V Commands

Table Of Contents

V Commands

vlan access-map

vlan filter

vlan policy deny

vrf policy deny


This chapter describes the Cisco NX-OS security commands that begin with V.

vlan access-map

To create a new VLAN access-map entry or to configure an existing VLAN access-map entry, use the vlan access-map command. To remove a VLAN access-map entry, use the no form of this command.

vlan access-map map-name [sequence-number]

no vlan access-map map-name [sequence-number]

Syntax Description

sequence-number

(Optional) Sequence number of the VLAN access-map entry that you are creating or editing.

A sequence number can be any integer between 1 and 4294967295.

By default, the first entry in a VLAN access map has a sequence number of 10.

If you do not specify a sequence number, the device adds the rule to the end of the VLAN access map and assigns a sequence number that is 10 greater than the sequence number of the preceding entry.

When you use the no form of the command, use the sequence-number argument to specify an entry that you want to remove. Omit the sequence-number argument if you want to remove the entire VLAN access map.

map-name

Name of the VLAN access map that you want to create or configure. The map-name argument can be up to 64 alphanumeric, case-sensitive characters.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

Each VLAN access-map entry can include one action command and one or more match commands.

Use the statistics per-entry command to configure the device to record statistics for a VLAN access-map entry.

This command does not require a license.

Examples

This example shows how to create a VLAN access map named vlan-map-01, add two entries that each have two match commands and one action command, and enable statistics for the packets matched by the second entry:


switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f

switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# statistics per-entry

switch(config-access-map)# show vlan access-map

Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop
        statistics per-entry
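As an added worked example (not part of this Cisco reference), the following Python parses the `show vlan access-map` output format shown above, applies the sequence-number rule from the Syntax Description (first entry 10, each later entry 10 above the preceding one), and audits the entries for configuration gaps that a reviewer would want flagged. The sample input is constructed from the example output; the audit checks and the function names are this example's own, not device behaviour documented on the page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the `show vlan access-map` output from the example above.
SAMPLE_SHOW_VLAN_ACCESS_MAP = """\
Vlan access-map vlan-map-01 10
        match ip: ip-acl-01
        match mac: mac-acl-00f
        action: forward
Vlan access-map vlan-map-01 20
        match ip: ip-acl-320
        match mac: mac-acl-00e
        action: drop
        statistics per-entry
"""


@dataclass
class AccessMapEntry:
    map_name: str
    sequence: int
    matches: List[Tuple[str, str]] = field(default_factory=list)  # (ip|mac, ACL name)
    action: Optional[str] = None
    statistics: bool = False


def parse_show_vlan_access_map(text: str) -> List[AccessMapEntry]:
    """Parse `show vlan access-map` output into one AccessMapEntry per sequence number."""
    entries: List[AccessMapEntry] = []
    current: Optional[AccessMapEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Vlan access-map (\S+) (\d+)$", line)
        if header:
            current = AccessMapEntry(header.group(1), int(header.group(2)))
            entries.append(current)
            continue
        if current is None:
            raise ValueError(f"line outside any entry: {line!r}")
        clause = re.match(r"match (ip|mac): (\S+)$", line)
        if clause:
            current.matches.append((clause.group(1), clause.group(2)))
        elif line.startswith("action: "):
            current.action = line[len("action: "):]
        elif line == "statistics per-entry":
            current.statistics = True
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return entries


def next_sequence_number(entries: List[AccessMapEntry], map_name: str) -> int:
    """Sequence number the device assigns to a new entry added without one:
    10 for the first entry, otherwise 10 more than the preceding entry."""
    existing = [e.sequence for e in entries if e.map_name == map_name]
    return 10 if not existing else max(existing) + 10


def audit_entries(entries: List[AccessMapEntry]) -> List[str]:
    """Flag entries with no match clause, no action, or drops that are not counted.
    These checks are this example's own review rules, not device validation."""
    findings = []
    for e in entries:
        label = f"{e.map_name} {e.sequence}"
        if not e.matches:
            findings.append(f"{label}: no match clause")
        if e.action is None:
            findings.append(f"{label}: no action configured")
        elif e.action == "drop" and not e.statistics:
            findings.append(f"{label}: drop entry without statistics per-entry (drops will not be counted)")
    return findings


if __name__ == "__main__":
    parsed = parse_show_vlan_access_map(SAMPLE_SHOW_VLAN_ACCESS_MAP)
    for entry in parsed:
        print(entry)
    print("next sequence:", next_sequence_number(parsed, "vlan-map-01"))
    print("findings:", audit_entries(parsed))
```

Running the script against the sample output yields two entries (10 and 20), reports 30 as the number the device would assign to a third entry added without a sequence number, and produces no findings because the drop entry already has per-entry statistics enabled.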

Related Commands

Command                  Description
action                   Specifies an action for traffic filtering in a VLAN access map.
match                    Specifies an ACL for traffic filtering in a VLAN access map.
show vlan access-map     Displays all VLAN access maps or a VLAN access map.
show vlan filter         Displays information about how a VLAN access map is applied.
statistics per-entry     Enables collection of statistics for each entry in an ACL.
vlan filter              Applies a VLAN access map to one or more VLANs.


vlan filter

To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.

vlan filter map-name vlan-list VLAN-list

no vlan filter map-name vlan-list VLAN-list

Syntax Description

map-name

Name of the VLAN access map that you want to apply.

vlan-list VLAN-list

Specifies the ID of one or more VLANs that the VLAN access map filters. Valid VLAN IDs are from 1 to 4096.

Use a hyphen (-) to separate the beginning and ending IDs of a range of VLAN IDs; for example, use 70-100.

Use a comma (,) to separate individual VLAN IDs and ranges of VLAN IDs; for example, use 20,70-100,142.

Note: When you use the no form of this command, the VLAN-list argument is optional. If you omit this argument, the device removes the access map from all VLANs where the access map is applied.


Defaults

None

Command Modes

Global configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

You can apply a VLAN access map to one or more VLANs.

You can apply only one VLAN access map to a VLAN.

The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.

This command does not require a license.

Examples

This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:

switch# config t
switch(config)# vlan filter vlan-map-01 20-45

This example shows how to use the no form of the command to unapply the VLAN access map named vlan-map-01 from VLANs 30 through 32, which leaves the access map applied to VLANs 20 through 29 and 33 through 45:

switch# show vlan filter

vlan map vlan-map-01:
        Configured on VLANs:    20-45
switch# config t
switch(config)# no vlan filter vlan-map-01 30-32
switch(config)# show vlan filter

vlan map vlan-map-01:
        Configured on VLANs:    20-29,33-45
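The following Python is an added example (not from this Cisco reference) that models the VLAN-list syntax and the vlan filter / no vlan filter semantics described above: it expands the comma-and-hyphen list form, validates IDs against the 1 to 4096 bound stated in the Syntax Description, renders the device's compact form (20-29,33-45), and tracks which VLANs each access map is applied to, including partial and full unapply. The rule that only one access map may be applied to a VLAN is modelled as a raised error; that is this example's choice, since the page does not say how the device itself reports the conflict.

```python
from typing import Dict, Iterable, List, Optional, Set

VLAN_MIN, VLAN_MAX = 1, 4096  # VLAN ID bounds as stated in this reference


def expand_vlan_list(spec: str) -> List[int]:
    """Parse a VLAN-list such as '20,70-100,142' into a sorted list of VLAN IDs."""
    ids: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            raise ValueError("empty element in VLAN list")
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"descending range {part!r}")
        else:
            lo = hi = int(part)
        if lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN ID out of range in {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def compress_vlan_list(ids: Iterable[int]) -> str:
    """Inverse of expand_vlan_list: render IDs in the device's compact form, e.g. 20-29,33-45."""
    ordered = sorted(set(ids))
    if not ordered:
        return ""
    parts: List[str] = []
    start = prev = ordered[0]
    for v in ordered[1:]:
        if v == prev + 1:
            prev = v
            continue
        parts.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = v
    parts.append(f"{start}-{prev}" if start != prev else str(start))
    return ",".join(parts)


class VlanFilterState:
    """Model of which VLANs each access map is applied to (constructed for this example)."""

    def __init__(self) -> None:
        self.applied: Dict[str, Set[int]] = {}  # access-map name -> VLAN IDs

    def vlan_filter(self, map_name: str, vlan_list: str) -> None:
        """vlan filter <map-name> vlan-list <VLAN-list>"""
        vlans = set(expand_vlan_list(vlan_list))
        # Only one VLAN access map may be applied to a VLAN (usage guidelines);
        # rejecting the overlap is this example's modelling choice.
        for other, other_vlans in self.applied.items():
            overlap = other_vlans & vlans
            if other != map_name and overlap:
                raise ValueError(f"VLAN(s) {compress_vlan_list(overlap)} already filtered by {other}")
        self.applied.setdefault(map_name, set()).update(vlans)

    def no_vlan_filter(self, map_name: str, vlan_list: Optional[str] = None) -> None:
        """no vlan filter <map-name> [vlan-list <VLAN-list>]: omit the list to unapply everywhere."""
        if map_name not in self.applied:
            return
        if vlan_list is None:
            del self.applied[map_name]
            return
        self.applied[map_name] -= set(expand_vlan_list(vlan_list))
        if not self.applied[map_name]:
            del self.applied[map_name]

    def show_vlan_filter(self) -> str:
        """Render in the layout of the `show vlan filter` output shown above."""
        lines: List[str] = []
        for name in sorted(self.applied):
            lines.append(f"vlan map {name}:")
            lines.append(f"        Configured on VLANs:    {compress_vlan_list(self.applied[name])}")
        return "\n".join(lines)


if __name__ == "__main__":
    state = VlanFilterState()
    state.vlan_filter("vlan-map-01", "20-45")
    state.no_vlan_filter("vlan-map-01", "30-32")
    print(state.show_vlan_filter())
```

Replaying the example sequence (apply to 20-45, then unapply 30-32) prints `Configured on VLANs:    20-29,33-45`, matching the device output above; calling `no_vlan_filter` without a list removes the map from every VLAN.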

Related Commands

Command                  Description
action                   Specifies an action for traffic filtering in a VLAN access map.
match                    Specifies an ACL for traffic filtering in a VLAN access map.
show vlan access-map     Displays all VLAN access maps or a VLAN access map.
show vlan filter         Displays information about how a VLAN access map is applied.
vlan access-map          Configures a VLAN access map.


vlan policy deny

To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.

vlan policy deny

no vlan policy deny

Syntax Description

This command has no arguments or keywords.

Defaults

All VLANs

Command Modes

User role configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

This command denies all VLANs to the user role except for those that you allow using the permit vlan command in user role VLAN policy configuration mode.

This command does not require a license.

Examples

This example shows how to enter user role VLAN policy configuration mode for a user role:

switch# config t
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# 

This example shows how to revert to the default VLAN policy for a user role:

switch# config t
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny

Related Commands

Command          Description
permit vlan      Allows a VLAN in a user role VLAN policy.
role name        Creates or specifies a user role and enters user role configuration mode.
show role        Displays user role information.



vrf policy deny

To enter virtual routing and forwarding (VRF) instance policy configuration mode for a user role, use the vrf policy deny command. To revert to the default VRF policy for a user role, use the no form of this command.

vrf policy deny

no vrf policy deny

Syntax Description

This command has no arguments or keywords.

Defaults

All VRFs

Command Modes

User role configuration

Supported User Roles

network-admin
vdc-admin

Command History

Release     Modification
4.0(1)      This command was introduced.


Usage Guidelines

This command denies all VRFs to the user role except for those that you allow using the permit vrf command in user role VRF policy configuration mode.

This command does not require a license.

Examples

This example shows how to enter VRF policy configuration mode for a user role:

switch# config t
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)# 

This example shows how to revert to the default VRF policy for a user role:

switch# config t
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny
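As an added example covering both the vlan policy deny and vrf policy deny sections (this is not code from the Cisco reference), the following Python parses a constructed running-config fragment containing user roles, computes the effective VLAN and VRF scope of each role under the deny-by-default rule described in the usage guidelines (everything denied except what permit vlan / permit vrf allows; the no form reverts to all VLANs / all VRFs), and flags roles that are still on the default policy. The permit vlan range syntax, the VRF inventory and the role names are assumptions made for the sample.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample: a running-config fragment with two user roles. The
# `permit vlan <range>` / `permit vrf <name>` forms under the policy sub-modes are assumed.
SAMPLE_ROLE_CONFIG = """\
role name NetOps
  vlan policy deny
    permit vlan 10-20
    permit vlan 100
  vrf policy deny
    permit vrf management
role name LegacyOps
"""

ALL_VLANS: Set[int] = set(range(1, 4097))     # VLAN ID range as stated in this reference
ALL_VRFS: Set[str] = {"default", "management"}  # constructed VRF inventory for the sample device


@dataclass
class RolePolicy:
    name: str
    vlan_deny: bool = False                      # True once `vlan policy deny` is configured
    permitted_vlans: Set[int] = field(default_factory=set)
    vrf_deny: bool = False                       # True once `vrf policy deny` is configured
    permitted_vrfs: Set[str] = field(default_factory=set)


def expand_range(spec: str) -> Set[int]:
    """'10-20' -> {10, ..., 20}; '100' -> {100}."""
    lo, _, hi = spec.partition("-")
    return set(range(int(lo), int(hi or lo) + 1))


def parse_role_policies(config_text: str) -> Dict[str, RolePolicy]:
    """Walk the role blocks and record each role's VLAN and VRF policy."""
    roles: Dict[str, RolePolicy] = {}
    current = None
    mode = None  # policy sub-mode that following `permit` lines belong to
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("role name "):
            current = RolePolicy(line[len("role name "):])
            roles[current.name] = current
            mode = None
        elif current is None:
            raise ValueError(f"line outside a role block: {line!r}")
        elif line == "vlan policy deny":
            current.vlan_deny, mode = True, "vlan"
        elif line == "no vlan policy deny":          # revert to the default: all VLANs
            current.vlan_deny, current.permitted_vlans, mode = False, set(), None
        elif line == "vrf policy deny":
            current.vrf_deny, mode = True, "vrf"
        elif line == "no vrf policy deny":           # revert to the default: all VRFs
            current.vrf_deny, current.permitted_vrfs, mode = False, set(), None
        elif line.startswith("permit vlan ") and mode == "vlan":
            current.permitted_vlans |= expand_range(line[len("permit vlan "):])
        elif line.startswith("permit vrf ") and mode == "vrf":
            current.permitted_vrfs.add(line[len("permit vrf "):])
        else:
            raise ValueError(f"unexpected line {line!r} in role {current.name}")
    return roles


def effective_vlans(role: RolePolicy) -> Set[int]:
    """Deny policy: only the permitted VLANs; default policy: every VLAN."""
    return set(role.permitted_vlans) if role.vlan_deny else set(ALL_VLANS)


def effective_vrfs(role: RolePolicy) -> Set[str]:
    """Deny policy: only the permitted VRFs; default policy: every VRF."""
    return set(role.permitted_vrfs) if role.vrf_deny else set(ALL_VRFS)


def audit_roles(roles: Dict[str, RolePolicy]) -> List[str]:
    """Least-privilege findings: roles on the default (all VLANs / all VRFs) policy,
    and deny policies that permit nothing. These are this example's review rules."""
    findings: List[str] = []
    for r in roles.values():
        if not r.vlan_deny:
            findings.append(f"{r.name}: default VLAN policy, role can reach all VLANs")
        elif not r.permitted_vlans:
            findings.append(f"{r.name}: vlan policy deny with no permit vlan")
        if not r.vrf_deny:
            findings.append(f"{r.name}: default VRF policy, role can reach all VRFs")
        elif not r.permitted_vrfs:
            findings.append(f"{r.name}: vrf policy deny with no permit vrf")
    return findings


if __name__ == "__main__":
    parsed = parse_role_policies(SAMPLE_ROLE_CONFIG)
    for role in parsed.values():
        print(role.name, "VLANs:", len(effective_vlans(role)), "VRFs:", sorted(effective_vrfs(role)))
    print("findings:", audit_roles(parsed))
```

For the sample, NetOps is scoped to VLANs 10 through 20 plus 100 and to the management VRF only, while LegacyOps, which has no policy commands, is reported twice because it retains the default scope of all VLANs and all VRFs.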

Related Commands

Command          Description
permit vrf       Permits VRFs in a user role VRF policy.
role name        Creates or specifies a user role and enters user role configuration mode.
show role        Displays user role information.