Cisco Nexus 5500 Series NX-OS Security Command Reference

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Book Contents

Find Matches in This Book

Available Languages

Download Options

Book Title

Cisco Nexus 5500 Series NX-OS Security Command Reference

Chapter Title

C Commands

PDF - Complete Book (2.56 MB) PDF - This Chapter (134.0 KB)
View with Adobe Reader on a variety of devices
ePub - Complete Book (247.0 KB)
View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
Mobi - Complete Book (731.0 KB)
View on Kindle device or Kindle app on multiple devices

Results

Updated:: January 25, 2018

C Commands

This chapter describes the Cisco NX-OS security commands that begin with C.

checkpoint

To take a snapshot of the current running configuration and store the snapshot in the file system in an ASCII format, use the checkpoint command.

checkpoint [ checkpoint-name [ description descp-text [... description descp-text ]] | description descp-text | file { bootflash: | volatile: }[ // server ][ directory / ][ filename ]]

no checkpoint [ checkpoint-name | description descp-text | file { bootflash: | volatile: }[ // server ][ directory / ][ filename ]]

Syntax Description

checkpoint-name	(Optional) Checkpoint name. The name can be a maximum of 32 characters.
description descp-text	(Optional) Specifies a description for the given checkpoint. The text can be a maximum of 80 characters and can contain spaces.
file	(Optional) Specifies that a file be created to store the configuration rollback checkpoint.
bootflash:	Specifies the bootflash local writable storage file system.
volatile:	Specifies the volatile local writable storage file system.
// server	(Optional) Name of the server. Valid values are ///, //module-1/, //sup-1/, //sup-active/, or //sup-local/. The double slash (//) is required.
directory /	(Optional) Name of a directory. The directory name is case sensitive.
filename	(Optional) Name of the checkpoint configuration file. The filename is case sensitive.

Note There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).

Command Default

Automatically generates checkpoint name (user-checkpoint- number).

Command Modes

EXEC mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Usage Guidelines

Checkpoints are local to a switch. When you create a checkpoint, a snapshot of the current running configuration is stored in a checkpoint file. If you do not provide a checkpoint name, Cisco NX-OS sets the checkpoint name to user-checkpoint- number, where the number is from 1 to 10.

If Fibre Channel over Ethernet (FCoE) is enabled on the switch, you cannot restore the active configuration to the checkpoint state. The following error message appears when you create a checkpoint on a FCoE-enabled switch:

switch# checkpoint chkpoint-1

ERROR: ascii-cfg: FCOE is enabled. Disbaling rollback module (err_id 0x405F004C)

switch#

On a switch that has FCoE disabled, you see the following message when you create the checkpoint:

switch# checkpoint chkpoint-1

...Done

switch#

You can create up to ten checkpoints of your configuration per switch. When the number of checkpoints reaches the maximum limit, the oldest entry is removed.

You cannot apply the checkpoint file of one switch into another switch. You cannot start a checkpoint filename with the word system.

The checkpoint files are stored as text files that you cannot directly access or modify. When a checkpoint is cleared from the system, the associated checkpoint configuration file is deleted.

Examples

This example shows how to create a checkpoint:

switch# checkpoint

...

user-checkpoint-4 created Successfully

Done

switch#

This example shows how to create a checkpoint, named chkpnt-1, and define its purpose:

switch# checkpoint chkpnt-1 description Checkpoint to save current configuration, Sep 9 10:02 A.M.

switch#

This example shows how to create a checkpoint configuration file named chkpnt_configSep9-1.txt in the bootflash storage system:

switch# checkpoint file bootflash:///chkpnt_configSep9-1.txt

switch#

This example shows how to delete a checkpoint named chkpnt-1:

switch# no checkpoint chkpnt-1

switch#

Related Commands

Command	Description
clear checkpoint	Clears the checkpoints on the switch.
rollback	Rolls back the switch to any of the saved checkpoints.
show checkpoint all	Displays all checkpoints configured in the switch.
show checkpoint summary	Displays a summary of all checkpoints configured in the switch.
show checkpoint summary user	Displays all checkpoints created by an user.
show checkpoint system	Displays all checkpoints that were automatically created in the system.

clear aaa local user blocked

To clear the blocked local user, use the clear local user blocked command.

clear local user blocked username {all | username}

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Command History

Release	Modification
7.3(0)N1(1)	This command was introduced.

