Table Of Contents
set rgmp
set rspan
set security acl adjacency
set security acl arp-inspection
set security acl capture-ports
set security acl feature ratelimit
set security acl ip
set security acl ipx
set security acl log
set security acl mac
set security acl map
set snmp
set snmp access
set snmp access-list
set snmp buffer
set snmp chassis-alias
set snmp community
set snmp community-ext
set snmp extendedrmon netflow
set snmp group
set snmp ifalias
set snmp notify
set snmp rmon
set snmp rmonmemory
set snmp targetaddr
set snmp targetparams
set snmp trap
set snmp user
set snmp view
set span
set spantree backbonefast
set spantree bpdu-filter
set spantree bpdu-guard
set spantree bpdu-skewing
set spantree channelcost
set spantree channelvlancost
set spantree defaultcostmode
set spantree disable
set spantree enable
set spantree fwddelay
set spantree global-default
set spantree guard
set spantree hello
set spantree link-type
set spantree macreduction
set spantree maxage
set spantree mode
set spantree mst
set spantree mst config
set spantree mst link-type
set spantree mst maxhops
set spantree mst vlan
set spantree portcost
set spantree portfast
set spantree portfast bpdu-filter
set spantree portfast bpdu-guard
set spantree portinstancecost
set spantree portinstancepri
set spantree portpri
set spantree portvlancost
set spantree portvlanpri
set rgmp
To enable or disable the Router-Ports Group Management Protocol (RGMP) feature on the switch, use the set rgmp command.
set rgmp {enable | disable}
Syntax Description
Keyword | Description
--- | ---
enable | Enables RGMP on the switch.
disable | Disables RGMP on the switch.
Defaults
The default is RGMP is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The set rgmp command affects the entire switch. You cannot enable or disable RGMP on a per-VLAN basis.
The RGMP feature is operational only if IGMP snooping is enabled on the switch. (See the set igmp command.)
Examples
This example shows how to enable RGMP on the switch:
Console> (enable) set rgmp enable
This example shows how to disable RGMP on the switch:
Console> (enable) set rgmp disable
Related Commands
clear rgmp statistics
set igmp
show rgmp group
show rgmp statistics
set rspan
To create remote Switched Port Analyzer (SPAN) sessions, use the set rspan command.
set rspan disable source [rspan_vlan | all]
set rspan disable destination [mod/port | all]
set rspan source {src_mod/src_ports... | vlans... | sc0} {rspan_vlan} [rx | tx | both]
[multicast {enable | disable}] [filter vlans...] [create]
set rspan destination mod/port {rspan_vlan} [inpkts {enable | disable}]
[learning {enable | disable}] [create]
Syntax Description
Keyword | Description
--- | ---
disable source | Disables remote SPAN source information.
rspan_vlan | (Optional) Remote SPAN VLAN.
all | (Optional) Disables all remote SPAN source or destination sessions.
disable destination | Disables remote SPAN destination information.
mod/port | (Optional) Remote SPAN destination port.
src_mod/src_ports... | Monitored ports (remote SPAN source).
vlans... | Monitored VLANs (remote SPAN source).
sc0 | Specifies the inband port is a valid source.
rx | (Optional) Specifies that information received at the source (ingress SPAN) is monitored.
tx | (Optional) Specifies that information transmitted from the source (egress SPAN) is monitored.
both | (Optional) Specifies that information both received at the source (ingress SPAN) and transmitted from the source (egress SPAN) is monitored.
multicast enable | (Optional) Enables monitoring multicast traffic (egress traffic only).
multicast disable | (Optional) Disables monitoring multicast traffic (egress traffic only).
filter vlans | (Optional) Monitors traffic on selected VLANs on source trunk ports.
create | (Optional) Creates a new remote SPAN session instead of overwriting the previous SPAN session.
inpkts enable | (Optional) Allows the remote SPAN destination port to receive normal ingress traffic (from the network to the bus) while forwarding the remote SPAN traffic.
inpkts disable | (Optional) Disables the receiving of normal inbound traffic on the remote SPAN destination port.
learning enable | (Optional) Enables learning for the remote SPAN destination port.
learning disable | (Optional) Disables learning for the remote SPAN destination port.
Defaults
The defaults are as follows:
• Remote SPAN is disabled.
• No VLAN filtering.
• Monitoring multicast traffic is enabled.
• Learning is enabled.
• inpkts is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The rspan_vlan variable is optional in the set rspan disable source command and required in the set rspan source and set rspan destination commands.
After you enable SPAN, system defaults are used if no parameters were ever set. If you changed parameters, these are stored in NVRAM, and the new parameters are used.
Use a network analyzer to monitor ports.
Use the inpkts keyword with the enable option to allow the remote SPAN destination port to receive normal incoming traffic in addition to the traffic mirrored from the remote SPAN source. Use the disable option to prevent the remote SPAN destination port from receiving normal incoming traffic.
You can specify a Multilayer Switch Module (MSM) port as the remote SPAN source port. However, you cannot specify an MSM port as the remote SPAN destination port.
When you enable the inpkts option, a warning message notifies you that the destination port does not join STP and may cause loops if this option is enabled.
If you do not specify the keyword create and you have only one session, the session will be overwritten. If a matching rspan_vlan or destination port exists, the particular session will be overwritten (with or without specifying create). If you specify the keyword create and there is no matching rspan_vlan or destination port, the session will be created.
Each switch can source only one remote SPAN session (ingress, egress, or both). When you configure a remote ingress or bidirectional SPAN session in a source switch, the limit for local ingress or bidirectional SPAN session is reduced to one. There are no limits on the number of remote SPAN sessions carried across the network within the remote SPAN session limits.
You can configure any VLAN as a remote SPAN VLAN as long as these conditions are met:
• The same remote SPAN VLAN is used for a remote SPAN session in the switches.
• All the participating switches have appropriate hardware and software.
• No unwanted access port is configured in the remote SPAN VLAN.
Examples
This example shows how to disable all enabled source sessions:
Console> (enable) set rspan disable source all
This command will disable all remote span source session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of all source(s) on the switch for remote span.
This example shows how to disable one source session to a specific VLAN:
Console> (enable) set rspan disable source 903
Disabled monitoring of all source(s) on the switch for rspan_vlan 903.
This example shows how to disable all enabled destination sessions:
Console> (enable) set rspan disable destination all
This command will disable all remote span destination session(s).
Do you want to continue (y/n) [n]? y
Disabled monitoring of remote span traffic on ports 9/1,9/2,9/3,9/4,9/5,9/6.
This example shows how to disable one destination session to a specific port:
Console> (enable) set rspan disable destination 4/1
Disabled monitoring of remote span traffic on port 4/1.
Related Commands
show rspan
set security acl adjacency
To set an entry for the adjacency table, use the set security acl adjacency command.
set security acl adjacency adjacency_name dest_vlan dest_mac [source_mac [mtu mtu_size] |
mtu mtu_size]
Syntax Description
Keyword | Description
--- | ---
adjacency_name | Name of the adjacency table entry.
dest_vlan | Name of the destination VLAN.
dest_mac | Destination MAC address.
source_mac | (Optional) Source MAC address.
mtu mtu_size | (Optional) Specifies packet size in bytes.
Defaults
The default size for the MTU is 9600 bytes.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The order of ACEs in a policy-based forwarding (PBF) VACL is important. The adjacency table entry has to be defined in the VACL before the redirect ACE because the redirect ACE uses it to redirect traffic. Refer to the Catalyst 6500 Series Switch Software Configuration Guide for detailed information on configuring PBF VACLs.
You can set the MTU when jumbo frames are sent using PBF.
Examples
This example shows how to set an entry for the adjacency table:
Console> (enable) set security acl adjacency ADJ1 11 0-0-0-0-0-B 0-0-0-0-0-A
This example shows how to set an entry for the adjacency table with a specific MTU size:
Console> (enable) set security acl adjacency a_1 2 0-0a-0a-0a-0a-0a 9000
Related Commands
clear security acl
commit
show security acl
set security acl arp-inspection
To configure Address Resolution Protocol (ARP) inspection features, use the set security acl arp-inspection command.
set security acl arp-inspection {match-mac | address-validation}
{enable | [drop [log]] | disable}
Syntax Description
Keyword | Description
--- | ---
match-mac | Specifies the MAC address matching feature.
address-validation | Specifies the address validation feature.
enable | Enables the specified ARP inspection feature.
drop | (Optional) Indicates to drop packets.
log | (Optional) Enables logging.
disable | Disables the specified ARP inspection feature.
Defaults
The MAC address matching feature and the address validation feature are disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enter the set security acl arp-inspection match-mac enable command, the system drops packets in which the source Ethernet address in the Ethernet header is not the same as the source MAC address in the ARP header.
When you enter the set security acl arp-inspection address-validation enable command, the system drops packets that have illegal IP or MAC addresses.
The following IP addresses are illegal:
• 0.0.0.0
• 255.255.255.255
• Class D multicast IP addresses
The following MAC addresses are illegal:
• 00-00-00-00-00-00
• Multicast MAC addresses
• ff-ff-ff-ff-ff-ff
Note: If you do not enter the drop keyword, the system only generates a syslog message.
Use the set security acl arp-inspection command in conjunction with the set security acl ip arp-inspection command. For more information about configuring ARP inspection features, refer to the "Configuring Access Control" chapter of the Catalyst 6500 Series Switch Software Configuration Guide.
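The two checks described above (match-mac and address-validation), modeled as an added Python example. This is not CatOS code and not from the Cisco documentation: the packet field names eth_src_mac, arp_sender_mac and arp_sender_ip are assumptions, address validation is applied to the ARP sender addresses only (the page does not say which ARP fields are inspected), and the drop keyword is modeled as a per-feature mode in which a feature enabled without drop only records a finding, as the Note above describes.

```python
# Added example (not CatOS code): ARP inspection decision logic.
import ipaddress
from dataclasses import dataclass


@dataclass
class ArpPacket:
    eth_src_mac: str     # source MAC in the Ethernet header (assumed field name)
    arp_sender_mac: str  # sender hardware address in the ARP header (assumed)
    arp_sender_ip: str   # sender protocol address in the ARP header (assumed)


def _mac_bytes(mac: str) -> bytes:
    """Parse a MAC written with '-' or ':' separators, case-insensitive."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac}")
    return bytes(int(p, 16) for p in parts)


def is_illegal_ip(ip: str) -> bool:
    """0.0.0.0, 255.255.255.255 and class D (multicast) addresses are illegal."""
    addr = ipaddress.IPv4Address(ip)
    return (addr == ipaddress.IPv4Address("0.0.0.0")
            or addr == ipaddress.IPv4Address("255.255.255.255")
            or addr.is_multicast)


def is_illegal_mac(mac: str) -> bool:
    """All-zero, broadcast and multicast (I/G bit set) MAC addresses are illegal."""
    b = _mac_bytes(mac)
    if b == bytes(6) or b == b"\xff" * 6:
        return True
    return bool(b[0] & 0x01)  # group bit set -> multicast (also covers broadcast)


def match_mac_violation(pkt: ArpPacket) -> bool:
    """match-mac: Ethernet source MAC must equal the ARP sender MAC."""
    return _mac_bytes(pkt.eth_src_mac) != _mac_bytes(pkt.arp_sender_mac)


def address_validation_violation(pkt: ArpPacket) -> bool:
    """address-validation: sender IP and sender MAC must both be legal."""
    return is_illegal_ip(pkt.arp_sender_ip) or is_illegal_mac(pkt.arp_sender_mac)


def inspect(pkt: ArpPacket, match_mac="disable", address_validation="disable"):
    """Apply both features in their configured mode.

    Mode is 'disable', 'log' (enabled without the drop keyword: the finding is
    only logged and the packet is forwarded) or 'drop' (enabled with drop).
    Returns (verdict, findings) where findings lists (feature, mode) pairs.
    """
    findings = []
    if match_mac != "disable" and match_mac_violation(pkt):
        findings.append(("match-mac", match_mac))
    if address_validation != "disable" and address_validation_violation(pkt):
        findings.append(("address-validation", address_validation))
    verdict = "drop" if any(mode == "drop" for _, mode in findings) else "forward"
    return verdict, findings


if __name__ == "__main__":
    # Constructed sample: Ethernet source MAC disagrees with the ARP sender MAC.
    spoofed = ArpPacket("00-11-22-33-44-55", "00-11-22-33-44-66", "10.0.0.5")
    print(inspect(spoofed, match_mac="log"))   # ('forward', [('match-mac', 'log')])
    print(inspect(spoofed, match_mac="drop"))  # ('drop', [('match-mac', 'drop')])
```

The findings list is what a syslog-only configuration would emit; the verdict is what the forwarding path would do once drop is configured.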
Examples
This example shows how to enable the MAC address matching feature:
Console> (enable) set security acl arp-inspection match-mac enable
ARP Inspection match-mac feature enabled.
This example shows how to enable the address validation feature:
Console> (enable) set security acl arp-inspection address-validation enable
ARP Inspection address-validation feature enabled.
Related Commands
set port arp-inspection
set security acl ip
set security acl capture-ports
To set the ports (specified with the capture option in the set security acl ip, set security acl ipx, and set security acl mac commands) to show traffic captured on these ports, use the set security acl capture-ports command.
set security acl capture-ports {mod/ports...}
Syntax Description
Keyword | Description
--- | ---
mod/ports... | Module and port number.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved in NVRAM. This command does not require that you enter the commit command.
The module and port specified in this command are added to the current ports configuration list.
This command works with Ethernet ports only; you cannot set ATM ports.
The ACL capture will not work unless the capture port is in the spanning tree forwarding state for the VLAN.
Examples
This example shows how to set a port to capture traffic:
Console> (enable) set security acl capture-ports 3/1
Successfully set 3/1 to capture ACL traffic.
This example shows how to set multiple ports to capture traffic:
Console> (enable) set security acl capture-ports 1/1-10
Successfully set the following ports to capture ACL traffic: 1/1-2.
Related Commands
clear security acl capture-ports
show security acl capture-ports
set security acl feature ratelimit
To specify a rate limit for the number of packets that are sent to the CPU on a global basis, use the set security acl feature ratelimit command.
set security acl feature ratelimit rate
Syntax Description
Keyword | Description
--- | ---
rate | Number of packets; valid values are from 0 to 1000 packets per second.
Defaults
The rate is 500 pps.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The rate limiting option might be shared by multiple features. To display the features sharing rate limiting, enter the show security acl feature ratelimit command.
To specify the rate limit for the number of ARP inspection packets that are sent to the CPU on a per-port basis, use the set port arp-inspection command.
Examples
This example shows how to set the global rate limit to 600 pps:
Console> (enable) set security acl feature ratelimit 600
ARP Inspection global rate limit set to 600 pps.
Related Commands
set port arp-inspection
show security acl feature ratelimit
set security acl ip
To create a new entry in a standard IP VACL and append the new entry at the end of the VACL, use the set security acl ip command.
set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} [permit | deny] arp
set security acl ip {acl_name} {permit | deny | redirect {adj_name | mod_num/port_num}}
{protocol} {src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [fragment]
[capture] [before editbuffer_index | modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip]
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [fragment] [capture]
[before editbuffer_index | modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1]
{src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message]
[precedence precedence] [tos tos] [fragment] [capture] [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established]
[precedence precedence] [tos tos] [fragment] [capture] [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]]
[precedence precedence] [tos tos] [fragment] [capture] [before editbuffer_index |
modify editbuffer_index] [log]
set security acl ip {acl_name} {permit | deny} arp-inspection {host ip_addr}
{mac_addr | any [log]}
set security acl ip {acl_name} {permit | deny} arp-inspection any any [log]
set security acl ip {acl_name} {permit | deny} arp-inspection {host ip_addr} {ip_mask} any
[log]
set security acl ip {acl_name} permit dot1x-dhcp [before editbuffer_index | modify
editbuffer_index]
set security acl ip {acl_name} permit any
Syntax Description
Keyword | Description
--- | ---
acl_name | Unique name that identifies the lists to which the entry belongs.
permit | Allows traffic from the source IP address.
deny | Blocks traffic from the source IP address.
src_ip_spec | Source IP address and the source mask. See the "Usage Guidelines" section for the format.
before editbuffer_index | (Optional) Inserts the new ACE in front of another ACE.
modify editbuffer_index | (Optional) Replaces an ACE with the new ACE.
log | (Optional) Logs denied packets.
arp | Specifies ARP.
redirect | Specifies to which switched ports the packet is redirected.
mod_num/port_num | Number of the module and port.
adj_name | Name of the adjacency table entry.
protocol | Keyword or number of an IP protocol; valid numbers are from 0 to 255 representing an IP protocol number. See the "Usage Guidelines" section for the list of valid keywords.
dest_ip_spec | Destination IP address and the destination mask. See the "Usage Guidelines" section for the format.
precedence precedence | (Optional) Specifies the precedence level; valid values are from 0 to 7 or by name. See the "Usage Guidelines" section for a list of valid names.
tos tos | (Optional) Specifies the type of service level; valid values are from 0 to 15 or by name. See the "Usage Guidelines" section for a list of valid names.
fragment | (Optional) Filters IP traffic that carries fragments.
capture | (Optional) Specifies packets are switched normally and captured; permit must also be enabled.
ip | (Optional) Matches any Internet Protocol packet.
icmp \| 1 | (Optional) Matches ICMP packets.
icmp_type | (Optional) ICMP message type name or a number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.
icmp_code | (Optional) ICMP message code name or a number; valid values are from 0 to 255. See the "Usage Guidelines" section for a list of valid names.
icmp_message | (Optional) ICMP message type name or ICMP message type and code name. See the "Usage Guidelines" section for a list of valid names.
tcp \| 6 | (Optional) Matches TCP packets.
operator | (Optional) Operands; valid values include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
port | (Optional) Number or name of a TCP or UDP port; valid port numbers are from 0 to 65535. See the "Usage Guidelines" section for a list of valid names.
established | (Optional) Specifies an established connection; used only for TCP protocol.
udp \| 17 | (Optional) Matches UDP packets.
arp-inspection | Specifies ARP inspection.
host ip_addr | Specifies the host and host's IP address.
mac_addr | Specifies the MAC address.
any | Matches any IP address or MAC address.
ip_mask | Specifies the IP mask.
dot1x-dhcp | Specifies dot1x authentication for the DHCP Relay Agent.
Defaults
There are no default ACLs and no default ACL-VLAN mappings. By default, ARP is enabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches, and then enter the commit command to save them in NVRAM and in the hardware.
The arp keyword is supported on switches configured with the Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2). The arp keyword is supported on a per-ACL basis only; either ARP is allowed or ARP is denied.
If you use the fragment keyword in an ACE, this ACE applies to nonfragmented traffic and to the fragment with offset equal to zero in a fragmented flow.
A fragmented ACE that permits Layer 4 traffic from host A to host B also permits fragmented traffic from host A to host B regardless of the Layer 4 port.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
When you specify the source IP address and the source mask, use the form source_ip_address source_mask and follow these guidelines:
• The source_mask is required; 0 indicates a care bit, 1 indicates a don't-care bit.
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
When you enter a destination IP address and the destination mask, use the form destination_ip_address destination_mask. The destination mask is required.
• Use a 32-bit quantity in a four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
The log keyword is an option of deny only. If you want to change an existing VACL configuration to deny with log, you must first clear the VACL and then set it again.
The log keyword is supported on systems configured with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) only.
Valid names for precedence are critical, flash, flash-override, immediate, internet, network, priority, and routine.
Valid names for tos are max-reliability, max-throughput, min-delay, min-monetary-cost, and normal.
Valid protocol keywords include icmp (1), ip, ipinip (4), tcp (6), udp (17), igrp (9), eigrp (88), gre (47), nos (94), ospf (89), ahp (51), esp (50), pcp (108), and pim (103). The IP number is displayed in parentheses. Use the keyword ip to match any Internet Protocol.
ICMP packets that are matched by ICMP message type can also be matched by the ICMP message code.
Valid names for icmp_type and icmp_code are administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, and unreachable.
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
TCP port names can be used only when filtering TCP. Valid names for TCP ports are bgp, chargen, daytime, discard, domain, echo, finger, ftp, ftp-data, gopher, hostname, irc, klogin, kshell, lpd, nntp, pop2, pop3, smtp, sunrpc, syslog, tacacs-ds, talk, telnet, time, uucp, whois, and www.
UDP port names can be used only when filtering UDP. Valid names for UDP ports are biff, bootpc, bootps, discard, dns, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs-ds, talk, tftp, time, who, and xdmcp.
The number listed with the protocol type is the layer protocol number (for example, udp | 17).
If no layer protocol number is entered, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny} {src_ip_spec} [before editbuffer_index |
modify editbuffer_index]
If a Layer 4 protocol is specified, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect mod_num/port_num} {protocol}
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture]
[before editbuffer_index | modify editbuffer_index]
For IP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [ip]
{src_ip_spec} {dest_ip_spec} [precedence precedence] [tos tos] [capture]
[before editbuffer_index | modify editbuffer_index]
For ICMP, you can enter the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [icmp | 1]
{src_ip_spec} {dest_ip_spec} [icmp_type] [icmp_code] | [icmp_message]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
For TCP, you can use the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [tcp | 6]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]] [established]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
For UDP, you can use the following syntax:
set security acl ip {acl_name} {permit | deny | redirect {mod_num/port_num}} [udp | 17]
{src_ip_spec} [operator port [port]] {dest_ip_spec} [operator port [port]]
[precedence precedence] [tos tos] [capture] [before editbuffer_index |
modify editbuffer_index]
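The naming conventions, the source/destination specs (wildcard masks and the any and host abbreviations), the TCP/UDP port operators and the ordered evaluation of ACEs described in these Usage Guidelines, as an added Python example. This is not CatOS code and not from the Cisco documentation; it assumes first-match evaluation with an implicit deny after the last ACE, covers the standard, ip, tcp and udp forms only (no icmp, precedence, tos or redirect handling), and builds its sample ACL from the command lines in the Examples section plus one constructed TCP ACE.

```python
# Added example (not CatOS code): parse and evaluate IP VACL entries.
import ipaddress
import re

# Naming conventions: 1-32 characters from a-z A-Z 0-9 - _ . starting with a
# letter, case sensitive, and not one of the reserved keywords.
ACL_KEYWORDS = {"all", "default-action", "map", "help", "editbuffer"}
_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,31}$")


def valid_acl_name(name):
    return bool(_NAME_RE.match(name)) and name not in ACL_KEYWORDS


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def parse_ip_spec(tokens):
    """Consume one ip_spec from the front of a token list.

    Returns ((address, wildcard), remaining_tokens). In the wildcard a 0 bit
    is a care bit and a 1 bit a don't-care bit; 'any' and 'host X' are the
    documented abbreviations for 0.0.0.0 255.255.255.255 and X 0.0.0.0.
    """
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def ip_matches(spec, ip_text):
    address, wildcard = spec
    return (_ip(ip_text) | wildcard) == (address | wildcard)


_OPERATORS = ("lt", "gt", "eq", "neq", "range")


def parse_port_operator(tokens):
    """Consume an optional [operator port [port]]: range takes two ports, the
    other operators one. Returns (predicate, remaining_tokens)."""
    if not tokens or tokens[0] not in _OPERATORS:
        return (lambda port: True), tokens
    op = tokens[0]
    if op == "range":
        low, high = int(tokens[1]), int(tokens[2])
        return (lambda port: low <= port <= high), tokens[3:]
    n = int(tokens[1])
    predicate = {"lt": lambda port: port < n, "gt": lambda port: port > n,
                 "eq": lambda port: port == n, "neq": lambda port: port != n}[op]
    return predicate, tokens[2:]


_TRAILING = {"before", "modify", "log", "capture", "precedence", "tos", "fragment"}


def parse_ace(line):
    """Parse the text after the ACL name in a set security acl ip command,
    e.g. 'deny host 171.3.8.2' or 'permit tcp any host 60.1.1.98 eq 80'."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    protocol = None
    if rest[0] in ("ip", "tcp", "udp"):
        protocol, rest = rest[0], rest[1:]
    src, rest = parse_ip_spec(rest)
    sport = dport = (lambda port: True)
    dst = None
    if protocol in ("tcp", "udp"):
        sport, rest = parse_port_operator(rest)   # operator after the source
    if rest and rest[0] not in _TRAILING:
        dst, rest = parse_ip_spec(rest)
        protocol = protocol or "ip"              # 'permit any any' is the [ip] form
    if protocol in ("tcp", "udp"):
        dport, rest = parse_port_operator(rest)   # operator after the destination
    return {"action": action, "protocol": protocol, "src": src,
            "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, packet):
    if ace["protocol"] in ("tcp", "udp") and packet["protocol"] != ace["protocol"]:
        return False
    if not ip_matches(ace["src"], packet["src"]):
        return False
    if ace["dst"] is not None and not ip_matches(ace["dst"], packet["dst"]):
        return False
    return ace["sport"](packet.get("sport", 0)) and ace["dport"](packet.get("dport", 0))


def evaluate(acl, packet):
    """Walk the ACEs in order and return the first matching action; falling
    off the end denies the packet (assumed implicit deny)."""
    for ace in acl:
        if ace_matches(ace, packet):
            return ace["action"]
    return "deny"


# Constructed VACL: the page's example ACEs plus one TCP ACE with an operator.
IPACL1 = [parse_ace(line) for line in (
    "deny 1.2.3.4 0.0.0.0",
    "deny host 171.3.8.2",
    "permit tcp any host 60.1.1.98 eq 80",
    "permit any any",
)]
```

Because evaluation stops at the first match, the position given with before editbuffer_index changes the outcome: the same permit any any ACE placed first would shadow every deny that follows it.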
Examples
These examples show different ways to use the set security acl ip commands to configure IP security ACL:
Console> (enable) set security acl ip IPACL1 deny 1.2.3.4 0.0.0.0
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 deny host 171.3.8.2 before 2
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit any any
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 redirect 3/1 ip 3.7.1.2 0.0.0.255 host
255.255.255.255 precedence 1 tos min-delay
IPACL1 editbuffer modified. Use `commit' command to apply changes.
Console> (enable) set security acl ip IPACL1 permit ip host 60.1.1.1 host 60.1.1.98
capture
IPACL1 editbuffer modified. Use 'commit' command to apply changes.
Related Commands
clear security acl
clear security acl capture-ports
clear security acl map
commit
set security acl map
set security acl capture-ports
show security acl
show security acl capture-ports
set security acl ipx
To create a new entry in a standard IPX VACL and to append the new entry at the end of the VACL, use the set security acl ipx command.
set security acl ipx {acl_name} {permit | deny | redirect mod_num/port_num} {protocol}
{src_net} [dest_net.[dest_node] [[dest_net_mask.]dest_node_mask]] [capture]
[before editbuffer_index | modify editbuffer_index]
Syntax Description
Keyword | Description
--- | ---
acl_name | Unique name that identifies the list to which the entry belongs.
permit | Allows traffic from the specified source IPX address.
deny | Blocks traffic from the specified source IPX address.
redirect | Redirects traffic from the specified source IPX address.
mod_num/port_num | Number of the module and port.
protocol | Keyword or number of an IPX protocol; valid values are from 0 to 255 representing an IPX protocol number. See the "Usage Guidelines" section for a list of valid keywords and corresponding numbers.
src_net | Number of the network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.
dest_net. | (Optional) Number of the network to which the packet is being sent.
dest_node | (Optional) Node on destination-network to which the packet is being sent.
dest_net_mask. | (Optional) Mask to be applied to the destination network. See the "Usage Guidelines" section for format guidelines.
dest_node_mask | (Optional) Mask to be applied to the destination-node. See the "Usage Guidelines" section for format guidelines.
capture | (Optional) Specifies packets are switched normally and captured.
before editbuffer_index | (Optional) Inserts the new ACE in front of another ACE.
modify editbuffer_index | (Optional) Replaces an ACE with the new ACE.
Defaults
There are no default ACLs and no default ACL-VLAN mappings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches, and then enter the commit command to save all of them in NVRAM and in the hardware.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
Valid protocol keywords include ncp (17), netbios (20), rip (1), sap (4), and spx (5).
The src_net and dest_net variables are eight-digit hexadecimal numbers that uniquely identify network cable segments. When you specify the src_net or dest_net, use the following guidelines:
• It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks.
• You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA.
The dest_node is a 48-bit value represented by a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx).
The dest_net_mask. is an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must be immediately followed by a period, which must in turn be immediately followed by the destination-node-mask. You can enter this value only when dest_node is specified.
The dest_node_mask is a 48-bit value represented as a dotted triplet of 4-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when dest_node is specified.
The dest_net_mask. is an eight-digit hexadecimal number that uniquely identifies the network cable segment. It can be a number in the range 0 to FFFFFFFF. A network number of -1 or any matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. Following are dest_net_mask. examples:
• 123A
• 123A.1.2.3
• 123A.1.2.3 ffff.ffff.ffff
• 1.2.3.4 ffff.ffff.ffff.ffff
Use the show security acl command to display the list.
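The IPX network, node and mask rules described above (hexadecimal network numbers with optional leading zeros, -1 or any for all networks, the xxxx.xxxx.xxxx node triplet, and masks in which a one bit marks a don't-care position), as an added Python example that is not CatOS code and not from the Cisco documentation. The function names are assumptions; the four dest_net_mask. examples listed above are used as the sample inputs.

```python
# Added example (not CatOS code): parse IPX destination specs and match them.
import re


def parse_ipx_net(text):
    """Return (value, mask) for a network number: up to eight hex digits with
    optional leading zeros; -1 or any matches all networks."""
    if text in ("-1", "any"):
        return 0, 0xFFFFFFFF
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", text):
        raise ValueError(f"bad IPX network number: {text}")
    return int(text, 16), 0


def parse_ipx_node(text):
    """Return a 48-bit node value from a dotted triplet xxxx.xxxx.xxxx; each
    group may omit leading zeros, as in the page's example 123A.1.2.3."""
    parts = text.split(".")
    if len(parts) != 3 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,4}", p) for p in parts):
        raise ValueError(f"bad IPX node: {text}")
    return int("".join(p.zfill(4) for p in parts), 16)


def parse_ipx_dest(spec, mask=None):
    """Parse dest_net[.dest_node] plus an optional [dest_net_mask.]dest_node_mask.

    Returns (net, net_mask, node, node_mask); node and node_mask are None when
    no node was given. A mask is accepted only when a node is present, as the
    Usage Guidelines require.
    """
    parts = spec.split(".")
    net, net_mask = parse_ipx_net(parts[0])
    node = node_mask = None
    if len(parts) == 4:
        node, node_mask = parse_ipx_node(".".join(parts[1:])), 0
    elif len(parts) != 1:
        raise ValueError(f"bad IPX destination: {spec}")
    if mask is not None:
        if node is None:
            raise ValueError("a mask may be given only when dest_node is specified")
        mparts = mask.split(".")
        if len(mparts) == 4:                     # dest_net_mask. precedes the node mask
            net_mask |= int(mparts[0], 16)
            mparts = mparts[1:]
        node_mask = parse_ipx_node(".".join(mparts))
    return net, net_mask, node, node_mask


def ipx_dest_matches(parsed, net, node):
    """Compare a packet's destination network and node against a parsed spec;
    one bits in a mask are ignored positions."""
    spec_net, net_mask, spec_node, node_mask = parsed
    if (net | net_mask) != (spec_net | net_mask):
        return False
    if spec_node is None:                        # network-only spec
        return True
    return (node | node_mask) == (spec_node | node_mask)


if __name__ == "__main__":
    # The page's four examples, parsed: network only, network.node, and both with masks.
    for spec in ("123A", "123A.1.2.3", "123A.1.2.3 ffff.ffff.ffff", "1.2.3.4 ffff.ffff.ffff.ffff"):
        print(spec, "->", parse_ipx_dest(*spec.split()))
```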
Examples
This example shows how to block traffic from a specified source IPX address:
Console> (enable) set security acl ipx IPXACL1 deny 1.a
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
This example shows how to deny traffic from hosts in a specific subnet (10.1.2.0/8):
Console> (enable) set security acl ipx SERVER deny ip 10.1.2.0 0.0.0.255 host 10.1.1.100
IPXACL1 editbuffer modified. Use `commit' command to apply changes.
Related Commands
clear security acl
clear security acl capture-ports
clear security acl map
commit
set security acl map
set security acl capture-ports
show security acl
show security acl capture-ports
set security acl log
To configure the security ACL log table, use the set security acl log command.
set security acl log maxflow max_number
set security acl log ratelimit pps
Syntax Description
Keyword | Description
--- | ---
maxflow max_number | Specifies the maximum flow pattern number in packets per second; valid values are from 256 to 2048.
ratelimit pps | Specifies the redirect rate in packets per second; valid values are from 500 to 5000.
Defaults
The default max_number is 500 packets per second and the default ratelimit is 2500 packets per second.
Command Types
Switch command.
Command Modes
Normal.
Usage Guidelines
The command is supported on systems configured with Supervisor Engine 2 with Layer 3 Switching Engine II (PFC2) only.
The set security acl log maxflow command tries to allocate a new log table based on the maximum flow pattern number to store logged packet information. If successful, the new buffer replaces the old one and all flows in the old table are cleared. If either memory is not enough or the maximum number is over the limit, an error message is displayed and the command is dropped.
The set security acl log ratelimit command tries to set the redirect rate in packets per second. If the configuration is over the range, the command is discarded and the range is displayed on the console.
Examples
This example shows how to set the maximum flow:
Console> (enable) set security acl log maxflow 322
Log table size set to 322 flow entries.
This example shows how to set the rate limit:
Console> (enable) set security acl log ratelimit 3444
Max logging eligible packet rate set to 3444pps.
Related Commands
clear security acl log flow
set security acl log
show security acl log
set security acl mac
To create a new entry in a non-IP or non-IPX protocol VACL and to append the new entry at the end of the VACL, use the set security acl mac command.
set security acl mac {acl_name} {permit | deny} {src_mac_addr_spec}
{dest_mac_addr_spec} [ether-type] [capture] [before editbuffer_index |
modify editbuffer_index]
Syntax Description
Keyword | Description
--- | ---
acl_name | Unique name that identifies the list to which the entry belongs.
permit | Allows traffic from the specified source MAC address.
deny | Blocks traffic from the specified source MAC address.
src_mac_addr_spec | Source MAC address and mask in the form source_mac_address source_mac_address_mask.
dest_mac_addr_spec | Destination MAC address and mask.
ether-type | (Optional) Number or name that matches the Ethertype for Ethernet-encapsulated packets; valid values are 0x0600, 0x0601, 0x0BAD, 0x0BAF, 0x6000-0x6009, 0x8038-0x8042, 0x809b, and 0x80f3. See the "Usage Guidelines" section for a list of valid names.
capture | (Optional) Specifies packets are switched normally and captured.
before editbuffer_index | (Optional) Inserts the new ACE in front of another ACE.
modify editbuffer_index | (Optional) Replaces an ACE with the new ACE.
Defaults
There are no default ACLs and no default ACL-VLAN mappings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Configurations you make by entering this command are saved to NVRAM and hardware only after you enter the commit command. Enter ACEs in batches, and then enter the commit command to save all of them in NVRAM and in the hardware.
If you use the capture keyword, the ports that capture the traffic and transmit out are specified by entering the set security acl capture-ports command.
When you enter the ACL name, follow these naming conventions:
• Maximum of 32 characters long and may include a-z, A-Z, 0-9, the dash character (-), the underscore character (_), and the period character (.)
• Must start with an alpha character and must be unique across all ACLs of all types
• Case sensitive
• Cannot be a number
• Must not be a keyword; keywords to avoid are all, default-action, map, help, and editbuffer
The src_mac_addr_spec is a 48-bit source MAC address and mask and entered in the form of source_mac_address source_mac_address_mask (for example, 08-11-22-33-44-55 ff-ff-ff-ff-ff-ff). Place ones in the bit positions you want to mask. When you specify the src_mac_addr_spec, follow these guidelines:
• The source_mask is required; 0 indicates a care bit; 1 indicates a don't-care bit.
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.