H Commands

This chapter describes the Cisco NX-OS security commands that begin with H.

hardware access-list lou resource threshold

To configure the threshold value for logical operation units (LOUs), use the hardware access-list lou resource threshold command. To remove the threshold value and revert to the default value, use the no form of this command.

hardware access-list lou resource threshold value

no hardware access-list lou resource threshold value

 
Syntax Description

value

Threshold value. Valid values are from 1 to 32. The default is 5.

 
Command Default

Threshold value of 5.

 
Command Modes

Global configuration mode

 
Command History

Release
Modification

6.0(2)N1(1)

This command was introduced.

 
Usage Guidelines

None.

Examples

The following example shows how to configure a threshold value of 15 for LOUs:

switch# configure terminal
switch(config)# hardware access-list lou resource threshold 15

 

hardware profile tcam resource service-template

To commit a template in the running image, use the hardware profile tcam resource service-template command. To commit a default template, use the no form of this command.

hardware profile tcam resource service-template user-defined-template

no hardware profile tcam resource service-template currently-committed-template

 
Syntax Description

user-defined-template

Name of the user defined template.

currently-committed-template

Name of the currently committed template.

 
Command Default

None

 
Command Modes

EXEC mode

 
Command History

Release
Modification

7.0(0)N1(1)

This command was introduced.

7.1(4)N1(1)

The output of the command was modified to include the system prompt that provides an option to proceed with copying the running configuration to the startup configuration and rebooting the switch.

 
Usage Guidelines

Use the show hardware profile tcam resource template command to list the template names to use in this command.

Examples

This example shows how to commit a user defined template:

switch# configure terminal
switch(config)# hardware profile tcam resource service-template temp1
Details of the temp1 template you are trying to commit are as follows:
-------------------------------------------------------------------------------
Template name: temp1
Current state: Created
Region Features Size-allocated Current-size Current-usage Available/free
-------------------------------------------------------------------------------
Vacl Vacl 1024 1024 15 1009
Ifacl Ifacl 1152 1152 209 943
Rbacl Rbacl 1152 1152 3 1149
Qos Qos 448 448 30 418
Span Span 64 64 2 62
Sup Sup 256 256 58 198
-------------------------------------------------------------------------------
To finish committing the template, the system will do the following:
1> Save running config : "copy running-config startup-config"
2> Reboot the switch : "reload"
-------------------------------------------------------------------------------
Do you really want to continue with RELOAD ? (y/n) [no] yes
System is still initializing
Configuration mode is blocked until system is ready
switch(config)# [16152.925385] Shutdown Ports..
[16152.959744] writing reset reason 9
[snip]
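Because committing a template ends with a reload, an operator normally wants to confirm that the template's allocation can hold what is already programmed in each region before answering the prompt. The parser below is an added example (not Cisco code, and not part of the original reference) that reads the region table from the command output shown above and flags regions whose current usage would not fit the allocation. The sample output is copied from the session above; the reading of the columns (Size-allocated is the template being committed, Current-size is the allocation in effect now) is an assumption drawn from the column names.

```python
import re

# Region table copied from the "hardware profile tcam resource service-template"
# output shown in the reference (constructed test input for this example).
TEMPLATE_OUTPUT = """\
Details of the temp1 template you are trying to commit are as follows:
-------------------------------------------------------------------------------
Template name: temp1
Current state: Created
Region Features Size-allocated Current-size Current-usage Available/free
-------------------------------------------------------------------------------
Vacl Vacl 1024 1024 15 1009
Ifacl Ifacl 1152 1152 209 943
Rbacl Rbacl 1152 1152 3 1149
Qos Qos 448 448 30 418
Span Span 64 64 2 62
Sup Sup 256 256 58 198
-------------------------------------------------------------------------------
"""

# One region row: region, features, then four integer columns.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_template(text):
    """Return {region: {...}} for every row of the region table in the output."""
    regions = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Region"):
            in_table = True          # header row; rows follow the next dashed line
            continue
        if not in_table:
            continue
        if line.startswith("---"):
            if regions:
                break                # second dashed line closes the table
            continue
        m = ROW_RE.match(line)
        if m:
            regions[m.group(1)] = {
                "features": m.group(2),
                "size_allocated": int(m.group(3)),   # assumed: template being committed
                "current_size": int(m.group(4)),     # assumed: allocation in effect now
                "current_usage": int(m.group(5)),
                "free": int(m.group(6)),
            }
    return regions


def total_allocated(regions):
    """Sum of the Size-allocated column across all regions."""
    return sum(r["size_allocated"] for r in regions.values())


def check_template(regions):
    """List the regions that would not safely absorb the current usage, plus any
    row whose free count does not equal Current-size minus Current-usage."""
    problems = []
    for name, r in regions.items():
        if r["current_usage"] > r["size_allocated"]:
            problems.append(
                f"{name}: current usage {r['current_usage']} exceeds "
                f"template allocation {r['size_allocated']}"
            )
        if r["current_size"] - r["current_usage"] != r["free"]:
            problems.append(f"{name}: free count {r['free']} is inconsistent")
    return problems


if __name__ == "__main__":
    regions = parse_template(TEMPLATE_OUTPUT)
    print(f"{len(regions)} regions, {total_allocated(regions)} entries allocated")
    for p in check_template(regions) or ["no problems found"]:
        print(p)
```

Run the check against the captured output before confirming the reload; a template that shrinks a region below what is programmed today is the case worth catching, and the constructed variant in the test shows how it is reported.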
 

 
Related Commands

Command
Description

show hardware profile tcam resource template

Displays all templates.

 

hardware sup-tcam correction asic

To rewrite a corrupted supervisor-region Ternary Content-Addressable Memory (TCAM) entry content with the content stored in the database, use the hardware sup-tcam correction asic command. To disable continuous periodic detection, use the no form of this command.

hardware sup-tcam correction asic {ASIC-ID | all} entry {TCAM-INDEX | all}

 
Syntax Description

ASIC-ID

Global ASIC-ID. The range is from 0 to 64.

all

All ASICs.

TCAM-INDEX

Sup-TCAM entry index. The range is from 0 to 4096.

all

All TCAM entries.

 
Command Default

None.

 
Command Modes

EXEC mode

 
Command History

Release
Modification

7.1(4)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to rewrite a corrupted supervisor-region TCAM entry content with the content stored in the database:

switch# hardware sup-tcam correction asic 2 entry 5

 
Related Commands

Command
Description

hardware sup-tcam monitoring enable

Enables a continuous periodic detection of corrupted supervisor-region TCAM entries.

hardware sup-tcam monitoring trigger-detection

Initiates an on-demand verification iteration that involves reading each supervisor-region TCAM entry and comparing this TCAM entry data with the stored content.

show platform afm info sup-tcam monitoring info

Displays details about supervisor-region TCAM monitoring.

show platform afm info tcam access stats

Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload.

 

hardware sup-tcam monitoring enable

To enable a continuous periodic detection of corrupted supervisor-region Ternary Content-Addressable Memory (TCAM) entries, use the hardware sup-tcam monitoring enable command. To disable continuous periodic detection, use the no form of this command.

hardware sup-tcam monitoring enable

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

By default, the periodic corruption detection mechanism is set to run once every 1440 minutes or 1 day.

 
Command Modes

Global configuration mode

 
Command History

Release
Modification

7.1(4)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to enable continuous periodic detection of corrupted supervisor-region TCAM entries:

switch# configure terminal
switch(config)# hardware sup-tcam monitoring enable
 

This example shows how to disable continuous periodic detection of corrupted supervisor-region TCAM entries:

switch# configure terminal
switch(config)# no hardware sup-tcam monitoring enable

 
Related Commands

Command
Description

hardware sup-tcam correction asic

Rewrites a corrupted supervisor-region TCAM entry content with the content stored in the database.

hardware sup-tcam monitoring timer-expiry

Changes the periodic corruption detection mechanism timer value.

hardware sup-tcam monitoring trigger-detection

Initiates an on-demand verification iteration that involves reading each supervisor-region TCAM entry and comparing this TCAM entry data with the stored content.

show platform afm info sup-tcam monitoring info

Displays details about supervisor-region TCAM monitoring.

show platform afm info tcam access stats

Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload.

 

hardware sup-tcam monitoring timer-expiry

To change the periodic corruption detection mechanism timer value, use the hardware sup-tcam monitoring timer-expiry command. To remove the configuration, use the no form of this command.

hardware sup-tcam monitoring timer-expiry timeout-in-minutes

no hardware sup-tcam monitoring timer-expiry

 
Syntax Description

timeout-in-minutes

Periodic corruption detection mechanism timer value in minutes. The range for the timer is from 5 to 2880 minutes (2 days).

 
Command Default

None.

 
Command Modes

Global configuration mode

 
Command History

Release
Modification

7.1(4)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

Examples

This example shows how to change the periodic corruption detection mechanism timer value:

switch# configure terminal
switch(config)# hardware sup-tcam monitoring timer-expiry 10

 

This example shows how to remove the configured periodic corruption detection mechanism timer value:

switch# configure terminal
switch(config)# no hardware sup-tcam monitoring timer-expiry

 
Related Commands

Command
Description

hardware sup-tcam correction asic

Rewrites a corrupted supervisor-region TCAM entry content with the content stored in the database.

hardware sup-tcam monitoring enable

Enables a continuous periodic detection of corrupted supervisor-region TCAM entries.

hardware sup-tcam monitoring trigger-detection

Initiates an on-demand verification iteration that involves reading each supervisor-region TCAM entry and comparing this TCAM entry data with the stored content.

show platform afm info sup-tcam monitoring info

Displays details about supervisor-region TCAM monitoring.

show platform afm info tcam access stats

Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload.

 

hardware sup-tcam monitoring trigger-detection

To initiate an on-demand verification iteration that involves reading each supervisor-region Ternary Content-Addressable Memory (TCAM) entry and comparing this TCAM entry data with the content stored in the database, use the hardware sup-tcam monitoring trigger-detection command.

hardware sup-tcam monitoring trigger-detection

 
Syntax Description

This command has no arguments or keywords.

 
Command Default

None

 
Command Modes

EXEC mode

 
Command History

Release
Modification

7.1(4)N1(1)

This command was introduced.

 
Usage Guidelines

This command does not require a license.

A syslog is generated if there is a mismatch between the supervisor-region Ternary Content-Addressable Memory (TCAM) entry content and the content stored in the database.

Examples

This example shows how to initiate an on-demand verification iteration that involves reading each sup-region TCAM entry and comparing this TCAM entry data with content stored in the database:

switch# hardware sup-tcam monitoring trigger-detection

 
Related Commands

Command
Description

hardware sup-tcam correction asic

Rewrites a corrupted supervisor-region TCAM entry content with the content stored in the database.

hardware sup-tcam monitoring enable

Enables a continuous periodic detection of corrupted supervisor-region TCAM entries.

show platform afm info sup-tcam monitoring info

Displays details about supervisor-region TCAM monitoring.

show platform afm info tcam access stats

Displays write access statistics per TCAM entry per ASIC per slot, along with the number of writes, clears and timestamps of the writes and clears since the previous switch reload.

 

host (IPv4)

To specify a host or a subnet as a member of an IPv4-address object group, use the host command. To remove a group member from an IPv4-address object group, use the no form of this command.

[ sequence-number ] host IPv4-address

no { sequence-number | host IPv4-address }

[ sequence-number ] IPv4-address network-wildcard

no IPv4-address network-wildcard

[ sequence-number ] IPv4-address / prefix-len

no IPv4-address / prefix-len

 
Syntax Description

sequence-number

(Optional) Sequence number for this group member. Sequence numbers maintain the order of group members within an object group. Valid sequence numbers are from 1 to 4294967295. If you do not specify a sequence number, the device assigns a number that is 10 greater than the largest sequence number in the current object group.

host IPv4-address

Specifies that the group member is a single IPv4 address. Enter IPv4-address in dotted-decimal format.

IPv4-address network-wildcard

IPv4 address and network wildcard. Enter IPv4-address and network-wildcard in dotted-decimal format. Use network-wildcard to specify which bits of IPv4-address are the network portion of the address, as follows:

switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
 

A network-wildcard value of 0.0.0.0 indicates that the group member is a specific IPv4 address.

IPv4-address / prefix-len

IPv4 address and variable-length subnet mask. Enter IPv4-address in dotted-decimal format. Use prefix-len to specify how many bits of IPv4-address are the network portion of the address, as follows:

switch(config-ipaddr-ogroup)# 10.23.176.0/24
 

A prefix-len value of 32 indicates that the group member is a specific IP address.

 
Defaults

None

 
Command Modes

IPv4 address object group configuration

 
Command History

Release
Modification

7.3(0)N1(1)

This command was introduced.

 
Usage Guidelines

To specify a subnet as a group member, use either of the following forms of this command:

[ sequence-number ] IPv4-address network-wildcard

[ sequence-number ] IPv4-address / prefix-len

Regardless of the command form that you use to specify a subnet, the device shows the IP-address / prefix-len form of the group member when you use the show object-group command.

To specify a single IPv4 address as a group member, use any of the following forms of this command:

[ sequence-number ] host IPv4-address

[ sequence-number ] IPv4-address 0.0.0.0

[ sequence-number ] IPv4-address /32

Regardless of the command form that you use to specify a single IPv4 address, the device shows the host IP-address form of the group member when you use the show object-group command.

This command does not require a license.

Examples

This example shows how to configure an IPv4-address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:

switch# config t
switch(config)# object-group ip address ipv4-addr-group-13
switch(config-ipaddr-ogroup)# host 10.121.57.102
switch(config-ipaddr-ogroup)# 10.121.57.234/32
switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255
switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13
10 host 10.121.57.102
20 host 10.121.57.234
30 10.23.176.0/24
switch(config-ipaddr-ogroup)#
 

 
Related Commands

Command
Description

object-group ip address

Configures an IPv4 address group.

show object-group

Displays object groups.

host (IPv6)

To specify a host or a subnet as a member of an IPv6-address object group, use the host command. To remove a group member from an IPv6-address object group, use the no form of this command.

[ sequence-number ] host IPv6-address

no { sequence-number | host IPv6-address }

[ sequence-number ] IPv6-address / network-prefix

no IPv6-address / network-prefix

 
Syntax Description

sequence-number

(Optional) Sequence number for this group member. Sequence numbers maintain the order of group members within an object group. Valid sequence numbers are from 1 to 4294967295. If you do not specify a sequence number, the device assigns a number that is 10 greater than the largest sequence number in the current object group.

host IPv6-address

Specifies that the group member is a single IPv6 address. Enter IPv6-address in colon-separated, hexadecimal format.

IPv6-address / network-prefix

IPv6 address and a variable-length subnet mask. Enter IPv6-address in colon-separated, hexadecimal format. Use network-prefix to specify how many bits of IPv6-address are the network portion of the address, as follows:

switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
 

A network-prefix value of 128 indicates that the group member is a specific IPv6 address.

 
Defaults

None

 
Command Modes

IPv6 address object group configuration

 
Command History

Release
Modification

7.3(0)N1(1)

This command was introduced.

 
Usage Guidelines

To specify a subnet as a group member, use the following form of this command:

[ sequence-number ] IPv6-address / network-prefix

To specify a single IP address as a group member, use any of the following forms of this command:

[ sequence-number ] host IPv6-address

[ sequence-number ] IPv6-address /128

Regardless of the command form that you use to specify a single IPv6 address, the device shows the host IPv6-address form of the group member when you use the show object-group command.

This command does not require a license.

Examples

This example shows how to configure an IPv6-address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:

switch# config t
switch(config)# object-group ipv6 address ipv6-addr-group-A7
switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128
switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
10 host 2001:db8:0:3ab0::1
20 host 2001:db8:0:3ab0::2
30 2001:db8:0:3ab7::/96
switch(config-ipv6addr-ogroup)#
 

 
Related Commands

Command
Description

object-group ipv6 address

Configures an IPv6 address group.

show object-group

Displays object groups.
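The host (IPv4) and host (IPv6) sections above describe three input forms for a group member, automatic sequence numbering (10 greater than the largest existing number), and a single canonical display form in show object-group. The following added example (not Cisco code, and not part of the original reference) models that behaviour in Python so the normalisation can be checked offline: wildcard masks are converted to prefix lengths (only contiguous wildcards are accepted), /32 and /128 members collapse to the host form, and members can be removed by sequence number or by address. The class and function names are this example's own; that host bits in a subnet member are cleared rather than rejected is an assumption.

```python
import ipaddress

MAX_SEQ = 4294967295  # upper bound of the sequence-number range in the reference


def wildcard_to_prefix_len(wildcard: str) -> int:
    """Convert a network wildcard such as 0.0.0.255 to a prefix length.

    Wildcard bits set to 1 are the host portion. Only contiguous wildcards
    (all ones in the low bits) have a prefix-length equivalent; others are rejected.
    """
    w = int(ipaddress.IPv4Address(wildcard))
    host_bits = w.bit_length()
    if w != (1 << host_bits) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} has no prefix form")
    return 32 - host_bits


class AddressObjectGroup:
    """Minimal model of an NX-OS IPv4/IPv6 address object group (example only)."""

    def __init__(self, name: str, version: int):
        if version not in (4, 6):
            raise ValueError("version must be 4 or 6")
        self.name = name
        self.version = version
        self.members = {}  # sequence number -> ipaddress network object

    def _next_seq(self) -> int:
        # Device rule: 10 greater than the largest sequence number in the group.
        return max(self.members, default=0) + 10

    def add(self, line: str) -> int:
        """Accept '[seq] host A', '[seq] A wildcard' (IPv4 only) or '[seq] A/len'."""
        tokens = line.split()
        seq = int(tokens.pop(0)) if tokens and tokens[0].isdigit() else self._next_seq()
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError(f"sequence number {seq} out of range")
        if len(tokens) == 2 and tokens[0] == "host":
            net = ipaddress.ip_network(tokens[1])            # implicit /32 or /128
        elif len(tokens) == 2:
            if self.version != 4:
                raise ValueError("wildcard form is only valid for IPv4 groups")
            plen = wildcard_to_prefix_len(tokens[1])
            # Assumption: host bits in the address are cleared (strict=False).
            net = ipaddress.ip_network(f"{tokens[0]}/{plen}", strict=False)
        elif len(tokens) == 1 and "/" in tokens[0]:
            net = ipaddress.ip_network(tokens[0], strict=False)
        else:
            raise ValueError(f"unrecognised member form: {line!r}")
        if net.version != self.version:
            raise ValueError(f"IPv{net.version} member in an IPv{self.version} group")
        self.members[seq] = net
        return seq

    def remove(self, target) -> bool:
        """Remove by sequence number (int) or by member form (str); True if removed."""
        if isinstance(target, int):
            return self.members.pop(target, None) is not None
        tokens = target.split()
        net = (ipaddress.ip_network(tokens[1]) if tokens[0] == "host"
               else ipaddress.ip_network(tokens[0], strict=False))
        for seq, member in list(self.members.items()):
            if member == net:
                del self.members[seq]
                return True
        return False

    def show(self) -> list:
        """Lines in the canonical form show object-group displays."""
        out = []
        for seq in sorted(self.members):
            net = self.members[seq]
            if net.prefixlen == net.max_prefixlen:
                out.append(f"{seq} host {net.network_address}")
            else:
                out.append(f"{seq} {net.with_prefixlen}")
        return out


if __name__ == "__main__":
    g = AddressObjectGroup("ipv4-addr-group-13", 4)
    for member in ("host 10.121.57.102", "10.121.57.234/32", "10.23.176.0 0.0.0.255"):
        g.add(member)
    print("\n".join(g.show()))
```

Feeding the three member lines from the IPv4 example through add() reproduces the three show object-group lines from the reference, and the IPv6 example behaves the same way with /128 members collapsing to the host form.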