switch(config-acl)# deny ip any addrgroup lab-gateway-svrs

Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address network-wildcard

The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:

switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any

Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address/prefix-len

The following example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:

switch(config-acl)# deny udp 192.168.67.0/24 any

Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:

host IPv4-address

This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.

The following example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:

switch(config-acl)# deny icmp host 192.168.67.132 any

Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.

ICMP Message Types

The icmp-message argument can be one of the following keywords:

administratively-prohibited—Administratively prohibited

alternate-address—Alternate address

conversion-error—Datagram conversion

dod-host-prohibited—Host prohibited

dod-net-prohibited—Net prohibited

echo—Echo (ping)

echo-reply—Echo reply

general-parameter-problem—Parameter problem

host-isolated—Host isolated

host-precedence-unreachable—Host unreachable for precedence

host-redirect—Host redirect

host-tos-redirect—Host redirect for ToS

host-tos-unreachable—Host unreachable for ToS

host-unknown—Host unknown

host-unreachable—Host unreachable

information-reply—Information replies

information-request—Information requests

mask-reply—Mask replies

mask-request—Mask requests

mobile-redirect—Mobile host redirect

net-redirect—Network redirect

net-tos-redirect—Net redirect for ToS

net-tos-unreachable—Network unreachable for ToS

net-unreachable—Net unreachable

network-unknown—Network unknown

no-room-for-option—Parameter required but no room

option-missing—Parameter required but not present

packet-too-big—Fragmentation needed and DF set

parameter-problem—All parameter problems

port-unreachable—Port unreachable

precedence-unreachable—Precedence cutoff

protocol-unreachable—Protocol unreachable

reassembly-timeout—Reassembly timeout

redirect—All redirects

router-advertisement—Router discovery advertisements

router-solicitation—Router discovery solicitations

source-quench—Source quenches

source-route-failed—Source route failed

time-exceeded—All time-exceeded messages

timestamp-reply—Time-stamp replies

timestamp-request—Time-stamp requests

traceroute—Traceroute

ttl-exceeded—TTL exceeded

unreachable—All unreachables

TCP Port Names

When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

bgp—Border Gateway Protocol (179)

chargen—Character generator (19)

cmd—Remote commands (rcmd, 514)

daytime—Daytime (13)

discard—Discard (9)

domain—Domain Name Service (53)

drip—Dynamic Routing Information Protocol (3949)

echo—Echo (7)

exec—EXEC (rsh, 512)

finger—Finger (79)

ftp—File Transfer Protocol (21)

ftp-data—FTP data connections (20)

gopher—Gopher (70)

hostname—NIC hostname server (101)

ident—Ident Protocol (113)

irc—Internet Relay Chat (194)

klogin—Kerberos login (543)

kshell—Kerberos shell (544)

login—Login (rlogin, 513)

lpd—Printer service (515)

nntp—Network News Transport Protocol (119)

pim-auto-rp—PIM Auto-RP (496)

pop2—Post Office Protocol v2 (109)

pop3—Post Office Protocol v3 (110)

smtp—Simple Mail Transport Protocol (25)

sunrpc—Sun Remote Procedure Call (111)

tacacs—TAC Access Control System (49)

talk—Talk (517)

telnet—Telnet (23)

time—Time (37)

uucp—UNIX-to-UNIX Copy Program (540)

whois—WHOIS/NICNAME (43)

www—World Wide Web (HTTP, 80)

UDP Port Names

When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

biff—Biff (mail notification, comsat, 512)

bootpc—Bootstrap Protocol (BOOTP) client (68)

bootps—Bootstrap Protocol (BOOTP) server (67)

discard—Discard (9)

dnsix—DNSIX security protocol auditing (195)

domain—Domain Name Service (DNS, 53)

echo—Echo (7)

isakmp—Internet Security Association and Key Management Protocol (500)

mobile-ip—Mobile IP registration (434)

nameserver—IEN116 name service (obsolete, 42)

netbios-dgm—NetBIOS datagram service (138)

netbios-ns—NetBIOS name service (137)

netbios-ss—NetBIOS session service (139)

non500-isakmp—Internet Security Association and Key Management Protocol (4500)

ntp—Network Time Protocol (123)

pim-auto-rp—PIM Auto-RP (496)

rip—Routing Information Protocol (router, in.routed, 520)

snmp—Simple Network Management Protocol (161)

snmptrap—SNMP Traps (162)

sunrpc—Sun Remote Procedure Call (111)

syslog—System Logger (514)

tacacs—TAC Access Control System (49)

talk—Talk (517)

tftp—Trivial File Transfer Protocol (69)

time—Time (37)

who—Who service (rwho, 513)

xdmcp—X Display Manager Control Protocol (177)

Examples

This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:

switch# configure terminal
switch(config)# ip access-list acl-lab-01
switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16
switch(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16
switch(config-acl)# permit ip any any

This example shows how to configure an IPv4 ACL named acl-eng-to-marketing with a rule that denies all IP traffic from an IPv4 address object group named eng_workstations to an IP address object group named marketing_group followed by a rule that permits all other IPv4 traffic:

switch# configure terminal
switch(config)# ip access-list acl-eng-to-marketing
switch(config-acl)# deny ip addrgroup eng_workstations addrgroup marketing_group
switch(config-acl)# permit ip any any
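The following Python model is an added example, not Cisco code or output. It applies the evaluation rules stated in the Usage Guidelines (sequence numbers assigned at +10, lowest matching sequence number enforced), the source and destination forms, and the TCP/UDP port operators to rules written in the command syntax above, so an ACL can be checked offline before it is applied; address object groups are assumed to be supplied as a plain dict of prefixes in place of object-group ip address, and the port-name table is a small subset of the names listed.

```python
# Offline model of NX-OS IPv4 ACL evaluation (added example, not Cisco code): the first
# rule gets sequence 10, an unnumbered rule gets last + 10, an explicit number inserts
# at that position, and the lowest-numbered matching rule wins. Covers the source/
# destination forms (any, host, A/len, A wildcard, addrgroup) and the port operators.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "domain": 53, "bgp": 179}  # subset of the listed names

def _ipv4(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_addr(tokens: list) -> tuple:
    """Consume one source/destination form; return ("any" | "group" | "net", data)."""
    tok = tokens.pop(0)
    if tok == "any":
        return ("any", None)
    if tok == "addrgroup":                           # object group, resolved at match time
        return ("group", tokens.pop(0))
    if tok == "host":                                # host A == A/32 == A 0.0.0.0
        return ("net", (_ipv4(tokens.pop(0)), 0))
    if "/" in tok:                                   # A/prefix-len: the hostmask is the wildcard
        net = ipaddress.IPv4Network(tok, strict=False)
        return ("net", (int(net.network_address), int(net.hostmask)))
    return ("net", (_ipv4(tok), _ipv4(tokens.pop(0))))   # A wildcard: 1 bits are don't-care

def parse_port(tokens: list) -> Optional[tuple]:
    """Consume an optional [operator port [port]] clause; None when absent."""
    if not tokens or tokens[0] not in ("eq", "gt", "lt", "neq", "range"):
        return None
    op, lo = tokens.pop(0), _port(tokens.pop(0))
    hi = _port(tokens.pop(0)) if op == "range" else lo   # only range takes a second port
    return (op, lo, hi)

def port_match(spec: Optional[tuple], port: Optional[int]) -> bool:
    if spec is None:                                 # rule has no port clause: any port matches
        return True
    if port is None:
        return False
    op, lo, hi = spec
    return {"eq": port == lo, "gt": port > lo, "lt": port < lo,
            "neq": port != lo, "range": lo <= port <= hi}[op]

@dataclass
class Rule:
    seq: int
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    src: tuple
    sport: Optional[tuple]
    dst: tuple
    dport: Optional[tuple]

@dataclass
class Acl:
    name: str
    groups: dict = field(default_factory=dict)       # addrgroup name -> list of CIDR strings (assumed form)
    rules: list = field(default_factory=list)        # kept sorted by sequence number

    def add(self, line: str) -> int:
        """Add a permit/deny rule written in command syntax; return its sequence number."""
        tokens = line.split()
        # Explicit number inserts at that position; unnumbered rules get last + 10 (first is 10).
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else (self.rules[-1].seq + 10 if self.rules else 10)
        action, proto = tokens.pop(0), tokens.pop(0)
        src = parse_addr(tokens)
        sport = parse_port(tokens) if proto in ("tcp", "udp") else None
        dst = parse_addr(tokens)
        dport = parse_port(tokens) if proto in ("tcp", "udp") else None
        # Remaining options (dscp, log, time-range, ...) are accepted but not modelled.
        self.rules.append(Rule(seq, action, proto, src, sport, dst, dport))
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def _addr_match(self, spec: tuple, ip: int) -> bool:
        kind, data = spec
        if kind == "any":
            return True
        if kind == "group":
            addr = ipaddress.IPv4Address(ip)
            return any(addr in ipaddress.IPv4Network(c) for c in self.groups[data])
        base, wildcard = data
        return ((ip ^ base) & ~wildcard & 0xFFFFFFFF) == 0

    def evaluate(self, proto: str, src: str, dst: str,
                 sport: Optional[int] = None, dport: Optional[int] = None) -> tuple:
        """Return (action, seq) of the lowest-numbered matching rule; "ip" rules match any protocol."""
        s, d = _ipv4(src), _ipv4(dst)
        for rule in self.rules:                      # ascending sequence order: first match is enforced
            if (rule.proto in ("ip", proto) and self._addr_match(rule.src, s)
                    and self._addr_match(rule.dst, d) and port_match(rule.sport, sport)
                    and port_match(rule.dport, dport)):
                return (rule.action, rule.seq)
        return ("implicit-deny", None)               # unmatched traffic: the NX-OS implicit deny
```

Inserting a rule with an explicit low sequence number (for example 5) ahead of the deny rules changes the outcome for matching traffic, which is the kind of ordering mistake this model makes visible before the ACL reaches a VLAN or interface.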

Related Commands

Command
Description

fragments

Configures how an IP ACL processes noninitial fragments.

ip access-list

Configures an IPv4 ACL.

object-group ip address

Configures an IPv4 address object group.

object-group ip port

Configures an IP port object group.

permit (IPv4)

Configures a permit rule in an IPv4 ACL.

remark

Configures a remark in an IPv4 ACL.

show ip access-list

Displays all IPv4 ACLs or one IPv4 ACL.

statistics per-entry

Enables collection of statistics for each entry in an ACL.

time-range

Configures a time range.


deny (IPv6)

To create an IPv6 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.

General Syntax

[sequence-number] deny protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

no deny protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

no sequence-number

Internet Control Message Protocol

[sequence-number | no] deny icmp source destination [icmp-message | icmp-type [icmp-code]] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Internet Protocol v6

[sequence-number] deny ipv6 source destination [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Stream Control Transmission Protocol

[sequence-number | no] deny sctp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Transmission Control Protocol

[sequence-number] deny tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [flags] [established] [packet-length operator packet-length [packet-length]]

User Datagram Protocol

[sequence-number | no] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

protocol

Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:

ahp—Specifies that the rule applies to Authentication Header Protocol (AHP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

esp—Specifies that the rule applies to Encapsulating Security Payload (ESP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

icmp—Specifies that the rule applies to ICMP traffic only. When you use this keyword, the icmp-message argument is available, in addition to the keywords that are available for all valid values of the protocol argument.

ipv6—Specifies that the rule applies to all IPv6 traffic. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

pcp—Specifies that the rule applies to Payload Compression Protocol (PCP) traffic only. When you use this keyword, only the other keywords and arguments that apply to all IPv6 protocols are available.

sctp—Specifies that the rule applies to Stream Control Transmission Protocol (SCTP) traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

tcp—Specifies that the rule applies to TCP traffic only. When you use this keyword, the flags and operator arguments and the portgroup and established keywords are available, in addition to the keywords that are available for all valid values of the protocol argument.

udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol argument.

source

Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

dscp dscp

(Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be one of the following numbers or keywords:

0-63—The decimal equivalent of the 6 bits of the DSCP field. For example, if you specify 10, the rule matches only packets that have the following bits in the DSCP field: 001010.

af11—Assured Forwarding (AF) class 1, low drop probability (001010)

af12—AF class 1, medium drop probability (001100)

af13—AF class 1, high drop probability (001110)

af21—AF class 2, low drop probability (010010)

af22—AF class 2, medium drop probability (010100)

af23—AF class 2, high drop probability (010110)

af31—AF class 3, low drop probability (011010)

af32—AF class 3, medium drop probability (011100)

af33—AF class 3, high drop probability (011110)

af41—AF class 4, low drop probability (100010)

af42—AF class 4, medium drop probability (100100)

af43—AF class 4, high drop probability (100110)

cs1—Class-selector (CS) 1, precedence 1 (001000)

cs2—CS2, precedence 2 (010000)

cs3—CS3, precedence 3 (011000)

cs4—CS4, precedence 4 (100000)

cs5—CS5, precedence 5 (101000)

cs6—CS6, precedence 6 (110000)

cs7—CS7, precedence 7 (111000)

default—Default DSCP value (000000)

ef—Expedited Forwarding (101110)

flow-label flow-label-value

(Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.

fragments

(Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.

log

(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:

ACL name

Whether the packet was permitted or denied

Whether the protocol was TCP, UDP, ICMP or a number

Source and destination addresses and, if applicable, source and destination port numbers

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.

icmp-message

(ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under "ICMPv6 Message Types" in the "Usage Guidelines" section.

icmp-type [icmp-code]

(ICMP only: Optional) ICMP message type that the rule matches. The icmp-type argument is an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches.

For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters.

operator port [port]

(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument.

The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see "TCP Port Names" and "UDP Port Names" in the "Usage Guidelines" section.

A second port argument is required only when the operator argument is a range.

The operator argument must be one of the following keywords:

eq—Matches only if the port in the packet is equal to the port argument.

gt—Matches only if the port in the packet is greater than and not equal to the port argument.

lt—Matches only if the port in the packet is less than and not equal to the port argument.

neq—Matches only if the port in the packet is not equal to the port argument.

range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.

portgroup portgroup

(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument.

Use the object-group ip port command to create and change IP port-group objects.

established

(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection.

flags

(TCP only; Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:

ack

fin

psh

rst

syn

urg

packet-length operator packet-length [packet-length]

(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments.

Valid values for the packet-length argument are whole numbers from 20 to 9210.

The operator argument must be one of the following keywords:

eq—Matches only if the packet length in bytes is equal to the packet-length argument.

gt—Matches only if the packet length in bytes is greater than the packet-length argument.

lt—Matches only if the packet length in bytes is less than the packet-length argument.

neq—Matches only if the packet length in bytes is not equal to the packet-length argument.

range—Requires two packet-length arguments and matches only if the packet length in bytes is equal to or greater than the first packet-length argument and equal to or less than the second packet-length argument.


Defaults

None

Command Modes

IPv6 ACL configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.1(2)

This command was introduced.


Usage Guidelines

A newly created IPv6 ACL contains no rules.

When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
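The evaluation order, port operators, established and fragments semantics described above, modelled in Python as an added example (not Cisco code or NX-OS output). It parses a subset of the deny/permit syntax and evaluates constructed packets against a constructed ACL built from this page's sample networks; the implicit deny at the end of the ACL is an assumption of the model, not something this section states.

```python
"""Model of NX-OS IPv6 ACL evaluation (added example, not Cisco code): rules are tried
in ascending sequence order and the first match is enforced; port operators
eq/gt/lt/neq/range; 'established' (ACK or RST set); 'fragments' (noninitial only).
Only the subset of the deny/permit syntax used in the sample rules is parsed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Port operator semantics from the command reference: gt/lt are strict, range is inclusive.
OPS = {"eq": lambda p, a, b: p == a, "gt": lambda p, a, b: p > a, "lt": lambda p, a, b: p < a,
       "neq": lambda p, a, b: p != a, "range": lambda p, a, b: a <= p <= b}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                         # "tcp", "udp", "sctp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None
    flags: frozenset = frozenset()     # TCP control bits, e.g. {"syn"}
    noninitial_fragment: bool = False  # fragment extension header with offset != 0

@dataclass
class Rule:
    seq: int
    action: str
    proto: str                         # "ipv6" matches every protocol
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    sport: Optional[tuple] = None      # (operator, (port,) or (low, high))
    dport: Optional[tuple] = None
    established: bool = False
    fragments: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ipv6", p.proto):
            return False
        if ipaddress.ip_address(p.src) not in self.src or ipaddress.ip_address(p.dst) not in self.dst:
            return False
        if self.fragments:                      # matches noninitial fragments only
            return p.noninitial_fragment
        if p.noninitial_fragment and (self.sport or self.dport or self.established):
            return False                        # Layer 4 data is only in the initial fragment
        for clause, port in ((self.sport, p.sport), (self.dport, p.dport)):
            if clause and (port is None or not OPS[clause[0]](port, clause[1][0], clause[1][-1])):
                return False
        return not self.established or bool(p.flags & {"ack", "rst"})

def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv6Network, int]:
    """'any', 'host X' or 'X/prefix-len' at t[i]; returns (network, next index)."""
    if t[i] == "any":
        return ipaddress.IPv6Network("::/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv6Network(t[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(t[i], strict=False), i + 1

def _parse_ports(t: List[str], i: int) -> Tuple[Optional[tuple], int]:
    """Optional 'operator port [port]' clause at t[i]; only 'range' takes two ports."""
    if i >= len(t) or t[i] not in OPS:
        return None, i
    n = 2 if t[i] == "range" else 1
    return (t[i], tuple(int(x) for x in t[i + 1:i + 1 + n])), i + 1 + n

def parse_rule(line: str, default_seq: int) -> Rule:
    """'[seq] {permit|deny} proto src [op port] dst [op port] [established] [fragments]'."""
    t = line.split()
    seq, i = (int(t[0]), 1) if t[0].isdigit() else (default_seq, 0)
    action, proto = t[i], t[i + 1]
    src, i = _parse_addr(t, i + 2)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_ports(t, i)
    rest = set(t[i:])
    return Rule(seq, action, proto, src, dst, sport, dport, "established" in rest, "fragments" in rest)

class IPv6ACL:
    """Rule list with the sequence-number behaviour of 'ipv6 access-list'."""
    def __init__(self, lines: List[str]):
        self.rules: List[Rule] = []
        for line in lines:
            # Without an explicit number a rule gets the highest sequence + 10 (first rule: 10).
            self.rules.append(parse_rule(line, max((r.seq for r in self.rules), default=0) + 10))
        self.rules.sort(key=lambda r: r.seq)    # an explicit number inserts the rule in position

    def evaluate(self, p: Packet) -> Tuple[str, Optional[int]]:
        """(action, seq) of the lowest-sequence matching rule; ('deny', None) models the
        implicit deny that ends every NX-OS ACL (assumed here; not stated on this page)."""
        for r in self.rules:
            if r.matches(p):
                return r.action, r.seq
        return "deny", None

# Constructed sample ACL, reusing the networks from the examples on this page.
LAB_ACL = IPv6ACL([
    "deny tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64",   # seq 10
    "deny udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64",   # seq 20
    "permit tcp any 2001:0db8:be03:2112::/64 range 80 443",    # seq 30
    "permit tcp 2001:0db8:be03:2112::/64 any established",     # seq 40: server replies only
    "5 permit ipv6 host 2001:0db8:85a3::1 any",                # explicit seq 5: evaluated first
    "deny ipv6 any any fragments",                             # seq 50
])
```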

This command does not require a license.

Source and Destination

You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:

IPv6 address group object—You can use an IPv6 address group object to specify a source or destination argument. Use the object-group ipv6 address command to create and change IPv6 address group objects. The syntax is as follows:

addrgroup address-group-name

The following example shows how to use an IPv6 address object group named lab-svrs-1301 to specify the destination argument:

switch(config-acl)# deny ipv6 any addrgroup lab-svrs-1301

Address and variable-length subnet mask—You can use an IPv6 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv6-address/prefix-len

The following example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:

switch(config-acl)# deny udp 2001:0db8:85a3::/48 any

Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:

host IPv6-address

This syntax is equivalent to IPv6-address/128.

The following example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:

switch(config-acl)# deny icmp host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 any

Any address—You can use the any keyword to specify that a source or destination is any IPv6 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.

ICMPv6 Message Types

The icmp-message argument can be one of the following keywords:

beyond-scope—Destination beyond scope

destination-unreachable—Destination address is unreachable

echo-reply—Echo reply

echo-request—Echo request (ping)

header—Parameter header problems

hop-limit—Hop limit exceeded in transit

mld-query—Multicast Listener Discovery Query

mld-reduction—Multicast Listener Discovery Reduction

mld-report—Multicast Listener Discovery Report

nd-na—Neighbor discovery neighbor advertisements

nd-ns—Neighbor discovery neighbor solicitations

next-header—Parameter next header problems

no-admin—Administration prohibited destination

no-route—No route to destination

packet-too-big—Packet too big

parameter-option—Parameter option problems

parameter-problem—All parameter problems

port-unreachable—Port unreachable

reassembly-timeout—Reassembly timeout

redirect—Neighbor redirect

renum-command—Router renumbering command

renum-result—Router renumbering result

renum-seq-number—Router renumbering sequence number reset

router-advertisement—Neighbor discovery router advertisements

router-renumbering—All router renumbering

router-solicitation—Neighbor discovery router solicitations

time-exceeded—All time exceeded messages

unreachable—All unreachable

TCP Port Names

When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

bgp—Border Gateway Protocol (179)

chargen—Character generator (19)

cmd—Remote commands (rcmd, 514)

daytime—Daytime (13)

discard—Discard (9)

domain—Domain Name Service (53)

drip—Dynamic Routing Information Protocol (3949)

echo—Echo (7)

exec—Exec (rsh, 512)

finger—Finger (79)

ftp—File Transfer Protocol (21)

ftp-data—FTP data connections (20)

gopher—Gopher (70)

hostname—NIC hostname server (101)

ident—Ident Protocol (113)

irc—Internet Relay Chat (194)

klogin—Kerberos login (543)

kshell—Kerberos shell (544)

login—Login (rlogin, 513)

lpd—Printer service (515)

nntp—Network News Transport Protocol (119)

pim-auto-rp—PIM Auto-RP (496)

pop2—Post Office Protocol v2 (109)

pop3—Post Office Protocol v3 (110)

smtp—Simple Mail Transport Protocol (25)

sunrpc—Sun Remote Procedure Call (111)

tacacs—TAC Access Control System (49)

talk—Talk (517)

telnet—Telnet (23)

time—Time (37)

uucp—Unix-to-Unix Copy Program (540)

whois—WHOIS/NICNAME (43)

www—World Wide Web (HTTP, 80)

UDP Port Names

When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:

biff—Biff (mail notification, comsat, 512)

bootpc—Bootstrap Protocol (BOOTP) client (68)

bootps—Bootstrap Protocol (BOOTP) server (67)

discard—Discard (9)

dnsix—DNSIX security protocol auditing (195)

domain—Domain Name Service (DNS, 53)

echo—Echo (7)

isakmp—Internet Security Association and Key Management Protocol (500)

mobile-ip—Mobile IP registration (434)

nameserver—IEN116 name service (obsolete, 42)

netbios-dgm—NetBIOS datagram service (138)

netbios-ns—NetBIOS name service (137)

netbios-ss—NetBIOS session service (139)

non500-isakmp—Internet Security Association and Key Management Protocol (4500)

ntp—Network Time Protocol (123)

pim-auto-rp—PIM Auto-RP (496)

rip—Routing Information Protocol (router, in.routed, 520)

snmp—Simple Network Management Protocol (161)

snmptrap—SNMP Traps (162)

sunrpc—Sun Remote Procedure Call (111)

syslog—System Logger (514)

tacacs—TAC Access Control System (49)

talk—Talk (517)

tftp—Trivial File Transfer Protocol (69)

time—Time (37)

who—Who service (rwho, 513)

xdmcp—X Display Manager Control Protocol (177)

Examples

This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:

switch# config t
switch(config)# ipv6 access-list acl-lab13-ipv6
switch(config-ipv6-acl)# deny tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64

This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that denies all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:

switch# config t
switch(config)# ipv6 access-list ipv6-eng-to-marketing
switch(config-ipv6-acl)# deny ipv6 addrgroup eng_ipv6 addrgroup marketing_group

Related Commands

Command
Description

fragments

Configures how an IP ACL processes noninitial fragments.

ipv6 access-list

Configures an IPv6 ACL.

object-group ipv6 address

Configures an IPv6-address object group.

object-group ip port

Configures an IP-port object group.

permit (IPv6)

Configures a permit rule in an IPv6 ACL.

remark

Configures a remark in an ACL.

show ipv6 access-list

Displays all IPv6 ACLs or one IPv6 ACL.

statistics per-entry

Enables collection of statistics for each entry in an ACL.

time-range

Configures a time range.


deny (MAC)

To create a MAC access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.

[sequence-number] deny source destination [protocol] [cos cos-value] [vlan VLAN-ID] [time-range time-range-name]

no deny source destination [protocol] [cos cos-value] [vlan VLAN-ID] [time-range time-range-name]

no sequence-number

Syntax Description

sequence-number

(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL.

A sequence number can be any integer between 1 and 4294967295.

By default, the first rule in an ACL has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule.

Use the resequence command to reassign sequence numbers to rules.

source

Source MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

destination

Destination MAC addresses that the rule matches. For details about the methods that you can use to specify this argument, see "Source and Destination" in the "Usage Guidelines" section.

protocol

(Optional) Protocol number that the rule matches. Valid protocol numbers are 0x0 to 0xffff. For listings of valid protocol names, see "MAC Protocols" in the "Usage Guidelines" section.

cos cos-value

(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7.

vlan VLAN-ID

(Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the VLAN ID given. The VLAN-ID argument can be an integer from 1 to 4094.

time-range time-range-name

(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.


Defaults

A newly created MAC ACL contains no rules.

If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes

MAC ACL configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.

This command does not require a license.

Source and Destination

You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:

Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:

MAC-address MAC-mask

The following example specifies the source argument with the MAC address 00c0.4f03.0a72:

switch(config-acl)# deny 00c0.4f03.0a72 0000.0000.0000 any

The following example specifies the destination argument with a MAC address and a mask that together match all hosts with a MAC vendor code of 00603e (bits set to 1 in the mask are not compared, so the last three bytes of the address are ignored):

switch(config-acl)# deny any 0060.3e00.0000 0000.00ff.ffff

Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.

MAC Protocols

The protocol argument can be the MAC protocol number or a keyword. The protocol number is a hexadecimal number of up to four digits prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:

aarp—Appletalk ARP (0x80f3)

appletalk—Appletalk (0x809b)

decnet-iv—DECnet Phase IV (0x6003)

diagnostic—DEC Diagnostic Protocol (0x6005)

etype-6000—EtherType 0x6000 (0x6000)

etype-8042—EtherType 0x8042 (0x8042)

ip—Internet Protocol v4 (0x0800)

lat—DEC LAT (0x6004)

lavc-sca—DEC LAVC, SCA (0x6007)

mop-console—DEC MOP Remote console (0x6002)

mop-dump—DEC MOP dump (0x6001)

vines-echo—VINES Echo (0x0baf)

Examples

This example shows how to configure a MAC ACL named mac-ip-filter with a rule that denies IPv4 traffic between two groups of MAC addresses and a rule that permits all other traffic:

switch# configure terminal
switch(config)# mac access-list mac-ip-filter
switch(config-mac-acl)# deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
switch(config-mac-acl)# permit any any

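The address-and-mask matching described under Source and Destination, applied to the mac-ip-filter ACL above, modelled in Python as an added example (not Cisco code). The model treats 1 bits in the mask as bits that are not compared, which is what lets 0000.00ff.ffff select a vendor code; the implicit deny at the end of the ACL is an assumption of the model, not something this section states.

```python
"""MAC address/mask matching as used by NX-OS MAC ACL rules (added example, not Cisco code).
In the mask a 0 bit means the packet's bit must equal the rule's bit and a 1 bit means
'do not care': 0000.0000.0000 matches one station, 0000.00ff.ffff matches every address
with the same first three bytes (the vendor code). Rules are tried in order; first match wins."""
from typing import List, Optional, Tuple

ETHERTYPES = {"ip": 0x0800, "aarp": 0x80f3, "appletalk": 0x809b}  # subset of the keyword table
ALL_BITS = (1 << 48) - 1

def mac_to_int(mac: str) -> int:
    """Parse the dotted-hex form used on NX-OS, e.g. 00c0.4f03.0a72."""
    digits = mac.replace(".", "")
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits: " + mac)
    return int(digits, 16)

def mac_matches(rule_addr: str, rule_mask: str, pkt_mac: str) -> bool:
    care = ~mac_to_int(rule_mask) & ALL_BITS     # bits that must be equal
    return (mac_to_int(rule_addr) & care) == (mac_to_int(pkt_mac) & care)

def _parse_addr(t: List[str], i: int) -> Tuple[Optional[Tuple[str, str]], int]:
    """'any' or 'MAC-address MAC-mask' at t[i]; None stands for any."""
    if t[i] == "any":
        return None, i + 1
    return (t[i], t[i + 1]), i + 2

def parse_mac_rule(line: str) -> tuple:
    """'{permit|deny} source destination [protocol]'; protocol is a keyword or 0x number."""
    t = line.split()
    src, i = _parse_addr(t, 1)
    dst, i = _parse_addr(t, i)
    proto = None
    if i < len(t):
        proto = ETHERTYPES[t[i]] if t[i] in ETHERTYPES else int(t[i], 16)
    return t[0], src, dst, proto

class MacACL:
    def __init__(self, lines: List[str]):
        self.rules = [parse_mac_rule(line) for line in lines]

    def evaluate(self, src_mac: str, dst_mac: str, ethertype: int) -> str:
        """Action of the first matching rule; 'deny' models the implicit deny (assumed)."""
        for action, src, dst, proto in self.rules:
            if src and not mac_matches(src[0], src[1], src_mac):
                continue
            if dst and not mac_matches(dst[0], dst[1], dst_mac):
                continue
            if proto is not None and proto != ethertype:
                continue
            return action
        return "deny"

# The mac-ip-filter ACL from the example on this page: IPv4 between the two vendor groups
# is denied, everything else is permitted.
MAC_IP_FILTER = MacACL([
    "deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip",
    "permit any any",
])
```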
Related Commands

Command
Description

mac access-list

Configures a MAC ACL.

permit (MAC)

Configures a permit rule in a MAC ACL.

remark

Configures a remark in an ACL.

show mac access-list

Displays all MAC ACLs or one MAC ACL.

statistics per-entry

Enables collection of statistics for each entry in an ACL.

time-range

Configures a time range.


deny (role-based access control list)

To configure a deny action in the security group access control list (SGACL), use the deny command. To remove the action, use the no form of this command.

deny {all | icmp | igmp | ip | {tcp | udp} [{src | dst} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}]} [log]

no deny {all | icmp | igmp | ip | {tcp | udp} [{src | dst} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}]} [log]

Syntax Description

all

Specifies all traffic.

icmp

Specifies Internet Control Message Protocol (ICMP) traffic.

igmp

Specifies Internet Group Management Protocol (IGMP) traffic.

ip

Specifies IP traffic.

tcp

Specifies TCP traffic.

udp

Specifies User Datagram Protocol (UDP) traffic.

src

Specifies the source port number.

dst

Specifies the destination port number.

eq

Specifies equal to the port number.

gt

Specifies greater than the port number.

lt

Specifies less than the port number.

neq

Specifies not equal to the port number.

port-number

Port number for TCP or UDP. The range is from 0 to 65535.

range

Specifies a port range for TCP or UDP.

port-number1

First port in the range. The range is from 0 to 65535.

port-number2

Last port in the range. The range is from 0 to 65535.

log

(Optional) Specifies that packets matching this configuration be logged.


Defaults

None

Command Modes

role-based access control list

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.0(2)

The log keyword was added to support the enabling of role-based access control list (RBACL) logging.

4.0(1)

This command was introduced.


Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF.

To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.

This command requires the Advanced Services license.

Examples

This example shows how to add a deny action to an SGACL and enable RBACL logging:

switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# deny icmp log

This example shows how to remove a deny action from an SGACL:

switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)# no deny icmp log

Related Commands

Command
Description

cts role-based access-list

Configures Cisco TrustSec SGACLs.

feature cts

Enables the Cisco TrustSec feature.

show cts role-based access-list

Displays the Cisco TrustSec SGACL configuration.

description (identity policy)

To configure a description for an identity policy, use the description command. To revert to the default, use the no form of this command.

description "text"

no description

Syntax Description

"text"

Text string that describes the identity policy. The string is alphanumeric. The maximum length is 100 characters.


Defaults

None

Command Modes

Identity policy configuration

Supported User Roles

network-admin
vdc-admin
VDC user

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to configure the description for an identity policy:

switch# configure terminal
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# description "Administrator identity policy"

This example shows how to remove the description from an identity policy:

switch# configure terminal
switch(config)# identity policy AdminPolicy
switch(config-id-policy)# no description

Related Commands

Command
Description

identity policy

Creates or specifies an identity policy and enters identity policy configuration mode.

show identity policy

Displays identity policy information.


description (user role)

To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.

description text

no description

Syntax Description

text

Text string that describes the user role. The string is alphanumeric. The maximum length is 128 characters.


Defaults

None

Command Modes

User role configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You can include blank spaces in the user role description text.

This command does not require a license.

Examples

This example shows how to configure the description for a user role:

switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# description User role for my user account.

This example shows how to remove the description from a user role:

switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no description

Related Commands

Command
Description

role name

Creates or specifies a user role and enters user role configuration mode.

show role

Displays user role information.


destination interface

To configure a destination for ACL capture packets, use the destination interface command.

destination interface ethernet slot/port

Syntax Description

ethernet

Specifies Ethernet IEEE 802.3z.

slot/port

Slot and port identifiers for the interface. The range is from 1 to 253.


Defaults

None

Command Modes

ACL capture configuration mode (config-acl-capture)

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

Only a physical interface can be used as the destination. Port-channel interfaces and supervisor in-band ports are not supported as a destination for ACL capture.

ACL capture session destination interfaces do not support ingress forwarding and ingress MAC learning. If a destination interface is configured with these options, the monitor keeps the ACL capture session down. Use the show monitor session all command to see if ingress forwarding and MAC learning are enabled.


Note You can use the no switchport monitor command to disable ingress forwarding and MAC learning on the interface.


The source port of the packet and the ACL capture destination port cannot be part of the same ASIC. If both ports belong to the same ASIC, a message appears when you configure the destination ports for ACL capture, and the packet is not captured.

You can enter the destination interface command multiple times to add multiple destinations.

This command does not require a license.

Examples

This example shows how to configure a destination for ACL capture packets:

switch# configure terminal
switch(config)# monitor session 7 type acl-capture
switch(config-acl-capture)# destination interface ethernet 5/5

Related Commands

Command
Description

monitor session session type acl-capture

Configures an ACL capture session.


device

To add a supplicant device to the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile exception list, use the device command. To remove a supplicant device, use the no form of this command.

device {authenticate | not-authenticate} {ip-address ipv4-address [subnet-mask] | mac-address mac-address [mac-address-mask]} policy policy-name

no device {authenticate | not-authenticate} {ip-address ipv4-address [subnet-mask] | mac-address mac-address [mac-address-mask]} policy policy-name

Syntax Description

authenticate

Specifies to allow authentication of the device using the policy.

not-authenticate

Specifies to not allow authentication of the device using the policy.

ip-address ipv4-address

Specifies the IPv4 address for the supplicant device in the A.B.C.D format.

subnet-mask

(Optional) IPv4 subnet mask for the IPv4 address.

mac-address mac-address

Specifies the MAC address for the supplicant device in the XXXX.XXXX.XXXX format.

mac-address-mask

(Optional) Mask for the MAC address.

policy policy-name

Specifies the policy to use for the supplicant device.


Defaults

None

Command Modes

Identity policy configuration

Supported User Roles

network-admin
vdc-admin
VDC user

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to add a device to the EAPoUDP identity profile:

switch# configure terminal
switch(config)# identity profile eapoudp
switch(config-id-policy)# device authenticate 10.10.1.1 255.255.255.245 policy AdminPolicy

This example shows how to remove a device from the EAPoUDP identity profile:

switch# configure terminal
switch(config)# identity profile eapoudp
switch(config-id-policy)# no device authenticate 10.10.2.2 255.255.255.245 policy UserPolicy

Related Commands

Command
Description

identity policy

Creates or specifies an identity policy and enters identity policy configuration mode.

show identity policy

Displays identity policy information.


dot1x default

To reset the 802.1X global or interface configuration to the default, use the dot1x default command.

dot1x default

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Global configuration
Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to set the global 802.1X parameters to the default:

switch# configure terminal
switch(config)# dot1x default

This example shows how to set the interface 802.1X parameters to the default:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x default

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x

Displays 802.1X feature status information.


dot1x host-mode

To allow 802.1X authentication for either a single supplicant or multiple supplicants on an interface, use the dot1x host-mode command. To revert to the default, use the no form of this command.

dot1x host-mode {multi-host | single-host}

no dot1x host-mode

Syntax Description

multi-host

Allows 802.1X authentication for multiple supplicants on the interface.

single-host

Allows 802.1X authentication for only a single supplicant on the interface.


Defaults

single-host

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to allow 802.1X authentication of multiple supplicants on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x host-mode multi-host

This example shows how to revert to the default host mode on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no dot1x host-mode

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x initialize

To initialize 802.1X authentication for supplicants, use the dot1x initialize command.

dot1x initialize [interface ethernet slot/port]

Syntax Description

interface ethernet slot/port

(Optional) Specifies the interface for 802.1X authentication initialization.


Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to initialize 802.1X authentication for supplicants on the Cisco NX-OS device:

switch# dot1x initialize

This example shows how to initialize 802.1X authentication for supplicants on an interface:

switch# dot1x initialize interface ethernet 2/1

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x mac-auth-bypass

To enable MAC address authentication bypass on interfaces with no 802.1X supplicants, use the dot1x mac-auth-bypass command. To disable MAC address authentication bypass, use the no form of this command.

dot1x mac-auth-bypass [eap]

no dot1x mac-auth-bypass

Syntax Description

eap

Specifies that the bypass use Extensible Authentication Protocol (EAP).


Defaults

Disabled

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to enable MAC address authentication bypass:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# dot1x mac-auth-bypass

This example shows how to disable MAC address authentication bypass:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no dot1x mac-auth-bypass

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x max-reauth-req

To change the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to supplicants on an interface before the session times out, use the dot1x max-reauth-req command. To revert to the default, use the no form of this command.

dot1x max-reauth-req retry-count

no dot1x max-reauth-req

Syntax Description

retry-count

Retry count for reauthentication requests. The range is from 1 to 10.


Defaults

2 retries

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to change the maximum number of reauthentication request retries for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# dot1x max-reauth-req 3

This example shows how to revert to the default maximum number of reauthentication request retries for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no dot1x max-reauth-req

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x max-req

To change the maximum number of requests that the Cisco NX-OS device sends to a supplicant before restarting the 802.1X authentication, use the dot1x max-req command. To revert to the default, use the no form of this command.

dot1x max-req retry-count

no dot1x max-req

Syntax Description

retry-count

Retry count for requests sent to the supplicant before the device restarts 802.1X authentication. The range is from 1 to 10.


Defaults

Global configuration: 2 retries

Interface configuration: Global configuration setting

Command Modes

Global configuration
Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to change the maximum number of request retries for the global 802.1X configuration:

switch# configure terminal
switch(config)# dot1x max-req 3

This example shows how to revert to the default maximum number of request retries for the global 802.1X configuration:

switch# configure terminal
switch(config)# no dot1x max-req

This example shows how to change the maximum number of request retries for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# dot1x max-req 4

This example shows how to revert to the default maximum number of request retries for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no dot1x max-req

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x pae authenticator

To create the 802.1X authenticator port access entity (PAE) role for an interface, use the dot1x pae authenticator command. To remove the 802.1X authenticator PAE role, use the no form of this command.

dot1x pae authenticator

no dot1x pae authenticator

Syntax Description

This command has no arguments or keywords.

Defaults

802.1X automatically creates the authenticator PAE when you enable the feature on an interface.

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.2(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface. When you disable 802.1X on the interface, the Cisco NX-OS software does not automatically clear the authenticator PAE instances. You can explicitly remove the authenticator PAE from the interface and then reapply it, as needed.

This command does not require a license.

Examples

This example shows how to create the 802.1X authenticator PAE role on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# dot1x pae authenticator

This example shows how to remove the 802.1X authenticator PAE role from an interface:

switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# no dot1x pae authenticator

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x interface

Displays 802.1X feature status information for an interface.


dot1x port-control

To control the 802.1X authentication performed on an interface, use the dot1x port-control command. To revert to the default, use the no form of this command.

dot1x port-control {auto | force-authorized | force-unauthorized}

no dot1x port-control {auto | force-authorized | force-unauthorized}

Syntax Description

auto

Enables 802.1X authentication on the interface.

force-authorized

Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication.

force-unauthorized

Disallows all authentication on the interface.


Defaults

force-authorized

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to change the 802.1X authentication action performed on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x port-control auto

This example shows how to revert to the default 802.1X authentication action performed on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no dot1x port-control auto

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x interface ethernet

Displays 802.1X information for an interface.


dot1x radius-accounting

To enable RADIUS accounting for 802.1X, use the dot1x radius-accounting command. To revert to the default, use the no form of this command.

dot1x radius-accounting

no dot1x radius-accounting

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to enable RADIUS accounting for 802.1X authentication:

switch# configure terminal
switch(config)# dot1x radius-accounting

This example shows how to disable RADIUS accounting for 802.1X authentication:

switch# configure terminal
switch(config)# no dot1x radius-accounting

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show running-config dot1x all

Displays all 802.1X information in the running configuration.


dot1x re-authentication (EXEC)

To manually reauthenticate 802.1X supplicants, use the dot1x re-authentication command.

dot1x re-authentication [interface ethernet slot/port]

Syntax Description

interface ethernet slot/port

(Optional) Specifies the interface for manual reauthentication.


Defaults

None

Command Modes

EXEC

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to reauthenticate 802.1X supplicants manually:

switch# dot1x re-authentication

This example shows how to reauthenticate the 802.1X supplicant on an interface manually:

switch# dot1x re-authentication interface ethernet 2/1

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x re-authentication (global configuration and interface configuration)

To enable periodic reauthentication of 802.1X supplicants, use the dot1x re-authentication command. To revert to the default, use the no form of this command.

dot1x re-authentication

no dot1x re-authentication

Syntax Description

This command has no arguments or keywords.

Defaults

Global configuration: Disabled

Interface configuration: Global configuration setting

Command Modes

Global configuration
Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You must use the feature dot1x command before you configure 802.1X.

In global configuration mode, this command configures periodic reauthentication for all supplicants on the Cisco NX-OS device. In interface configuration mode, this command configures periodic reauthentication only for supplicants on the interface.

This command does not require a license.

Examples

This example shows how to enable periodic reauthentication of 802.1X supplicants:

switch# configure terminal
switch(config)# dot1x re-authentication

This example shows how to disable periodic reauthentication of 802.1X supplicants:

switch# configure terminal
switch(config)# no dot1x re-authentication

This example shows how to enable periodic reauthentication of 802.1X supplicants on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x re-authentication

This example shows how to disable periodic reauthentication of 802.1X supplicants on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no dot1x re-authentication

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x system-auth-control

To enable 802.1X authentication, use the dot1x system-auth-control command. To disable 802.1X authentication, use the no form of this command.

dot1x system-auth-control

no dot1x system-auth-control

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The dot1x system-auth-control command does not delete the 802.1X configuration.

You must use the feature dot1x command before you configure 802.1X.

This command does not require a license.

Examples

This example shows how to disable 802.1X authentication:

switch# configure terminal
switch(config)# no dot1x system-auth-control

This example shows how to enable 802.1X authentication:

switch# configure terminal
switch(config)# dot1x system-auth-control

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x

Displays 802.1X feature status information.


dot1x timeout quiet-period

To configure the 802.1X quiet-period timeout globally or for an interface, use the dot1x timeout quiet-period command. To revert to the default, use the no form of this command.

dot1x timeout quiet-period seconds

no dot1x timeout quiet-period

Syntax Description

seconds

Number of seconds for the 802.1X quiet-period timeout. The range is from 1 to 65535.


Defaults

Global configuration: 60 seconds

Interface configuration: The value of the global configuration

Command Modes

Global configuration
Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The 802.1X quiet-period timeout is the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.

You must use the feature dot1x command before you configure 802.1X.


Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


This command does not require a license.

Examples

This example shows how to configure the global 802.1X quiet-period timeout:

switch# configure terminal
switch(config)# dot1x timeout quiet-period 45

This example shows how to revert to the default global 802.1X quiet-period timeout:

switch# configure terminal
switch(config)# no dot1x timeout quiet-period

This example shows how to configure the 802.1X quiet-period timeout for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# dot1x timeout quiet-period 50

This example shows how to revert to the default 802.1X quiet-period timeout for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no dot1x timeout quiet-period

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x timeout ratelimit-period

To configure the 802.1X rate-limit period timeout for the supplicants on an interface, use the dot1x timeout ratelimit-period command. To revert to the default, use the no form of this command.

dot1x timeout ratelimit-period seconds

no dot1x timeout ratelimit-period

Syntax Description

seconds

Number of seconds for the 802.1X rate-limit period timeout. The range is from 1 to 65535.


Defaults

0 seconds

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The 802.1X rate-limit timeout period is the number of seconds that the authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated. This value overrides the global quiet period timeout.

You must use the feature dot1x command before you configure 802.1X.


Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


This command does not require a license.

Examples

This example shows how to configure the 802.1X rate-limit period timeout on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x timeout ratelimit-period 60

This example shows how to revert to the default 802.1X rate-limit period timeout on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no dot1x timeout ratelimit-period

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x interface ethernet

Displays 802.1X information for an interface.


dot1x timeout re-authperiod

To configure the 802.1X reauthentication-period timeout either globally or on an interface, use the dot1x timeout re-authperiod command. To revert to the default, use the no form of this command.

dot1x timeout re-authperiod seconds

no dot1x timeout re-authperiod

Syntax Description

seconds

Number of seconds for the 802.1X reauthentication-period timeout. The range is from 1 to 65535.


Defaults

Global configuration: 3600 seconds

Interface configuration: Global configuration setting

Command Modes

Global configuration
Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The 802.1X reauthentication timeout period is the number of seconds between reauthentication attempts.

You must use the feature dot1x command before you configure 802.1X.


Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


This command does not require a license.

Examples

This example shows how to configure the global 802.1X reauthentication-period timeout:

switch# configure terminal
switch(config)# dot1x timeout re-authperiod 3000

This example shows how to configure the 802.1X reauthentication-period timeout on an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# dot1x timeout re-authperiod 3300

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.


dot1x timeout server-timeout

To configure the 802.1X server timeout for an interface, use the dot1x timeout server-timeout command. To revert to the default, use the no form of this command.

dot1x timeout server-timeout seconds

no dot1x timeout server-timeout

Syntax Description

seconds

Number of seconds for the 802.1X server timeout. The range is from 1 to 65535.


Defaults

30 seconds

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The 802.1X server timeout for an interface is the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. This value overrides the global reauthentication period timeout.

You must use the feature dot1x command before you configure 802.1X.


Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


This command does not require a license.

Examples

This example shows how to configure the 802.1X server timeout interval on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x timeout server-timeout 45

This example shows how to revert to the default 802.1X server timeout interval on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no dot1x timeout server-timeout

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x interface ethernet

Displays 802.1X information for an interface.


dot1x timeout supp-timeout

To configure the 802.1X supplicant timeout for an interface, use the dot1x timeout supp-timeout command. To revert to the default, use the no form of this command.

dot1x timeout supp-timeout seconds

no dot1x timeout supp-timeout

Syntax Description

seconds

Number of seconds for the 802.1X supplicant timeout. The range is from 1 to 65535.


Defaults

30 seconds

Command Modes

Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The 802.1X supplicant timeout for an interface is the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame.

You must use the feature dot1x command before you configure 802.1X.


Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


This command does not require a license.

Examples

This example shows how to configure the 802.1X supplicant timeout interval on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# dot1x timeout supp-timeout 45

This example shows how to revert to the default 802.1X supplicant timeout interval on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# no dot1x timeout supp-timeout

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x interface ethernet

Displays 802.1X information for an interface.


dot1x timeout tx-period

To configure the 802.1X transmission-period timeout either globally or for an interface, use the dot1x timeout tx-period command. To revert to the default, use the no form of this command.

dot1x timeout tx-period seconds

no dot1x timeout tx-period

Syntax Description

seconds

Number of seconds for the 802.1X transmission-period timeout. The range is from 1 to 65535.


Defaults

Global configuration: 60 seconds

Interface configuration: Global configuration setting

Command Modes

Global configuration
Interface configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The 802.1X transmission-timeout period is the number of seconds that the Cisco NX-OS device waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request.

You must use the feature dot1x command before you configure 802.1X.


Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.


This command does not require a license.

Examples

This example shows how to configure the global 802.1X transmission-period timeout:

switch# configure terminal
switch(config)# dot1x timeout tx-period 45

This example shows how to revert to the default global 802.1X transmission-period timeout:

switch# configure terminal
switch(config)# no dot1x timeout tx-period

This example shows how to configure the 802.1X transmission-period timeout for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# dot1x timeout tx-period 45

This example shows how to revert to the default 802.1X transmission-period timeout for an interface:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no dot1x timeout tx-period

Related Commands

Command
Description

feature dot1x

Enables the 802.1X feature.

show dot1x all

Displays all 802.1X information.
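The dot1x entries above describe each command in isolation. The following configuration, added here as an example and not taken from the Cisco reference, puts them together: it contrasts the interface default of force-authorized, which passes all traffic without authentication even after feature dot1x is enabled, with an enforcing interface configuration and the show commands used to verify it. The RADIUS server group name RADIUS-GROUP and the interface number are placeholders.

```text
! Added example, not from the Cisco reference. Placeholders assumed:
! RADIUS server group "RADIUS-GROUP", interface ethernet 2/1.
!
! --- Weak state: the feature is on, but force-authorized (the
! --- interface default) passes all traffic without authentication.
feature dot1x
dot1x system-auth-control
interface ethernet 2/1
  dot1x port-control force-authorized
!
! --- Enforcing configuration built from the commands in this section.
feature dot1x
dot1x system-auth-control
! Send EAP exchanges to a RADIUS server group (the aaa authentication
! dot1x default group command is listed elsewhere in this reference).
aaa authentication dot1x default group RADIUS-GROUP
! Account every 802.1X session so logon/logoff is recorded on RADIUS.
dot1x radius-accounting
! Periodic reauthentication is disabled by default; the 3600-second
! re-authperiod only matters once it is enabled.
dot1x re-authentication
dot1x timeout re-authperiod 3600
! Global max-req, quiet-period and tx-period stay at their defaults;
! the reference advises changing them only for unreliable links.
interface ethernet 2/1
  ! auto: nothing passes until the supplicant authenticates.
  dot1x port-control auto
  ! Ignore EAPOL-Start from already-authenticated hosts for 60 s.
  dot1x timeout ratelimit-period 60
  ! Only where a device has no supplicant: bypass identifies the host
  ! by MAC address alone, so keep it off ports that do not need it.
  ! dot1x mac-auth-bypass
!
! --- Verification (EXEC mode).
! show dot1x all                      global settings and per-port state
! show dot1x interface ethernet 2/1   PAE role, port-control, timers
! show running-config dot1x all       includes values left at default
! dot1x re-authentication interface ethernet 2/1   force a reauth now
```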


enable Cert-DN-match

To enable LDAP users to log in only if the user profile lists the subject-DN of the user certificate as authorized for login, use the enable Cert-DN-match command. To disable this configuration, use the no form of this command.

enable Cert-DN-match

no enable Cert-DN-match

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

LDAP server group configuration

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to enable LDAP users to log in only if the user profile lists the subject-DN of the user certificate as authorized for login:

switch# configure terminal
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# enable Cert-DN-match
switch(config-ldap)#

Related Commands

Command
Description

aaa group server ldap

Creates an LDAP server group and enters the LDAP server group configuration mode for that group.

enable user-server-group

Enables group validation for an LDAP server group.

server

Configures the LDAP server as a member of the LDAP server group.

show ldap-server groups

Displays the LDAP server group configuration.


enable

To enable a user to move to a higher privilege level after being prompted for a secret password, use the enable command.

enable level

Syntax Description

level

Privilege level to which the user must log in. The only available level is 15.


Defaults

Privilege level 15

Command Modes

EXEC configuration

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.

This command does not require a license.

Examples

This example shows how to enable the user to move to a higher privilege level after being prompted for a secret password:

switch# enable 15

Related Commands

Command
Description

enable secret priv-lvl

Enables a secret password for a specific privilege level.

feature privilege

Enables the cumulative privilege of roles for command authorization on TACACS+ servers.

show privilege

Displays the current privilege level, username, and status of cumulative privilege support.

username user-id priv-lvl

Enables a user to use privilege levels for authorization.


enable secret

To enable a secret password for a specific privilege level, use the enable secret command. To disable the password, use the no form of this command.

enable secret [0 | 5] password [priv-lvl priv-lvl | all]

no enable secret [0 | 5] password [priv-lvl priv-lvl | all]

Syntax Description

0

(Optional) Specifies that the password is in clear text.

5

(Optional) Specifies that the password is in encrypted format.

password

Password for user privilege escalation. It contains up to 64 alphanumeric, case-sensitive characters.

priv-lvl priv-lvl

(Optional) Specifies the privilege level to which the secret belongs. The range is from 1 to 15.

all

Adds or removes all privilege level secrets.


Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command.

This command does not require a license.

Examples

This example shows how to enable a secret password for a specific privilege level:

switch# configure terminal
switch(config)# feature privilege
switch(config)# enable secret 5 def456 priv-lvl 15
switch(config)# username user2 priv-lvl 15
switch(config)#

Related Commands

Command
Description

enable level

Enables the user to move to a higher privilege level after being prompted for a secret password.

feature privilege

Enables the cumulative privilege of roles for command authorization on TACACS+ servers.

show privilege

Displays the current privilege level, username, and status of cumulative privilege support.

username user-id priv-lvl

Enables a user to use privilege levels for authorization.


enable user-server-group

To enable group validation for an LDAP server group, use the enable user-server-group command. To disable group validation, use the no form of this command.

enable user-server-group

no enable user-server-group

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

LDAP server group configuration

Command History

Release
Modification

5.0(2)

This command was introduced.


Usage Guidelines

To use this command, you must configure the LDAP server group name in the LDAP server.

Users can log in through public-key authentication only if the username is listed as a member of this configured group in the LDAP server.

This command does not require a license.

Examples

This example shows how to enable group validation for an LDAP server group:

switch# configure terminal
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# enable user-server-group
switch(config-ldap)#

Related Commands

Command
Description

aaa group server ldap

Creates an LDAP server group and enters the LDAP server group configuration mode for that group.

enable Cert-DN-match

Enables LDAP users to log in only if the user profile lists the subject-DN of the user certificate as authorized for login.

server

Configures the LDAP server as a member of the LDAP server group.

show ldap-server groups

Displays the LDAP server group configuration.


encryption decrypt type6

To convert type-6 encrypted passwords back to their original state, use the encryption decrypt type6 command.

encryption decrypt type6

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to convert type6 encrypted passwords back to their original state:

switch# encryption decrypt type6
Please enter current Master Key:

Related Commands

Command
Description

encryption re-encrypt obfuscated

Converts the existing obfuscated passwords to type6 encrypted passwords.

key config-key

Configures the master key for the type-6 encryption.


encrypt pause-frame

To configure pause frame encryption for Cisco Trusted Security (Cisco TrustSec) on an interface, use the encrypt pause-frame command. To remove the pause frame encryption, use the no form of this command.

encrypt pause-frame

no encrypt pause-frame

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled on the line cards that support the encryption of pause frames

Command Modes

Cisco TrustSec 802.1X configuration mode (config-if-cts-dot1x)
Cisco TrustSec manual configuration mode (config-if-cts-manual)

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

You must enable flow control on the interface by using the flowcontrol {send | receive} command.

When you enter the no encrypt pause-frame command, pause frames are sent unencrypted. When you enter the encrypt pause-frame command, pause frames are sent encrypted over the Cisco TrustSec link.

You cannot enable Cisco TrustSec on interfaces in half-duplex mode. Use the show interface command to determine if an interface is configured for half-duplex mode.


Note F1 Series modules, F2 Series modules and the N7K-M132XP-12(L) module support only clear pause frames. All other M1 Series modules support both secure (encrypted and decrypted) and clear pause frames.



Caution For the pause frame encryption or decryption configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

This command does not require a license.

Examples

This example shows how to disable pause frame encryption on an interface and restart the interface so that the change takes effect:

switch# configure terminal
switch(config)# interface ethernet 2/2
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no encrypt pause-frame
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
switch(config-if)# exit
switch(config)#

Related Commands

Command
Description

cts dot1x

Enables Cisco TrustSec authentication on an interface and enters Cisco TrustSec 802.1X configuration mode.

cts manual

Enters Cisco TrustSec manual configuration mode for an interface.

show cts interface

Displays the Cisco TrustSec configuration information for interfaces.


encryption delete type6

To delete strongly encrypted passwords on the NX-OS device, use the encryption delete type6 command.

encryption delete type6

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

This command does not require a license.

Examples

This example shows how to delete strongly encrypted passwords:

switch# configure terminal
switch(config)# encryption delete type6
Please enter current Master Key:
switch(config)# 

Related Commands

Command
Description

encryption re-encrypt obfuscated

Converts the existing obfuscated passwords to type-6 encrypted passwords.

key config-key

Configures the master key for the type-6 encryption.


encryption re-encrypt obfuscated

To convert the existing obfuscated passwords to type-6 encrypted passwords, use the encryption re-encrypt obfuscated command.

encryption re-encrypt obfuscated

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
vdc-admin

Command History

Release
Modification

5.2(1)

This command was introduced.


Usage Guidelines

When you use the encryption re-encrypt obfuscated command, existing secrets, such as plain-text or weakly encrypted passwords, are converted to type-6 encryption if the encryption service is enabled with a master key.

This command does not require a license.

Examples

This example shows how to convert the existing obfuscated passwords to type-6 encrypted passwords:

switch# encryption re-encrypt obfuscated

Related Commands