This chapter describes the Cisco NX-OS security commands available on Cisco Nexus 5000 Series switches.
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default {group group-list | local}
no aaa accounting default {group group-list | local}
The local database is the default.
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The group group-list method refers to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or the local method and it fails, then accounting can fail.
This example shows how to configure any RADIUS server for AAA accounting:
switch(config)# aaa accounting default group radius
To configure authentication, authorization, and accounting (AAA) authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console {group group-list [none] | local | none}
no aaa authentication login console {group group-list [none] | local | none}
The local database
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, then the authentication can fail. If you specify the none method alone or after the group method, then the authentication always succeeds.
This example shows how to configure the AAA authentication console login method:
switch(config)# aaa authentication login console group radius
This example shows how to revert to the default AAA authentication console login method:
switch(config)# no aaa authentication login console group radius
To configure the default authentication, authorization, and accounting (AAA) authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default {group group-list [none] | local | none}
no aaa authentication login default {group group-list [none] | local | none}
The local database
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The group radius, group tacacs+, and group group-list methods refer to a set of previously defined RADIUS or TACACS+ servers. Use the radius-server host or tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
If you specify the group method or local method and they fail, then the authentication fails. If you specify the none method alone or after the group method, then the authentication always succeeds.
This example shows how to configure the default AAA authentication login method:
switch(config)# aaa authentication login default group radius
This example shows how to revert to the default AAA authentication login method:
switch(config)# no aaa authentication login default group radius
To configure that the authentication, authorization, and accounting (AAA) authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
This command has no arguments or keywords.
Disabled
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In this situation, the following message is displayed if you have enabled the displaying of login failure messages:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
This example shows how to enable the display of AAA authentication failure messages to the console:
switch(config)# aaa authentication login error-enable
This example shows how to disable the display of AAA authentication failure messages to the console:
switch(config)# no aaa authentication login error-enable
Command | Description
---|---
show aaa authentication | Displays the status of the AAA authentication failure message display.
To enable Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
This command has no arguments or keywords.
Disabled
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to enable MS-CHAP authentication:
switch(config)# aaa authentication login mschap enable
This example shows how to disable MS-CHAP authentication:
switch(config)# no aaa authentication login mschap enable
Command | Description
---|---
show aaa authentication | Displays the status of MS-CHAP authentication.
To configure default authentication, authorization, and accounting (AAA) authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [group group-list] [local | none]
no aaa authorization commands default [group group-list] [local | none]
None
Global configuration mode
Release | Modification
---|---
4.2(1)N1(1) | This command was introduced.
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.
This example shows how to configure the default AAA authorization methods for EXEC commands:
switch(config)# aaa authorization commands default group TacGroup local
switch(config)#
This example shows how to revert to the default AAA authorization methods for EXEC commands:
switch(config)# no aaa authorization commands default group TacGroup local
switch(config)#
To configure the default authentication, authorization, and accounting (AAA) authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [group group-list] [local | none]
no aaa authorization config-commands default [group group-list] [local | none]
None
Global configuration mode
Release | Modification
---|---
4.2(1)N1(1) | This command was introduced.
To use this command, you must enable the TACACS+ feature by using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you specify the none method alone or after the group method, then the authorization always succeeds.
This example shows how to configure the default AAA authorization methods for configuration commands:
switch(config)# aaa authorization config-commands default group TacGroup local
switch(config)#
This example shows how to revert to the default AAA authorization methods for configuration commands:
switch(config)# no aaa authorization config-commands default group TacGroup local
switch(config)#
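The method-list rules stated above are easy to get wrong in a running configuration: a none method after group makes login or authorization succeed whenever the servers fail, a group name that was never created with aaa group server can never succeed, and an authorization list without a local or none fallback fails outright once every server group is unreachable (login, by contrast, rolls over to the local database on its own). The following Python script is an added example, not Cisco documentation or NX-OS code; it parses those lines out of a constructed configuration excerpt and flags the three conditions. The configuration text, the host address and the group names TacGroup and RadGroup are invented for the example.

```python
"""Audit NX-OS AAA method lists for fallbacks that weaken access control or lock operators out."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed running-config excerpt (hypothetical; not taken from the command reference).
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server host 10.0.0.5
aaa group server tacacs+ TacGroup
  server 10.0.0.5
aaa authentication login default group TacGroup none
aaa authentication login console local
aaa authorization commands default group TacGroup
aaa authorization config-commands default group RadGroup local
"""

METHOD_LINE = re.compile(
    r"^aaa (?P<kind>authentication login|authorization (?:config-)?commands) "
    r"(?P<list>default|console) (?P<methods>.+)$"
)
GROUP_LINE = re.compile(r"^aaa group server (?:radius|tacacs\+) (?P<name>\S+)$")


@dataclass
class Finding:
    kind: str      # "none", "undefined-group" or "no-fallback"
    line: str
    detail: str


def parse_methods(methods: str) -> list[tuple[str, Optional[str]]]:
    """'group TacGroup local none' -> [('group', 'TacGroup'), ('local', None), ('none', None)]."""
    tokens = methods.split()
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "group":
            out.append(("group", tokens[i + 1]))
            i += 2
        else:
            out.append((tokens[i], None))
            i += 1
    return out


def audit_aaa(config: str) -> list[Finding]:
    lines = [ln.strip() for ln in config.splitlines()]
    # The built-in radius and tacacs+ groups always exist; named groups must be created first.
    groups = {"radius", "tacacs+"}
    for ln in lines:
        m = GROUP_LINE.match(ln)
        if m:
            groups.add(m.group("name"))
    findings: list[Finding] = []
    for ln in lines:
        m = METHOD_LINE.match(ln)
        if not m:
            continue
        methods = parse_methods(m.group("methods"))
        names = [name for name, _ in methods]
        if "none" in names:
            findings.append(Finding("none", ln,
                "the none method makes the request succeed as soon as it is reached"))
        for name, group in methods:
            if name == "group" and group not in groups:
                findings.append(Finding("undefined-group", ln,
                    f"server group {group} is not defined, so this method can never succeed"))
        # Login rolls over to the local database by itself when no server responds;
        # authorization does not, so a group-only list fails when every group is unreachable.
        if m.group("kind").startswith("authorization") and not ({"local", "none"} & set(names)):
            findings.append(Finding("no-fallback", ln,
                "no local/none fallback: authorization fails when all server groups are unreachable"))
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE_CONFIG):
        print(f"{f.kind:16} {f.line}\n{'':16} {f.detail}")
```

Run against the sample, the script reports the none method on the default login list, the missing fallback on the commands authorization list, and the undefined RadGroup on the config-commands list; a config that uses only the built-in tacacs+ group with a local fallback produces no findings.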
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Argument | Description
---|---
group-name | RADIUS server group name.
None
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:
switch(config)# aaa group server radius RadServer
switch(config-radius)#
This example shows how to delete a RADIUS server group:
switch(config)# no aaa group server radius RadServer
Command | Description
---|---
show aaa groups | Displays server group information.
To enable the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the aaa user default-role command. To disable the default role, use the no form of this command.
aaa user default-role
no aaa user default-role
This command has no arguments or keywords.
Enabled
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to enable the default role assigned by the AAA server administrator for remote authentication:
switch# aaa user default-role
switch#
This example shows how to disable the default role assigned by the AAA server administrator for remote authentication:
switch# no aaa user default-role
switch#
Command | Description
---|---
show aaa user default-role | Displays the status of the default role for remote authentication.
show aaa authentication | Displays AAA authentication information.
To specify what the switch does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
action {drop | forward}
no action {drop | forward}
Keyword | Description
---|---
drop | Specifies that the switch drops the packet.
forward | Specifies that the switch forwards the packet to its destination port.
None
VLAN access-map configuration
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The action command specifies the action that the device takes when a packet matches the conditions in the ACL specified by the match command.
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics
To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear access-list counters command.
clear access-list counters [access-list-name]
Argument | Description
---|---
access-list-name | (Optional) Name of the IPv4 ACL whose counters the switch clears. The name can be a maximum of 64 alphanumeric characters.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to clear counters for all IPv4 ACLs:
switch# clear access-list counters
This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:
switch# clear access-list counters acl-ipv4-01
To clear the accounting log, use the clear accounting log command.
clear accounting log
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to clear the accounting log:
switch# clear accounting log
Command | Description
---|---
show accounting log | Displays the accounting log contents.
To clear the Address Resolution Protocol (ARP) table and statistics, use the clear ip arp command.
clear ip arp [vlan vlan-id [force-delete | vrf {vrf-name | all | default | management}]]
None
Any command mode
Release | Modification
---|---
4.2(1)N1(1) | This command was introduced.
This example shows how to clear the ARP table statistics:
switch# clear ip arp
switch#
This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf:
switch# clear ip arp vlan 10 vrf vlan-vrf
switch#
Command | Description
---|---
show ip arp | Displays the ARP configuration status.
To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.
deadtime minutes
no deadtime minutes
Argument | Description
---|---
minutes | Number of minutes for the interval. The range is from 0 to 1440 minutes. Setting the dead-time interval to 0 disables the timer.
0 minutes
RADIUS server group configuration
TACACS+ server group configuration
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You must use the feature tacacs+ command before you configure a TACACS+ server group.
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# deadtime 2
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# deadtime 5
This example shows how to revert to the dead-time interval default:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no deadtime 5
To create an IPv4 access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
General Syntax
[sequence-number] deny protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
no deny protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
no sequence-number
Internet Control Message Protocol
[sequence-number] deny icmp source destination [icmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
Internet Group Management Protocol
[sequence-number] deny igmp source destination [igmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
Internet Protocol v4
[sequence-number] deny ip source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
Transmission Control Protocol
[sequence-number] deny tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name] [flags] [established]
User Datagram Protocol
[sequence-number] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
IPv4 ACL configuration
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
•Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address network-wildcard
This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any
•Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address/prefix-len
This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
switch(config-acl)# deny udp 192.168.67.0/24 any
•Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
host IPv4-address
This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
This example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
switch(config-acl)# deny icmp host 192.168.67.132 any
•Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
ICMP Message Types
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
•administratively-prohibited—Administratively prohibited
•alternate-address—Alternate address
•conversion-error—Datagram conversion
•dod-host-prohibited—Host prohibited
•dod-net-prohibited—Net prohibited
•echo—Echo (ping)
•echo-reply—Echo reply
•general-parameter-problem—Parameter problem
•host-isolated—Host isolated
•host-precedence-unreachable—Host unreachable for precedence
•host-redirect—Host redirect
•host-tos-redirect—Host redirect for ToS
•host-tos-unreachable—Host unreachable for ToS
•host-unknown—Host unknown
•host-unreachable—Host unreachable
•information-reply—Information replies
•information-request—Information requests
•mask-reply—Mask replies
•mask-request—Mask requests
•mobile-redirect—Mobile host redirect
•net-redirect—Network redirect
•net-tos-redirect—Net redirect for ToS
•net-tos-unreachable—Network unreachable for ToS
•net-unreachable—Net unreachable
•network-unknown—Network unknown
•no-room-for-option—Parameter required but no room
•option-missing—Parameter required but not present
•packet-too-big—Fragmentation needed and DF set
•parameter-problem—All parameter problems
•port-unreachable—Port unreachable
•precedence-unreachable—Precedence cutoff
•protocol-unreachable—Protocol unreachable
•reassembly-timeout—Reassembly timeout
•redirect—All redirects
•router-advertisement—Router discovery advertisements
•router-solicitation—Router discovery solicitations
•source-quench—Source quenches
•source-route-failed—Source route failed
•time-exceeded—All time-exceeded messages
•timestamp-reply—Time-stamp replies
•timestamp-request—Time-stamp requests
•traceroute—Traceroute
•ttl-exceeded—TTL exceeded
•unreachable—All unreachables
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp—Border Gateway Protocol (179)
chargen—Character generator (19)
cmd—Remote commands (rcmd, 514)
daytime—Daytime (13)
discard—Discard (9)
domain—Domain Name Service (53)
drip—Dynamic Routing Information Protocol (3949)
echo—Echo (7)
exec—EXEC (rsh, 512)
finger—Finger (79)
ftp—File Transfer Protocol (21)
ftp-data—FTP data connections (20)
gopher—Gopher (70)
hostname—NIC hostname server (101)
ident—Ident Protocol (113)
irc—Internet Relay Chat (194)
klogin—Kerberos login (543)
kshell—Kerberos shell (544)
login—Login (rlogin, 513)
lpd—Printer service (515)
nntp—Network News Transport Protocol (119)
pim-auto-rp—PIM Auto-RP (496)
pop2—Post Office Protocol v2 (109)
pop3—Post Office Protocol v3 (110)
smtp—Simple Mail Transport Protocol (25)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
talk—Talk (517)
telnet—Telnet (23)
time—Time (37)
uucp—Unix-to-Unix Copy Program (540)
whois—WHOIS/NICNAME (43)
www—World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff—Biff (mail notification, comsat, 512)
bootpc—Bootstrap Protocol (BOOTP) client (68)
bootps—Bootstrap Protocol (BOOTP) server (67)
discard—Discard (9)
dnsix—DNSIX security protocol auditing (195)
domain—Domain Name Service (DNS, 53)
echo—Echo (7)
isakmp—Internet Security Association and Key Management Protocol (500)
mobile-ip—Mobile IP registration (434)
nameserver—IEN116 name service (obsolete, 42)
netbios-dgm—NetBIOS datagram service (138)
netbios-ns—NetBIOS name service (137)
netbios-ss—NetBIOS session service (139)
non500-isakmp—Internet Security Association and Key Management Protocol (4500)
ntp—Network Time Protocol (123)
pim-auto-rp—PIM Auto-RP (496)
rip—Routing Information Protocol (router, in.routed, 520)
snmp—Simple Network Management Protocol (161)
snmptrap—SNMP Traps (162)
sunrpc—Sun Remote Procedure Call (111)
syslog—System Logger (514)
tacacs—TAC Access Control System (49)
talk—Talk (517)
tftp—Trivial File Transfer Protocol (69)
time—Time (37)
who—Who service (rwho, 513)
xdmcp—X Display Manager Control Protocol (177)
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
switch(config)# ip access-list acl-lab-01
switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# deny tcp 192.168.37.0/24 10.176.0.0/16
switch(config-acl)# deny udp 192.168.37.0/24 10.176.0.0/16
switch(config-acl)# permit ip any any
To create an IPv6 access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
General Syntax
[sequence-number] deny protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
no deny protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
no sequence-number
Internet Control Message Protocol
[sequence-number] deny icmp source destination [icmp-message] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
Internet Protocol v6
[sequence-number] deny ipv6 source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
Stream Control Transmission Protocol
[sequence-number] deny sctp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
Transmission Control Protocol
[sequence-number] deny tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name] [flags] [established]
User Datagram Protocol
[sequence-number] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
None
IPv6 ACL configuration
Release | Modification
---|---
4.0(1a)N1(1) | This command was introduced.
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
•Address and variable-length subnet mask—You can use an IPv6 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
IPv6-address/prefix-len
This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
switch(config-acl)# deny udp 2001:0db8:85a3::/48 any
•Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:
host IPv6-address
This syntax is equivalent to IPv6-address/128.
This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
switch(config-acl)# deny icmp host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 any
•Any address—You can use the any keyword to specify that a source or destination is any IPv6 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
ICMPv6 Message Types
The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the following keywords:
•beyond-scope—Destination beyond scope
•destination-unreachable—Destination address is unreachable
•echo-reply—Echo reply
•echo-request—Echo request (ping)
•header—Parameter header problems
•hop-limit—Hop limit exceeded in transit
•mld-query—Multicast Listener Discovery Query
•mld-reduction—Multicast Listener Discovery Reduction
•mld-report—Multicast Listener Discovery Report
•nd-na—Neighbor discovery neighbor advertisements
•nd-ns—Neighbor discovery neighbor solicitations
•next-header—Parameter next header problems
•no-admin—Administration prohibited destination
•no-route—No route to destination
•packet-too-big—Packet too big
•parameter-option—Parameter option problems
•parameter-problem—All parameter problems
•port-unreachable—Port unreachable
•reassembly-timeout—Reassembly timeout
•redirect—Neighbor redirect
•renum-command—Router renumbering command
•renum-result—Router renumbering result
•renum-seq-number—Router renumbering sequence number reset
•router-advertisement—Neighbor discovery router advertisements
•router-renumbering—All router renumbering
•router-solicitation—Neighbor discovery router solicitations
•time-exceeded—All time exceeded messages
•unreachable—All unreachable
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
•bgp—Border Gateway Protocol (179)
•chargen—Character generator (19)
•cmd—Remote commands (rcmd, 514)
•daytime—Daytime (13)
•discard—Discard (9)
•domain—Domain Name Service (53)
•drip—Dynamic Routing Information Protocol (3949)
•echo—Echo (7)
•exec—Exec (rsh, 512)
•finger—Finger (79)
•ftp—File Transfer Protocol (21)
•ftp-data—FTP data connections (20)
•gopher—Gopher (70)
•hostname—NIC hostname server (101)
•ident—Ident Protocol (113)
•irc—Internet Relay Chat (194)
•klogin—Kerberos login (543)
•kshell—Kerberos shell (544)
•login—Login (rlogin, 513)
•lpd—Printer service (515)
•nntp—Network News Transport Protocol (119)
•pim-auto-rp—PIM Auto-RP (496)
•pop2—Post Office Protocol v2 (109)
•pop3—Post Office Protocol v3 (110)
•smtp—Simple Mail Transport Protocol (25)
•sunrpc—Sun Remote Procedure Call (111)
•tacacs—TAC Access Control System (49)
•talk—Talk (517)
•telnet—Telnet (23)
•time—Time (37)
•uucp—Unix-to-Unix Copy Program (540)
•whois—WHOIS/NICNAME (43)
•www—World Wide Web (HTTP, 80)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
•biff—Biff (mail notification, comsat, 512)
•bootpc—Bootstrap Protocol (BOOTP) client (68)
•bootps—Bootstrap Protocol (BOOTP) server (67)
•discard—Discard (9)
•dnsix—DNSIX security protocol auditing (195)
•domain—Domain Name Service (DNS, 53)
•echo—Echo (7)
•isakmp—Internet Security Association and Key Management Protocol (500)
•mobile-ip—Mobile IP registration (434)
•nameserver—IEN116 name service (obsolete, 42)
•netbios-dgm—NetBIOS datagram service (138)
•netbios-ns—NetBIOS name service (137)
•netbios-ss—NetBIOS session service (139)
•non500-isakmp—Internet Security Association and Key Management Protocol (4500)
•ntp—Network Time Protocol (123)
•pim-auto-rp—PIM Auto-RP (496)
•rip—Routing Information Protocol (router, in.routed, 520)
•snmp—Simple Network Management Protocol (161)
•snmptrap—SNMP Traps (162)
•sunrpc—Sun Remote Procedure Call (111)
•syslog—System Logger (514)
•tacacs—TAC Access Control System (49)
•talk—Talk (517)
•tftp—Trivial File Transfer Protocol (69)
•time—Time (37)
•who—Who service (rwho, 513)
•xdmcp—X Display Manager Control Protocol (177)
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
switch# configure terminal
switch(config)# ipv6 access-list acl-lab13-ipv6
switch(config-ipv6-acl)# deny tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# deny udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that denies all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
switch# configure terminal
switch(config)# ipv6 access-list ipv6-eng-to-marketing
switch(config-ipv6-acl)# deny ipv6 addrgroup eng_ipv6 addrgroup marketing_group
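The rule semantics described in both the IPv4 and the IPv6 deny sections (an unnumbered rule gets a sequence number 10 greater than the last one, the rule with the lowest sequence number that matches is enforced, and a source or destination may be written as any, host, address/prefix-length or, for IPv4, address plus wildcard) are worth checking outside the switch before an ACL is applied. The following Python module is an added example, not part of the Cisco documentation or of NX-OS: it parses permit/deny lines as typed in ACL configuration mode, assigns sequence numbers, and evaluates a packet against the ACL, for both address families. It models only the eq port operator, ignores trailing options such as dscp or fragments, does not handle addrgroup object groups, and ends with the implicit deny that closes every NX-OS ACL. Its built-in ACL is the acl-lab-01 example from this section, with 192.168.37.0 written as the /24 that "the 192.168.37.0 network" names.

```python
"""Evaluate NX-OS-style IPv4/IPv6 ACL rules: sequence numbering and first-match semantics."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords accepted by parse_port, with the values this command reference lists for them.
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "smtp": 25, "ftp": 21}


@dataclass(frozen=True)
class AddrSpec:
    """One source or destination. version None is the 'any' keyword. mask is a must-match
    mask (1 bits must equal value, 0 bits are ignored), the inverse of an NX-OS wildcard."""
    version: Optional[int]
    value: int = 0
    mask: int = 0

    def matches(self, addr) -> bool:
        if self.version is None:
            return True
        return addr.version == self.version and (int(addr) & self.mask) == (self.value & self.mask)


def parse_addr(tokens: list[str], i: int) -> tuple[AddrSpec, int]:
    """Consume one address spec at tokens[i]: any | host A | A/len | A wildcard (IPv4 only)."""
    t = tokens[i]
    if t == "any":
        return AddrSpec(None), i + 1
    if t == "host":  # equivalent to A/32 or A/128
        a = ipaddress.ip_address(tokens[i + 1])
        return AddrSpec(a.version, int(a), (1 << a.max_prefixlen) - 1), i + 2
    if "/" in t:
        n = ipaddress.ip_network(t, strict=False)
        return AddrSpec(n.version, int(n.network_address), int(n.netmask)), i + 1
    a, w = ipaddress.IPv4Address(t), ipaddress.IPv4Address(tokens[i + 1])
    return AddrSpec(4, int(a), 0xFFFFFFFF ^ int(w)), i + 2  # wildcard need not be contiguous


def parse_port(tokens: list[str], i: int) -> tuple[Optional[int], int]:
    """Consume an optional 'eq <port>' operator; range/gt/lt/neq are not modelled here."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


@dataclass
class Rule:
    seq: int
    action: str
    proto: str
    src: AddrSpec
    sport: Optional[int]
    dst: AddrSpec
    dport: Optional[int]

    def matches(self, proto: str, src, dst, sport, dport) -> bool:
        if self.proto in ("ip", "ipv6"):  # whole address family, any transport protocol
            proto_ok = src.version == (4 if self.proto == "ip" else 6)
        else:
            proto_ok = proto == self.proto
        return (proto_ok and self.src.matches(src) and self.dst.matches(dst)
                and self.sport in (None, sport) and self.dport in (None, dport))


class Acl:
    def __init__(self, name: str):
        self.name, self.rules = name, []

    def add(self, line: str) -> Rule:
        """Add one permit/deny line as typed in ACL configuration mode."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens[0].isdigit() else None
        if seq is None:  # no explicit number: 10 more than the current last (highest) rule
            seq = self.rules[-1].seq + 10 if self.rules else 10
        src, i = parse_addr(tokens, 2)
        sport, i = parse_port(tokens, i)
        dst, i = parse_addr(tokens, i)
        dport, i = parse_port(tokens, i)
        rule = Rule(seq, tokens[0], tokens[1], src, sport, dst, dport)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)  # lowest sequence number is checked first
        return rule

    def evaluate(self, proto: str, src: str, dst: str, sport=None, dport=None):
        """(action, seq) of the first matching rule; ('deny', None) is the implicit deny."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:
            if r.matches(proto, s, d, sport, dport):
                return r.action, r.seq
        return "deny", None


def lab_acl() -> Acl:
    """acl-lab-01 from this section, with 192.168.37.0 written as the /24 the text names."""
    acl = Acl("acl-lab-01")
    for line in ("deny tcp 10.23.0.0/16 10.176.0.0/16", "deny udp 10.23.0.0/16 10.176.0.0/16",
                 "deny tcp 192.168.37.0/24 10.176.0.0/16", "deny udp 192.168.37.0/24 10.176.0.0/16",
                 "permit ip any any"):
        acl.add(line)
    return acl
```

With the ACL written as /24, UDP from 192.168.38.9 to 10.176.1.1 reaches the final permit; written as /16 it would be silently denied, which is the sort of difference this check is meant to surface. Adding "5 permit tcp host 192.168.67.132 any eq 22" after "deny tcp 192.168.67.0 0.0.0.255 any" shows the lowest sequence number winning regardless of the order in which the lines were entered.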
Command | Description
---|---
ipv6 access-list | Configures an IPv6 ACL.
permit (IPv6) | Configures a permit rule in an IPv6 ACL.
remark | Configures a remark in an ACL.
time-range | Configures a time range.
To create a Media Access Control (MAC) access control list (ACL) rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[sequence-number] deny source destination [protocol] [cos cos-value] [vlan vlan-id]
no deny source destination [protocol] [cos cos-value] [vlan vlan-id]
no sequence-number
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
MAC ACL configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
When the switch applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
•Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
MAC-address MAC-mask
This example specifies the source argument with the MAC address 00c0.4f03.0a72:
switch(config-acl)# deny 00c0.4f03.0a72 0000.0000.0000 any
This example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
switch(config-acl)# deny any 0060.3e00.0000 0000.0000.0000
•Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword.
MAC Protocols
The protocol argument can be the MAC protocol (EtherType) number or a keyword. Protocol numbers are hexadecimal numbers of up to four digits prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
•aarp—Appletalk ARP (0x80f3)
•appletalk—Appletalk (0x809b)
•decnet-iv—DECnet Phase IV (0x6003)
•diagnostic—DEC Diagnostic Protocol (0x6005)
•etype-6000—EtherType 0x6000 (0x6000)
•etype-8042—EtherType 0x8042 (0x8042)
•ip—Internet Protocol v4 (0x0800)
•lat—DEC LAT (0x6004)
•lavc-sca—DEC LAVC, SCA (0x6007)
•mop-console—DEC MOP Remote console (0x6002)
•mop-dump—DEC MOP dump (0x6001)
•vines-echo—VINES Echo (0x0baf)
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
switch(config)# mac access-list mac-ip-filter
switch(config-mac-acl)# deny 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
switch(config-mac-acl)# permit any any
To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.
description text
no description
text | Text string that describes the user role. The maximum length is 128 alphanumeric characters.
None
User role configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You can include blank spaces in the user role description text.
This example shows how to configure the description for a user role:
switch(config)# role name MyRole
switch(config-role)# description User role for my user account.
This example shows how to remove the description from a user role:
switch(config)# role name MyRole
switch(config-role)# no description
Command | Description
---|---
show role | Displays information about the user role configuration.
To configure a feature in a user role feature group, use the feature command. To delete a feature in a user role feature group, use the no form of this command.
feature feature-name
no feature feature-name
feature-name | Switch feature name as listed in the show role feature command output.
None
User role feature group configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
Use the show role feature command to list the valid feature names to use in this command.
This example shows how to add features to a user role feature group:
switch(config)# role feature-group name SecGroup
switch(config-role-featuregrp)# feature aaa
switch(config-role-featuregrp)# feature radius
switch(config-role-featuregrp)# feature tacacs
This example shows how to remove a feature from a user role feature group:
switch(config)# role feature-group name MyGroup
switch(config-role-featuregrp)# no feature callhome
Command | Description
---|---
role feature-group name | Creates or configures a user role feature group.
show role feature-group | Displays the user role feature groups.
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
interface policy deny
no interface policy deny
This command has no arguments or keywords.
All interfaces
User role configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to enter interface policy configuration mode for a user role:
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)#
This example shows how to revert to the default interface policy for a user role:
switch(config)# role name MyRole
switch(config-role)# no interface policy deny
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.
show role | Displays user role information.
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
access-list-name | Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.
No IPv4 ACLs are defined by default.
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface.
Every IPv4 ACL has the following implicit rule as its last rule:
deny ip any any
This implicit rule ensures that the switch denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), which is the IPv4 equivalent of the IPv6 neighbor discovery process, uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch(config)# ip access-list ip-acl-01
switch(config-acl)#
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
access-list-name | Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long.
in | Specifies that the ACL applies to inbound traffic.
None
Interface configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
•Layer 2 Ethernet interfaces
•Layer 2 EtherChannel interfaces
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
switch(config)# interface ethernet 1/2
switch(config-if)# ip port access-group ip-acl-01 in
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
switch(config)# interface ethernet 1/2
switch(config-if)# no ip port access-group ip-acl-01 in
To create an IPv6 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ipv6 access-list command. To remove an IPv6 ACL, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
access-list-name | Name of the IPv6 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.
No IPv6 ACLs are defined by default.
Global configuration mode
Release | Modification
---|---
4.0(1a)N1(1) | This command was introduced.
Use IPv6 ACLs to filter IPv6 traffic.
When you use the ipv6 access-list command, the switch enters IP access list configuration mode, where you can use the IPv6 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Every IPv6 ACL has the following implicit rule as its last rule:
deny ipv6 any any
This implicit rule ensures that the switch denies unmatched IP traffic.
This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
switch(config)# ipv6 access-list ipv6-acl-01
switch(config-ipv6-acl)#
Command | Description
---|---
deny (IPv6) | Configures a deny rule in an IPv6 ACL.
permit (IPv6) | Configures a permit rule in an IPv6 ACL.
To apply an IPv6 access control list (ACL) to an interface as a port ACL, use the ipv6 port traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 port traffic-filter access-list-name in
no ipv6 port traffic-filter access-list-name in
access-list-name | Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
in | Specifies that the device applies the ACL to inbound traffic.
None
Interface configuration mode
Release | Modification
---|---
4.0(1a)N1(1) | This command was introduced.
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
•Ethernet interfaces
•EtherChannel interfaces
You can also use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to VLAN interfaces.
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# ipv6 port traffic-filter ipv6-acl in
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
switch# configure terminal
switch(config)# interface ethernet 1/3
switch(config-if)# no ipv6 port traffic-filter ipv6-acl in
Command | Description
---|---
ipv6 access-list | Configures an IPv6 ACL.
show access-lists | Displays all ACLs.
show ipv6 access-lists | Shows either a specific IPv6 ACL or all IPv6 ACLs.
To create a Media Access Control (MAC) access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.
mac access-list access-list-name
no mac access-list access-list-name
access-list-name | Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long.
No MAC ACLs are defined by default.
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
Use MAC ACLs to filter non-IP traffic.
When you use the mac access-list command, the switch enters MAC access list configuration mode, where you can use the MAC deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the switch creates it when you enter this command.
Use the mac access-group command to apply the ACL to an interface.
Every MAC ACL has the following implicit rule as its last rule:
deny any any protocol
This implicit rule ensures that the switch denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
switch(config)# mac access-list mac-acl-01
switch(config-acl)#
To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.
mac port access-group access-list-name
no mac port access-group access-list-name
access-list-name | Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long.
None
Interface configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
By default, no MAC ACLs are applied to an interface.
MAC ACLs apply to non-IP traffic.
You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:
•Layer 2 interfaces
•Layer 2 EtherChannel interfaces
You can also apply a MAC ACL as a VLAN ACL. For more information, see the match command.
The switch applies MAC ACLs only to inbound traffic. When the switch applies a MAC ACL, the switch checks packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:
switch(config)# interface ethernet 1/2
switch(config-if)# mac port access-group mac-acl-01
This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 1/2:
switch(config)# interface ethernet 1/2
switch(config-if)# no mac port access-group mac-acl-01
To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.
match {ip | ipv6 | mac} address access-list-name
no match {ip | ipv6 | mac} address access-list-name
By default, the switch classifies traffic and applies IPv4 ACLs to IPv4 traffic and MAC ACLs to all other traffic.
VLAN access-map configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You can specify only one match command per access map.
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics
To create an IPv4 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
General Syntax
[sequence-number] permit protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
no permit protocol source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
no sequence-number
Internet Control Message Protocol
[sequence-number] permit icmp source destination [icmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
Internet Group Management Protocol
[sequence-number] permit igmp source destination [igmp-message] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
Internet Protocol v4
[sequence-number] permit ip source destination {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
Transmission Control Protocol
[sequence-number] permit tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name] [flags] [established]
User Datagram Protocol
[sequence-number] permit udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] {[dscp dscp] | [precedence precedence]} [fragments] [time-range time-range-name]
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
IPv4 ACL configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
When the switch applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
•Address and network wildcard—You can use an IPv4 address followed by a network wildcard to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address network-wildcard
This example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
switch(config-acl)# permit tcp 192.168.67.0 0.0.0.255 any
•Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
IPv4-address/prefix-len
This example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
switch(config-acl)# permit udp 192.168.67.0/24 any
•Host address—You can use the host keyword and an IPv4 address to specify a host as a source or destination. The syntax is as follows:
host IPv4-address
This syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
This example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
switch(config-acl)# permit icmp host 192.168.67.132 any
•Any address—You can use the any keyword to specify that a source or destination is any IPv4 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
ICMP Message Types
The icmp-message argument can be the ICMP message number, which is an integer from 0 to 255. It can also be one of the following keywords:
•administratively-prohibited—Administratively prohibited
•alternate-address—Alternate address
•conversion-error—Datagram conversion
•dod-host-prohibited—Host prohibited
•dod-net-prohibited—Net prohibited
•echo—Echo (ping)
•echo-reply—Echo reply
•general-parameter-problem—Parameter problem
•host-isolated—Host isolated
•host-precedence-unreachable—Host unreachable for precedence
•host-redirect—Host redirect
•host-tos-redirect—Host redirect for ToS
•host-tos-unreachable—Host unreachable for ToS
•host-unknown—Host unknown
•host-unreachable—Host unreachable
•information-reply—Information replies
•information-request—Information requests
•mask-reply—Mask replies
•mask-request—Mask requests
•mobile-redirect—Mobile host redirect
•net-redirect—Network redirect
•net-tos-redirect—Net redirect for ToS
•net-tos-unreachable—Network unreachable for ToS
•net-unreachable—Net unreachable
•network-unknown—Network unknown
•no-room-for-option—Parameter required but no room
•option-missing—Parameter required but not present
•packet-too-big—Fragmentation needed and DF set
•parameter-problem—All parameter problems
•port-unreachable—Port unreachable
•precedence-unreachable—Precedence cutoff
•protocol-unreachable—Protocol unreachable
•reassembly-timeout—Reassembly timeout
•redirect—All redirects
•router-advertisement—Router discovery advertisements
•router-solicitation—Router discovery solicitations
•source-quench—Source quenches
•source-route-failed—Source route failed
•time-exceeded—All time-exceeded messages
•timestamp-reply—Time-stamp replies
•timestamp-request—Time-stamp requests
•traceroute—Traceroute
•ttl-exceeded—TTL exceeded
•unreachable—All unreachables
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
•bgp—Border Gateway Protocol (179)
•chargen—Character generator (19)
•cmd—Remote commands (rcmd, 514)
•daytime—Daytime (13)
•discard—Discard (9)
•domain—Domain Name Service (53)
•drip—Dynamic Routing Information Protocol (3949)
•echo—Echo (7)
•exec—EXEC (rsh, 512)
•finger—Finger (79)
•ftp—File Transfer Protocol (21)
•ftp-data—FTP data connections (2)
•gopher—Gopher (7)
•hostname—NIC hostname server (11)
•ident—Ident Protocol (113)
•irc—Internet Relay Chat (194)
•klogin—Kerberos login (543)
•kshell—Kerberos shell (544)
•login—Login (rlogin, 513)
•lpd—Printer service (515)
•nntp—Network News Transport Protocol (119)
•pim-auto-rp—PIM Auto-RP (496)
•pop2—Post Office Protocol v2 (19)
•pop3—Post Office Protocol v3 (11)
•smtp—Simple Mail Transport Protocol (25)
•sunrpc—Sun Remote Procedure Call (111)
•tacacs—TAC Access Control System (49)
•talk—Talk (517)
•telnet—Telnet (23)
•time—Time (37)
•uucp—Unix-to-Unix Copy Program (54)
•whois—WHOIS/NICNAME (43)
•www—World Wide Web (HTTP, 8)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
•biff—Biff (mail notification, comsat, 512)
•bootpc—Bootstrap Protocol (BOOTP) client (68)
•bootps—Bootstrap Protocol (BOOTP) server (67)
•discard—Discard (9)
•dnsix—DNSIX security protocol auditing (195)
•domain—Domain Name Service (DNS, 53)
•echo—Echo (7)
•isakmp—Internet Security Association and Key Management Protocol (5)
•mobile-ip—Mobile IP registration (434)
•nameserver—IEN116 name service (obsolete, 42)
•netbios-dgm—NetBIOS datagram service (138)
•netbios-ns—NetBIOS name service (137)
•netbios-ss—NetBIOS session service (139)
•non500-isakmp—Internet Security Association and Key Management Protocol (45)
•ntp—Network Time Protocol (123)
•pim-auto-rp—PIM Auto-RP (496)
•rip—Routing Information Protocol (router, in.routed, 52)
•snmp—Simple Network Management Protocol (161)
•snmptrap—SNMP Traps (162)
•sunrpc—Sun Remote Procedure Call (111)
•syslog—System Logger (514)
•tacacs—TAC Access Control System (49)
•talk—Talk (517)
•tftp—Trivial File Transfer Protocol (69)
•time—Time (37)
•who—Who service (rwho, 513)
•xdmcp—X Display Manager Control Protocol (177)
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
switch(config)# ip access-list acl-lab-01
switch(config-acl)# permit tcp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# permit udp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# permit tcp 192.168.37.0/16 10.176.0.0/16
switch(config-acl)# permit udp 192.168.37.0/16 10.176.0.0/16
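The rule semantics described in the deny (MAC) section above (mask bits, protocol keywords, lowest sequence number wins, implicit deny) and the IPv4 source and destination forms of this permit section, modelled together in Python as an added example that is not Cisco code. The rule lines it parses are the page's own; the frames and packets it evaluates, and the helper names, are constructed for the example.

```python
# Added example (not Cisco code): a model of the rule semantics this page describes for
# MAC and IPv4 ACLs. Rules are parsed as typed at the switch prompt, a rule without a
# sequence number gets one 10 greater than the last rule, the first matching rule by lowest
# sequence number wins, and unmatched traffic hits the implicit deny. Mask and wildcard
# bits of 0 must match and bits of 1 are ignored, so 0000.00ff.ffff selects a MAC vendor
# code and 'host A', 'A/32' and 'A 0.0.0.0' are the same IPv4 match. Port operators, cos,
# vlan, dscp, precedence, fragments and time ranges are not modelled; test data is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherType keywords from the page's "MAC Protocols" list; IPv4 keywords from its syntax
MAC_PROTOCOLS = {
    "aarp": 0x80F3, "appletalk": 0x809B, "decnet-iv": 0x6003, "diagnostic": 0x6005,
    "etype-6000": 0x6000, "etype-8042": 0x8042, "ip": 0x0800, "lat": 0x6004,
    "lavc-sca": 0x6007, "mop-console": 0x6002, "mop-dump": 0x6001, "vines-echo": 0x0BAF,
}
IPV4_PROTOCOLS = {"ip": None, "icmp": 1, "igmp": 2, "tcp": 6, "udp": 17}  # None = any
WIDTH = {"mac": 0xFFFFFFFFFFFF, "ipv4": 0xFFFFFFFF}  # all-ones value per address family

def to_int(family: str, text: str) -> int:
    """'00c0.4f03.0a72' -> 0x00c04f030a72, or '192.168.67.132' -> its 32-bit value."""
    if family == "ipv4":
        return int(ipaddress.IPv4Address(text))
    digits = text.replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)

def parse_target(family: str, toks: List[str]) -> Tuple[int, int]:
    """Consume one source/destination; return (address, mask) where mask bits of 1 are
    ignored. MAC: 'any' | 'MAC-address MAC-mask'. IPv4: 'any' | 'host A' | 'A/len' | 'A wildcard'."""
    tok = toks.pop(0)
    if tok == "any":
        return 0, WIDTH[family]
    if family == "ipv4" and tok == "host":
        return to_int(family, toks.pop(0)), 0
    if family == "ipv4" and "/" in tok:
        net = ipaddress.IPv4Network(tok, strict=False)
        return int(net.network_address), int(net.hostmask)
    addr, mask = to_int(family, tok), to_int(family, toks.pop(0))
    return addr & ~mask & WIDTH[family], mask

@dataclass
class Rule:
    seq: int
    action: str              # "permit" or "deny"
    protocol: Optional[int]  # EtherType or IP protocol number; None matches any protocol
    src: Tuple[int, int]     # (address, mask or wildcard)
    dst: Tuple[int, int]
    family: str

    def _in(self, tgt: Tuple[int, int], value: int) -> bool:
        addr, mask = tgt
        return ((addr ^ value) & ~mask & WIDTH[self.family]) == 0

    def matches(self, protocol: int, src: int, dst: int) -> bool:
        if self.protocol is not None and self.protocol != protocol:
            return False
        return self._in(self.src, src) and self._in(self.dst, dst)

def parse_rule(family: str, line: str, last_seq: int) -> Rule:
    """'[seq] permit|deny ...': MAC rules name the protocol last (optional),
    IPv4 rules name it right after the action."""
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else last_seq + 10
    action = toks.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action!r}")
    protocol: Optional[int] = None
    if family == "ipv4":
        word = toks.pop(0)
        protocol = IPV4_PROTOCOLS[word] if word in IPV4_PROTOCOLS else int(word)
    src, dst = parse_target(family, toks), parse_target(family, toks)
    if family == "mac" and toks:  # keyword from the list, or a hex EtherType such as 0x88cc
        word = toks.pop(0)
        protocol = MAC_PROTOCOLS[word] if word in MAC_PROTOCOLS else int(word, 16)
        if not 0 <= protocol <= 0xFFFF:
            raise ValueError(f"EtherType out of range: {word}")
    if toks:
        raise ValueError(f"options not modelled here: {' '.join(toks)}")
    return Rule(seq, action, protocol, src, dst, family)

def build_acl(family: str, lines: List[str]) -> List[Rule]:
    """Build an ACL from rule lines, kept sorted; "last rule" is the highest sequence so far."""
    rules: List[Rule] = []
    for line in lines:
        rules.append(parse_rule(family, line, max((r.seq for r in rules), default=0)))
        rules.sort(key=lambda r: r.seq)
    return rules

def evaluate(family: str, rules: List[Rule], protocol: int, src: str, dst: str) -> Tuple[str, Optional[int]]:
    """(action, seq) of the first matching rule; ('deny', None) is the implicit final deny."""
    s, d = to_int(family, src), to_int(family, dst)
    for rule in rules:
        if rule.matches(protocol, s, d):
            return rule.action, rule.seq
    return "deny", None
```

Feeding the page's mac-ip-filter rules through build_acl("mac", ...) and evaluating an IPv4 frame (EtherType 0x0800) between the two vendor-code groups returns ("deny", 10), while an ARP frame (0x0806) between the same hosts returns ("permit", 20).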
To create an IPv6 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
General Syntax
[sequence-number] permit protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
no permit protocol source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
no sequence-number
Internet Control Message Protocol
[sequence-number | no] permit icmp source destination [icmp-message] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
Internet Protocol v6
[sequence-number] permit ipv6 source destination [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
Stream Control Transmission Protocol
[sequence-number | no] permit sctp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
Transmission Control Protocol
[sequence-number] permit tcp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name] [flags] [established]
User Datagram Protocol
[sequence-number | no] permit udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [time-range time-range-name]
None
IPv6 ACL configuration mode
Release | Modification
---|---
4.0(1a)N1(1) | This command was introduced.
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
•Address and variable-length subnet mask—You can use an IPv6 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
IPv6-address/prefix-len
This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
switch(config-acl)# permit udp 2001:0db8:85a3::/48 any
•Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:
host IPv6-address
This syntax is equivalent to IPv6-address/128.
This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
switch(config-acl)# permit icmp host 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 any
•Any address—You can use the any keyword to specify that a source or destination is any IPv6 address. For examples of the use of the any keyword, see the examples in this section. Each example shows how to specify a source or destination by using the any keyword.
ICMPv6 Message Types
The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the following keywords:
•beyond-scope—Destination beyond scope
•destination-unreachable—Destination address is unreachable
•echo-reply—Echo reply
•echo-request—Echo request (ping)
•header—Parameter header problems
•hop-limit—Hop limit exceeded in transit
•mld-query—Multicast Listener Discovery Query
•mld-reduction—Multicast Listener Discovery Reduction
•mld-report—Multicast Listener Discovery Report
•nd-na—Neighbor discovery neighbor advertisements
•nd-ns—Neighbor discovery neighbor solicitations
•next-header—Parameter next header problems
•no-admin—Administration prohibited destination
•no-route—No route to destination
•packet-too-big—Packet too big
•parameter-option—Parameter option problems
•parameter-problem—All parameter problems
•port-unreachable—Port unreachable
•reassembly-timeout—Reassembly timeout
•redirect—Neighbor redirect
•renum-command—Router renumbering command
•renum-result—Router renumbering result
•renum-seq-number—Router renumbering sequence number reset
•router-advertisement—Neighbor discovery router advertisements
•router-renumbering—All router renumbering
•router-solicitation—Neighbor discovery router solicitations
•time-exceeded—All time exceeded messages
•unreachable—All unreachable
TCP Port Names
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
•bgp—Border Gateway Protocol (179)
•chargen—Character generator (19)
•cmd—Remote commands (rcmd, 514)
•daytime—Daytime (13)
•discard—Discard (9)
•domain—Domain Name Service (53)
•drip—Dynamic Routing Information Protocol (3949)
•echo—Echo (7)
•exec—Exec (rsh, 512)
•finger—Finger (79)
•ftp—File Transfer Protocol (21)
•ftp-data—FTP data connections (2)
•gopher—Gopher (7)
•hostname—NIC hostname server (11)
•ident—Ident Protocol (113)
•irc—Internet Relay Chat (194)
•klogin—Kerberos login (543)
•kshell—Kerberos shell (544)
•login—Login (rlogin, 513)
•lpd—Printer service (515)
•nntp—Network News Transport Protocol (119)
•pim-auto-rp—PIM Auto-RP (496)
•pop2—Post Office Protocol v2 (19)
•pop3—Post Office Protocol v3 (11)
•smtp—Simple Mail Transport Protocol (25)
•sunrpc—Sun Remote Procedure Call (111)
•tacacs—TAC Access Control System (49)
•talk—Talk (517)
•telnet—Telnet (23)
•time—Time (37)
•uucp—Unix-to-Unix Copy Program (54)
•whois—WHOIS/NICNAME (43)
•www—World Wide Web (HTTP, 8)
UDP Port Names
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
•biff—Biff (mail notification, comsat, 512)
•bootpc—Bootstrap Protocol (BOOTP) client (68)
•bootps—Bootstrap Protocol (BOOTP) server (67)
•discard—Discard (9)
•dnsix—DNSIX security protocol auditing (195)
•domain—Domain Name Service (DNS, 53)
•echo—Echo (7)
•isakmp—Internet Security Association and Key Management Protocol (5)
•mobile-ip—Mobile IP registration (434)
•nameserver—IEN116 name service (obsolete, 42)
•netbios-dgm—NetBIOS datagram service (138)
•netbios-ns—NetBIOS name service (137)
•netbios-ss—NetBIOS session service (139)
•non500-isakmp—Internet Security Association and Key Management Protocol (45)
•ntp—Network Time Protocol (123)
•pim-auto-rp—PIM Auto-RP (496)
•rip—Routing Information Protocol (router, in.routed, 52)
•snmp—Simple Network Management Protocol (161)
•snmptrap—SNMP Traps (162)
•sunrpc—Sun Remote Procedure Call (111)
•syslog—System Logger (514)
•tacacs—TAC Access Control System (49)
•talk—Talk (517)
•tftp—Trivial File Transfer Protocol (69)
•time—Time (37)
•who—Who service (rwho, 513)
•xdmcp—X Display Manager Control Protocol (177)
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
switch# configure terminal
switch(config)# ipv6 access-list acl-lab13-ipv6
switch(config-ipv6-acl)# permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# permit udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# permit tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
switch(config-ipv6-acl)# permit udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
switch# configure terminal
switch(config)# ipv6 access-list ipv6-eng-to-marketing
switch(config-ipv6-acl)# permit ipv6 addrgroup eng_ipv6 addrgroup marketing_group

| Command | Description |
|---|---|
| deny (IPv6) | Configures a deny rule in an IPv6 ACL. |
| ipv6 access-list | Configures an IPv6 ACL. |
| remark | Configures a remark in an ACL. |

To create a MAC access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[sequence-number] permit source destination [protocol] [cos cos-value] [vlan vlan-id]
no permit source destination [protocol] [cos cos-value] [vlan vlan-id]
no sequence-number
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the switch assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
MAC ACL configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

When the switch applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Source and Destination
You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
•Address and mask—You can use a MAC address followed by a mask to specify a single address or a group of addresses. The syntax is as follows:
MAC-address MAC-mask
This example specifies the source argument with the single MAC address 00c0.4f03.0a72:
switch(config-mac-acl)# permit 00c0.4f03.0a72 0000.0000.0000 any
This example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
switch(config-mac-acl)# permit any 0060.3e00.0000 0000.00ff.ffff
•Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the any keyword, see the examples in this section.
MAC Protocols
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a hexadecimal number prefixed with 0x; valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
•aarp—Appletalk ARP (0x80f3)
•appletalk—Appletalk (0x809b)
•decnet-iv—DECnet Phase IV (0x6003)
•diagnostic—DEC Diagnostic Protocol (0x6005)
•etype-6000—Ethertype 0x6000 (0x6000)
•etype-8042—Ethertype 0x8042 (0x8042)
•ip—Internet Protocol v4 (0x0800)
•lat—DEC LAT (0x6004)
•lavc-sca—DEC LAVC, SCA (0x6007)
•mop-console—DEC MOP Remote console (0x6002)
•mop-dump—DEC MOP dump (0x6001)
•vines-echo—VINES Echo (0x0baf)
This example shows how to configure a MAC ACL named mac-ip-filter with a rule that permits all IPv4 traffic between two groups of MAC addresses:
switch(config)# mac access-list mac-ip-filter
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip
switch(config-mac-acl)#
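The address-and-mask matching and lowest-sequence-number rule selection described above, as an added example in Python (not Cisco code): it parses rules written in this entry's MAC ACL syntax, including the protocol keywords listed above, and evaluates a frame against them. The wildcard convention (a 1 bit in the mask means that bit is not compared) follows the examples above; the deny rule in the sample ACL is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# MAC protocol keywords and their EtherTypes, as listed in this entry.
MAC_PROTOCOLS = {
    "aarp": 0x80F3, "appletalk": 0x809B, "decnet-iv": 0x6003,
    "diagnostic": 0x6005, "etype-6000": 0x6000, "etype-8042": 0x8042,
    "ip": 0x0800, "lat": 0x6004, "lavc-sca": 0x6007,
    "mop-console": 0x6002, "mop-dump": 0x6001, "vines-echo": 0x0BAF,
}
_MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def mac_to_int(dotted: str) -> int:
    """Convert Cisco dotted notation (00c0.4f03.0a72) to a 48-bit integer."""
    if not _MAC_RE.match(dotted.lower()):
        raise ValueError(f"bad MAC address: {dotted}")
    return int(dotted.replace(".", ""), 16)


@dataclass(frozen=True)
class MacRule:
    seq: int
    action: str                  # "permit" or "deny"
    src: Optional[tuple]         # (address, wildcard mask); None means "any"
    dst: Optional[tuple]
    protocol: Optional[int]      # EtherType; None matches every protocol
    cos: Optional[int] = None
    vlan: Optional[int] = None


def _parse_addr(tokens, i):
    """Consume 'any' or 'MAC-address MAC-mask' starting at tokens[i]."""
    if tokens[i] == "any":
        return None, i + 1
    return (mac_to_int(tokens[i]), mac_to_int(tokens[i + 1])), i + 2


def parse_rule(line: str, auto_seq: int) -> MacRule:
    """Parse '[seq] {permit|deny} src dst [protocol] [cos n] [vlan n]'."""
    tokens = line.split()
    seq = int(tokens.pop(0)) if tokens[0].isdigit() else auto_seq
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action: {action}")
    src, i = _parse_addr(tokens, 1)
    dst, i = _parse_addr(tokens, i)
    proto = cos = vlan = None
    while i < len(tokens):
        tok = tokens[i]
        if tok == "cos":
            cos, i = int(tokens[i + 1]), i + 2
        elif tok == "vlan":
            vlan, i = int(tokens[i + 1]), i + 2
        elif tok in MAC_PROTOCOLS:
            proto, i = MAC_PROTOCOLS[tok], i + 1
        elif tok.startswith("0x"):        # raw protocol number, 0x0 to 0xffff
            proto, i = int(tok, 16), i + 1
        else:
            raise ValueError(f"unknown token: {tok}")
    return MacRule(seq, action, src, dst, proto, cos, vlan)


def parse_acl(lines) -> list:
    """Build an ACL; an unnumbered rule gets the last sequence number + 10."""
    rules, last = [], 0
    for line in lines:
        rule = parse_rule(line, last + 10)
        rules.append(rule)
        last = rule.seq
    return sorted(rules, key=lambda r: r.seq)


def _addr_match(spec, value: int) -> bool:
    """Wildcard compare: only bits that are 0 in the mask must be equal."""
    if spec is None:
        return True
    addr, wild = spec
    return (addr & ~wild) == (value & ~wild)


def evaluate(acl, src: str, dst: str, ethertype: int,
             cos: int = 0, vlan: Optional[int] = None) -> Optional[str]:
    """Return the action of the matching rule with the lowest sequence
    number, or None when no rule matches the frame."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for r in acl:                      # parse_acl sorted by sequence number
        if (_addr_match(r.src, s) and _addr_match(r.dst, d)
                and (r.protocol is None or r.protocol == ethertype)
                and (r.cos is None or r.cos == cos)
                and (r.vlan is None or r.vlan == vlan)):
            return r.action
    return None


# The mac-ip-filter rule from this entry plus a constructed deny rule that
# takes a lower sequence number, so it is enforced first for that one host.
SAMPLE_ACL = parse_acl([
    "permit 00c0.4f00.0000 0000.00ff.ffff 0060.3e00.0000 0000.00ff.ffff ip",
    "5 deny 00c0.4f03.0a72 0000.0000.0000 any",
])
```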
To add interfaces for a user role interface policy, use the permit interface command. To remove interfaces, use the no form of this command.
permit interface interface-list
no permit interface

| Argument | Description |
|---|---|
| interface-list | List of interfaces that the user role has permission to access. |

All interfaces
Interface policy configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

For permit interface statements to work, you need to configure a command rule to allow interface access, as shown in the following example:
switch(config-role)# rule number permit command configure terminal ; interface *
This example shows how to configure a range of interfaces for a user role interface policy:
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# permit interface ethernet 1/2 - 8
This example shows how to configure a list of interfaces for a user role interface policy:
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# permit interface ethernet 1/1, ethernet 1/3, ethernet 1/5
This example shows how to remove an interface from a user role interface policy:
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# no permit interface ethernet 1/2
To add VLANs for a user role VLAN policy, use the permit vlan command. To remove VLANs, use the no form of this command.
permit vlan vlan-list
no permit vlan

| Argument | Description |
|---|---|
| vlan-list | List of VLANs that the user role has permission to access. |

All VLANs
VLAN policy configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

For permit vlan statements to work, you need to configure a command rule to allow VLAN access, as shown in the following example:
switch(config-role)# rule number permit command configure terminal ; vlan *
This example shows how to configure a range of VLANs for a user role VLAN policy:
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# permit vlan 1-8
This example shows how to configure a list of VLANs for a user role VLAN policy:
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# permit vlan 1, 10, 12, 20
This example shows how to remove a VLAN from a user role VLAN policy:
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# no permit vlan 2
To add virtual routing and forwarding instances (VRFs) for a user role VRF policy, use the permit vrf command. To remove VRFs, use the no form of this command.
permit vrf vrf-list
no permit vrf

| Argument | Description |
|---|---|
| vrf-list | List of VRFs that the user role has permission to access. |

All VRFs
VRF policy configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to configure a range of VRFs for a user role VRF policy:
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)# permit vrf management
To permit access to a VSAN policy for a user role, use the permit vsan command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
permit vsan vsan-list
no permit vsan vsan-list
None
User role configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This command is enabled only after you deny a VSAN policy by using the vsan policy deny command.
This example shows how to permit access to a VSAN policy for a user role:
switch(config)# role name MyRole
switch(config-role)# vsan policy deny
switch(config-role-vsan)# permit vsan 10, 12, 100-104
switch(config-role-vsan)#
To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 5000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime minutes

| Argument | Description |
|---|---|
| minutes | Number of minutes for the dead-time interval. The range is from 1 to 1440 minutes. |

0 minutes
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

The dead-time interval is the number of minutes before the switch checks a RADIUS server that was previously unresponsive.
Note When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
This example shows how to configure the global dead-time interval for all RADIUS servers to perform periodic monitoring:
switch(config)# radius-server deadtime 5
This example shows how to revert to the default for the global dead-time interval for all RADIUS servers and disable periodic server monitoring:
switch(config)# no radius-server deadtime 5

| Command | Description |
|---|---|
| show radius-server | Displays RADIUS server information. |

To allow users to send authentication requests to a specific RADIUS server when logging in, use the radius-server directed-request command. To revert to the default, use the no form of this command.
radius-server directed-request
no radius-server directed-request
This command has no arguments or keywords.
Sends the authentication request to the configured RADIUS server group.
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

You can specify the username@vrfname:hostname during login, where vrfname is the VRF to use and hostname is the name of a configured RADIUS server. The username is sent to the RADIUS server for authentication.
This example shows how to allow users to send authentication requests to a specific RADIUS server when logging in:
switch(config)# radius-server directed-request
This example shows how to prevent users from sending authentication requests to a specific RADIUS server when logging in:
switch(config)# no radius-server directed-request

| Command | Description |
|---|---|
| show radius-server directed-request | Displays the directed request RADIUS server configuration. |

To configure RADIUS server parameters, use the radius-server host command. To revert to the default, use the no form of this command.
radius-server host {hostname | ipv4-address | ipv6-address}
[key [0 | 7] shared-secret [pac]] [accounting]
[acct-port port-number] [auth-port port-number] [authentication] [retransmit count]
[test {idle-time time | password password | username name}]
[timeout seconds [retransmit count]]
no radius-server host {hostname | ipv4-address | ipv6-address}
[key [0 | 7] shared-secret [pac]] [accounting]
[acct-port port-number] [auth-port port-number] [authentication] [retransmit count]
[test {idle-time time | password password | username name}]
[timeout seconds [retransmit count]]
Accounting port: 1813
Authentication port: 1812
Accounting: enabled
Authentication: enabled
Retransmission count: 1
Idle-time: 0
Server monitoring: disabled
Timeout: 5 seconds
Test username: test
Test password: test
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
This example shows how to configure RADIUS server authentication and accounting parameters:
switch(config)# radius-server host 192.168.2.3 key HostKey
switch(config)# radius-server host 192.168.2.3 auth-port 2003
switch(config)# radius-server host 192.168.2.3 acct-port 2004
switch(config)# radius-server host 192.168.2.3 accounting
switch(config)# radius-server host radius2 key 0 abcd
switch(config)# radius-server host radius3 key 7 1234
switch(config)# radius-server host 192.168.2.3 test idle-time 10
switch(config)# radius-server host 192.168.2.3 test username tester
switch(config)# radius-server host 192.168.2.3 test password 2B9ka5

| Command | Description |
|---|---|
| show radius-server | Displays RADIUS server information. |

To configure a RADIUS shared secret key, use the radius-server key command. To remove a configured shared secret, use the no form of this command.
radius-server key [0 | 7] shared-secret
no radius-server key [0 | 7] shared-secret
Clear text authentication
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

You must configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by using the key keyword in the radius-server host command.
This example shows several ways to configure the RADIUS shared secret:
switch(config)# radius-server key AnyWord
switch(config)# radius-server key 0 AnyWord
switch(config)# radius-server key 7 public pac

| Command | Description |
|---|---|
| show radius-server | Displays RADIUS server information. |

To specify the number of times that the switch should try a request with a RADIUS server, use the radius-server retransmit command. To revert to the default, use the no form of this command.
radius-server retransmit count
no radius-server retransmit count

| Argument | Description |
|---|---|
| count | Number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times. |

1 retransmission
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to configure the number of retransmissions to RADIUS servers:
switch(config)# radius-server retransmit 3
This example shows how to revert to the default number of retransmissions to RADIUS servers:
switch(config)# no radius-server retransmit 3

| Command | Description |
|---|---|
| show radius-server | Displays RADIUS server information. |

To specify the time between retransmissions to the RADIUS servers, use the radius-server timeout command. To revert to the default, use the no form of this command.
radius-server timeout seconds
no radius-server timeout seconds

| Argument | Description |
|---|---|
| seconds | Number of seconds between retransmissions to the RADIUS server. The range is from 1 to 60 seconds. |

1 second
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to configure the timeout interval:
switch(config)# radius-server timeout 30
This example shows how to revert to the default interval:
switch(config)# no radius-server timeout 30

| Command | Description |
|---|---|
| show radius-server | Displays RADIUS server information. |

To enter a comment into an IPv4 or MAC access control list (ACL), use the remark command. To remove a remark command, use the no form of this command.
[sequence-number] remark remark
no {sequence-number | remark remark}
No ACL contains a remark by default.
IPv4 ACL configuration mode
MAC ACL configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

The remark argument can be up to 100 characters. If you enter more than 100 characters for the remark argument, the switch accepts the first 100 characters and drops any additional characters.
This example shows how to create a remark in an IPv4 ACL and display the results:
switch(config)# ip access-list acl-ipv4-01
switch(config-acl)# 100 remark this ACL denies the marketing department access to the lab
switch(config-acl)# show access-list acl-ipv4-01

| Command | Description |
|---|---|
| ip access-list | Configures an IPv4 ACL. |
| mac access-list | Configures a MAC ACL. |
| show access-list | Displays all ACLs or one ACL. |

To reassign sequence numbers to all rules in an access control list (ACL) or a time range, use the resequence command.
resequence access-list-type access-list access-list-name starting-number increment
resequence time-range time-range-name starting-number increment
None
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

The resequence command allows you to reassign sequence numbers to the rules of an ACL or time range. The new sequence number for the first rule is determined by the starting-number argument. Each additional rule receives a new sequence number determined by the increment argument. If the highest sequence number would exceed the maximum possible sequence number, then no sequencing occurs and the following message appears:
ERROR: Exceeded maximum sequence number.
The maximum sequence number is 4294967295.
This example shows how to resequence an IPv4 ACL named ip-acl-01 with a starting sequence number of 100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
switch(config)# show ip access-lists ip-acl-01
IP access list ip-acl-01
7 permit tcp 128.0.0/16 any eq www
10 permit udp 128.0.0/16 any
13 permit icmp 128.0.0/16 any eq echo
17 deny igmp any any
switch(config)# resequence ip access-list ip-acl-01 100 10
switch(config)# show ip access-lists ip-acl-01
IP access list ip-acl-01
100 permit tcp 128.0.0/16 any eq www
110 permit udp 128.0.0/16 any
120 permit icmp 128.0.0/16 any eq echo
130 deny igmp any any
switch(config)#

| Command | Description |
|---|---|
| ip access-list | Configures an IPv4 ACL. |
| mac access-list | Configures a MAC ACL. |
| show access-lists | Displays all ACLs or a specific ACL. |

To create or specify a user role feature group and enter user role feature group configuration mode, use the role feature-group name command. To delete a user role feature group, use the no form of this command.
role feature-group name group-name
no role feature-group name group-name

| Argument | Description |
|---|---|
| group-name | User role feature group name. The group-name has a maximum length of 32 characters and is a case-sensitive, alphanumeric character string. |

None
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to create a user role feature group and enter user role feature group configuration mode:
switch(config)# role feature-group name MyGroup
switch(config-role-featuregrp)#
This example shows how to remove a user role feature group:
switch(config)# no role feature-group name MyGroup
switch(config)#
To create or specify a user role and enter user role configuration mode, use the role name command. To delete a user role, use the no form of this command.
role name role-name
no role name role-name

| Argument | Description |
|---|---|
| role-name | User role name. The role-name has a maximum length of 16 characters and is a case-sensitive, alphanumeric character string. |

None
Global configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

A Cisco Nexus 5000 Series switch provides the following default user roles:
•Network Administrator—Complete read-and-write access to the entire switch
•Network Operator—Complete read access to the entire switch
You cannot change or remove the default user roles.
This example shows how to create a user role and enter user role configuration mode:
switch(config)# role name MyRole
switch(config-role)#
This example shows how to remove a user role:
switch(config)# no role name MyRole

| Command | Description |
|---|---|
| show role | Displays the user roles. |

To configure rules for a user role, use the rule command. To delete a rule, use the no form of this command.
rule number {deny | permit} {command command-string | {read | read-write} [feature feature-name | feature-group group-name]}
no rule number
None
User role configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

You can configure up to 256 rules for each role.
The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
This example shows how to add rules to a user role:
switch(config)# role name MyRole
switch(config-role)# rule 1 deny command clear users
switch(config-role)# rule 2 permit read-write feature-group L3
This example shows how to remove a rule from a user role:
switch(config)# role name MyRole
switch(config-role)# no rule 10
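An added example in Python (not Cisco code) of the rule order this entry describes: rules are checked from the highest rule number down and the first match decides. The trailing-* command pattern matching, the replacement of a rule whose number is re-entered, and the deny when no rule matches are this example's assumptions; the feature names and the L3 feature-group contents are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                    # "permit" or "deny"
    kind: str                      # "command", "read" or "read-write"
    target: Optional[str] = None   # command pattern, feature or feature-group name
    scope: Optional[str] = None    # "feature", "feature-group" or None (all features)


@dataclass
class Role:
    name: str
    rules: list = field(default_factory=list)
    # group-name -> feature names, as built with role feature-group (constructed)
    feature_groups: dict = field(default_factory=dict)

    def add_rule(self, number, action, kind, target=None, scope=None):
        """Mirror the rule command: re-entering a number replaces that rule
        (assumption) and a role holds at most 256 rules (stated on the page)."""
        others = [r for r in self.rules if r.number != number]
        if len(others) >= 256:
            raise ValueError("a role can hold at most 256 rules")
        self.rules = others + [Rule(number, action, kind, target, scope)]


def cmd_matches(pattern: str, command: str) -> bool:
    """Token match; a trailing '*' in the pattern matches any remainder (assumption)."""
    p, c = pattern.split(), command.split()
    if p and p[-1] == "*":
        return c[:len(p) - 1] == p[:-1]
    return p == c


def _features_of(role: Role, rule: Rule):
    if rule.scope == "feature":
        return {rule.target}
    if rule.scope == "feature-group":
        return role.feature_groups.get(rule.target, set())
    return None   # no feature qualifier: the rule covers every feature


def authorize(role: Role, command: str, feature: str, write: bool) -> str:
    """Return 'permit' or 'deny' for a command that belongs to `feature`.
    Rules are applied in descending order of rule number; the first rule
    that matches decides, and no match means deny (assumption)."""
    for rule in sorted(role.rules, key=lambda r: r.number, reverse=True):
        if rule.kind == "command":
            if cmd_matches(rule.target, command):
                return rule.action
            continue
        if write and rule.kind == "read":      # read rules never cover changes
            continue
        feats = _features_of(role, rule)
        if feats is None or feature in feats:
            return rule.action
    return "deny"


# Constructed role: the rules from this entry's example plus a read-only rule.
ROLE = Role("MyRole", feature_groups={"L3": {"router-bgp", "router-ospf"}})
ROLE.add_rule(1, "deny", "command", "clear users")
ROLE.add_rule(2, "permit", "read-write", "L3", "feature-group")
ROLE.add_rule(3, "permit", "read")
```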

| Command | Description |
|---|---|
| role name | Creates or specifies a user role name and enters user role configuration mode. |
| show role | Displays the user roles. |

To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.
server {ipv4-address | ipv6-address | hostname}
no server {ipv4-address | ipv6-address | hostname}
None
RADIUS server group configuration mode
TACACS+ server group configuration mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
Note You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to add a server to a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 192.168.1.1
This example shows how to delete a server from a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# no server 192.168.1.1
This example shows how to add a server to a TACACS+ server group:
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 192.168.2.2
This example shows how to delete a server from a TACACS+ server group:
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no server 192.168.2.2
To display authentication, authorization, and accounting (AAA) accounting configuration, use the show aaa accounting command.
show aaa accounting
This command has no arguments or keywords.
None
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display the configuration of the accounting log:
switch# show aaa accounting

| Command | Description |
|---|---|
| aaa accounting default | Configures AAA methods for accounting. |

To display authentication, authorization, and accounting (AAA) authentication configuration information, use the show aaa authentication command.
show aaa authentication login [error-enable | mschap]
None
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display the configured authentication parameters:
switch# show aaa authentication
This example shows how to display the authentication login error enable configuration:
switch# show aaa authentication login error-enable
This example shows how to display the authentication login MS-CHAP configuration:
switch# show aaa authentication login mschap

| Command | Description |
|---|---|
| aaa authentication | Configures AAA authentication methods. |

To display AAA authorization configuration information, use the show aaa authorization command.
show aaa authorization [all]

| Keyword | Description |
|---|---|
| all | (Optional) Displays configured and default values. |

None
EXEC mode

| Release | Modification |
|---|---|
| 4.2(1)N1(1) | This command was introduced. |

This example shows how to display the configured authorization methods:
switch# show aaa authorization
AAA command authorization:
default authorization for config-commands: none
switch#
This example shows how to revert to the default AAA authorization methods for configuration commands:
switch(config)# no aaa authorization config-commands default group TacGroup local
switch(config)#
To display authentication, authorization, and accounting (AAA) server group configuration, use the show aaa groups command.
show aaa groups
This command has no arguments or keywords.
None
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display AAA group information:
switch# show aaa groups

| Command | Description |
|---|---|
| aaa group server radius | Creates a RADIUS server group. |

To display the status of the default role assigned by the authentication, authorization, and accounting (AAA) server administrator for remote authentication, use the show aaa user command.
show aaa user default-role

| Keyword | Description |
|---|---|
| default-role | Displays the status of the default AAA role. |

None
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display the status of the default role assigned by the AAA server administrator for remote authentication:
switch# show aaa user default-role
enabled
switch#

| Command | Description |
|---|---|
| aaa user default-role | Configures the default user role for remote authentication. |
| show aaa authentication | Displays AAA authentication information. |

To display all IPv4 and MAC access control lists (ACLs) or a specific ACL, use the show access-lists command.
show access-lists [access-list-name]

| Argument | Description |
|---|---|
| access-list-name | (Optional) Name of an ACL, which can be up to 64 alphanumeric, case-sensitive characters. |

The switch shows all ACLs unless you use the access-list-name argument to specify an ACL.
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display all IPv4 and MAC ACLs on the switch:
switch# show access-lists
To display the accounting log contents, use the show accounting log command.
show accounting log [size] [start-time year month day HH:MM:SS] [end-time year month day HH:MM:SS]
None
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display the entire accounting log:
switch# show accounting log
This example shows how to display 400 bytes of the accounting log:
switch# show accounting log 400
This example shows how to display the accounting log starting at 16:00:00 on February 16, 2008:
switch# show accounting log start-time 2008 Feb 16 16:00:00
This example shows how to display the accounting log starting at 15:59:59 on February 1, 2008 and ending at 16:00:00 on February 29, 2008:
switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00

| Command | Description |
|---|---|
| clear accounting log | Clears the accounting log. |

To display all IPv4 access control lists (ACLs) or a specific IPv4 ACL, use the show ip access-lists command.
show ip access-lists [access-list-name]

| Argument | Description |
|---|---|
| access-list-name | (Optional) Name of an IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |

The switch shows all IPv4 ACLs unless you use the access-list-name argument to specify an ACL.
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

By default, this command displays the IPv4 ACLs configured on the switch. The command displays the statistics information for an IPv4 ACL only if the IPv4 ACL is applied to the management (mgmt0) interface. If the ACL is applied to an SVI interface or in a QoS class map, then the command does not display any statistics information.
This example shows how to display all IPv4 ACLs on the switch:
switch# show ip access-lists
IP access list BulkData
10 deny ip any any
IP access list CriticalData
10 deny ip any any
IP access list Scavenger
10 deny ip any any
IP access list deny
10 deny ip 192.168.30.1/32 192.168.40.1/32
IP access list deny4
IP access list denyv4
statistics per-entry
20 deny ip 192.168.10.0/24 10.20.10.0/24 fragments
30 permit udp 192.168.10.0/24 gt isakmp 192.168.20.0/24 lt 400
40 permit icmp any any router-advertisement
60 deny tcp 10.10.10.0/24 10.20.10.0/24 syn
70 permit igmp any any host-report
80 deny tcp any any rst
90 deny tcp any any ack
100 permit tcp any any fin
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
IP access list dot
--More--
<--output truncated-->
switch#

| Command | Description |
|---|---|
| ip access-list | Configures an IPv4 ACL. |
| show access-lists | Displays all ACLs or a specific ACL. |
| show mac access-lists | Displays all MAC ACLs or a specific MAC ACL. |

To display the Address Resolution Protocol (ARP) table statistics, use the show ip arp command.
show ip arp [detail | vlan vlan-id [vrf {vrf-name | all | default | management}]]
None
EXEC mode

| Release | Modification |
|---|---|
| 4.2(1)N1(1) | This command was introduced. |

This example shows how to display the ARP table:
switch# show ip arp
IP ARP Table for context default
Total number of entries: 1
Address Age MAC Address Interface
90.10.10.2 00:03:11 000d.ece7.df7c Vlan900
switch#
This example shows how to display the detailed ARP table:
switch# show ip arp detail
IP ARP Table for context default
Total number of entries: 1
Address Age MAC Address Interface Physical Interface
90.10.10.2 00:02:55 000d.ece7.df7c Vlan900 Ethernet1/12
switch#
This example shows how to display the ARP table for VLAN 10 and all VRFs:
switch# show ip arp vlan 10 vrf all

| Command | Description |
|---|---|
| clear ip arp | Clears the ARP cache and table. |
| show running-config arp | Displays the running ARP configuration. |

To display all IPv6 access control lists (ACLs) or a specific IPv6 ACL, use the show ipv6 access-lists command.
show ipv6 access-lists [access-list-name] [expanded | summary]
None
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

The device shows all IPv6 ACLs, unless you use the access-list-name argument to specify an ACL.
The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following:
•Whether per-entry statistics is configured for the ACL.
•The number of rules in the ACL configuration. This number does not reflect how many entries the ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules.
•The interfaces that the ACL is applied to.
•The interfaces that the ACL is active on.
The show ipv6 access-lists command displays statistics for each entry in an ACL if the following conditions are both true:
•The ACL configuration contains the statistics per-entry command.
•The ACL is applied to an interface that is administratively up.
This example shows how to display all IPv6 ACLs on a switch:
switch# show ipv6 access-lists

| Command | Description |
|---|---|
| ipv6 access-list | Configures an IPv6 ACL. |

To display all Media Access Control (MAC) access control lists (ACLs) or a specific MAC ACL, use the show mac access-lists command.
show mac access-lists [access-list-name]

| Argument | Description |
|---|---|
| access-list-name | (Optional) Name of a MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters. |

The switch shows all MAC ACLs unless you use the access-list-name argument to specify an ACL.
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display all MAC ACLs on the switch:
switch# show mac access-lists

| Command | Description |
|---|---|
| mac access-list | Configures a MAC ACL. |
| show access-lists | Displays all ACLs or a specific ACL. |
| show ip access-lists | Displays all IPv4 ACLs or a specific IPv4 ACL. |

To display RADIUS server information, use the show radius-server command.
show radius-server [hostname | ipv4-address | ipv6-address] [directed-request | groups [group-name] | sorted | statistics {hostname | ipv4-address | ipv6-address}]
Displays the global RADIUS server configuration.
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys.
This example shows how to display information for all RADIUS servers:
switch# show radius-server
This example shows how to display information for a specified RADIUS server:
switch# show radius-server 192.168.1.1
This example shows how to display the RADIUS directed request configuration:
switch# show radius-server directed-request
This example shows how to display information for RADIUS server groups:
switch# show radius-server groups
This example shows how to display information for a specified RADIUS server group:
switch# show radius-server groups RadServer
This example shows how to display sorted information for all RADIUS servers:
switch# show radius-server sorted
This example shows how to display statistics for a specified RADIUS server:
switch# show radius-server statistics 192.168.1.1

| Command | Description |
|---|---|
| show running-config radius | Displays the RADIUS information in the running configuration file. |

To display the user role configuration, use the show role command.
show role [name role-name]

| Keyword or argument | Description |
|---|---|
| name role-name | (Optional) Displays information for a specific user role name. |

Displays information for all user roles.
EXEC mode

| Release | Modification |
|---|---|
| 4.0(0)N1(1a) | This command was introduced. |

This example shows how to display information for a specific user role:
switch# show role name MyRole
This example shows how to display information for all user roles:
switch# show role

| Command | Description |
|---|---|
| role name | Configures user roles. |

To display the user role features, use the show role feature command.
show role feature [detail | name feature-name]
detail | (Optional) Displays detailed information for all features.
name feature-name | (Optional) Displays detailed information for a specific feature.
Displays a list of user role feature names.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the user role features:
switch# show role feature
This example shows how to display detailed information about all the user role features:
switch# show role feature detail
This example shows how to display detailed information about a specific user role feature:
switch# show role feature name boot-variable
Command | Description
---|---
role feature-group | Configures feature groups for user roles.
rule | Configures rules for user roles.
To display the user role feature groups, use the show role feature-group command.
show role feature-group [detail | name group-name]
detail | (Optional) Displays detailed information for all feature groups.
name group-name | (Optional) Displays detailed information for a specific feature group.
Displays a list of user role feature groups.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the user role feature groups:
switch# show role feature-group
This example shows how to display detailed information about all the user role feature groups:
switch# show role feature-group detail
This example shows how to display information for a specific user role feature group:
switch# show role feature-group name SecGroup
Command | Description
---|---
role feature-group | Configures feature groups for user roles.
rule | Configures rules for user roles.
To display authentication, authorization, and accounting (AAA) configuration information in the running configuration, use the show running-config aaa command.
show running-config aaa [all]
all | (Optional) Displays configured and default information.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the configured AAA information in the running configuration:
switch# show running-config aaa
To display RADIUS server information in the running configuration, use the show running-config radius command.
show running-config radius [all]
all | (Optional) Displays default RADIUS configuration information.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display information for RADIUS in the running configuration:
switch# show running-config radius
Command | Description
---|---
show radius-server | Displays RADIUS information.
To display user account, Secure Shell (SSH) server, and Telnet server information in the running configuration, use the show running-config security command.
show running-config security [all]
all | (Optional) Displays default user account, SSH server, and Telnet server configuration information.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display user account, SSH server, and Telnet server information in the running configuration:
switch# show running-config security
To display the Secure Shell (SSH) server key, use the show ssh key command.
show ssh key
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This command is available only when SSH is enabled using the ssh server enable command.
This example shows how to display the SSH server key:
switch# show ssh key
Command | Description
---|---
ssh key | Configures the SSH server key.
To display the Secure Shell (SSH) server status, use the show ssh server command.
show ssh server
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the SSH server status:
switch# show ssh server
Command | Description
---|---
ssh server enable | Enables the SSH server.
To display authentication, authorization, and accounting (AAA) configuration information in the startup configuration, use the show startup-config aaa command.
show startup-config aaa
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the AAA information in the startup configuration:
switch# show startup-config aaa
To display RADIUS configuration information in the startup configuration, use the show startup-config radius command.
show startup-config radius
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the RADIUS information in the startup configuration:
switch# show startup-config radius
To display user account, Secure Shell (SSH) server, and Telnet server configuration information in the startup configuration, use the show startup-config security command.
show startup-config security
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
switch# show startup-config security
To display TACACS+ server information, use the show tacacs-server command.
show tacacs-server [hostname | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Displays the global TACACS+ server configuration.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys.
You must use the feature tacacs+ command before you can display TACACS+ information.
This example shows how to display information for all TACACS+ servers:
switch# show tacacs-server
This example shows how to display information for a specified TACACS+ server:
switch# show tacacs-server 192.168.2.2
This example shows how to display the TACACS+ directed request configuration:
switch# show tacacs-server directed-request
This example shows how to display information for TACACS+ server groups:
switch# show tacacs-server groups
This example shows how to display information for a specified TACACS+ server group:
switch# show tacacs-server groups TacServer
This example shows how to display sorted information for all TACACS+ servers:
switch# show tacacs-server sorted
This example shows how to display statistics for a specified TACACS+ server:
switch# show tacacs-server statistics 192.168.2.2
Command | Description
---|---
show running-config tacacs+ | Displays the TACACS+ information in the running configuration file.
To display the Telnet server status, use the show telnet server command.
show telnet server
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display the Telnet server status:
switch# show telnet server
Command | Description
---|---
telnet server enable | Enables the Telnet server.
To display information about the user accounts on the switch, use the show user-account command.
show user-account [name]
name | (Optional) Information about the specified user account only.
Displays information about all the user accounts defined on the switch.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display information about all the user accounts defined on the switch:
switch# show user-account
This example shows how to display information about a specific user account:
switch# show user-account admin
To display the users currently logged in to the switch, use the show users command.
show users
This command has no arguments or keywords.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display all the users currently logged in to the switch:
switch# show users
Command | Description
---|---
clear user | Logs out a specific user.
username | Creates and configures a user account.
To display the contents of the IPv4 access control list (ACL) or MAC ACL associated with a specific VLAN access map, use the show vlan access-list command.
show vlan access-list map-name
map-name | VLAN access list to show.
None
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
For the specified VLAN access map, the switch displays the access map name and the contents of the ACL associated with the map.
This example shows how to display the contents of the ACL associated with the specified VLAN access map:
switch# show vlan access-list vlan1map
To display all VLAN access maps or a VLAN access map, use the show vlan access-map command.
show vlan access-map [map-name]
map-name | (Optional) VLAN access map to show.
The switch shows all VLAN access maps, unless you use the map-name argument to select a specific access map.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
For each VLAN access map displayed, the switch shows the access map name, the ACL specified by the match command, and the action specified by the action command.
Use the show vlan filter command to see which VLANs have a VLAN access map applied to them.
This example shows how to display a specific VLAN access map:
switch# show vlan access-map vlan1map
This example shows how to display all VLAN access maps:
switch# show vlan access-map
To display information about instances of the vlan filter command, including the VLAN access map and the VLAN IDs affected by the command, use the show vlan filter command.
show vlan filter [access-map map-name | vlan vlan-id]
All instances of VLAN access maps applied to a VLAN are displayed, unless you use the access-map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to display all VLAN access map information on the switch:
switch# show vlan filter
To create a Secure Shell (SSH) session using IPv4, use the ssh command.
ssh [username@]{ipv4-address | hostname} [vrf {vrf-name | default | management}]
Default VRF
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The switch supports SSH version 2.
This example shows how to start an SSH session using IPv4:
switch# ssh 192.168.1.1 vrf management
Command | Description
---|---
clear ssh session | Clears SSH sessions.
ssh server enable | Enables the SSH server.
ssh6 | Starts an SSH session using IPv6 addressing.
To create a Secure Shell (SSH) session using IPv6, use the ssh6 command.
ssh6 [username@]{ipv6-address | hostname} [vrf {vrf-name | default | management}]
Default VRF
EXEC mode
Release | Modification
---|---
4.0(1a)N1(1) | This command was introduced.
The switch supports SSH version 2.
This example shows how to start an SSH session using IPv6:
switch# ssh6 2001:0DB8::200C:417A vrf management
Command | Description
---|---
clear ssh session | Clears SSH sessions.
ssh | Starts an SSH session using IPv4 addressing.
ssh server enable | Enables the SSH server.
To create a Secure Shell (SSH) server key, use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key {dsa [force] | rsa [length [force]]}
no ssh key [dsa | rsa]
1024-bit length
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The Cisco NX-OS software supports SSH version 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no ssh server enable command.
This example shows how to create an SSH server key using RSA with the default key length:
switch(config)# ssh key rsa
This example shows how to create an SSH server key using RSA with a specified key length:
switch(config)# ssh key rsa 768
This example shows how to replace an SSH server key using DSA with the force option:
switch(config)# no ssh server enable
switch(config)# ssh key dsa force
switch(config)# ssh server enable
This example shows how to remove the DSA SSH server key:
switch(config)# no ssh server enable
switch(config)# no ssh key dsa
switch(config)# ssh server enable
This example shows how to remove all SSH server keys:
switch(config)# no ssh server enable
switch(config)# no ssh key
switch(config)# ssh server enable
Command | Description
---|---
show ssh key | Displays the SSH server key information.
ssh server enable | Enables the SSH server.
To enable the Secure Shell (SSH) server, use the ssh server enable command. To disable the SSH server, use the no form of this command.
ssh server enable
no ssh server enable
This command has no arguments or keywords.
Enabled
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The switch supports SSH version 2.
This example shows how to enable the SSH server:
switch(config)# ssh server enable
This example shows how to disable the SSH server:
switch(config)# no ssh server enable
Command | Description
---|---
show ssh server | Displays the SSH server status.
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control {broadcast | multicast | unicast} level percentage[.fraction]
no storm-control {broadcast | multicast | unicast} level
All packets are passed.
Interface configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters storm-control command to display the discard count.
Use one of the following methods to turn off suppression for the specified traffic type:
•Set the level to 100 percent for the specified traffic type.
•Use the no form of this command.
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
switch(config-if)# storm-control broadcast level 30
This example shows how to disable the suppression mode for multicast traffic:
switch(config-if)# no storm-control multicast level
Command | Description
---|---
show interface | Displays the storm-control suppression counters for an interface.
show running-config | Displays the configuration of the interface.
To set a periodic time interval where a nonreachable (nonresponsive) TACACS+ server is monitored for responsiveness, use the tacacs-server deadtime command. To disable the monitoring of the nonresponsive TACACS+ server, use the no form of this command.
tacacs-server deadtime minutes
no tacacs-server deadtime minutes
minutes | Time interval in minutes. The range is from 1 to 1440.
0 minutes
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
Setting the time interval to zero disables the timer. If the dead-time interval for an individual TACACS+ server is greater than zero (0), that value takes precedence over the value set for the server group.
When the dead-time interval is 0 minutes, TACACS+ server monitoring is not performed unless the TACACS+ server is part of a server group and the dead-time interval for the group is greater than 0 minutes.
You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to configure the dead-time interval and enable periodic monitoring:
switch(config)# tacacs-server deadtime 10
This example shows how to revert to the default dead-time interval and disable periodic monitoring:
switch(config)# no tacacs-server deadtime 10
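The dead-time precedence rules described above, written out as an added Python example (not code from this reference); the TacacsServer and TacacsServerGroup objects are assumptions standing in for the configured tacacs-server and aaa group server settings.

```python
from dataclasses import dataclass
from typing import Optional

DEADTIME_MAX = 1440  # minutes; the command accepts 1 to 1440, and 0 disables the timer


@dataclass
class TacacsServer:
    host: str
    deadtime: int = 0  # dead-time interval for this server; 0 = timer disabled (the default)


@dataclass
class TacacsServerGroup:
    name: str
    deadtime: int = 0  # dead-time interval configured on the server group


def _check_range(minutes: int, what: str) -> None:
    """Reject values the command would not accept (0 is allowed because it disables the timer)."""
    if not 0 <= minutes <= DEADTIME_MAX:
        raise ValueError(f"{what} dead-time {minutes} is outside 0..{DEADTIME_MAX} minutes")


def effective_deadtime(server: TacacsServer, group: Optional[TacacsServerGroup] = None) -> int:
    """Dead-time interval (minutes) that governs this server.

    A per-server value greater than zero takes precedence over the group value; a per-server
    value of zero falls back to the group value when the server belongs to a group that has one.
    """
    _check_range(server.deadtime, f"server {server.host}")
    if group is not None:
        _check_range(group.deadtime, f"group {group.name}")
    if server.deadtime > 0:
        return server.deadtime
    if group is not None and group.deadtime > 0:
        return group.deadtime
    return 0


def monitoring_performed(server: TacacsServer, group: Optional[TacacsServerGroup] = None) -> bool:
    """True when a nonresponsive server will be re-tested periodically for responsiveness."""
    return effective_deadtime(server, group) > 0
```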
To allow users to send authentication requests to a specific TACACS+ server when logging in, use the tacacs-server directed-request command. To revert to the default, use the no form of this command.
tacacs-server directed-request
no tacacs-server directed-request
This command has no arguments or keywords.
Sends the authentication request to the configured TACACS+ server groups.
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You must use the feature tacacs+ command before you configure TACACS+.
During login, the user can specify the username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured TACACS+ server. The username is sent to the server name for authentication.
This example shows how to allow users to send authentication requests to a specific TACACS+ server when logging in:
switch(config)# tacacs-server directed-request
This example shows how to prevent users from sending authentication requests to a specific TACACS+ server when logging in:
switch(config)# no tacacs-server directed-request
Command | Description
---|---
feature tacacs+ | Enables TACACS+.
show tacacs-server directed-request | Displays the directed request TACACS+ server configuration.
To configure TACACS+ server host parameters, use the tacacs-server host command. To revert to the defaults, use the no form of this command.
tacacs-server host {hostname | ipv4-address | ipv6-address} [key [0 | 7] shared-secret] [port port-number] [test {idle-time time | password password | username name}] [timeout seconds]
no tacacs-server host {hostname | ipv4-address | ipv6-address} [key [0 | 7] shared-secret] [port port-number] [test {idle-time time | password password | username name}] [timeout seconds]
Idle time: disabled.
Server monitoring: disabled.
Timeout: 1 second.
Test username: test.
Test password: test.
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You must use the feature tacacs+ command before you configure TACACS+.
When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.
This example shows how to configure TACACS+ server host parameters:
switch(config)# tacacs-server host 192.168.2.3 key HostKey
switch(config)# tacacs-server host tacacs2 key 0 abcd
switch(config)# tacacs-server host tacacs3 key 7 1234
switch(config)# tacacs-server host 192.168.2.3 test idle-time 10
switch(config)# tacacs-server host 192.168.2.3 test username tester
switch(config)# tacacs-server host 192.168.2.3 test password 2B9ka5
Command | Description
---|---
feature tacacs+ | Enables TACACS+.
show tacacs-server | Displays TACACS+ server information.
To configure a global TACACS+ shared secret key, use the tacacs-server key command. To remove a configured shared secret, use the no form of this command.
tacacs-server key [0 | 7] shared-secret
no tacacs-server key [0 | 7] shared-secret
None
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all TACACS+ server configurations on the switch. You can override this global key assignment by using the key keyword in the tacacs-server host command.
You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to configure TACACS+ server shared keys:
switch(config)# tacacs-server key AnyWord
switch(config)# tacacs-server key 0 AnyWord
switch(config)# tacacs-server key 7 public
Command | Description
---|---
feature tacacs+ | Enables TACACS+.
show tacacs-server | Displays TACACS+ server information.
To specify the time between retransmissions to the TACACS+ servers, use the tacacs-server timeout command. To revert to the default, use the no form of this command.
tacacs-server timeout seconds
no tacacs-server timeout seconds
seconds | Seconds between retransmissions to the TACACS+ server. The valid range is 1 to 60 seconds.
1 second
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to configure the TACACS+ server timeout value:
switch(config)# tacacs-server timeout 3
This example shows how to revert to the default TACACS+ server timeout value:
switch(config)# no tacacs-server timeout 3
Command | Description
---|---
feature tacacs+ | Enables TACACS+.
show tacacs-server | Displays TACACS+ server information.
To create a Telnet session using IPv4 on a Cisco Nexus 5000 Series switch, use the telnet command.
telnet {ipv4-address | hostname} [port-number] [vrf {vrf-name | default | management}]
Port 23 is the default port.
EXEC mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
To create a Telnet session with IPv6 addressing, use the telnet6 command.
This example shows how to start a Telnet session using IPv4:
switch# telnet 192.168.1.1 vrf management
switch#
Command | Description
---|---
clear line | Clears Telnet sessions.
telnet server enable | Enables the Telnet server.
telnet6 | Creates a Telnet session using IPv6 addressing.
To enable the Telnet server, use the telnet server enable command. To disable the Telnet server, use the no form of this command.
telnet server enable
no telnet server enable
This command has no arguments or keywords.
Enable
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to enable the Telnet server:
switch(config)# telnet server enable
This example shows how to disable the Telnet server:
switch(config)# no telnet server enable
Command | Description
---|---
show telnet server | Displays the Telnet server status.
To create a Telnet session using IPv6 on the Cisco NX-OS switch, use the telnet6 command.
telnet6 {ipv6-address | hostname} [port-number] [vrf {vrf-name | default | management}]
Port 23 is the default port. The default VRF is used.
EXEC mode
Release | Modification
---|---
4.0(1a)N1(1) | This command was introduced.
To use this command, you must enable the Telnet server using the telnet server enable command.
To create a Telnet session with IPv4 addressing, use the telnet command.
This example shows how to start a Telnet session using an IPv6 address:
switch# telnet6 2001:0DB8:0:0:E000::F vrf management
switch#
Command | Description
---|---
clear line | Clears Telnet sessions.
telnet | Creates a Telnet session using IPv4 addressing.
telnet server enable | Enables the Telnet server.
To specify a virtual routing and forwarding (VRF) instance for a RADIUS or TACACS+ server group, use the use-vrf command. To remove the VRF instance, use the no form of this command.
use-vrf {vrf-name | default | management}
no use-vrf {vrf-name | default | management}
vrf-name | VRF instance name. The name is case sensitive, and can be a maximum of 32 alphanumeric characters.
default | Specifies the default VRF.
management | Specifies the management VRF.
None
RADIUS server group configuration mode
TACACS+ server group configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You can configure only one VRF instance for a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to specify a VRF instance for a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# use-vrf management
This example shows how to specify a VRF instance for a TACACS+ server group:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# use-vrf management
This example shows how to remove the VRF instance from a TACACS+ server group:
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf management
To create and configure a user account, use the username command. To remove a user account, use the no form of this command.
username user-id [expire date] [password password] [role role-name]
username user-id sshkey {key | filename filename}
no username user-id
No expiration date, password, or SSH key.
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
The switch accepts only strong passwords. The characteristics of a strong password include the following:
•At least eight characters long
•Does not contain many consecutive characters (such as "abcd")
•Does not contain many repeating characters (such as "aaabbb")
•Does not contain dictionary words
•Does not contain proper names
•Contains both uppercase and lowercase characters
•Contains numbers
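The strong-password characteristics listed above, applied as a check before a username command is issued, as an added Python example that is not part of this reference; the word lists and the run-length thresholds are assumptions, since the switch's own lists and limits are not published here.

```python
import re
from typing import List, Optional

# Constructed stand-ins for the dictionary-word and proper-name checks (assumption: the
# switch uses its own internal lists, which this page does not publish).
DICTIONARY_WORDS = {"password", "cisco", "switch", "admin", "secret", "welcome"}
PROPER_NAMES = {"alice", "bob", "carol", "dave"}

MIN_LENGTH = 8     # "at least eight characters long"
CONSEC_LIMIT = 4   # a run like "abcd" is rejected (assumed threshold for "many consecutive")
REPEAT_LIMIT = 3   # a run like "aaa" in "aaabbb" is rejected (assumed threshold for "many repeating")


def longest_consecutive_run(s: str) -> int:
    """Longest run of characters whose code points increase by one, e.g. 'abcd' -> 4."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if ord(cur) == ord(prev) + 1 else 1
        best = max(best, run)
    return best


def longest_repeat_run(s: str) -> int:
    """Longest run of identical characters, e.g. 'aaabbb' -> 3."""
    best = run = 1
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def contains_listed_word(s: str, words) -> bool:
    """Case-insensitive substring match against a word list."""
    lowered = s.lower()
    return any(w in lowered for w in words)


def check_password(candidate: str) -> List[str]:
    """Return the guideline violations for candidate; an empty list means it is acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than eight characters")
    if longest_consecutive_run(candidate) >= CONSEC_LIMIT:
        problems.append("contains many consecutive characters")
    if longest_repeat_run(candidate) >= REPEAT_LIMIT:
        problems.append("contains many repeating characters")
    if contains_listed_word(candidate, DICTIONARY_WORDS):
        problems.append("contains a dictionary word")
    if contains_listed_word(candidate, PROPER_NAMES):
        problems.append("contains a proper name")
    if not (re.search(r"[A-Z]", candidate) and re.search(r"[a-z]", candidate)):
        problems.append("does not contain both uppercase and lowercase characters")
    if not re.search(r"[0-9]", candidate):
        problems.append("does not contain numbers")
    return problems


def build_username_command(user_id: str, password: str, role: Optional[str] = None) -> str:
    """Render 'username user-id password password [role role-name]' for an acceptable password only."""
    problems = check_password(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    cmd = f"username {user_id} password {password}"
    if role:
        cmd += f" role {role}"
    return cmd
```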
This example shows how to create a user account with a password:
switch(config)# username user1 password Ci5co321
This example shows how to configure the SSH key for a user account:
switch(config)# username user1 sshkey file bootflash:key_file
Command | Description
---|---
show user-account | Displays the user account configuration.
To create a new VLAN access map or to configure an existing VLAN access map, use the vlan access-map command. To remove a VLAN access map, use the no form of this command.
vlan access-map map-name
no vlan access-map map-name
map-name | Name of the VLAN access map that you want to create or configure. The name can be up to 64 alphanumeric, case-sensitive characters.
None
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
Each VLAN access map can include one match command and one action command.
This example shows how to create a VLAN access map named vlan-map-01, assign an IPv4 ACL named ip-acl-01 to the map, specify that the switch forwards packets matching the ACL, and enable statistics for traffic matching the map:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# statistics
To apply a VLAN access map to one or more VLANs, use the vlan filter command. To unapply a VLAN access map, use the no form of this command.
vlan filter map-name vlan-list VLAN-list
no vlan filter map-name [vlan-list VLAN-list]
None
Global configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
You can apply a VLAN access map to one or more VLANs.
You can apply only one VLAN access map to a VLAN.
The no form of this command enables you to unapply a VLAN access map from all or part of the VLAN list that you specified when you applied the access map. To unapply an access map from all VLANs where it is applied, you can omit the VLAN-list argument. To unapply an access map from a subset of the VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
switch(config)# vlan filter vlan-map-01 vlan-list 20-45
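A model of the vlan filter and no vlan filter semantics described above (one map per VLAN, unapply from all or from a subset of the VLAN list, and the show vlan filter views), written as an added Python example rather than code from this reference; rejecting a second map on a VLAN that already carries one is an assumption, since the page only states that a VLAN can have one access map.

```python
import re
from typing import Dict, List, Optional, Set


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand a VLAN-list such as '20-45' or '10,20-22' into the set of VLAN IDs it names."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad VLAN-list element: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of order or out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


class VlanFilterTable:
    """Which access map is applied to which VLAN; a VLAN carries at most one map."""

    def __init__(self) -> None:
        self.map_of_vlan: Dict[int, str] = {}

    def apply(self, map_name: str, vlan_list: str) -> None:
        """vlan filter map-name vlan-list VLAN-list"""
        vlans = parse_vlan_list(vlan_list)
        # Assumption: a VLAN already filtered by a different map is rejected rather than
        # silently re-pointed; nothing is changed when the command is rejected.
        busy = sorted(v for v in vlans if self.map_of_vlan.get(v, map_name) != map_name)
        if busy:
            raise ValueError(f"VLANs {busy} already have a different access map applied")
        for v in vlans:
            self.map_of_vlan[v] = map_name

    def unapply(self, map_name: str, vlan_list: Optional[str] = None) -> Set[int]:
        """no vlan filter map-name [vlan-list VLAN-list]; returns the VLANs the map was removed from.

        Without a VLAN-list the map is removed everywhere it is applied; with one, only from the
        subset of those VLANs the list names (listed VLANs that do not carry this map are ignored).
        """
        applied = {v for v, m in self.map_of_vlan.items() if m == map_name}
        targets = applied if vlan_list is None else applied & parse_vlan_list(vlan_list)
        for v in targets:
            del self.map_of_vlan[v]
        return targets

    def show_vlan_filter(self, access_map: Optional[str] = None,
                         vlan: Optional[int] = None) -> Dict[str, List[int]]:
        """show vlan filter [access-map map-name | vlan vlan-id], as map name -> sorted VLAN IDs."""
        result: Dict[str, List[int]] = {}
        for v, m in self.map_of_vlan.items():
            if access_map is not None and m != access_map:
                continue
            if vlan is not None and v != vlan:
                continue
            result.setdefault(m, []).append(v)
        return {m: sorted(vs) for m, vs in result.items()}
```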
To enter VLAN policy configuration mode for a user role, use the vlan policy deny command. To revert to the default VLAN policy for a user role, use the no form of this command.
vlan policy deny
no vlan policy deny
This command has no arguments or keywords.
All VLANs
User role configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to enter VLAN policy configuration mode for a user role:
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)#
This example shows how to revert to the default VLAN policy for a user role:
switch# configure terminal
switch(config)# role name MyRole
switch(config-role)# no vlan policy deny
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.
show role | Displays user role information.
To configure the deny-access virtual routing and forwarding (VRF) policy for a user role, use the vrf policy deny command. To revert to the default VRF policy configuration for a user role, use the no form of this command.
vrf policy deny
no vrf policy deny
This command has no arguments or keywords.
None
User role configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
This example shows how to enter VRF policy configuration mode for a user role:
switch(config)# role name MyRole
switch(config-role)# vrf policy deny
switch(config-role-vrf)#
This example shows how to revert to the default VRF policy for a user role:
switch(config)# role name MyRole
switch(config-role)# no vrf policy deny
Command | Description
---|---
role name | Creates or specifies a user role and enters user role configuration mode.
show role | Displays user role information.
To configure the deny access to a VSAN policy for a user role, use the vsan policy deny command. To revert to the default VSAN policy configuration for a user role, use the no form of this command.
vsan policy deny
no vsan policy deny
This command has no arguments or keywords.
None
User role configuration mode
Release | Modification
---|---
4.0(0)N1(1a) | This command was introduced.
To permit access to the VSAN policy, use the permit vsan command.
This example shows how to deny access to a VSAN policy for a user role:
switch(config)# role name MyRole
switch(config-role)# vsan policy deny
switch(config-role-vsan)#
This example shows how to revert to the default VSAN policy configuration for a user role:
switch(config)# role name MyRole
switch(config-role)# vsan policy deny
switch(config-role-vsan)# no vsan policy deny
switch(config-role)#