Catalyst 6500 Series Command Reference, 5.5
set rcp username to set spantree uplinkfast

Table Of Contents

set rcp username

set rgmp

set rspan

set security acl capture-ports

set security acl ip

set security acl ipx

set security acl mac

set security acl map

set snmp access

set snmp community

set snmp extendedrmon netflow

set snmp group

set snmp notify

set snmp rmon

set snmp targetaddr

set snmp targetparams

set snmp trap

set snmp user

set snmp view

set span

set spantree backbonefast

set spantree disable

set spantree enable

set spantree fwddelay

set spantree hello

set spantree maxage

set spantree portcost

set spantree portfast

set spantree portfast bpdu-guard

set spantree portpri

set spantree portstate

set spantree portvlancost

set spantree portvlanpri

set spantree priority

set spantree root

set spantree uplinkfast



set rcp username

Use the set rcp username command to specify your username for rcp file transfers.

set rcp username username

Syntax Description

username

Username up to 14 characters long.


Defaults

There are no default settings for this command.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The username must be different from "root" and not a null string. The only case where you cannot configure the rcp username is for the VMPS database where you will use an rcp VMPS username.

Examples

This example shows how to set the username for rcp:

Console> (enable) set rcp username jdoe
Console> (enable) 

set rgmp

Use the set rgmp command to enable or disable the RGMP feature on the switch.

set rgmp {enable | disable}

Syntax Description 

enable

Keyword to enable RGMP on the switch.

disable

Keyword to disable RGMP on the switch.


Defaults

The default is RGMP is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

RGMP is a global command. You cannot enable or disable RGMP on a per-VLAN basis.

The RGMP feature is operational only if IGMP snooping is enabled on the switch (see the set igmp command).

Examples

This example shows how to enable RGMP on the switch:

Console> (enable) set rgmp enable
RGMP is enabled.
Console> (enable)

This example shows how to disable RGMP on the switch:

Console> (enable) set rgmp disable
RGMP is disabled.
Console> (enable)

Related Commands

show rgmp group
show rgmp statistics
clear rgmp statistics
set igmp

set rspan

Use the set rspan command set to create remote SPAN sessions.

set rspan disable source [rspan_vlan | all]

set rspan disable destination [mod/port | all]

set rspan source {src_mod/src_ports... | vlans... | sc0} {rspan_vlan} [rx | tx | both] [multicast {enable | disable}] [filter vlans...] [create]

set rspan destination {mod/port} {rspan_vlan} [inpkts {enable | disable}] [learning {enable | disable}] [create]

Syntax Description

disable source

Keywords to disable remote SPAN source information.

rspan_vlan

(Optional) Remote SPAN VLAN.

all

(Optional) Keyword to disable all remote SPAN source or destination sessions.

disable destination

Keywords to disable remote SPAN destination information.

mod/port

(Optional) Remote SPAN destination port.

src_mod/src_ports...

Monitored ports (remote SPAN source).

vlans...

Monitored VLANs (remote SPAN source).

sc0

Keyword to specify the inband port is a valid source.

rx

(Optional) Keyword to specify that information received at the source (ingress SPAN) is monitored.

tx

(Optional) Keyword to specify that information transmitted from the source (egress SPAN) is monitored.

both

(Optional) Keyword to specify that information both received at the source (ingress SPAN) and transmitted from the source (egress SPAN) is monitored.

multicast enable

(Optional) Keywords to enable monitoring multicast traffic (egress traffic only).

multicast disable

(Optional) Keywords to disable monitoring multicast traffic (egress traffic only).

filter vlans

(Optional) Keywords to monitor traffic on selected VLANs on source trunk ports.

create

(Optional) Keyword to create a new remote SPAN session instead of overwriting the previous SPAN session.

inpkts enable

(Optional) Keywords to allow the remote SPAN destination port to receive normal ingress traffic (from the network to the bus) while forwarding the remote SPAN traffic.

inpkts disable

(Optional) Keywords to disable the receiving of normal inbound traffic on the remote SPAN destination port.

learning enable

(Optional) Keywords to enable learning for the remote SPAN destination port.

learning disable

(Optional) Keywords to disable learning for the remote SPAN destination port.


Defaults

The defaults are as follows:

Remote SPAN is disabled.

No VLAN filtering.

Monitoring multicast traffic is enabled.

Learning is enabled.

inpkts is disabled.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

The rspan_vlan variable is optional in the set rspan disable source command and required in the set rspan source and set rspan destination command set.

After you enable SPAN, system defaults are used if no parameters were ever set. If you changed parameters, these are stored in NVRAM, and the new parameters are used.

Use a network analyzer to monitor ports.

Use the inpkts keyword with the enable option to allow the remote SPAN destination port to receive normal incoming traffic in addition to the traffic mirrored from the remote SPAN source. Use the disable option to prevent the remote SPAN destination port from receiving normal incoming traffic.

You can specify an MSM port as the remote SPAN source port. However, you cannot specify an MSM port as the remote SPAN destination port.

When you enable the inpkts option, a warning message notifies you that the destination port does not join STP and may cause loops if this option is enabled.

If you do not specify the keyword create and you have only one session, the session will be overwritten. If a matching rspan_vlan or destination port exists, the particular session will be overwritten (with or without specifying create). If you specify the keyword create and there is no matching rspan_vlan or destination port, the session will be created.

Each switch can source only one remote SPAN session (ingress, egress, or both). When you configure a remote ingress or bidirectional SPAN session in a source switch, the limit for local ingress or bidirectional SPAN session is reduced to one. There are no limits on the number of remote SPAN sessions carried across the network within the remote SPAN session limits.

You can configure any VLAN as a remote SPAN VLAN as long as these conditions are met:

The same remote SPAN VLAN is used for a remote SPAN session in the switches.

All the participating switches have appropriate hardware and software.

No unwanted access port is configured in the remote SPAN VLAN, because every port in that VLAN receives the mirrored traffic.

Examples

This example shows how to disable all enabled source sessions:

Console> (enable) set rspan disable source all
This command will disable all remote span source session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of all source(s) on the switch for remote span.
Console> (enable) 

This example shows how to disable one source session to a specific VLAN:

Console> (enable) set rspan disable source 903
Disabled monitoring of all source(s) on the switch for rspan_vlan 903.
Console> (enable) 

This example shows how to disable all enabled destination sessions:

Console> (enable) set rspan disable destination all
This command will disable all remote span destination session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of remote span traffic on ports 9/1,9/2,9/3,9/4,9/5,9/6.
Console> (enable) 

This example shows how to disable one destination session to a specific port:

Console> (enable) set rspan disable destination 4/1
Disabled monitoring of remote span traffic on port 4/1.
Console> (enable) 

Related Commands

show rspan

set security acl capture-ports

Use the set security acl capture-ports command to specify the ports to which traffic matched by an ACE that has the capture option (in the set security acl ip, set security acl ipx, and set security acl mac commands) is copied.

set security acl capture-ports {mod/ports...}

Syntax Description

mod/ports...

Module and port number.


Defaults

This command has no default setting.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved in NVRAM. This command does not require that you enter the commit command.

The module and port specified in this command are added to the current ports configuration list.

This command works with Ethernet ports only; you cannot set ATM ports.

The ACL capture will not work unless the capture port is in the spanning tree forwarding state for the VLAN.

Examples

This example shows how to set a port to capture traffic:

Console> (enable) set security acl capture 3/1
Successfully set 3/1 to capture ACL traffic.
Console> (enable) 

This example shows how to set multiple ports to capture traffic:

Console> (enable) set security acl capture 1/1-10
Successfully set the following ports to capture ACL traffic: 1/1-2.
Console> (enable) 

Related Commands

clear security acl capture-ports
show security acl capture-ports

set security acl ip

Use the set security acl ip command set to create a new entry in a standard IP VACL and append the new entry at the end of the VACL.

set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index | modify editbuffer_index]

set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip | 0] {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1] {src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [igmp | 2] {src_ip_spec} {dest_ip_spec} [igmp_type] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6] {src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17] {src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

permit

Keyword to allow traffic from the source IP address.

deny

Keyword to block traffic from the source IP address.

src_ip_spec

Source IP address and the source mask. See the "Usage Guidelines" section for the format.

before editbuffer_index

(Optional) Keyword and variable to insert the new ACE in front of another ACE.

modify editbuffer_index

(Optional) Keyword and variable to replace an ACE with the new ACE.

redirect

Keyword to specify to which switched ports the packet is redirected.

mod_num/port_num

Number of the module and port.

protocol

Keyword or number of an IP protocol; valid numbers are from 0 to 255 representing an IP protocol number. See the "Usage Guidelines" section for the list of valid keywords.

dest_ip_spec

Destination IP address and the destination mask. See the "Usage Guidelines" section for the format.

precedence precedence

(Optional) Keyword and variable to specify the precedence level; valid values are from 0 to 7 or by name. See the "Usage Guidelines" section for a list of valid names.

tos tos

(Optional) Keyword and variable to specify the type of service level; valid values are from 0 to 15 or by name. See the "Usage Guidelines" section for a list of valid names.

capture

(Optional) Keyword to specify that matching packets are switched normally and a copy is sent to the capture ports; valid only with permit.

ip | 0

(Optional) Keyword or number to match any Internet Protocol packets.

icmp | 1

(Optional) Keyword or number to match ICMP packets.

icmp_type

(Optional) ICMP message type name or a number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.

icmp_code

(Optional) ICMP message code name or a number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.

icmp_message

(Optional) ICMP message type name or ICMP message type and code name. See the "Usage Guidelines" section for a list of valid names.

igmp | 2

(Optional) Keyword or number to match IGMP packets.

igmp_type

(Optional) IGMP message type or message name; valid message type numbers are from 0 to 15. See the "Usage Guidelines" section for a list of valid names and corresponding numbers.

tcp | 6

(Optional) Keyword or number to match TCP packets.

operator

(Optional) Operands; valid values include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

port

(Optional) Number or name of a TCP or UDP port; valid port numbers are from 0 to 65535. See the "Usage Guidelines" section for a list of valid names.

established

(Optional) Keyword to specify an established connection; used only for TCP protocol.

udp | 17

(Optional) Keyword or number to match UDP packets.


Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save them in NVRAM and in the hardware.

If you use the redirect keyword, the destination must be 255.255.255.255.

If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.

When you enter the ACL name, follow these naming conventions:

Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

When you specify the source IP address and the source mask, use the form source_ip_address source_mask and follow these guidelines:

The source_mask is required; 0 indicates a care bit, 1 indicates a don't-care bit.

Use a 32-bit quantity in four-part dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

When you enter a destination IP address and the destination mask, use the form destination_ip_address destination_mask. The destination mask is required.

Use a 32-bit quantity in a four-part dotted-decimal format.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

Valid names for precedence are critical, flash, flash-override, immediate, internet, network, priority, and routine.

Valid names for tos are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.

Valid protocol keywords include icmp (1), igmp (2), ip (0), ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88), gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP number is displayed in parentheses. Use the keyword ip to match any Internet Protocol.

ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code.

Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.

Valid names and corresponding numbers for igmp_type are dvmrp (3), host-query (1), host-report (2), pim (4), and trace (5).

If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.

UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.

The number listed with the protocol keyword is the IP protocol number (for example, udp | 17).

If no protocol is entered, you can enter the following syntax:

set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index |
modify editbuffer_index]

If a Layer 4 protocol is specified, you can enter the following syntax:

set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

For IP, you can enter the following syntax:

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip | 0] {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

For ICMP, you can enter the following syntax:

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1] {src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

For IGMP, you can use the following syntax:

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [igmp | 2] {src_ip_spec} {dest_ip_spec} [igmp_type] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

For TCP, you can use the following syntax:

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6] {src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established] [precedence precedence] [tos tos] [capture] [before editbuffer_index | modify editbuffer_index]

For UDP, you can use the following syntax:

set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]

Examples

These examples show different ways to use the set security acl ip commands to configure IP security ACL:

Console> (enable) set security acl ip IPACL1 deny 1.2.3.4 0.0.0.0
IPACL1 editbuffer modified.  Use `commit' command to apply changes.
Console> (enable) 

Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2 before 2 
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)

Console> (enable) set security acl ip IPACL1 permit any any
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 

Console> (enable) set security acl ip IPACL1 redirect 3/1 ip 3.7.1.2 0.0.0.255 host 
255.255.255.255 precedence 1 tos min-delay
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) 

Console> (enable) set security acl ip IPACL1 permit ip host 60.1.1.1 host 60.1.1.98 
capture 
IPACL1 editbuffer modified. Use 'commit' command to apply changes.

Related Commands

clear security acl
clear security acl capture-ports
clear security acl map
commit
show security acl
show security acl capture-ports
set security acl map
set security acl capture-ports

set security acl ipx

Use the set security acl ipx command to create a new entry in a standard IPX VACL and to append the new entry at the end of the VACL.

set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol} {src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture] [before editbuffer_index | modify editbuffer_index]

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

permit

Keyword to allow traffic from the specified source IPX address.

deny

Keyword to block traffic from the specified source IPX address.

redirect

Keyword to redirect traffic from the specified source IPX address.

mod_num/port_num

Number of the module and port.

protocol

Keyword or number of an IPX protocol; valid values are from 0 to 255 representing an IPX protocol number. See the "Usage Guidelines" section for a list of valid keywords and corresponding numbers.

src_net

Number of the network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.

dest_net.

(Optional) Number of the network to which the packet is being sent.

.dest_node

(Optional) Node on destination-network to which the packet is being sent.

dest_net_mask.

(Optional) Mask to be applied to the destination network. See the "Usage Guidelines" section for format guidelines.

dest_node_mask

(Optional) Mask to be applied to the destination-node. See the "Usage Guidelines" section for format guidelines.

capture

(Optional) Keyword to specify packets are switched normally and captured.

before editbuffer_index

(Optional) Keyword and variable to insert the new ACE in front of another ACE.

modify editbuffer_index

(Optional) Keyword and variable to replace an ACE with the new ACE.


Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save all of them in NVRAM and in the hardware.

If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.

When you enter the ACL name, follow these naming conventions:

Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

Valid protocol keywords include ncp (17), netbios (20), rip (1), sap (4), and spx (5).

The src_net and dest_net variables are eight-digit hexadecimal numbers that uniquely identify network cable segments. When you specify the src_net or dest_net, use the following guidelines:

It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks.

You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA.

The .dest_node is a 48-bit value represented by a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx).

The dest_net_mask is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must be immediately followed by a period, which must in turn be immediately followed by the destination-node-mask. You can enter this value only when dest_node is specified.

The dest_node_mask is a 48-bit value represented as a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when dest_node is specified.

The dest_net portion of the destination follows the same rules as src_net: an eight-digit hexadecimal number in the range 0 to FFFFFFFF that identifies the network cable segment, with -1 or any matching all networks and leading zeros optional (for the network number 000000AA, you can enter AA). Following are examples of destination specifications, from a bare dest_net through dest_net.dest_node with node and network masks:

123A

123A.1.2.3

123A.1.2.3 ffff.ffff.ffff

1.2.3.4 ffff.ffff.ffff.ffff

Use the show security acl command to display the list.

Examples

This example shows how to block traffic from a specified source IPX network:

Console> (enable) set security acl ipx IPXACL1 deny 1.a
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)

Related Commands

clear security acl
clear security acl capture-ports
clear security acl map
commit
show security acl
show security acl capture-ports
set security acl map
set security acl capture-ports

set security acl mac

Use the set security acl mac command to create a new entry in a non-IP or non-IPX protocol VACL and to append the new entry at the end of the VACL.

set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec} {dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index | modify editbuffer_index]

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

permit

Keyword to allow traffic from the specified source MAC address.

deny

Keyword to block traffic from the specified source MAC address.

src_mac_addr_spec

Source MAC address and mask in the form source_mac_address source_mac_address_mask.

dest_mac_addr_spec

Destination MAC address and mask.

ether-type

(Optional) Number or name that matches the ethertype for Ethernet-encapsulated packets; valid values are 0x0600, 0x0601, 0x0BAD, 0x0BAF, 0x6000-0x6009, 0x8038-0x8042, 0x809b, and 0x80f3. See the "Usage Guidelines" section for a list of valid names.

capture

(Optional) Keyword to specify packets are switched normally and captured.

before editbuffer_index

(Optional) Keyword and variable to insert the new ACE in front of another ACE.

modify editbuffer_index

(Optional) Keyword and variable to replace an ACE with the new ACE.


Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches and then enter the commit command to save all of them in NVRAM and in the hardware.

If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.

When you enter the ACL name, follow these naming conventions:

Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer

The src_mac_addr_spec is a 48-bit source MAC address and mask entered in the form source_mac_address source_mac_address_mask (for example, 08-11-22-33-44-55 ff-ff-ff-ff-ff-ff). Place ones in the bit positions you want to mask. When you specify the src_mac_addr_spec, follow these guidelines:

The source mask is required; 0 indicates a care bit, 1 indicates a don't-care bit.

Use a 48-bit quantity in six-part hyphenated hexadecimal format for both the address and the mask.

Use the keyword any as an abbreviation for a source and source-wildcard of 00-00-00-00-00-00 ff-ff-ff-ff-ff-ff.

Use host source as an abbreviation for a source and source-wildcard of source 00-00-00-00-00-00.

The dest_mac_addr_spec is a 48-bit destination MAC address and mask entered in the form dest_mac_address dest_mac_address_mask (for example, 08-00-00-00-02-00 ff-ff-ff-00-00-00). Place ones in the bit positions you want to mask. The destination mask is required. When you specify the dest_mac_addr_spec, use the following guidelines:

Use a 48-bit quantity in six-part hyphenated hexadecimal format for both the address and the mask.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 00-00-00-00-00-00 ff-ff-ff-ff-ff-ff.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 00-00-00-00-00-00.

Valid names for Ethertypes (and corresponding numbers) are Ethertalk (0x809B), AARP (0x8053), dec-mop-dump (0x6001), dec-mop-remote-console (0x6002), dec-phase-iv (0x6003), dec-lat (0x6004), dec-diagnostic-protocol (0x6005), dec-lavc-sca (0x6007), dec-amber (0x6008), dec-mumps (0x6009), dec-lanbridge (0x8038), dec-dsm (0x8039), dec-netbios (0x8040), dec-msdos (0x8041), banyan-vines-echo (0x0baf), xerox-ns-idp (0x0600), and xerox-address-translation (0x0601).

Use the show security acl command to display the list.
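The wildcard-mask rules above (0 is a care bit, 1 a don't-care bit, with the any and host abbreviations) are the same for the IP specs under set security acl ip and the MAC specs under this command. The following Python is an added example, not CatOS code and not from Cisco: it parses the simpler ACE forms of both commands and evaluates constructed packets against an ordered entry list. It assumes first-match evaluation with an implicit deny for unmatched packets, which this page does not state, and ignores Layer 4 port operators, precedence, tos and the before/modify options.

```python
import ipaddress

# Wildcard-mask semantics shared by IP and MAC VACL entries: a 0 bit in the
# mask means the packet bit must equal the ACE bit, a 1 bit means don't care.
# Assumptions not stated on this page: entries are evaluated in order, the
# first match decides, and a packet matching no entry is denied.

IP_PROTOCOLS = {"ip": 0, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}


def ip_bytes(text):
    return ipaddress.IPv4Address(text).packed


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split("-"))


def _parse_spec(tokens, width, to_bytes):
    """Consume 'any', 'host X' or 'X MASK' from tokens; return (addr, mask, rest)."""
    if tokens[0] == "any":
        return bytes(width), b"\xff" * width, tokens[1:]
    if tokens[0] == "host":
        return to_bytes(tokens[1]), bytes(width), tokens[2:]
    return to_bytes(tokens[0]), to_bytes(tokens[1]), tokens[2:]


def wildcard_match(value, addr, mask):
    """True when every care bit (mask bit 0) of value equals addr."""
    return len(value) == len(addr) and all(
        (v | m) == (a | m) for v, a, m in zip(value, addr, mask))


def parse_ip_ace(text):
    """Parse the argument part of 'set security acl ip NAME ...' for the
    forms without Layer 4 ports, e.g. 'deny 1.2.3.4 0.0.0.0' or
    'permit ip host 60.1.1.1 host 60.1.1.98 capture'. Trailing options
    other than capture (precedence, tos, before, modify) are ignored."""
    tokens = text.split()
    action, rest = tokens[0], tokens[1:]
    if action == "redirect":                  # keep the mod/port with the action
        action, rest = "redirect " + rest[0], rest[1:]
    proto = None
    if rest[0] in IP_PROTOCOLS or rest[0].isdigit():
        proto = int(IP_PROTOCOLS.get(rest[0], rest[0]))
        rest = rest[1:]
    src, smask, rest = _parse_spec(rest, 4, ip_bytes)
    if proto is None:                         # standard form: source only
        dst, dmask = bytes(4), b"\xff" * 4
    else:
        dst, dmask, rest = _parse_spec(rest, 4, ip_bytes)
    return {"action": action, "proto": proto, "src": (src, smask),
            "dst": (dst, dmask), "capture": "capture" in rest}


def parse_mac_ace(text):
    """Parse 'permit|deny SRC SRCMASK DST DSTMASK [0xETHERTYPE] [capture]'."""
    tokens = text.split()
    action, rest = tokens[0], tokens[1:]
    src, smask, rest = _parse_spec(rest, 6, mac_bytes)
    dst, dmask, rest = _parse_spec(rest, 6, mac_bytes)
    ether = int(rest[0], 16) if rest and rest[0].startswith("0x") else None
    return {"action": action, "proto": ether, "src": (src, smask),
            "dst": (dst, dmask), "capture": "capture" in rest}


def first_match(aces, src, dst, proto):
    """Action of the first ACE matching (src, dst, proto); 'deny' if none.
    proto is the IP protocol number for IP ACEs or the Ethertype for MAC
    ACEs; an ACE with proto None or ip (0) matches every protocol."""
    for ace in aces:
        if ace["proto"] in (None, 0) or ace["proto"] == proto:
            if wildcard_match(src, *ace["src"]) and wildcard_match(dst, *ace["dst"]):
                return ace["action"]
    return "deny"


def demo_ip():
    """Constructed packets run through the IPACL1 entries shown on this page."""
    aces = [parse_ip_ace(t) for t in (
        "deny 1.2.3.4 0.0.0.0",
        "deny host 171.3.8.2",
        "permit ip host 60.1.1.1 host 60.1.1.98 capture",
        "permit any any")]
    return (first_match(aces, ip_bytes("1.2.3.4"), ip_bytes("10.0.0.1"), 6),
            first_match(aces, ip_bytes("60.1.1.1"), ip_bytes("60.1.1.98"), 17),
            first_match(aces, ip_bytes("10.9.9.9"), ip_bytes("10.0.0.1"), 1))
```

Note how a mask of ff-ff-ff-00-00-00 on a MAC entry leaves only the last three octets as care bits, which is the reverse of a subnet-style mask; reading a VACL with wildcard masks as if they were netmasks is the usual way to end up permitting far more than intended.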

Examples

This example shows how to block traffic from a source MAC address:

Console> (enable) set security acl mac MACACL1 deny 01-02-02-03-04-05
MACACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable)

Related Commands

clear security acl
clear security acl capture-ports
clear security acl map
commit
show security acl
show security acl capture-ports
set security acl map
set security acl capture-ports

set security acl map

Use the set security acl map command to map an existing VACL to a VLAN.

set security acl map acl_name vlan

Syntax Description

acl_name

Unique name that identifies the list to which the entry belongs.

vlan

Number of the VLAN to be mapped to the VACL.


Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

Configurations you make by entering this command are saved in NVRAM. This command does not require that you enter the commit command. Each VLAN can be mapped to only one ACL of each type (IP, IPX, and MAC). An ACL can be mapped to a VLAN only after you have committed the ACL.

When you enter the ACL name, follow these naming conventions:

Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)

Must start with an alpha character and must be unique across all ACLs of all types

Case sensitive

Cannot be a number

Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer


Caution Use the copy command to save the ACL configuration to Flash memory.
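The commit and mapping rules above, together with the naming conventions repeated under set security acl ip, set security acl ipx, set security acl mac and this command, as an added Python model. This is illustration code, not switch code and not from Cisco: acl_name_problems applies the naming rules, and VaclStore models the edit buffer, commit and map steps, including the two refusals shown in the examples below. One assumption beyond the page: editing an already committed ACL starts from its committed contents.

```python
import re

RESERVED = {"all", "default-action", "map", "help", "editbuffer"}
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9._-]{0,31}")


def acl_name_problems(name, existing=()):
    """Check a proposed VACL name against the naming conventions listed
    under the set security acl commands; `existing` holds names already
    configured for any ACL type. Returns a list of violations (empty = ok)."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("must be 1-32 characters from a-z A-Z 0-9 - _ . "
                        "and start with a letter")
    if name in RESERVED:
        problems.append("reserved keyword")
    if name in set(existing):          # names are case sensitive
        problems.append("name already in use")
    return problems


class VaclStore:
    """Model of the CatOS VACL workflow (added illustration, not switch
    code): ACEs go into a per-ACL edit buffer, commit copies the buffer to
    the committed (NVRAM and hardware) copy, and map binds a committed ACL
    to a VLAN with at most one ACL of each type per VLAN."""

    def __init__(self):
        self.editbuffer = {}   # name -> list of ACE strings being edited
        self.committed = {}    # name -> list of ACE strings in hardware
        self.acl_type = {}     # name -> "ip" | "ipx" | "mac"
        self.mappings = {}     # (vlan, acl_type) -> name

    def add_ace(self, acl_type, name, ace, before=None, modify=None):
        """set security acl {ip|ipx|mac} NAME ACE [before N | modify N];
        the editbuffer_index N is 1-based, as on the switch."""
        if name not in self.acl_type:
            problems = acl_name_problems(name, self.acl_type)
            if problems:
                raise ValueError(f"bad ACL name {name!r}: {problems}")
            self.acl_type[name] = acl_type
        elif self.acl_type[name] != acl_type:
            raise ValueError("ACL names are unique across all ACL types")
        # Assumption: editing an already committed ACL starts from its committed copy.
        buf = self.editbuffer.setdefault(name, list(self.committed.get(name, [])))
        if before is not None:
            buf.insert(before - 1, ace)
        elif modify is not None:
            buf[modify - 1] = ace
        else:
            buf.append(ace)
        return f"{name} editbuffer modified. Use `commit' command to apply changes."

    def commit(self, name):
        """Copy the edit buffer to the committed copy; only committed
        entries are programmed into hardware and actually filter traffic."""
        if name not in self.editbuffer:
            raise ValueError(f"no pending changes for {name}")
        self.committed[name] = self.editbuffer.pop(name)

    def is_enforced(self, name, ace):
        return ace in self.committed.get(name, [])

    def map_to_vlan(self, name, vlan):
        """set security acl map NAME VLAN, with the three outcomes shown on this page."""
        if name not in self.committed:
            return f"Commit ACL {name} before mapping."
        key = (vlan, self.acl_type[name])
        if key in self.mappings and self.mappings[key] != name:
            return "Mapping for this type already exists for this VLAN."
        self.mappings[key] = name
        return f"ACL {name} mapped to vlan {vlan}"


def demo_workflow():
    """Constructed walk-through of the IPACL1 session shown on this page."""
    sw = VaclStore()
    sw.add_ace("ip", "IPACL1", "deny 1.2.3.4 0.0.0.0")
    sw.add_ace("ip", "IPACL1", "permit any any")
    sw.add_ace("ip", "IPACL1", "deny host 171.3.8.2", before=2)
    before_commit = sw.map_to_vlan("IPACL1", 1)      # refused: not committed
    enforced_early = sw.is_enforced("IPACL1", "permit any any")
    sw.commit("IPACL1")
    after_commit = sw.map_to_vlan("IPACL1", 1)
    sw.add_ace("ip", "IPACL2", "permit any any")
    sw.commit("IPACL2")
    second_ip = sw.map_to_vlan("IPACL2", 1)          # refused: one IP ACL per VLAN
    return sw.committed["IPACL1"], before_commit, enforced_early, after_commit, second_ip
```

The point the model makes explicit is the one that bites in practice: an ACE that sits in the edit buffer is not filtering anything, so a deny entered without a following commit (or a commit followed by a reload without the copy to Flash the caution above calls for) leaves the VLAN open.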

Examples

This example shows how to map an existing VACL to a VLAN:

Console> (enable) set security acl map IPACL1 1
ACL IPACL1 mapped to vlan 1
Console> (enable)

This example shows the output if you try to map an ACL that has not been committed:

Console> (enable) set security acl map IPACL1 1
Commit ACL IPACL1 before mapping.
Console> (enable)

This example shows the output if you try to map an ACL that is already mapped to a VLAN for the ACL type (IP, IPX, or MAC):

Console> (enable) set security acl map IPACL2 1
Mapping for this type already exists for this VLAN.
Console> (enable)

Related Commands

clear security acl
clear security acl map
commit
show security acl

set snmp access

Use the set snmp access command to define the access rights of an SNMP group with a specific security model in different security levels.

set snmp access [-hex] {groupname} {security-model {v1 | v2c}}
[read [-hex] {readview}] [write [-hex] {writeview}] [notify [-hex] {notifyview}]
[volatile | nonvolatile]

set snmp access [-hex] {groupname} {security-model v3 {noauthentication |
authentication | privacy}} [read [-hex] {readview}] [write [-hex] {writeview}]
[notify [-hex] {notifyview}] [volatile | nonvolatile]

Syntax Description

-hex

(Optional) Keyword to display the groupname, readview, writeview, and notifyview in a hexadecimal format.

groupname

Name of the SNMP group.

security-model v1 | v2c

Keywords to specify security-model v1 or v2c.

read readview

(Optional) Keyword and variable to specify the name of the view that allows you to see the MIB objects.

write writeview

(Optional) Keyword and variable to specify the name of the view that allows you to configure the contents of the agent.

notify notifyview

(Optional) Keyword and variable to specify the name of the view that allows you to send a trap about MIB objects.

v3

Keyword to specify security model v3.

noauthentication

Keyword to specify that the security model does not use an authentication protocol.

authentication

Keyword to specify the type of authentication protocol.

privacy

Keyword to specify that the messages sent on behalf of the user are protected from disclosure.

volatile

(Optional) Keyword to specify that the storage type is defined as temporary memory and the content is deleted if the device is turned off.

nonvolatile

(Optional) Keyword to specify that the storage type is defined as persistent memory and the content remains after the device is turned off and on again.


Defaults

The defaults are as follows:

storage type is nonvolatile.

read readview is Internet OID space.

write writeview is NULL OID.

notify notifyview is NULL OID.

Command Types

Switch command.

Command Modes

Privileged.

Usage Guidelines

If you use special characters for groupname, readview, writeview, or notifyview (nonprintable delimiters in these parameters), you must use the -hex keyword and enter the value as hexadecimal bytes, each one or two hexadecimal digits, separated by colons (:); for example, 00:ab:34.

readview is assumed to be every object belonging to the Internet (1.3.6.1) OID space; you can use the read option to override this state.

For writeview, you must also configure write access.

For notifyview, if a view is specified, any notifications in that view are sent to all users associated with the group (an SNMP server host configuration must exist for the user).
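An added Python example, not from the Cisco reference, showing the -hex encoding described in the usage guidelines above and a hypothetical helper that assembles a set snmp access command line from byte-string names, switching to the -hex form only when a name cannot be typed as plain text.

```python
import string


def needs_hex(value):
    """True if the byte string holds a character that cannot be typed as plain CLI text."""
    return any(b < 0x21 or b > 0x7E for b in value)


def to_hex_keyword(value):
    """Encode bytes as colon-separated hexadecimal bytes, e.g. 00 ab 34 -> '00:ab:34'."""
    return ":".join(f"{b:02x}" for b in value)


def from_hex_keyword(text):
    """Parse the -hex form; each field is one or two hex digits, as the reference states."""
    out = bytearray()
    for field in text.split(":"):
        if not 1 <= len(field) <= 2 or any(c not in string.hexdigits for c in field):
            raise ValueError(f"bad hexadecimal field {field!r} in {text!r}")
        out.append(int(field, 16))
    return bytes(out)


def _name_arg(value):
    # Use the -hex keyword only when the name cannot be typed directly.
    return f"-hex {to_hex_keyword(value)}" if needs_hex(value) else value.decode("ascii")


def build_set_snmp_access(group, model, level=None, read=None, write=None,
                          notify=None, storage=None):
    """Build a 'set snmp access' command line from byte-string names (hypothetical helper)."""
    if model in ("v1", "v2c"):
        if level is not None:
            raise ValueError("a security level applies only to security-model v3")
        parts = ["set snmp access", _name_arg(group), "security-model", model]
    elif model == "v3":
        if level not in ("noauthentication", "authentication", "privacy"):
            raise ValueError("v3 needs noauthentication, authentication or privacy")
        parts = ["set snmp access", _name_arg(group), "security-model v3", level]
    else:
        raise ValueError(f"unknown security model {model!r}")
    for keyword, view in (("read", read), ("write", write), ("notify", notify)):
        if view is not None:
            parts += [keyword, _name_arg(view)]
    if storage is not None:
        if storage not in ("volatile", "nonvolatile"):
            raise ValueError(f"unknown storage type {storage!r}")
        parts.append(storage)
    return " ".join(parts)
```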

Examples

This example shows how to set the SNMP access rights for a group:

Console> (enable) set snmp access cisco-group security-model v3 authentication
SNMP access group was set to cisco-group version v3 level authentication, readview 
internet, nonvolatile.
Console> (enable) 

Related Commands

clear snmp access
show snmp access

set snmp community

Use the set snmp community command to set SNMP communities and associated access types.

set snmp community {read-only | read-write | read-write-all} [community_string]

Syntax Description

read-only

Keyword to assign read-only access to the specified SNMP community.

read-write

Keyword to assign read-write access to the specified SNMP community.

read-write-all

Keyword to assign read-write access to all objects, including the community strings themselves, for the specified SNMP community.

community_string

(Optional) Name of the SNMP community.