Usage Guidelines

None.

Examples

The following example shows how to clear all the blocked users.

switch# clear aaa local user blocked all

Related Commands

Command	Description
aaa authentication rejected	Configures the login block per user.
show aaa authentication	Displays the AAA authentication configuration.
show aaa local user blocked	Displays the blocked local users.

clear access-list counters

To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear access-list counters command.

clear access-list counters [ access-list-name ]

Syntax Description

access-list-name

(Optional) Name of the IPv4 ACL whose counters the switch clears. The name can be a maximum of 64 alphanumeric characters.

Command Default

None

Command Modes

EXEC mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear counters for all IPv4 ACLs:

switch# clear access-list counters

This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:

switch# clear access-list counters acl-ipv4-01

Related Commands

Command	Description
access-class	Applies an IPv4 ACL to a VTY line.
ip access-group	Applies an IPv4 ACL to an interface.
ip access-list	Configures an IPv4 ACL.
show access-lists	Displays information about one or all IPv4, IPv6, and MAC ACLs.
show ip access-lists	Displays information about one or all IPv4 ACLs.

clear accounting log

To clear the accounting log, use the clear accounting log command.

clear accounting log

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

EXEC mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear the accounting log:

switch# clear accounting log

Related Commands

Command	Description
show accounting log	Displays the accounting log contents.

clear checkpoint database

To clear the checkpoints configured on the switch, use the clear checkpoint database command.

clear checkpoint database [ system | user ]

Syntax Description

system	Clears the configuration rollback checkpoint database for system checkpoints.
user	Clears the configuration rollback checkpoint database for user checkpoints.

Command Default

None

Command Modes

EXEC mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear the configured checkpoints:

switch# clear checkpoint database

.Done

switch#

Related Commands

Command	Description
checkpoint	Creates a checkpoint.
show checkpoint	Displays all configured checkpoints.

clear ip arp

To clear the Address Resolution Protocol (ARP) table and statistics, use the clear ip arp command.

clear ip arp [ vlan vlan-id [ force-delete | vrf { vrf-name | all | default | management }]]

Syntax Description

vlan vlan-id	(Optional) Clears the ARP information for a specified VLAN. The range is from 1 to 4094, except for the VLANs reserved for internal use.
force-delete	(Optional) Clears the entries from ARP table without refresh.
vrf	(Optional) Specifies the virtual routing and forwarding (VRF) to clear from the ARP table.
vrf-name	VRF name. The name can be a maximum of 32 alphanumeric characters and is case sensitive.
all	Specifies that all VRF entries be cleared from the ARP table.
default	Specifies that the default VRF entry be cleared from the ARP table.
management	Specifies that the management VRF entry be cleared from the ARP table.

Command Default

None

Command Modes

Any command mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear the ARP table statistics:

switch# clear ip arp

switch#

This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf:

switch# clear ip arp vlan 10 vrf vlan-vrf

switch#

Related Commands

Command	Description
show ip arp	Displays the ARP configuration status.

clear ip arp inspection log

To clear the Dynamic ARP Inspection (DAI) logging buffer, use the clear ip arp inspection log command.

clear ip arp inspection log

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear the DAI logging buffer:

switch# clear ip arp inspection log

switch#

Related Commands

Command	Description
ip arp inspection log-buffer entries	Configures the DAI logging buffer size.
show ip arp inspection	Displays the DAI configuration status.
show ip arp inspection log	Displays the DAI log configuration.
show ip arp inspection statistics	Displays the DAI statistics.

clear ip arp inspection statistics vlan

To clear the Dynamic ARP Inspection (DAI) statistics for a specified VLAN, use the clear ip arp inspection statistics vlan command.

clear ip arp inspection statistics vlan vlan-list

Syntax Description

vlan vlan-list

Specifies the VLANs whose DAI statistics this command clears. The vlan-list argument allows you to specify a single VLAN ID, a range of VLAN IDs, or comma-separated IDs and ranges. Valid VLAN IDs are from 1 to 4094, except for the VLANs reserved for the internal switch use.

