- interface policy deny
- ip access-class
- ip access-group
- ip access-list
- ip arp event-history errors
- ip arp inspection log-buffer
- ip arp inspection validate
- ip arp inspection vlan
- ip arp inspection trust
- ip dhcp packet strict-validation
- ip dhcp relay information option
- ip dhcp snooping
- ip dhcp snooping information option
- ip dhcp snooping trust
- ip dhcp snooping verify mac-address
- ip dhcp snooping vlan
- ip radius source-interface
- ip telnet source-interface
- ip tftp source-interface
- ntp source-interface
- ip helper-address
- ip port access-group
- ip source binding
- ip verify source dhcp-snooping-vlan
- ip verify unicast source reachable-via
- ipv6 access-class
- ipv6 access-list
- ipv6 dhcp ldra
- ipv6 dhcp-ldra attach-policy (interface)
- ipv6 dhcp-ldra attach-policy vlan
- ipv6 port traffic-filter
- ipv6 traffic-filter
I Commands
This chapter describes the Cisco NX-OS security commands that begin with I.
interface policy deny
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
Examples
This example shows how to enter interface policy configuration mode for a user role:
This example shows how to revert to the default interface policy for a user role:
Related Commands
- Creates or specifies a user role and enters user role configuration mode.
ip access-class
To create or configure an IPv4 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ip access-class command. To remove the access class, use the no form of this command.
ip access-class access-list-name { in | out }
no ip access-class access-list-name { in | out }
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
When you use the ip access-class command to restrict traffic on a VTY line, FTP, TFTP, Secure Copy Protocol (SCP), and Secure FTP (SFTP) traffic is also affected.
Examples
This example shows how to configure an IP access class on a VTY line to restrict inbound packets:
This example shows how to remove an IP access class that restricts inbound packets:
Related Commands
- Copies the running configuration to the startup configuration file.
ip access-group
To apply an IPv4 access control list (ACL) to a Layer 3 interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name in
no ip access-group access-list-name in
Syntax Description
access-list-name: Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
Command Default
Command Modes
Interface configuration mode
Subinterface configuration mode
Command History
Usage Guidelines
By default, no IPv4 ACLs are applied to a Layer 3 routed interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
- VLAN interfaces
- Layer 3 Ethernet interfaces
- Layer 3 Ethernet subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Loopback interfaces
- Management interfaces
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to Layer 2 interfaces. However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to the Layer 3 Ethernet interface 2/1:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
Related Commands
- Shows the running configuration of all interfaces or of a specific interface.
ip access-list
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Syntax Description
access-list-name: Name of the IPv4 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.
Command Default
Command Modes
Command History
Usage Guidelines
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the switch enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface.
Every IPv4 ACL has the following implicit rule as its last rule:
This implicit rule ensures that the switch denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), which is the IPv4 equivalent of the IPv6 neighbor discovery process, uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
Related Commands
ip arp event-history errors
To log Address Resolution Protocol (ARP) debug events into the event history buffer, use the ip arp event-history errors command.
ip arp event-history errors size { disabled | large | medium | small }
no ip arp event-history errors size { disabled | large | medium | small }
Syntax Description
small: Specifies that the event history buffer size is small. This is the default buffer size.
Command Default
Command Modes
Command History
Examples
This example shows how to configure a medium ARP event history buffer:
This example shows how to set the ARP event history buffer to the default:
Related Commands
- Displays the ARP configuration, including the default configurations.
ip arp inspection log-buffer
To configure the Dynamic ARP Inspection (DAI) logging buffer size, use the ip arp inspection log-buffer command. To reset the DAI logging buffer to its default size, use the no form of this command.
ip arp inspection log-buffer entries number
no ip arp inspection log-buffer entries number
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
Examples
This example shows how to configure the DAI logging buffer size:
Related Commands
- Displays DHCP snooping configuration, including the DAI configuration.
ip arp inspection validate
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate command. To disable additional DAI, use the no form of this command.
ip arp inspection validate { dst-mac [ ip ] [ src-mac ]}
ip arp inspection validate { ip [ dst-mac ] [ src-mac ]}
ip arp inspection validate { src-mac [ dst-mac ] [ ip ]}
no ip arp inspection validate { dst-mac [ ip ] [ src-mac ]}
no ip arp inspection validate { ip [ dst-mac ] [ src-mac ]}
no ip arp inspection validate { src-mac [ dst-mac ] [ ip ]}
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
You must specify at least one keyword. If you specify more than one keyword, the order is irrelevant.
When you enable source MAC validation, an ARP packet is considered valid only if the sender Ethernet address in the packet body is the same as the source Ethernet address in the ARP frame header. When you enable destination MAC validation, an ARP request frame is considered valid only if the target Ethernet address is the same as the destination Ethernet address in the ARP frame header.
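The three checks above, as an added example (not code from the Cisco documentation): a small Python validator that applies the src-mac, dst-mac and ip keywords to Ethernet/ARP frames constructed inline. The dst-mac comparison is applied to ARP replies, where the target hardware address is populated, and the ip keyword is taken to reject the unspecified, limited-broadcast and multicast addresses; both are this example's assumptions, since the page does not spell them out.

```python
import struct
from ipaddress import IPv4Address

ETH_HDR = struct.Struct("!6s6sH")            # destination MAC, source MAC, EtherType
ARP_BODY = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_arp(eth_dst, eth_src, op, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet II + ARP frame; used here only to construct sample input."""
    return ETH_HDR.pack(mac(eth_dst), mac(eth_src), ETHERTYPE_ARP) + ARP_BODY.pack(
        1, 0x0800, 6, 4, op, mac(sha), IPv4Address(spa).packed, mac(tha), IPv4Address(tpa).packed)


def parse_arp(frame: bytes) -> dict:
    if len(frame) < ETH_HDR.size + ARP_BODY.size:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_dst, eth_src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_BODY.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"eth_dst": eth_dst, "eth_src": eth_src, "op": op, "sha": sha, "tha": tha,
            "spa": IPv4Address(spa), "tpa": IPv4Address(tpa)}


def _bogus_ip(addr: IPv4Address) -> bool:
    # Assumption for the 'ip' keyword: the unspecified address, the limited broadcast
    # address and multicast addresses are never legitimate ARP sender/target addresses.
    return addr in (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")) or addr.is_multicast


def dai_validate(frame: bytes, src_mac=False, dst_mac=False, ip=False) -> list:
    """Return the names of the failed additional checks; an empty list means the frame passes."""
    a = parse_arp(frame)
    failed = []
    # src-mac: sender hardware address in the ARP body must equal the Ethernet source address.
    if src_mac and a["sha"] != a["eth_src"]:
        failed.append("src-mac")
    # dst-mac: target hardware address must equal the Ethernet destination address.
    # Applied to replies here, since a request is broadcast with an empty target address.
    if dst_mac and a["op"] == ARP_REPLY and a["tha"] != a["eth_dst"]:
        failed.append("dst-mac")
    # ip: the sender address is checked in every packet, the target address in replies only.
    if ip and (_bogus_ip(a["spa"]) or (a["op"] == ARP_REPLY and _bogus_ip(a["tpa"]))):
        failed.append("ip")
    return failed


# Constructed sample frames (not captured traffic): host 10.0.0.10 resolves gateway 10.0.0.1.
GOOD_REQUEST = build_arp("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ARP_REQUEST,
                         "00:11:22:33:44:55", "10.0.0.10", "00:00:00:00:00:00", "10.0.0.1")
GOOD_REPLY = build_arp("00:11:22:33:44:55", "00:aa:bb:cc:dd:01", ARP_REPLY,
                       "00:aa:bb:cc:dd:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.10")
# Reply whose body claims the gateway's MAC but whose frame came from a different NIC.
MISMATCHED_REPLY = build_arp("00:11:22:33:44:55", "00:de:ad:be:ef:02", ARP_REPLY,
                             "00:aa:bb:cc:dd:01", "10.0.0.1", "00:11:22:33:44:55", "10.0.0.10")
```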
Examples
This example shows how to enable additional DAI validation:
This example shows how to disable additional DAI validation:
Related Commands
- Displays DHCP snooping configuration, including DAI configuration.
ip arp inspection vlan
To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.
ip arp inspection vlan vlan-list [ logging dhcp-bindings { permit | all | none }]
no ip arp inspection vlan vlan-list [ logging dhcp-bindings { permit | all | none }]
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
By default, the device logs dropped packets inspected by DAI.
Examples
This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
Related Commands
- Displays DHCP snooping configuration, including DAI configuration.
ip arp inspection trust
To configure a Layer 2 interface as a trusted ARP interface, use the ip arp inspection trust command. To configure a Layer 2 interface as an untrusted ARP interface, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
You can configure only Layer 2 Ethernet interfaces as trusted ARP interfaces.
Examples
This example shows how to configure a Layer 2 interface as a trusted ARP interface:
Related Commands
ip dhcp packet strict-validation
To enable the strict validation of Dynamic Host Configuration Protocol (DHCP) packets by the DHCP snooping feature, use the ip dhcp packet strict-validation command. To disable the strict validation of DHCP packets, use the no form of this command.
ip dhcp packet strict-validation
no ip dhcp packet strict-validation
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
You must enable DHCP snooping before you can use the ip dhcp packet strict-validation command.
Strict validation of DHCP packets checks that the DHCP options field in DHCP packets is valid, including the "magic cookie" value in the first four bytes of the options field. When strict validation of DHCP packets is enabled, the device drops DHCP packets that fail validation.
Examples
This example shows how to enable the strict validation of DHCP packets:
Related Commands
ip dhcp relay information option
To enable the device to insert and remove option-82 information on DHCP packets forwarded by the relay agent, use the ip dhcp relay information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp relay information option
no ip dhcp relay information option
Syntax Description
Command Default
By default, the device does not insert and remove option-82 information on DHCP packets forwarded by the relay agent.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to enable the DHCP relay agent to insert and remove option-82 information to and from packets it forwards:
Related Commands
ip dhcp snooping
To globally enable Dynamic Host Configuration Protocol (DHCP) snooping on the device, use the ip dhcp snooping command. To globally disable DHCP snooping, use the no form of this command.
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
Examples
This example shows how to globally enable DHCP snooping:
Related Commands
ip dhcp snooping information option
To enable the insertion and removal of option-82 information for Dynamic Host Configuration Protocol (DHCP) packets, use the ip dhcp snooping information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp snooping information option
no ip dhcp snooping information option
Syntax Description
Command Default
By default, the device does not insert and remove option-82 information.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to enable the insertion and removal of option-82 information for DHCP packets:
Related Commands
- Configures an interface as a trusted source of DHCP messages.
- Displays DHCP snooping configuration, including IP Source Guard configuration.
ip dhcp snooping trust
To configure an interface as a trusted source of Dynamic Host Configuration Protocol (DHCP) messages, use the ip dhcp snooping trust command. To configure an interface as an untrusted source of DHCP messages, use the no form of this command.
Syntax Description
Command Default
By default, no interface is a trusted source of DHCP messages.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure DHCP trust on the following types of interfaces:
Examples
This example shows how to configure an interface as a trusted source of DHCP messages:
Related Commands
- Displays DHCP snooping configuration, including IP Source Guard configuration.
ip dhcp snooping verify mac-address
To enable Dynamic Host Configuration Protocol (DHCP) snooping for MAC address verification, use the ip dhcp snooping verify mac-address command. To disable DHCP snooping MAC address verification, use the no form of this command.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
By default, MAC address verification with DHCP snooping is not enabled.
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet.
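Added example (not Cisco's code) covering the two DHCP snooping checks described on this page: the strict validation of the options field under ip dhcp packet strict-validation and the source-MAC check under ip dhcp snooping verify mac-address. Walking the option TLVs after the magic cookie is this example's interpretation of a "valid" options field; the sample DHCPDISCOVER payloads are constructed inline.

```python
import struct

BOOTP_FIXED = struct.Struct("!BBBBIHHIIII16s64s128s")   # 236-byte fixed BOOTP header
MAGIC_COOKIE = b"\x63\x82\x53\x63"                       # first four bytes of the options field
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255


def options_are_valid(options: bytes) -> bool:
    """Strict validation: magic cookie first, then well-formed TLVs closed by an END option.
    The TLV walk is this example's reading of 'valid'; the page only names the cookie."""
    if not options.startswith(MAGIC_COOKIE):
        return False
    i = len(MAGIC_COOKIE)
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:                # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            return True
        if i + 1 >= len(options):          # option code without a length byte
            return False
        length = options[i + 1]
        if i + 2 + length > len(options):  # value would run past the packet
            return False
        i += 2 + length
    return False                           # options field never terminated


def snoop(eth_src: bytes, trusted: bool, payload: bytes,
          strict: bool = True, verify_mac: bool = True) -> str:
    """Decide 'forward' or 'drop: <reason>' for one DHCP payload received on a port."""
    if len(payload) < BOOTP_FIXED.size:
        return "drop: truncated"
    fields = BOOTP_FIXED.unpack_from(payload, 0)
    htype, hlen, chaddr = fields[1], fields[2], fields[11]
    options = payload[BOOTP_FIXED.size:]
    if strict and not options_are_valid(options):
        return "drop: strict-validation"
    # MAC verification applies only to packets that arrive on untrusted interfaces:
    # the Ethernet source must equal the client hardware address carried in the packet.
    if verify_mac and not trusted and htype == 1 and hlen == 6 and chaddr[:6] != eth_src:
        return "drop: mac-verify"
    return "forward"


def build_discover(client_mac: bytes, options: bytes) -> bytes:
    """Constructed DHCPDISCOVER payload (BOOTP header + options); sample input only."""
    chaddr = client_mac.ljust(16, b"\x00")
    return BOOTP_FIXED.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000, 0, 0, 0, 0,
                            chaddr, b"\x00" * 64, b"\x00" * 128) + options


# Constructed sample values.
CLIENT = bytes.fromhex("001122334455")
OTHER = bytes.fromhex("00deadbeef02")
GOOD_OPTS = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1]) + bytes([OPT_END])
NO_COOKIE = bytes([OPT_MSG_TYPE, 1, 1, OPT_END])
TRUNCATED = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1])      # length byte present, value missing
```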
Examples
This example shows how to enable DHCP snooping for MAC address verification:
Related Commands
ip dhcp snooping vlan
To enable Dynamic Host Configuration Protocol (DHCP) snooping on one or more VLANs, use the ip dhcp snooping vlan command. To disable DHCP snooping on one or more VLANs, use the no form of this command.
ip dhcp snooping vlan vlan-list
no ip dhcp snooping vlan vlan-list
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature using the feature dhcp command.
Examples
This example shows how to enable DHCP snooping on VLANs 100, 200, and 250 through 252:
Related Commands
- Displays DHCP snooping configuration, including IP Source Guard configuration.
ip radius source-interface
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure you enable interface VLANs using the feature interface-vlan command.
Examples
Related Commands
ip telnet source-interface
ip telnet source-interface [ vrf vrf-name ]
no ip telnet source-interface [ vrf vrf-name ]
Syntax Description
vrf vrf-name: (Optional) Specifies the virtual routing and forwarding (VRF) instance. The name is case sensitive and can be a maximum of 32 alphanumeric characters.
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure you enable interface VLANs using the feature interface-vlan command.
Examples
Related Commands
ip tftp source-interface
ip tftp source-interface [ vrf vrf-name ]
no ip tftp source-interface [ vrf vrf-name ]
Syntax Description
vrf vrf-name: (Optional) Specifies the virtual routing and forwarding (VRF) instance. The name is case sensitive and can be a maximum of 32 alphanumeric characters.
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure you enable interface VLANs using the feature interface-vlan command.
Examples
Related Commands
ntp source-interface
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure you enable interface VLANs using the feature interface-vlan command.
Examples
Related Commands
ip helper-address
To enable the forwarding of User Datagram Protocol (UDP) broadcasts received on an interface, use the ip helper-address command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.
Syntax Description
Destination broadcast or host address to be used when forwarding UDP broadcasts.
Command Default
Command Modes
Command History
Usage Guidelines
Dynamic Host Configuration Protocol (DHCP) information is carried inside BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the interface closest to the clients. The helper address should specify the address of the DHCP server.
Examples
This example shows how to define an IP helper address for a DHCP server:
Related Commands
ip port access-group
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Syntax Description
access-list-name: Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters long.
Command Default
Command Modes
Interface configuration mode
Virtual Ethernet interface configuration mode
Command History
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the switch without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
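An added example (not from the Cisco documentation) of the evaluation order described for ip access-list and ip port access-group: the first matching rule wins, the implicit final deny catches everything else, and ARP frames are never evaluated by an IPv4 ACL. The rule set named ip-acl-01 and the sample packets are constructed for this example.

```python
from ipaddress import IPv4Address, IPv4Network

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806


class Rule:
    """One ACL entry: action, protocol ('ip' matches any), source/destination prefixes,
    optional destination port (None matches any port)."""

    def __init__(self, action, proto, src, dst, dport=None):
        self.action, self.proto, self.dport = action, proto, dport
        self.src, self.dst = IPv4Network(src), IPv4Network(dst)

    def matches(self, pkt) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if IPv4Address(pkt["src"]) not in self.src or IPv4Address(pkt["dst"]) not in self.dst:
            return False
        return self.dport is None or pkt.get("dport") == self.dport


def evaluate(acl, frame) -> str:
    """First-match evaluation of an inbound port ACL.
    Returns 'permit', 'deny (ICMP host-unreachable)', or 'bypass' for ARP frames."""
    if frame["ethertype"] == ETHERTYPE_ARP:
        return "bypass"      # ARP is a separate link-layer protocol; IPv4 ACLs never see it
    for rule in acl:         # rules are tested in order; the first hit decides
        if rule.matches(frame):
            return "permit" if rule.action == "permit" else "deny (ICMP host-unreachable)"
    return "deny (ICMP host-unreachable)"   # implicit 'deny ip any any' closes every ACL


def ipv4(src, dst, proto, dport=None) -> dict:
    """Constructed IPv4 packet summary (only the fields the rules look at)."""
    return {"ethertype": ETHERTYPE_IPV4, "src": src, "dst": dst, "proto": proto, "dport": dport}


ARP_FRAME = {"ethertype": ETHERTYPE_ARP}

# Constructed rule set standing in for an ACL named ip-acl-01:
# the deny for SSH sits before the broad permit, so order matters.
IP_ACL_01 = [
    Rule("permit", "tcp", "10.0.0.0/24", "192.0.2.10/32", dport=443),
    Rule("deny", "tcp", "10.0.0.0/24", "192.0.2.0/24", dport=22),
    Rule("permit", "ip", "10.0.0.0/24", "192.0.2.0/24"),
]
```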
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
This example shows how to apply an IPv4 ACL named ip-acl-03 to the virtual Ethernet interface 1 as a port ACL:
Related Commands
- Shows the running configuration of all interfaces or of a specific interface.
ip source binding
To create a static IP source entry for a Layer 2 Ethernet interface, use the ip source binding command. To disable the static IP source entry, use the no form of this command.
ip source binding IP-address MAC-address vlan vlan-id { interface ethernet slot / port | port-channel channel-no }
no ip source binding IP-address MAC-address vlan vlan-id { interface ethernet slot / port | port-channel channel-no }
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
By default, there are no static IP source entries.
To use this command, you must enable the Dynamic Host Configuration Protocol (DHCP) snooping feature using the feature dhcp command.
Examples
This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
Related Commands
ip verify source dhcp-snooping-vlan
To enable IP Source Guard on a Layer 2 Ethernet interface, use the ip verify source dhcp-snooping-vlan command. To disable IP Source Guard on a Layer 2 Ethernet interface, use the no form of this command.
ip verify source dhcp-snooping-vlan
no ip verify source dhcp-snooping-vlan
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
Before you use this command, make sure that you enable Dynamic Host Configuration Protocol (DHCP) snooping on the switch by using the feature dhcp command.
IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry.
IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.
Examples
This example shows how to enable IP Source Guard on a Layer 2 interface:
This example shows how to disable IP Source Guard on a Layer 2 interface:
Related Commands
- Creates a static IP source entry for a Layer 2 Ethernet interface.
- Displays the interface configuration in the running configuration.
ip verify unicast source reachable-via
To configure Unicast Reverse Path Forwarding (Unicast RPF) on an interface, use the ip verify unicast source reachable-via command. To remove Unicast RPF from an interface, use the no form of this command.
ip verify unicast source reachable-via { any [ allow-default ] | rx }
no ip verify unicast source reachable-via { any [ allow-default ] | rx }
Syntax Description
Command Default
Command Modes
Command History
Usage Guidelines
You can configure one of the following Unicast RPF modes on an ingress interface:
- Strict Unicast RPF mode: a strict mode check is successful only when both of the following are true:
  – Unicast RPF finds a match in the Forwarding Information Base (FIB) for the packet source address.
  – The ingress interface through which the packet is received matches one of the Unicast RPF interfaces in the FIB match.
  If these checks fail, the packet is discarded. You can use this type of Unicast RPF check where packet flows are expected to be symmetrical.
- Loose Unicast RPF mode: a loose mode check is successful when a lookup of a packet source address in the FIB returns a match and the FIB result indicates that the source is reachable through at least one real interface. The ingress interface through which the packet is received is not required to match any of the interfaces in the FIB result.
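Strict (rx) and loose (any) checks against a small constructed FIB, as an added example rather than the device's implementation. The FIB contents, the interface names, the treatment of Null0 as "not a real interface", and the handling of allow-default (counting a default-route hit as a match) are this example's assumptions; the page does not define the allow-default keyword.

```python
from ipaddress import IPv4Address, IPv4Network

DEFAULT = IPv4Network("0.0.0.0/0")

# Constructed FIB: prefix -> set of next-hop interfaces. "Null0" is a blackhole, not a real interface.
FIB = {
    IPv4Network("10.1.0.0/16"): {"Ethernet1/1"},
    IPv4Network("10.2.0.0/16"): {"Ethernet1/2", "Ethernet1/3"},   # ECMP, two return paths
    IPv4Network("192.0.2.0/24"): {"Null0"},                        # blackholed range
    DEFAULT: {"Ethernet1/4"},                                      # default route
}


def fib_lookup(fib, addr: IPv4Address):
    """Longest-prefix match; returns (prefix, interfaces) or None when nothing matches."""
    matches = [(prefix, ifs) for prefix, ifs in fib.items() if addr in prefix]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)


def urpf_check(fib, src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """mode 'rx' = strict, 'any' = loose. Returns True when the packet passes the check."""
    hit = fib_lookup(fib, IPv4Address(src))
    if hit is None:
        return False                      # no route back to the source at all
    prefix, interfaces = hit
    if prefix == DEFAULT and not allow_default:
        return False                      # assumption: default route only counts with allow-default
    real = {ifname for ifname in interfaces if ifname != "Null0"}
    if not real:
        return False                      # source reachable only through a blackhole
    if mode == "rx":
        return ingress in real            # strict: packet must arrive on a return-path interface
    if mode == "any":
        return True                       # loose: any real interface in the FIB result suffices
    raise ValueError("mode must be 'rx' (strict) or 'any' (loose)")
```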
Examples
This example shows how to configure loose Unicast RPF checking on an interface:
This example shows how to configure strict Unicast RPF checking on an interface:
Related Commands
- Displays the interface configuration in the running configuration.
ipv6 access-class
To create or configure an IPv6 access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY), use the ipv6 access-class command. To remove the access class, use the no form of this command.
ipv6 access-class access-list-name { in | out }
no ipv6 access-class access-list-name { in | out }
Syntax Description
Command Default
Command Modes
Command History
Examples
This example shows how to configure an IPv6 access class on a VTY line to restrict inbound packets:
This example shows how to remove an IPv6 access class that restricts inbound packets:
Related Commands
- Copies the running configuration to the startup configuration file.
ipv6 access-list
To create an IPv6 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ipv6 access-list command. To remove an IPv6 ACL, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Syntax Description
access-list-name: Name of the IPv6 ACL, which can be up to 64 alphanumeric characters long. The name cannot contain a space or quotation mark.
Command Default
Command Modes
Command History
Usage Guidelines
Use IPv6 ACLs to filter IPv6 traffic.
When you use the ipv6 access-list command, the switch enters IP access list configuration mode, where you can use the IPv6 deny and permit commands to configure rules for the ACL. If the specified ACL does not exist, the switch creates it when you enter this command.
Every IPv6 ACL has the following implicit rule as its last rule:
This implicit rule ensures that the switch denies unmatched IP traffic.
Examples
This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
Related Commands
ipv6 dhcp ldra
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature, use the ipv6 dhcp ldra command. This command enables LDRA globally on the switch.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP feature by using the feature dhcp command.
Examples
This example shows how to enable the LDRA feature:
This example shows how to disable the LDRA feature:
Related Commands
ipv6 dhcp-ldra attach-policy (interface)
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on an interface, use the ipv6 dhcp-ldra attach-policy command. To disable the LDRA feature on the interface, use the no form of this command.
ipv6 dhcp-ldra attach-policy {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
no ipv6 dhcp-ldra attach-policy {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the LDRA feature by using the ipv6 dhcp ldra command.
Examples
This example shows how to enable the LDRA feature on the specified interface:
switch(config-if)# ipv6 dhcp-ldra attach-policy client-facing-trusted
switch(config)# interface port-channel 101
switch(config-if)# ipv6 dhcp-ldra attach-policy client-facing-trusted
This example shows how to disable the LDRA feature on the specified interface:
switch(config-if)# no ipv6 dhcp-ldra attach-policy client-facing-trusted
Related Commands
ipv6 dhcp-ldra attach-policy vlan
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on a VLAN, use the ipv6 dhcp-ldra attach-policy vlan command.
ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
no ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the LDRA feature by using the ipv6 dhcp ldra command.
Examples
This example shows how to enable the LDRA feature on the specified VLAN:
This example shows how to disable the LDRA feature on the specified VLAN:
Related Commands
ipv6 port traffic-filter
To apply an IPv6 access control list (ACL) to an interface as a port ACL, use the ipv6 port traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 port traffic-filter access-list-name in
no ipv6 port traffic-filter access-list-name in
Syntax Description
access-list-name: Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
in: Specifies that the device applies the ACL to inbound traffic.
Command Default
Command Modes
Interface configuration mode
Virtual Ethernet interface configuration mode
Command History
Usage Guidelines
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
You can also use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies port ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
This example shows how to apply an IPv6 ACL named ipv6-acl-03 to a specific virtual Ethernet interface:
Related Commands
ipv6 traffic-filter
To apply an IPv6 access control list (ACL) to an interface, use the ipv6 traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 traffic-filter access-list-name in
no ipv6 traffic-filter access-list-name in
Syntax Description
access-list-name: Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
in: Specifies that the device applies the ACL to inbound traffic.
Command Default
Command Modes
Interface configuration mode
Virtual Ethernet interface configuration mode
Command History
Usage Guidelines
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 traffic-filter command to apply an IPv6 ACL to the following interface types:
Note You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command.
The switch applies ACLs to inbound traffic only. The switch checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the switch continues to process the packet. If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv6 ACL named ipv6-acl to Ethernet interface 1/3:
This example shows how to remove an IPv6 ACL named ipv6-acl from Ethernet interface 1/3:
This example shows how to apply an IPv6 ACL named ipv6-acl-03 to a specific virtual Ethernet interface:
Related Commands