Cisco Virtual Security Gateway for Nexus 1000V Series Switch Command Reference, Release 4.2(1)VSG1(2)
Nexus 1000v Commands

Cisco Nexus 1000V Series Switch Commands

Table Of Contents

Cisco Nexus 1000V Series Switch Commands

clear vsn connection

clear vsn statistics

switchport mode

switchport access vlan

state (port profile)

copy running-config startup-config

vnm-policy-agent

log-level

ping vsn

policy-agent-image

pop

push

registration-ip

shared-secret

show vnm-pa status

port-profile

show running-config

tcp state-checks

vn-service ip-address

org

show vsn brief

show vsn connection

show vsn detail

show vsn port vethernet

show vsn statistics

vlan

vmware port-group

vsn type vsg global


Cisco Nexus 1000V Series Switch Commands


This chapter provides information about the Cisco Virtual Security Gateway (VSG) related commands on the Cisco Nexus 1000V Series switch and the Cisco Nexus 1010 networking appliance.

clear vsn connection

To clear Cisco VSG connections, use the clear vsn connection command.

clear vsn connection [module module-number]

Syntax Description

module

(Optional) Clears a specific module.

module-number

Module number. The range is from 3 to 66.


Defaults

None

Command Modes

EXEC

Global configuration (config)

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to clear Cisco VSG connections:

vsm# clear vsn connection

Related Commands

Command
Description

show vsn

Displays Cisco VSG information.


clear vsn statistics

To clear Cisco VSG statistics, use the clear vsn statistics command.

clear vsn statistics [module module-number | vlan vlan-number ip ip-address [module module-number]]

Syntax Description

module

(Optional) Clears a module.

module-number

Module number. The range of values is from 3 to 66.

vlan

(Optional) Clears a VLAN.

vlan-number

VLAN number.

ip

(Optional) Clears a device at a specific IP address.

ip-address

IP address. The format is A.B.C.D.


Defaults

None

Command Modes

EXEC

Global configuration (config)

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to clear Cisco VSG statistics:

vsm# clear vsn statistics

Related Commands

Command
Description

show vsn

Displays Cisco VSG information.


switchport mode

To set the port mode of an interface, use the switchport mode command. To remove the port mode configuration, use the no form of this command.

switchport mode {access | private-vlan {host | promiscuous} | trunk}

no switchport mode {access | private-vlan {host | promiscuous} | trunk}

Syntax Description

access

Sets the port mode to access.

private-vlan

Sets the port mode to private VLAN.

host

Sets the port mode private VLAN to host.

promiscuous

Sets the port mode private VLAN to promiscuous.

trunk

Sets the port mode to trunk.


Defaults

Switchport mode is not set.

Command Modes

Interface configuration (config-if)

Port profile configuration (config-port-prof)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to set the port mode of an interface:

vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# switchport mode private-vlan host
vsm(config-if)#
 
   

This example shows how to remove the mode configuration:

vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# no switchport mode private-vlan host
vsm(config-if)#

Related Commands

Command
Description

show interface

Displays interface information.


switchport access vlan

To set the access mode of an interface, use the switchport access vlan command. To remove the access mode configuration, use the no form of this command.

switchport access vlan vlan-id

no switchport access vlan vlan-id

Syntax Description

vlan-id

VLAN identification number. The range of values is from 1 to 3967.


Defaults

Access mode is not set.

Command Modes

Interface configuration (config-if)

Port profile configuration (config-port-prof)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to set the access mode of an interface:

vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# switchport access vlan 100
vsm(config-if)#
 
   

This example shows how to remove the access mode configuration:

vsm# configure
vsm(config)# interface vethernet 1
vsm(config-if)# no switchport access vlan
vsm(config-if)#

Related Commands

Command
Description

show interface

Displays interface information.


state (port profile)

To enable the operational state of a port profile, use the state command. To disable the operational state of a port profile, use the no form of the command.

state enabled

no state enabled

Syntax Description

enabled

Enables or disables the port profile.


Defaults

Disabled

Command Modes

Port profile configuration (config-port-prof)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to enable the operational state of a port profile:

vsm# configure
vsm(config)# port-profile testprofile
vsm(config-port-prof)# state enabled
vsm(config-port-prof)#

Related Commands

Command
Description

show port-profile

Displays port profile information.


copy running-config startup-config

To copy the running configuration to the startup configuration, use the copy running-config startup-config command.

copy running-config startup-config

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any command mode

Supported User Roles

network-admin
network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

Use this command to save configuration changes in the running configuration to the startup configuration in persistent memory. When a device reload or switchover occurs, the saved configuration is applied.

Examples

This example shows how to save the running configuration to the startup configuration:

vsm# copy running-config startup-config
[########################################] 100%

Related Commands

Command
Description

show running-config

Displays the running configuration.

show running-config diff

Displays the differences between the running configuration and the startup configuration.

show startup-config

Displays the startup configuration.

write erase

Erases the startup configuration in the persistent memory.


vnm-policy-agent

To enter Cisco Virtual Network Management Center (VNMC) policy agent mode, use the vnm-policy-agent command.

vnm-policy-agent

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Global configuration (config)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

Use the Cisco VNMC policy agent configuration mode to configure policy agents.

Examples

This example shows how to enter policy agent mode:

vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# 

Related Commands

Command
Description

configure

Enters global configuration mode.


log-level

To set logging severity levels for the Cisco Virtual Network Management Center (VNMC) policy agent, use the log-level command. To reset logging levels, use the no form of this command.

log-level {critical | debug0 | debug1 | debug2 | debug3 | debug4 | info | major | minor | warn}

no log-level {critical | debug0 | debug1 | debug2 | debug3 | debug4 | info | major | minor | warn}

Syntax Description

critical

Sets the logging level to critical.

debug0

Sets the logging level to debug 0.

debug1

Sets the logging level to debug 1.

debug2

Sets the logging level to debug 2.

debug3

Sets the logging level to debug 3.

debug4

Sets the logging level to debug 4.

info

Sets the logging level to information.

major

Sets the logging level to major.

minor

Sets the logging level to minor.

warn

Sets the logging level to warning.


Command Default

None

Command Modes

Cisco VNMC policy agent configuration (config-vnm-policy-agent)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to set the logging level to critical:

vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# log-level critical

Related Commands

Command
Description

vnm-policy-agent

Enables the Cisco VNMC policy agent configuration mode.


ping vsn

To ping the virtual service nodes (VSN) (including the Cisco VSG) from the vPath, use the ping vsn command. There is no no form of this command.

ping vsn {ip vsn-ip-addr [vlan vsn-vlan-num] | all} src-module {module-num | all | vpath-all} [timeout secs] [count count]

Syntax Description

ip

Designates that a specific IP address is to be pinged.

vsn-ip-addr

IP address of the specific VSN.

vlan

(Optional) Designates that a specific VLAN is to be pinged.

vsn-vlan-num

Specific VLAN number.

all

Indicates that all VSNs must be pinged.

src-module

Designates the source module for the ping.

module-num

Module number for the source path.

vpath-all

Designates that all source vPaths will be used.

timeout

(Optional) Designates a timeout.

secs

Duration of the pinging operation in seconds.

count

(Optional) Designates a count of pings.

count

Number of pings to be counted.


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

Command History

Release
Modification

4.2(1)VSG1(2)

This command was introduced.


Usage Guidelines

There is no no form of this command.

Examples

This example shows how to ping a Cisco VSG:

vsm# ping ?
  <CR>
  A.B.C.D or Hostname  IP address of remote system
  WORD               Enter Hostname
  mpls               Ping an MPLS network
  multicast          Multicast ping
  vsn                VSNs to be pinged
 
   
vsm# ping vsn
 
   
Input parameters:
- vsn : VSNs to be pinged.
  - all : All VSNs that are currently associated with at least one VM. In other words, all VSNs specified in port-profiles that are bound to at least one VM.
  - ip-addr <ip-addr> : All VSNs configured with this IP address.
  - vlan <vlan-num> : All VSNs configured on this VLAN.
- src-module : Source modules to originate the ping request from.
  - all : All online modules.
  - vpath-all : All modules having VMs associated with port-profiles that have vn-service defined.
  - <module-num> : An online module number.
- timeout <secs> : Time to wait for a response from VSNs, in seconds. Default is 1 sec.
- count : Number of ping packets to be sent.
  - <count> : Specifies the number of ping packets to be sent. Default is 5. Min 1, Max 2147483647.
  - unlimited : Send ping packets until the command is stopped.
   

Specify both ip-addr and vlan if the VSN to be pinged is not yet associated with any VMs.

The output shows the status of the ping request for each VSN from each module. On success, the round-trip time of the ping request and response for a VSN is shown in microseconds next to the module number. On failure, the failure message is shown next to the module number.

 
   
Various forms:
ping vsn all src-module all                (Ping all VSNs from all modules)
ping vsn all src-module vpath-all              (Ping all VSNs from all modules having
                                                VMs associated to VSNs)
ping vsn all src-module 3                      (Ping all VSNs from the specified module)
ping vsn ip 106.1.1.1 src-module all           (Ping specified VSN from all modules)
ping vsn ip 106.1.1.1 vlan 54  src-module all (Ping specified VSN from all modules)
ping vsn ip 106.1.1.1 src-module vpath-all   (Ping specified VSN from all modules 
                                                having VMs associated to VSNs)
ping vsn ip 106.1.1.1 vlan 54 src-module 3     (Ping specified VSN from specified 
                                                module)
 
   

The timeout and count options are applicable to all of the above commands:

ping vsn all src-module all timeout 2 count 10
ping vsn all ip 106.1.1.1 count unlimited
ping vsn ip 106.1.1.1 vlan 54 src-module 3 count 10
 
   
Errors:
VSN response timeout - VSN is down, not reachable or not responding.
VSN ARP not resolved - VEM couldn't resolve MAC address of VSN.
no response from VEM - VEM is not sending ping response to VSM. Can happen when VEM
                       is down and VSM has not detected it yet.
 
   

The following example shows the ping vsn command being used to display all of the source module traffic.

 
   
vsm# ping vsn all src-module all
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
  module(usec)   :  3(156)  5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
 
   
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
  module(usec)   :  3(230)  5(151)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
 
   
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
  module(usec)   :  3(239)  5(131)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=2 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
 
   
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
  module(usec)   :  3(248)  5(153)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=3 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
 
   
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
  module(usec)   :  3(259)  5(126)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=4 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
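
The per-module result lines above lend themselves to automated health checks. The following is an added example, not part of the original Cisco documentation: a parser that turns `ping vsn` output into a per-VSN, per-module reachability summary and attaches the error meanings listed above. The sample output is constructed in the page's format; a single ping reporting both a `module(usec)` and a `module(failed)` line is an assumption about how mixed results are printed.

```python
import re
from collections import Counter, defaultdict

# Constructed output in the format of the page's
# "ping vsn all src-module all" example (values are made up).
SAMPLE_OUTPUT = """\
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
  module(usec)   :  3(156)  5(160)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=0 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
ping vsn 106.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
  module(usec)   :  3(230)
  module(failed) :  5(VSN response timeout)
ping vsn 110.1.1.1 vlan 54 from module 3 5, seq=1 timeout=1-sec
  module(failed) :  3(VSN ARP not resolved)  5(VSN ARP not resolved)
"""

# Error strings and their meanings as listed on the page.
ERROR_MEANINGS = {
    "VSN response timeout": "VSN is down, not reachable or not responding",
    "VSN ARP not resolved": "VEM could not resolve the MAC address of the VSN",
    "no response from VEM": "VEM is not sending ping responses to the VSM",
}

HEADER_RE = re.compile(r"^ping vsn (\S+) vlan (\d+) from module [\d ]+, seq=\d+")
RESULT_RE = re.compile(r"^\s*module\((usec|failed)\)\s*:\s*(.*)$")
ENTRY_RE = re.compile(r"(\d+)\(([^)]*)\)")  # e.g. 3(156) or 5(VSN ARP not resolved)


def parse_ping_vsn(text):
    """Return {(vsn_ip, vlan, module): {"rtts": [usec], "errors": [str]}}."""
    stats = defaultdict(lambda: {"rtts": [], "errors": []})
    target = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            target = (header.group(1), int(header.group(2)))
            continue
        result = RESULT_RE.match(line)
        if not result or target is None:
            continue  # blank lines, prompts, anything unrecognised
        kind, body = result.groups()
        for module, value in ENTRY_RE.findall(body):
            entry = stats[target + (int(module),)]
            if kind == "usec":
                entry["rtts"].append(int(value))
            else:
                entry["errors"].append(value)
    return dict(stats)


def summarize(stats):
    """One row per VSN/module path: ok, degraded (mixed) or down (no replies)."""
    rows = []
    for (ip, vlan, module), s in sorted(stats.items()):
        if not s["errors"]:
            state = "ok"
        elif not s["rtts"]:
            state = "down"
        else:
            state = "degraded"
        top_error = Counter(s["errors"]).most_common(1)[0][0] if s["errors"] else None
        rows.append({
            "vsn": ip, "vlan": vlan, "module": module, "state": state,
            "avg_usec": sum(s["rtts"]) // len(s["rtts"]) if s["rtts"] else None,
            "error": top_error,
            "meaning": ERROR_MEANINGS.get(top_error),
        })
    return rows


if __name__ == "__main__":
    for row in summarize(parse_ping_vsn(SAMPLE_OUTPUT)):
        print(row)
```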

Related Commands

Command
Description

ping

Activates a signal to verify connections with other devices on a path.


policy-agent-image

To designate the policy agent image local URL as bootflash, use the policy-agent-image command. To remove the designation, use the no form of the command.

policy-agent-image bootflash:

no policy-agent-image bootflash:

Syntax Description

bootflash:

Designates the policy agent image local URL as bootflash.


Command Default

None

Command Modes

VNMC policy agent configuration (config-vnm-policy-agent)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to designate the local URL that contains the policy agent image:

vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# policy-agent-image bootflash:

Related Commands

Command
Description

vnm-policy-agent

Enables the VNM policy agent configuration mode.


pop

To pop a mode off the stack or to restore a mode, use the pop command.

pop file-name

Syntax Description

file-name

File name.


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to restore from a file called file1:

vsm# pop file1

Related Commands

Command
Description

push

Pushes the current mode onto the stack.


push

To push the current mode onto the stack or to save it, use the push command.

push file-name

Syntax Description

file-name

File name.


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to push file1 onto the stack:

vsm# push file1

Related Commands

Command
Description

pop

Pops the current mode off the stack.


registration-ip

To set the service registry IP address, use the registration-ip command. To discard the service registry IP address, use the no form of this command.

registration-ip ip-address

no registration-ip ip-address

Syntax Description

ip-address

Service registry IP address. The format is A.B.C.D.


Command Default

None

Command Modes

Cisco VNMC policy agent configuration mode (config-vnm-policy-agent)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to set the service registry IP address:

vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# registration-ip 209.165.200.233
vsm(config-vnm-policy-agent)# 

Related Commands

Command
Description

vnm-policy-agent

Enters the Cisco VNMC policy agent configuration mode.


shared-secret

To set the shared secret password for communication between the Cisco Virtual Security Gateway (VSG), the Virtual Supervisor Module (VSM), and the Cisco Virtual Network Management Center (VNMC), use the shared-secret command. To discard the shared secret password, use the no form of this command.

shared-secret shared-secret-password

no shared-secret shared-secret-password

Syntax Description

shared-secret-password

Shared secret password. The range of valid values is from 1 to 64. You must use at least one uppercase character.


Command Default

None

Command Modes

Cisco VNMC policy agent configuration mode (config-vnm-policy-agent)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Examples

This example shows how to set the shared secret password:

vsm# configure
vsm(config)# vnm-policy-agent
vsm(config-vnm-policy-agent)# shared-secret Password123
vsm(config-vnm-policy-agent)# 

Related Commands

Command
Description

vnm-policy-agent

Enters VNM policy agent configuration mode.


show vnm-pa status

To display the installation status of a policy agent, use the show vnm-pa status command.

show vnm-pa status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Global configuration (config)

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show vnm-pa status command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display the installation status of the policy agent:

vsm# configure
vsm(config)# show vnm-pa status
VNM Policy-Agent status is - Installed Successfully. Version 1.0(0.512)-vsm
vsm(config)#

Related Commands

Command
Description

vnm-policy-agent

Enters the Cisco VNMC policy agent configuration mode.


port-profile

To create a port profile and enter port profile configuration mode, use the port-profile command. To remove the port profile configuration, use the no form of this command.

port-profile profile-name

no port-profile profile-name

Syntax Description

profile-name

Port profile name. The range of valid values is from 1 to 80.


Defaults

None

Command Modes

Global configuration (config)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

The port profile name must be unique for each port profile.

Examples

This example shows how to create a port profile called AccessProf:

vsm# configure
vsm(config)# port-profile AccessProf
vsm(config-port-prof)#
 
   

This example shows how to remove the port profile called AccessProf:

vsm# configure
vsm(config)# no port-profile AccessProf
vsm(config)#

Related Commands

Command
Description

show port-profile

Displays information about the port profiles.


show running-config

To display the running configuration, use the show running-config command.

show running-config [aaa | aclmgr | all | am | arp | cdp | diff | exclude | expand-port-profile | icmpv6 | igmp | interface | ip | ipqos | ipv6 | l3vm | license | monitor | ntp | port-profile | port-security | radius | rpm | security | snmp | vdc-all | vlan | vshd]

Syntax Description

aaa

(Optional) Displays the Authentication, Authorization and Accounting (AAA) configuration.

aclmgr

(Optional) Displays the running configuration for Access Control List (ACL) manager.

all

(Optional) Displays the current operating configurations.

am

(Optional) Displays Application Management (AM) information.

arp

(Optional) Displays Address Resolution Protocol (ARP) information.

cdp

(Optional) Displays the Cisco Discovery Protocol (CDP) configuration.

diff

(Optional) Displays the difference between the running and startup configurations.

exclude

(Optional) Excludes the running configuration of specified features.

expand-port-profile

(Optional) Displays port profile information.

icmpv6

(Optional) Displays Internet Control Message Protocol version 6 (ICMPv6) information.

igmp

(Optional) Displays Internet Group Management Protocol (IGMP) information.

interface

(Optional) Displays interface configurations.

ip

(Optional) Displays Internet Protocol (IP) information.

ipqos

(Optional) Displays the running configuration for the IP Quality of Service (QoS) manager.

ipv6

(Optional) Displays IPv6 information.

l3vm

(Optional) Displays Layer 3 Virtual Machine (L3VM) information.

license

(Optional) Displays the licensing configuration.

monitor

(Optional) Displays Ethernet Switched Port Analyzer (SPAN) session information.

ntp

(Optional) Displays Network Time Protocol (NTP) information.

port-profile

(Optional) Displays port-profile configurations.

port-security

(Optional) Displays port-security configurations.

radius

(Optional) Displays the Remote Authentication Dial In User Service (RADIUS) configuration.

rpm

(Optional) Displays RPM information.

security

(Optional) Displays the security configurations.

snmp

(Optional) Displays the Simple Network Management Protocol (SNMP) configuration.

vdc-all

(Optional) Displays all Virtual Device Context (VDC) configurations.

vlan

(Optional) Displays virtual local area network (VLAN) information.

vshd

(Optional) Displays the running configuration for virtual shared hardware device (VSHD).


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show running-config command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display the running configuration:

vsm# show running-config
 
   
!Command: show running-config
!Time: Tue Jan  4 17:20:05 2011
 
   
version 4.2(1)SV1(4)
no feature telnet
 
   
username admin password 5 $1$z3M0/3no$j77mpF9f/mqmd7/mEZ6RR1  role network-admin
username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na.  role network-operator
 
   
banner motd #Nexus 1000v Switch#
 
   
ip domain-lookup
ip domain-lookup
switchname vsm
vem 3
  host vmware id 765186a7-eb7c-11de-b059-8843e1389748
vem 4
  host vmware id 90a97ac6-31d7-11df-ad65-68efbdf622ca
vem 5
  host vmware id 833fe152-3f8b-11df-bd70-68efbdf64970
snmp-server user admin network-admin auth md5 0x5ed3cfea7c44550ac3d18475f28b118b priv 0x5ed3cfea7c44550ac3d18475f28b118b localizedkey
 
   
vrf context management
  ip route 0.0.0.0/0 10.193.72.1
vlan 1,61-65
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile default port-binding static
port-profile type vethernet vm-clear
  vmware port-group
  switchport mode access
  switchport access vlan 63
  no shutdown
  state enabled
port-profile type vethernet vsn-service
  vmware port-group
  switchport mode access
  switchport access vlan 64
  no shutdown
  max-ports 1024
  state enabled
port-profile type ethernet system-uplink
  vmware port-group
  switchport trunk allowed vlan 61-70
  switchport mode trunk
  no shutdown
  system vlan 61-62
  state enabled
port-profile type vethernet vsg129-2
  vmware port-group
  switchport mode access
  switchport access vlan 63
  org root/Canon
  vn-service ip-address 10.10.129.2 vlan 64 security-profile sp-vsg2-1
  no shutdown
  state enabled
port-profile type vethernet vsg134-1
  vmware port-group
  switchport mode access
  switchport access vlan 63
  vn-service ip-address 10.10.134.1 vlan 64 mgmt-ip-address 10.10.73.132 security-profile sp1
  no shutdown
  state enabled
port-profile type vethernet vsg136-1
  vmware port-group
  switchport mode access
  switchport access vlan 63
  vn-service ip-address 10.10.136.1 vlan 64 mgmt-ip-address 10.10.73.137 security-profile sp1
  no shutdown
  state enabled
port-profile type vethernet vsg129_2-svc-vlan65
  vmware port-group
  switchport mode access
  switchport access vlan 65
  vn-service ip-address 10.10.129.2 vlan 64 mgmt-ip-address 10.10.73.131 security-profile sp1
  no shutdown
  state enabled
port-profile type vethernet vm-clear-vlan65
  vmware port-group
  switchport mode access
  switchport access vlan 65
  no shutdown
  state enabled
port-profile type ethernet Unused_Or_Quarantine_Uplink
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type vethernet vm-clear-vlan63
  vmware port-group
  switchport mode access
  switchport access vlan 63
  no shutdown
  state enabled
 
   
vdc vsm id 1
  limit-resource vlan minimum 16 maximum 2049
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 32 maximum 32
  limit-resource u6route-mem minimum 16 maximum 16
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8
 
   
interface mgmt0
  ip address 10.10.73.130/21
 
   
interface Vethernet1
  inherit port-profile vm-clear-vlan63
  description UD134-1,Network Adapter 2
  vmware dvport 7489 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.0029
 
   
interface Vethernet2
  inherit port-profile vsg136-1
  description UD136-1,Network Adapter 2
  vmware dvport 7458 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.0032
 
   
interface Vethernet3
  inherit port-profile vm-clear-vlan63
  description US136-1,Network Adapter 2
  vmware dvport 7492 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.0030
 
   
interface Vethernet4
  inherit port-profile vsg129-2
  description US129-1,Network Adapter 2
  vmware dvport 6563 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.003E
 
   
interface Vethernet5
  inherit port-profile vm-clear-vlan63
  description US129-2,Network Adapter 2
  vmware dvport 7491 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.0040
 
   
interface Vethernet6
  inherit port-profile vsn-service
  description VSG134-1,Network Adapter 1
  vmware dvport 3683 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.002C
 
   
interface Vethernet7
  inherit port-profile vsn-service
  description VSG129-2,Network Adapter 1
  vmware dvport 3686 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.0037
 
   
interface Vethernet8
  inherit port-profile vsn-service
  description VSG136-1,Network Adapter 1
  vmware dvport 3684 dvswitch uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c"
  vmware vm mac 0050.56BB.0034
 
   
interface Ethernet3/2
  inherit port-profile system-uplink
 
   
interface Ethernet4/6
  inherit port-profile system-uplink
 
   
interface Ethernet5/6
  inherit port-profile system-uplink
 
   
interface control0
line console
boot kickstart bootflash:/ks.bin sup-1
boot system bootflash:/sys.bin sup-1
boot kickstart bootflash:/ks.bin sup-2
boot system bootflash:/sys.bin sup-2
svs-domain
  domain id 61
  control vlan 61
  packet vlan 62
  svs mode L2  
svs connection vcenter
  protocol vmware-vim
  remote ip address 10.10.79.32 port 80
  vmware dvs uuid "90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c" datacenter-name NAME/S
  connect
vnm-policy-agent
  registration-ip 10.193.73.144
  shared-secret **********
  policy-agent-image bootflash:/vnmc-vsmpa.1.0.0.512.bin
  log-level
vsm# 

Related Commands

Command
Description

show aaa

Displays AAA information.


tcp state-checks

To configure the switch to perform TCP state checks, use the tcp state-checks command. To disable TCP state checks, use the no form of this command.

tcp state-checks

no tcp state-checks

Syntax Description

This command has no arguments or keywords.

Defaults

TCP state checks are enabled.

Command Modes

Global configuration (config)

Supported User Roles

network-admin

system-admin

Command History

Release
Modification

4.2(1)VSG1(2)

This command was introduced.


Usage Guidelines

Because TCP state checks in vPath are enabled by default, use the no form of the tcp state-checks command to disable the state checks.

Examples

This example shows how to enter the TCP state checks submode:

vsm# config
vsm(config)# vsn type vsg global
vsm(config-vsn)#

Related Commands

Command
Description

tcp state-checks

Enables tcp state checks in the vPath.


vn-service ip-address

To assign a data IP address, a VLAN number, and a profile to a Cisco VSG, use the vn-service ip-address command. To disable the data IP address, use the no form of the command.

vn-service ip-address ip-address vlan vlan-number [fail {close | open} | security-profile profile-name]

no vn-service ip-address ip-address vlan vlan-number [fail {close | open} | security-profile profile-name]

Syntax Description

ip-address

IP address. The format is A.B.C.D.

vlan vlan-number

Specifies the service VLAN number. The range of values is from 1 to 3967 and 4048 to 4093.

fail

(Optional) Sets states to be in either fail close or fail open.

close

Drops packets if the Cisco VSG is down.

open

Passes packets through if the Cisco VSG is down.

security-profile profile-name

(Optional) Specifies the security profile name.


Command Default

Fail close

Command Modes

Port profile configuration (config-port-prof)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

Use the vn-service ip-address command to configure the IP address, VLAN, and security profile for the Cisco VSG, and optionally to allow for a fail-safe configuration.

The fail mode specifies the behavior when the Virtual Ethernet Module (VEM) does not have connectivity to the Cisco VSG. The default fail mode is close, which means that the packets are dropped. The open fail mode means that packets are passed.

The security profile name must match one of the security profiles created on the Cisco VSG.

The IP address must match the data interface IP address on the Cisco VSG.

Examples

This example shows how to assign the IP address and VLAN number and how to specify that packets are to be passed when the Cisco VSG fails:

vsm# configure
Enter configuration commands, one per line. End with CNTL/Z.
vsm(config)# port-profile pP1
vsm(config-port-prof)# vn-service ip-address 209.165.200.236 vlan 2 fail open
vsm(config-port-prof)# 

Related Commands

Command
Description

show virtual-service-domain

Displays virtual service domain information.


org

To create a Cisco VNMC organization (domain), use the org command. To delete a Cisco VNMC organization, use the no form of the command.

org organization-name

no org [organization-name]

Syntax Description

organization-name

Organization name. The range of values is from 1 to 251.


Command Default

None

Command Modes

Port profile configuration (config-port-prof)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

Cisco VNMC organizations are Cisco VNMC domains.

You can manage Cisco VNMC organizations hierarchically. A user who is assigned to a top-level organization automatically has access to all organizations under it. For example, an engineering organization can contain a software engineering organization and a hardware engineering organization. A locale containing only the software engineering organization has access to system resources only within that organization. However, a locale that contains the engineering organization has access to the resources for both the software engineering and hardware engineering organizations.

Examples

This example shows how to create an organization:

vsm# configure
Enter configuration commands, one per line. End with CNTL/Z.
vsm(config)# port-profile pP1
vsm(config-port-prof)# org orgpP1
vsm(config-port-prof)# 

Related Commands

Command
Description

vn-service

Sets the IP address for a virtual firewall.


show vsn brief

To display a brief amount of information about the Cisco Virtual Security Gateway (VSG), use the show vsn brief command.

show vsn brief

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show vsn brief command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display information about Cisco VSGs:

vsm# show vsn brief
 VLAN           IP-ADDR           MAC-ADDR  FAIL-MODE  STATE  MODULE
   64     192.168.136.1  00:50:56:bb:00:34      Close     Up  5
   64     192.168.129.2  00:50:56:bb:00:37      Close     Up  3
vsm# 
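
The fail mode set with vn-service ip-address appears in the FAIL-MODE column of show vsn brief. The following Python script is an added example, not part of the Cisco documentation: it parses that table and reports service nodes that are fail open or not Up. The second table and its "Down" state value are constructed, and treating any state other than Up as "VSG unavailable" is an assumption.

```python
import re

# Output copied from the example above.
PAGE_OUTPUT = """\
 VLAN           IP-ADDR           MAC-ADDR  FAIL-MODE  STATE  MODULE
   64     192.168.136.1  00:50:56:bb:00:34      Close     Up  5
   64     192.168.129.2  00:50:56:bb:00:37      Close     Up  3
"""

# Constructed sample (not from the page). "Down" is an assumed state value.
CONSTRUCTED_OUTPUT = """\
 VLAN           IP-ADDR           MAC-ADDR  FAIL-MODE  STATE  MODULE
   64     192.168.136.1  00:50:56:bb:00:34       Open     Up  5
   64     192.168.129.2  00:50:56:bb:00:37      Close   Down  3
   65     192.168.140.9  00:50:56:bb:00:40       Open   Down  4
"""

ROW = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+"
    r"(?P<fail_mode>\S+)\s+(?P<state>\S+)\s+(?P<module>\d+)\s*$"
)

def parse_vsn_brief(text):
    """Return one dict per data row; header and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            row["vlan"], row["module"] = int(row["vlan"]), int(row["module"])
            rows.append(row)
    return rows

def audit_fail_mode(rows):
    """Return (ip, vlan, module, issue) for every row that is not fail close and Up."""
    findings = []
    for r in rows:
        fail_open = r["fail_mode"].lower() == "open"
        up = r["state"].lower() == "up"   # assumption: only Up means usable
        if fail_open and not up:
            issue = "fail open and not Up: packets pass without the VSG"
        elif fail_open:
            issue = "fail open: packets will pass if the VSG goes down"
        elif not up:
            issue = "fail close and not Up: packets are dropped"
        else:
            continue
        findings.append((r["ip"], r["vlan"], r["module"], issue))
    return findings

if __name__ == "__main__":
    print(audit_fail_mode(parse_vsn_brief(CONSTRUCTED_OUTPUT)))
```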

Related Commands

Command
Description

show vsn port vethernet

Displays information about the Cisco VSG.


show vsn connection

To display Cisco VSG connections, use the show vsn connection command.

show vsn connection [vlan vlan-num | ip ip-addr | module module-num]

Syntax Description

vlan

(Optional) Displays connections to a specific VLAN.

vlan-num

Specifies the VLAN number for the connection.

ip

(Optional) Displays connections to a specific IP address.

ip-addr

Specifies the IP address of the connection.

module

(Optional) Displays connections to a specific module.

module-num

Specifies the module number for the connection.


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.2(1)VSG1(2)

This command was modified to show more organized and explained output.

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show vsn connection command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display Cisco VSG connections:

vsm# show vsn connection
Flags:
P - policy at src                    p - policy at dst
O - conn offloaded to vPath at src   o - conn offloaded to vPath at dst
S - seen syn from src                s - seen syn from dst
A - seen ack for syn/fin from src    a - seen ack for syn/fin from dst
F - seen fin from src                f - seen fin from dst
R - seen rst from src                r - seen rst from dst
E - tcp conn established (SasA done) T - tcp conn torn down (FafA done)
 
   
VSG IP 106.1.1.1 VLAN 54
#Module 5
Proto SrcIP[:Port]          DstIP[:Port]          VLAN Action Flags        Bytes
 tcp  100.1.1.70:32785      100.1.1.80:80           53 permit PpOoE          452 
 udp  100.1.1.70:5636       100.1.1.80:4525         53 permit PpOo          4324
 icmp 100.1.1.70            100.1.1.80              53 permit PpOo          5432
VWAAS IP 110.1.1.1 VLAN 54
#Module 3
Proto SrcIP[:Port]          DstIP[:Port]          VLAN Action Flags        Bytes
 tcp  100.1.1.70:32785      100.1.1.80:80           53 permit PpOoE          543
 udp  100.1.1.70:4785       100.1.1.80:4553         53 permit PpOo          2343
vsm#
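
The Flags column packs per-connection state into one string. The following Python script is an added example, not part of the Cisco documentation: it parses the connection table shown above, tags each row with its service node and module, and expands the flags using the printed legend. The "established", "torn down" and "not established" labels are this example's own wording, derived from the E and T flags.

```python
import re

# Flag legend and connection table are copied from the example above.
FLAGS = {
    "P": "policy at src", "p": "policy at dst",
    "O": "conn offloaded to vPath at src", "o": "conn offloaded to vPath at dst",
    "S": "seen syn from src", "s": "seen syn from dst",
    "A": "seen ack for syn/fin from src", "a": "seen ack for syn/fin from dst",
    "F": "seen fin from src", "f": "seen fin from dst",
    "R": "seen rst from src", "r": "seen rst from dst",
    "E": "tcp conn established (SasA done)", "T": "tcp conn torn down (FafA done)",
}

PAGE_OUTPUT = """\
VSG IP 106.1.1.1 VLAN 54
#Module 5
Proto SrcIP[:Port]          DstIP[:Port]          VLAN Action Flags        Bytes
 tcp  100.1.1.70:32785      100.1.1.80:80           53 permit PpOoE          452
 udp  100.1.1.70:5636       100.1.1.80:4525         53 permit PpOo          4324
 icmp 100.1.1.70            100.1.1.80              53 permit PpOo          5432
VWAAS IP 110.1.1.1 VLAN 54
#Module 3
Proto SrcIP[:Port]          DstIP[:Port]          VLAN Action Flags        Bytes
 tcp  100.1.1.70:32785      100.1.1.80:80           53 permit PpOoE          543
 udp  100.1.1.70:4785       100.1.1.80:4553         53 permit PpOo          2343
"""

NODE = re.compile(r"^(\w+) IP (\S+) VLAN (\d+)\s*$")
MODULE = re.compile(r"^#Module (\d+)\s*$")
CONN = re.compile(r"^\s*(\w+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)\s+([A-Za-z]+)\s+(\d+)\s*$")
FIELDS = ("proto", "src", "dst", "vlan", "action", "flags", "bytes")

def decode_flags(flags):
    """Expand a flag string such as 'PpOoE' using the legend."""
    return [FLAGS.get(c, "unknown flag " + c) for c in flags]

def tcp_phase(flags):
    """Phase of a TCP connection, read from the E and T flags of the legend."""
    phase = "established" if "E" in flags else "not established"
    return "torn down" if "T" in flags else phase

def parse_connections(text):
    """Return one dict per connection row, tagged with service node and module."""
    node, module, conns = None, None, []
    for line in text.splitlines():
        if m := NODE.match(line):
            node, module = f"{m[1]} {m[2]}", None
        elif m := MODULE.match(line):
            module = int(m[1])
        elif m := CONN.match(line):
            row = dict(zip(FIELDS, m.groups()), node=node, module=module)
            row["vlan"], row["bytes"] = int(row["vlan"]), int(row["bytes"])
            conns.append(row)
    return conns
```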

Related Commands

Command
Description

show vsn port vethernet

Displays port information.


show vsn detail

To display detailed information about the Cisco Virtual Security Gateway (VSG), use the show vsn detail command.

show vsn detail

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show vsn detail command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display detailed information about Cisco VSGs:

vsm# show vsn detail
#VSN  VLAN: 64, IP-ADDR: 192.168.136.1
  Module: 5
#VSN  VLAN: 64, IP-ADDR: 192.168.129.2
  Module: 3
ankaa-vsm-master# show vsn detail
#VSN  VLAN: 64, IP-ADDR: 192.168.136.1
  MODULE       VSN-MAC-ADDR  FAIL-MODE   VSN-STATE
       5  00:50:56:bb:00:34      Close  No-License  
#VSN  VLAN: 64, IP-ADDR: 192.168.129.2
  MODULE       VSN-MAC-ADDR  FAIL-MODE   VSN-STATE
       3  00:50:56:bb:00:37      Close  No-License  
 
   
#VSN Ports, Port-Profile, Org and Security-Profile Association:
#VSN  VLAN: 64, IP-ADDR: 192.168.136.1
  Port-Profile: vsg136-1, Security-Profile: default, Org: Not-Available
    Module  Vethernet
         5  2
#VSN  VLAN: 64, IP-ADDR: 192.168.129.2
  Port-Profile: vsg129-2, Security-Profile: default, Org: Not-Available
    Module  Vethernet
         3  10, 4
vsm# 

Related Commands

Command
Description

show vsn port vethernet

Displays information about the Cisco VSG.


show vsn port vethernet

To display information about virtual Ethernet (vEth) ports, use the show vsn port vethernet command.

show vsn port vethernet port-number

Syntax Description

port-number

Port number. The range is from 1 to 1048575.


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show vsn port vethernet command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display information about vEth port 2:

vsm# show vsn port vethernet 2
Veth             : Veth2
VM Name          : UD136-1
VM uuid          : 42 3b e1 60 17 e6 92 c4-3b 47 f4 b7 4c a0 be 1b
DV Port          : 7458
DVS uuid         : 90 33 3b 50 c2 11 2a 50-ae c5 0f 07 b2 b3 23 2c
Flags            : 0x148
VSN Data IP      : 192.168.136.1
Security Profile : sp1
Org              : Not set
VNSP id          : 1
IP addresses:
vsm# 

Related Commands

Command
Description

show vsn statistics

Displays Cisco VSG statistics.


show vsn statistics

To display Cisco VSG statistics, use the show vsn statistics command.

show vsn statistics [ip | module | vlan]

Syntax Description

ip

(Optional) Displays IP statistics.

module

(Optional) Displays module statistics.

vlan

(Optional) Displays VLAN statistics.


Command Default

None

Command Modes

EXEC

Supported User Roles

network-admin

network-operator

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

You can use the following operators with the show vsn statistics command:

>—Redirects the output to a file.

>>—Redirects the output to a file in append mode.

|—Pipes the command output to a filter.

Examples

This example shows how to display statistics for a module:

vsm# show vsn statistics module 3
#VSN  VLAN: 64, IP-ADDR: 192.168.129.2
  Module: 3
    #VPath Packet Statistics     Ingress         Egress           Total
    Total Seen                      8249          24572           32821
    Policy Redirects                7796          23260           31056
    No-Policy Passthru               441           1267            1708
    Policy-Permits Rcvd             7796          23260           31056
    Policy-Denies  Rcvd                0              0               0
    Permit Hits                       10             45              55
    Deny   Hits                        0              0               0
    Decapsulated                    7796          23260           31056
    Fail-Open                          0              0               0
    Badport Err                        0              0               0
    VSN Config Err                     0              0               0
    ARP Resolve Err                    2              0               2
    Encap Err                          0              0               0
    All-Drops                          2              0               2
    Total Rcvd From VSN                                           31056
    Non-Cisco Encap Rcvd                                              0
    VNS-Port Drops                                                    0
    Policy-Action Err                                                 0
    Decap Err                                                         0
    L2-Frag Sent                                                      0
    L2-Frag Rcvd                                                      0
    L2-Frag Coalesced                                                 0
 
   
    #VPath Flow Statistics
    Active Flows                       0  Active Connections                 0
    Forward Flow Create             7799  Forward Flow Destroy            7799
    Reverse Flow Create             7799  Reverse Flow Destroy            7799
    Flow ID Alloc                  15598  Flow ID Free                   15598
    Connection ID Alloc             7799  Connection ID Free              7799
    L2 Flow Create                     0  L2 Flow Destroy                    0
    L3 Flow Create                     4  L3 Flow Destroy                    4
    L4 TCP Flow Create                 0  L4 TCP Flow Destroy                0
    L4 UDP Flow Create             15594  L4 UDP Flow Destroy            15594
    L4 Oth Flow Create                 0  L4 Oth Flow Destroy                0
    Embryonic Flow Create              0  Embryonic Flow Bloom               0
    L2 Flow Timeout                    0  L2 Flow Offload                    0
    L3 Flow Timeout                    5  L3 Flow Offload                    2
    L4 TCP Flow Timeout                0  L4 TCP Flow Offload                0
    L4 UDP Flow Timeout            23393  L4 UDP Flow Offload            31054
    L4 Oth Flow Timeout                0  L4 Oth Flow Offload                0
    Flow Lookup Hit                23314  Flow Lookup Miss               15598
    Flow Dual Lookup               38912  L4 TCP Tuple-reuse                 0
    Flow Classify Err                  0  Flow ID Alloc Err                  0
    Conn ID Alloc Err                  0  Hash Alloc Err                     0
    Flow Exist                         0  Flow Entry Exhaust                 0
    Flow Removal Err                   0  Bad Flow ID Receive                0
    Flow Entry Miss                    0  Flow Full Match Err                0
    Bad Action Receive                 0  Invalid Flow Pair                  0
    Invalid Connection                 0
    Hash Alloc                         0  Hash Free                          0
    InvalFID Lookup                    0  InvalFID Lookup Err                0
    Deferred Delete                    0
vsm# 
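
The statistics output mixes rows with three values (Ingress, Egress, Total), rows with a single total, and rows that carry two counters per line. The following Python script is an added example, not part of the Cisco documentation: it parses an excerpt of the output above and returns the non-zero counters that a monitoring job would report. Selecting counters by name (ending in "Err", containing "Drops", or "Fail-Open") is this example's assumption, not a Cisco-defined list.

```python
import re

# Excerpt copied from the "show vsn statistics module 3" example above.
PAGE_OUTPUT = """\
    #VPath Packet Statistics     Ingress         Egress           Total
    Total Seen                      8249          24572           32821
    Policy-Denies  Rcvd                0              0               0
    Fail-Open                          0              0               0
    ARP Resolve Err                    2              0               2
    All-Drops                          2              0               2
    Decap Err                                                         0
    #VPath Flow Statistics
    Active Flows                       0  Active Connections                 0
    L3 Flow Timeout                    5  L3 Flow Offload                    2
    Flow Classify Err                  0  Flow ID Alloc Err                  0
"""

# A counter is a name followed by one value (total) or three (ingress, egress, total).
COUNTER = re.compile(r"([A-Za-z][\w\- ]*?)\s+(\d+(?:\s+\d+)*)(?=\s|$)")

def parse_statistics(text):
    """Return {section: {counter: [values]}}; the last value in each list is the total."""
    stats, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#VPath"):
            section = line.lstrip("#").split("  ")[0]   # drop the column titles
            stats[section] = {}
        elif section and not line.startswith("#"):
            for name, values in COUNTER.findall(line):
                key = " ".join(name.split())            # collapse padded names
                stats[section][key] = [int(v) for v in values.split()]
    return stats

def nonzero_attention_counters(stats):
    """Totals of non-zero counters whose name marks an error, a drop or fail open.
    The name-based selection is an assumption made for this example."""
    hits = {}
    for counters in stats.values():
        for name, values in counters.items():
            flagged = name.endswith("Err") or "Drops" in name or name == "Fail-Open"
            if flagged and values[-1] > 0:
                hits[name] = values[-1]
    return hits

if __name__ == "__main__":
    print(nonzero_attention_counters(parse_statistics(PAGE_OUTPUT)))
```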

Related Commands

Command
Description

show vsn port vethernet

Displays information about the Cisco VSG.


vlan

To create a VLAN and enter the VLAN configuration mode, use the vlan command. To remove a VLAN, use the no form of this command.

vlan {id | dot1Q tag native}

no vlan {id | dot1Q tag native}

Syntax Description

id

VLAN identification number. The range is from 1 to 4094.

dot1Q tag native

Specifies an IEEE 802.1Q virtual LAN.


Defaults

VLAN 1

Command Modes

Global configuration (config)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

Specify a VLAN range by using a dash. For example, 1-9 or 20-30.

Examples

This example shows how to create a VLAN and enter the VLAN configuration mode:

vsm# configure
vsm (config)# vlan 100
vsm (config-vlan)#

This example shows how to remove a VLAN:

switch# configure
switch(config)# no vlan 100
switch(config)#

Related Commands

Command
Description

show vlan

Displays the VTP VLAN status.


vmware port-group

To create a VMware port group, use the vmware port-group command. To remove the VMware port group, use the no form of this command.

vmware port-group name

no vmware port-group name

Syntax Description

name

Name of the VMware port group.


Defaults

None

Command Modes

Port profile configuration (config-port-prof)

Supported User Roles

network-admin

Command History

Release
Modification

4.0(4)SV1(1)

This command was introduced.


Usage Guidelines

To create the VMware port group, you must be in port profile configuration mode.

Examples

This example shows how to create a VMware port group:

vsm# configure
vsm(config)# port-profile testprofile
vsm(config-port-prof)# vmware port-group testgroup
vsm(config-port-prof)#

The following example shows how to remove the VMware port group:

vsm# configure
vsm(config)# port-profile testprofile
vsm(config-port-prof)# no vmware port-group testgroup
vsm(config-port-prof)#

Related Commands

Command
Description

show port-profile name

Displays configuration information about a particular port profile.


vsn type vsg global

To enter the tcp state-checks configuration submode, use the vsn type vsg global command.

vsn type vsg global

Syntax Description

This command has no arguments or keywords.

Defaults

TCP state checks are enabled.

Command Modes

Global configuration (config)

Supported User Roles

network-admin

system-admin

Command History

Release
Modification

4.2(1)VSG1(2)

This command was introduced.


Usage Guidelines

Because TCP state checks in vPath are enabled by default, use the no form of the tcp state-checks command to disable the state checks.

Examples

This example shows how to enter the VSN configuration submode:

vsm# config
vsm(config)# vsn type vsg global
vsm(config-vsn)#

Related Commands

Command
Description

tcp state-checks

Enables TCP state checks in the vPath.