Command Default

None

Command Modes

Any command mode

Command History

Release	Modification
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear the DAI statistics for VLAN 2:

switch# clear ip arp inspection statistics vlan 2

switch#

This example shows how to clear the DAI statistics for VLANs 5 through 12:

switch# clear ip arp inspection statistics vlan 5-12

switch#

This example shows how to clear the DAI statistics for VLAN 2 and VLANs 5 through 12:

switch# clear ip arp inspection statistics vlan 2,5-12

switch#

Related Commands

Command	Description
clear ip arp inspection log	Clears the DAI logging buffer.
ip arp inspection log-buffer	Configures the DAI logging buffer size.
show ip arp inspection	Displays the DAI configuration status.
show ip arp inspection vlan	Displays DAI status for a specified list of VLANs.

clear ip dhcp snooping binding

To clear the Dynamic Host Configuration Protocol (DHCP) snooping binding database, use the clear ip dhcp snooping binding command.

clear ip dhcp snooping binding [ vlan vlan-id [ mac mac-address ip ip-address ] [ interface { ethernet slot /[QSFP-module/] port | port-channel channel-number }]]

Syntax Description

vlan vlan-id	(Optional) Specifies the VLAN ID of the DHCP snooping binding database entry to be cleared. Valid VLAN IDs are from 1 to 4094, except for the VLANs reserved for the internal switch use.
mac-address mac-address	(Optional) Specifies the MAC address of the binding database entry to be cleared. Enter the mac-address argument in dotted hexadecimal format.
ip ip-address	(Optional) Specifies the IPv4 address of the binding database entry to be cleared. Enter the ip-address argument in dotted decimal format.
interface	(Optional) Specifies the Ethernet or EtherChannel interface.
ethernet slot / [QSFP-module/] port	(Optional) Specifies the Ethernet interface and its slot number and port number. The slot number is from 1 to 255. The QSFP-module number is from 1 to 4. The port number is from 1 to 128. Note The QSFP-module number applies only to the QSFP+ Generic Expansion Module (GEM).
port-channel channel-number	(Optional) Specifies the Ethernet port channel of the binding database entry to be cleared.

Command Default

None

Command Modes

Any command mode

Command History

Release	Modification
6.0(2)N1(2)	Support for the QSFP+ GEM was added.
5.2(1)N1(1)	This command was introduced.

Examples

This example shows how to clear the DHCP snooping binding database:

switch# clear ip dhcp snooping binding

switch#

This example shows how to clear a specific entry from the DHCP snooping binding database:

switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11

switch#

Related Commands

Command	Description
copy running-config startup-config	Copies the running configuration to the startup configuration.
show ip dhcp snooping binding	Displays IP-MAC address bindings, including the static IP source entries.
show running-config dhcp	Displays DHCP snooping configuration, including the IP Source Guard configuration.

clear ip dhcp snooping statistics

To clear the Dynamic Host Configuration Protocol (DHCP) snooping statistics, use the clear ip dhcp snooping statistics command.

clear ip dhcp snooping statistics

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Any command mode

Command History

Release	Modification
5.2(1)N2(1)	This command was introduced.

Examples

This example shows how to clear the DHCP snooping statistics:

switch# clear ip dhcp snooping statistics

switch#

Related Commands

Command	Description
copy running-config startup-config	Copies the running configuration to the startup configuration.
show ip dhcp snooping statistics	Displays DHCP snooping statistics.
show running-config dhcp	Displays DHCP snooping configuration, including the IP Source Guard configuration.

clear ipv6 dhcp-ldra statistics

To clear Lightweight DHCPv6 Relay Agent (LDRA) related statistics, use the clear ipv6 dhcp-ldra statistics command.

clear ipv6 dhcp-ldra statistics

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Any configuration mode

Command History

Release	Modification
7.3(0)N1(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the DHCP feature and LDRA feature.

Examples

This example shows how to clear the LDRA related statistics:

switch# clear ipv6 dhcp-ldra statistics

Related Commands

Command	Description

cts role-based batched-programming

To enable CTS batched programming, use the cts role-based batched-programming command.

cts role-based batched-programming

no cts role-based batched-programming

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Configuration mode

Command History

Release	Modification
6.0(2)N2(2)	This command was introduced.

Examples

This example shows how to enable CTS batched programming:

switch# configure terminal

switch(config)# cts role-based batched-programming

Related Commands

Command	Description

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)