- identity policy
- identity profile eapoudp
- interface policy deny
- ip access-class
- ip access-group
- ip access-list
- ip arp inspection filter
- ip arp inspection log-buffer
- ip arp inspection trust
- ip arp inspection validate
- ip arp inspection vlan
- ip dhcp packet strict-validation
- ip dhcp relay
- ip dhcp relay address
- ip dhcp relay information option
- ip dhcp relay information option vpn
- ip dhcp relay subnet-broadcast
- ip dhcp relay sub-option type cisco
- ip dhcp smart-relay
- ip dhcp smart-relay global
- ip dhcp snooping
- ip dhcp snooping information option
- ip dhcp snooping trust
- ip dhcp snooping verify mac-address
- ip dhcp snooping vlan
- ip forward-protocol udp
- ip port access-group
- ip radius source-interface
- ip source binding
- ip tacacs source-interface
- ip udp relay addrgroup
- ip udp relay subnet-broadcast
- ip verify source dhcp-snooping-vlan
- ip verify unicast source reachable-via
- ipv6 access-class
- ipv6 access-list
- ipv6 dhcp-ldra
- ipv6 dhcp-ldra (interface)
- ipv6 dhcp-ldra attach-policy vlan
- ipv6 dhcp relay
- ipv6 dhcp-ldra attach policy (interface)
- ipv6 dhcp relay address
- ipv6 port traffic-filter
- ipv6 traffic-filter
I Commands
This chapter describes the Cisco NX-OS Security commands that begin with I.
identity policy
To create or specify an identity policy and enter identity policy configuration mode, use the identity policy command. To remove an identity policy, use the no form of this command.
identity policy policy-name
no identity policy policy-name
Syntax Description
policy-name: Name for the identity policy. The name is case sensitive, alphanumeric, and has a maximum of 100 characters.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to create an identity policy and enter identity policy configuration mode:
This example shows how to remove an identity policy:
Related Commands
identity profile eapoudp
To create the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile and enter identity profile configuration mode, use the identity profile eapoudp command. To remove the EAPoUDP identity profile configuration, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to create the EAPoUDP identity profile and enter identity profile configuration mode:
This example shows how to remove the EAPoUDP identity profile configuration:
Related Commands
interface policy deny
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command denies all interfaces to the user role except for those that you allow using the permit interface command in user role interface policy configuration mode.
Examples
This example shows how to enter user role interface policy configuration mode for a user role:
This example shows how to revert to the default interface policy for a user role:
Related Commands
role name: Creates or specifies a user role and enters user role configuration mode.
ip access-class
To configure a virtual teletype (VTY) access control list (ACL) to control access to all IPv4 traffic over all VTY lines in the ingress or egress direction, use the ip access-class command. To remove the VTY ACL, use the no form of this command.
ip access-class name {in | out}
no ip access-class name {in | out}
Syntax Description
name: Access class name. The name can be up to 64 alphanumeric, case-sensitive characters. Names cannot contain a space or quotation mark.
Defaults
Command Modes
Command History
Usage Guidelines
The VTY ACL feature restricts all traffic for all VTY lines. You cannot specify different traffic restrictions for different VTY lines.
Examples
This example shows how to configure a VTY ACL to control access to all IPv4 traffic over all VTY lines:
Related Commands
show running-config interface: Shows the running configuration of all interfaces or of a specific interface.
ip access-group
To apply an IPv4 access control list (ACL) to an interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name { in | out }
no ip access-group access-list-name { in | out }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
- Layer 3 Ethernet interfaces
- Layer 3 Ethernet subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Tunnels
- Loopback interfaces
- Management interfaces
Note: You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference.
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to Layer 2 interfaces. However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode. To apply an IPv4 ACL as a port ACL, use the ip port access-group command.
The device applies router ACLs on either outbound or inbound traffic. When the device applies an ACL to inbound traffic, the device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
For outbound access lists, after receiving and routing a packet to an interface, the device checks the ACL. If the first matching rule permits the packet, the device sends the packet to its destination. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 2/1:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
Related Commands
show running-config interface: Shows the running configuration of all interfaces or of a specific interface.
ip access-list
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Syntax Description
access-list-name: Name of the IPv4 ACL. The name has a maximum of 64 alphanumeric, case-sensitive characters but cannot contain a space or quotation mark.
Defaults
Command Modes
Command History
Usage Guidelines
No IPv4 ACLs are defined by default.
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the device enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface as a router ACL. Use the ip port access-group command to apply the ACL to an interface as a port ACL.
Every IPv4 ACL has the following implicit rule as its last rule:
deny ip any any
This implicit rule ensures that the device denies unmatched IP traffic.
Unlike IPv6 ACLs, IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), which is the IPv4 equivalent of the IPv6 neighbor discovery process, uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Use the statistics per-entry command to configure the device to record statistics for each rule in an IPv4 ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit deny ip any any rule, you must explicitly configure an identical rule.
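The following is an added model (not Cisco code) of the evaluation order this section describes: first match wins, the implicit deny ip any any closes every ACL, and per-entry statistics are never recorded for that implicit rule, so only an explicit deny ip any any shows a hit count. The ACL rules and sample packets are constructed; the rule grammar is a small subset of the real deny and permit syntax.

```python
"""Added model of IPv4 ACL evaluation as described above: the first matching
rule decides, an implicit "deny ip any any" ends every ACL, and per-entry
statistics (statistics per-entry) are never recorded for that implicit rule."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    text: str
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every IPv4 protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # destination port from "eq <port>", if any
    hits: int = 0                    # counted only when statistics per-entry is on

    def matches(self, proto, src, dst, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def parse_rule(text):
    """Parse the rule subset '<permit|deny> <proto> <src|any> <dst|any> [eq <port>]'."""
    words = text.split()
    action, proto = words[0], words[1]
    src = ANY if words[2] == "any" else ipaddress.ip_network(words[2])
    dst = ANY if words[3] == "any" else ipaddress.ip_network(words[3])
    dport = int(words[5]) if len(words) > 5 and words[4] == "eq" else None
    return Rule(text, action, proto, src, dst, dport)


class Ipv4Acl:
    def __init__(self, name, rule_lines, statistics_per_entry=False):
        self.name = name
        self.rules = [parse_rule(line) for line in rule_lines]
        self.statistics_per_entry = statistics_per_entry

    def evaluate(self, proto, src, dst, dport=None):
        """Return the action for a packet: first match wins, else the implicit deny."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for rule in self.rules:
            if rule.matches(proto, src, dst, dport):
                if self.statistics_per_entry:
                    rule.hits += 1
                return rule.action
        return "deny"   # implicit rule: the device keeps no statistics for it

    def hit_counts(self):
        """What a per-entry statistics display would report for this ACL."""
        return {rule.text: rule.hits for rule in self.rules}


# Constructed sample ACL and traffic (protocol, source, destination, destination port).
ACL_RULES = [
    "permit tcp 10.1.1.0/24 any eq 22",
    "deny tcp any any eq 23",
    "permit ip 10.1.1.0/24 any",
]
SAMPLE_PACKETS = [
    ("tcp", "10.1.1.5", "192.0.2.10", 22),   # SSH from the permitted subnet: rule 1
    ("tcp", "10.1.1.5", "192.0.2.10", 23),   # Telnet: rule 2 denies it before rule 3 could permit
    ("udp", "10.9.9.9", "192.0.2.10", 53),   # matches nothing explicit: implicit deny
]


def run(acl):
    return [acl.evaluate(*packet) for packet in SAMPLE_PACKETS]


if __name__ == "__main__":
    acl = Ipv4Acl("ip-acl-01", ACL_RULES, statistics_per_entry=True)
    print(run(acl), acl.hit_counts())            # the implicit deny of packet 3 appears nowhere
    counted = Ipv4Acl("ip-acl-02", ACL_RULES + ["deny ip any any"], statistics_per_entry=True)
    print(run(counted), counted.hit_counts())    # the explicit deny ip any any records the hit
```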
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
ip arp inspection filter
To apply an ARP access control list (ACL) to a list of VLANs, use the ip arp inspection filter command. To remove the ARP ACL from the list of VLANs, use the no form of this command.
ip arp inspection filter acl-name vlan vlan-list
no ip arp inspection filter acl-name vlan vlan-list
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to apply an ARP ACL named arp-acl-01 to VLANs 15 and 37 through 48:
Related Commands
ip arp inspection vlan: Enables Dynamic ARP Inspection (DAI) for a specified list of VLANs.
show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
ip arp inspection log-buffer
To configure the Dynamic ARP Inspection (DAI) logging buffer size or the number of logs per interval, use the ip arp inspection log-buffer command. To reset the DAI logging buffer to its default size, use the no form of this command.
ip arp inspection log-buffer {entries number | logs number }
no ip arp inspection log-buffer {entries number | logs number }
Syntax Description
logs number: Specifies the number of logs per interval in a range of 0 to 1024 entries.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the DAI logging buffer size:
This example shows how to configure the number of logs for Dynamic ARP Inspection:
Related Commands
show running-config dhcp: Displays DHCP snooping configuration, including DAI configuration.
ip arp inspection trust
To configure a Layer 2 interface as a trusted ARP interface, use the ip arp inspection trust command. To configure a Layer 2 interface as an untrusted ARP interface, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You can configure only Layer 2 Ethernet interfaces as trusted ARP interfaces.
Examples
This example shows how to configure a Layer 2 interface as a trusted ARP interface:
Related Commands
ip arp inspection validate
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate command. To disable additional DAI, use the no form of this command.
ip arp inspection validate { dst-mac [ ip ] [ src-mac ]}
ip arp inspection validate {[ dst-mac ] ip [ src-mac ]}
ip arp inspection validate {[ dst-mac ] [ ip ] src-mac }
no ip arp inspection validate { dst-mac [ ip ] [ src-mac ]}
no ip arp inspection validate {[ dst-mac ] ip [ src-mac ]}
no ip arp inspection validate {[ dst-mac ] [ ip ] src-mac }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
You must specify at least one keyword. If you specify more than one keyword, the order is irrelevant.
Examples
This example shows how to enable additional DAI validation:
Related Commands
show running-config dhcp: Displays DHCP snooping configuration, including DAI configuration.
ip arp inspection vlan
To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.
ip arp inspection vlan vlan-list [ logging dhcp-bindings { permit | all | none }]
no ip arp inspection vlan vlan-list [ logging dhcp-bindings { permit | all | none }]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
By default, the device does not log packets inspected by DAI.
Examples
This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
Related Commands
show running-config dhcp: Displays DHCP snooping configuration, including DAI configuration.
ip dhcp packet strict-validation
To enable the strict validation of DHCP packets by the DHCP snooping feature, use the ip dhcp packet strict-validation command. To disable the strict validation of DHCP packets, use the no form of this command.
ip dhcp packet strict-validation
no ip dhcp packet strict-validation
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
This command does not require a license.
You must enable DHCP snooping before you can use the ip dhcp packet strict-validation command.
Strict validation of DHCP packets checks that the DHCP options field in DHCP packets is valid, including the “magic cookie” value in the first four bytes of the options field. When strict validation of DHCP packets is enabled, the device drops DHCP packets that fail validation.
Examples
This example shows how to enable the strict validation of DHCP packets:
Related Commands
ip dhcp relay
To enable the DHCP relay agent, use the ip dhcp relay command. To disable the DHCP relay agent, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
This command was introduced to replace the service dhcp command.
Usage Guidelines
Examples
This example shows how to enable the DHCP relay agent:
Related Commands
ip dhcp relay address
To configure the IP address of a DHCP server on an interface, use the ip dhcp relay address command. To remove the DHCP server IP address, use the no form of this command.
ip dhcp relay address IP-address [use-vrf vrf-name ]
no ip dhcp relay address IP-address [use-vrf vrf-name ]
Syntax Description
Defaults
Command Modes
Command History
Up to four ip dhcp relay address commands can be added to the configuration of a Layer 3 Ethernet interface or subinterface.
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure up to four DHCP server IP addresses on Layer 3 Ethernet interfaces and subinterfaces, VLAN interfaces, and Layer 3 port channels. In Cisco NX-OS Release 4.0.2 and earlier releases, you can configure only one DHCP server IP address on an interface.
When an inbound DHCP BOOTREQUEST packet arrives on the interface, the relay agent forwards the packet to all DHCP server IP addresses specified on that interface. The relay agent forwards replies from all DHCP servers to the host that sent the request.
Examples
This example shows how to configure two IP addresses for DHCP servers so that the relay agent can forward BOOTREQUEST packets received on the specified Layer 3 Ethernet interface:
This example shows how to configure the IP address of a DHCP server on a VLAN interface:
This example shows how to configure the IP address of a DHCP server on a Layer 3 port-channel interface:
Related Commands
ip dhcp relay information option
To enable the device to insert and remove option-82 information on DHCP packets forwarded by the relay agent, use the ip dhcp relay information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp relay information option
no ip dhcp relay information option
Syntax Description
Defaults
By default, the device does not insert and remove option-82 information on DHCP packets forwarded by the relay agent.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
Examples
This example shows how to enable the DHCP relay agent to insert and remove option-82 information to and from packets it forwards:
Related Commands
ip dhcp relay information option vpn
To enable VRF support for the DHCP relay agent, use the ip dhcp relay information option vpn command. To disable VRF support, use the no form of this command.
ip dhcp relay information option vpn
no ip dhcp relay information option vpn
Syntax Description
Defaults
By default, the device does not support forwarding of DHCP requests to DHCP servers in different VRFs than the VRF that the DHCP client belongs to.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable Option-82 information insertion for the DHCP relay agent (see the ip dhcp relay information option command).
You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in one VRF to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.
If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information and the address of the DHCP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option-82 information in the request and forwards it to the DHCP server in the server VRF. The Option-82 information that the device adds to a DHCP request relayed to a different VRF includes the following:
- VPN identifier—Contains the name of the VRF that the interface that receives the DHCP request is a member of.
- Link selection—Contains the subnet address of the interface that receives the DHCP request.
- Server identifier override—Contains the IP address of the interface that receives the DHCP request.
When the device receives the DHCP response message, it strips off the Option-82 information and forwards the response to the DHCP client in the client VRF.
Examples
This example shows how to enable VRF support for the DHCP relay agent, which is dependent upon enabling Option-82 support for the DHCP relay agent, and how to configure a DHCP server address on a Layer 3 interface when the DHCP server is in a VRF named SiteA:
Related Commands
ip dhcp relay subnet-broadcast
To configure the Cisco NX-OS device to support the relaying of Dynamic Host Configuration Protocol (DHCP) packets from clients to a subnet broadcast IP address, use the ip dhcp relay subnet-broadcast command. To revert to the default behavior, use the no form of this command.
ip dhcp relay subnet-broadcast
no ip dhcp relay subnet-broadcast
Syntax Description
Defaults
Command Modes
Interface configuration mode (config-if)
Command History
Usage Guidelines
DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled.
You must configure a helper address on the interface in order to use DHCP smart relay and DHCP subnet broadcast support.
In a vPC environment with DHCP smart relay enabled, the subnet of the primary and secondary addresses of an interface should be the same on both Cisco NX-OS devices.
Examples
This example shows how to configure the Cisco NX-OS device to support the relaying of DHCP packets from clients to a subnet broadcast IP address:
Related Commands
ip dhcp relay sub-option type cisco
To enable DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions, use the ip dhcp relay sub-option type cisco command. To disable DHCP’s use of these proprietary numbers, use the no form of this command.
ip dhcp relay sub-option type cisco
no ip dhcp relay sub-option type cisco
Syntax Description
Defaults
Disabled. DHCP uses RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions, respectively.
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to enable DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions:
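The following is an added illustration (not Cisco code) of the packet-level behaviour behind three commands on this page: strict validation of the options field (ip dhcp packet strict-validation), the Option-82 suboptions inserted when a request is relayed to a server in another VRF (ip dhcp relay information option vpn), and the choice between the RFC suboption numbers 5, 11 and 151 and the Cisco proprietary numbers 150, 152 and 151 (ip dhcp relay sub-option type cisco). The DHCPDISCOVER bytes, the VRF SiteA, subnet and interface address are constructed sample values; the ASCII VPN-identifier encoding (type byte 0) follows RFC 6607 and is an assumption about how the VRF name is carried.

```python
"""Added example: strict validation of a DHCP options field, Option-82 insertion
for a request relayed across VRFs, and Option-82 removal from the server reply."""
import ipaddress

MAGIC_COOKIE = bytes.fromhex("63825363")        # first four bytes of a valid options field
OPT_PAD, OPT_END, OPT_RELAY_AGENT = 0, 255, 82  # option 82 = relay agent information

# Suboption numbers for link selection, server ID override and VRF name/VPN ID:
# the RFC numbers used by default, and the Cisco proprietary numbers selected
# with "ip dhcp relay sub-option type cisco".
SUBOPTION_CODES = {
    "rfc":   {"link-selection": 5,   "server-id-override": 11,  "vpn-id": 151},
    "cisco": {"link-selection": 150, "server-id-override": 152, "vpn-id": 151},
}


def parse_options(options):
    """Strict validation: check the magic cookie and walk the option TLVs.
    Returns a list of (code, value); raises ValueError on a malformed field."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("options field does not start with the DHCP magic cookie")
    parsed, i = [], 4
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:                     # pad option has no length byte
            i += 1
            continue
        if code == OPT_END:
            return parsed
        if i + 1 >= len(options):
            raise ValueError(f"option {code} is truncated before its length byte")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} declares {length} bytes, {len(value)} present")
        parsed.append((code, value))
        i += 2 + length
    raise ValueError("options field has no end option")


def strict_validation_passes(options):
    """True if the packet would survive 'ip dhcp packet strict-validation'."""
    try:
        parse_options(options)
        return True
    except ValueError:
        return False


def encode_options(parsed):
    out = bytearray(MAGIC_COOKIE)
    for code, value in parsed:
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def build_option82(vrf_name, link_subnet, interface_ip, sub_option_type="rfc"):
    """Option-82 value for a cross-VRF relay: VPN identifier (VRF name of the receiving
    interface), link selection (its subnet) and server ID override (its address)."""
    codes = SUBOPTION_CODES[sub_option_type]
    subs = [
        # RFC 6607 VSS suboption: type byte 0 followed by an ASCII VPN identifier (assumption)
        (codes["vpn-id"], b"\x00" + vrf_name.encode("ascii")),
        (codes["link-selection"], ipaddress.ip_network(link_subnet).network_address.packed),
        (codes["server-id-override"], ipaddress.ip_address(interface_ip).packed),
    ]
    return b"".join(bytes([code, len(value)]) + value for code, value in subs)


def relay_request(options, vrf_name, link_subnet, interface_ip, sub_option_type="rfc"):
    """Client request on its way to the server VRF: validate, then append Option 82."""
    parsed = parse_options(options)
    parsed.append((OPT_RELAY_AGENT, build_option82(vrf_name, link_subnet, interface_ip, sub_option_type)))
    return encode_options(parsed)


def relay_reply(options):
    """Server reply on its way back to the client VRF: strip Option 82."""
    return encode_options([(c, v) for c, v in parse_options(options) if c != OPT_RELAY_AGENT])


def option82_suboptions(options):
    """Decode the Option-82 suboptions of an options field as {code: value}."""
    subs = {}
    for code, value in parse_options(options):
        if code == OPT_RELAY_AGENT:
            i = 0
            while i < len(value):
                sub_code, sub_len = value[i], value[i + 1]
                subs[sub_code] = value[i + 2:i + 2 + sub_len]
                i += 2 + sub_len
    return subs


# Constructed sample: a minimal DHCPDISCOVER options field (option 53, message type 1).
SAMPLE_DISCOVER = MAGIC_COOKIE + bytes([53, 1, 1, OPT_END])
```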
Related Commands
ip dhcp smart-relay
To enable Dynamic Host Configuration Protocol (DHCP) smart relay on a Layer 3 interface, use the ip dhcp smart-relay command. To disable DHCP smart relay on a Layer 3 interface, use the no form of this command.
Syntax Description
Defaults
Command Modes
Interface configuration mode (config-if)
Command History
Usage Guidelines
The DHCP smart relay agent can be configured independently in default and nondefault VDCs.
Before using the ip dhcp smart-relay global command, you must enable the IP DHCP relay agent using the ip dhcp relay command.
DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled.
You must configure a helper address on the interface in order to use DHCP smart relay and DHCP subnet broadcast support.
A maximum of 10,000 clients can use DHCP smart relay at any given time.
In a vPC environment with DHCP smart relay enabled, the subnet of the primary and secondary addresses of an interface should be the same on both Cisco NX-OS devices.
Examples
This example shows how to enable DHCP smart relay on a Layer 3 interface:
This example shows how to disable DHCP smart relay on a Layer 3 interface:
Related Commands
ip dhcp smart-relay global: Enables the DHCP smart relay globally on the Cisco NX-OS device.
ip dhcp smart-relay global
To enable Dynamic Host Configuration Protocol (DHCP) smart relay globally on the Cisco NX-OS device, use the ip dhcp smart-relay global command. To disable DHCP smart relay globally on the Cisco NX-OS device, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The DHCP smart relay agent can be configured independently in default and nondefault VDCs.
Before using the ip dhcp smart-relay global command, you must enable the IP DHCP relay agent using the ip dhcp relay command.
DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled.
You must configure a helper address on the interface in order to use DHCP smart relay and DHCP subnet broadcast support.
A maximum of 10,000 clients can use DHCP smart relay at any given time.
In a vPC environment with DHCP smart relay enabled, the subnet of the primary and secondary addresses of an interface should be the same on both Cisco NX-OS devices.
Examples
This example shows how to enable DHCP smart relay globally on the Cisco NX-OS device:
This example shows how to disable DHCP smart relay globally on the Cisco NX-OS device:
Related Commands
ip dhcp snooping
To globally enable DHCP snooping on the device, use the ip dhcp snooping command. To globally disable DHCP snooping, use the no form of this command.
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
Examples
This example shows how to globally enable DHCP snooping:
Related Commands
ip dhcp snooping information option
To enable the insertion and removal of option-82 information for DHCP packets, use the ip dhcp snooping information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp snooping information option
no ip dhcp snooping information option
Syntax Description
Defaults
By default, the device does not insert and remove option-82 information.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
Examples
This example shows how to enable the insertion and removal of option-82 information for DHCP packets:
Related Commands
ip dhcp snooping trust
To configure an interface as a trusted source of DHCP messages, use the ip dhcp snooping trust command. To configure an interface as an untrusted source of DHCP messages, use the no form of this command.
Syntax Description
Defaults
By default, no interface is a trusted source of DHCP messages.
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure DHCP trust on the following types of interfaces:
Examples
This example shows how to configure an interface as a trusted source of DHCP messages:
Related Commands
ip dhcp snooping verify mac-address
To enable DHCP snooping MAC address verification, use the ip dhcp snooping verify mac-address command. To disable DHCP snooping MAC address verification, use the no form of this command.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
By default, MAC address verification with DHCP snooping is not enabled.
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client address do not match, address verification causes the device to drop the packet.
Examples
This example shows how to enable DHCP snooping MAC address verification:
Related Commands
ip dhcp snooping vlan
To enable DHCP snooping on one or more VLANs, use the ip dhcp snooping vlan command. To disable DHCP snooping on one or more VLANs, use the no form of this command.
ip dhcp snooping vlan vlan-list
no ip dhcp snooping vlan vlan-list
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
Examples
This example shows how to enable DHCP snooping on VLANs 100, 200, and 250 through 252:
Related Commands
ip forward-protocol udp
To enable the UDP relay feature, use the ip forward-protocol udp command. To disable the UDP relay feature, use the no form of this command.
ip forward-protocol udp [port-range]
no ip forward-protocol udp [port-range]
Syntax Description
port-range: Specifies the range of UDP ports on which to enable the UDP relay feature. The range is from 0 to 65535.
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP feature by using the feature dhcp command.
Examples
This example shows how to enable the UDP relay feature:
This example shows how to disable the UDP relay feature:
Related Commands
ip port access-group
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Syntax Description
access-list-name: Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
Defaults
Command Modes
Command History
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to Layer 2 interfaces.
You can also use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
- Layer 3 Ethernet interfaces
- Layer 3 Ethernet subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Tunnels
- Loopback interfaces
- Management interfaces
Note: You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference.
However, an ACL applied to a Layer 3 interface with the ip port access-group command is inactive unless the port mode changes to access or trunk (Layer 2) mode. To apply an IPv4 ACL as a router ACL, use the ip access-group command.
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command.
The device applies port ACLs to inbound traffic only. The device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
If MAC packet classification is enabled on a Layer 2 interface, you cannot use the ip port access-group command on the interface.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 2/1 as a port ACL:
This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
This example shows how to view the configuration of an Ethernet interface and the error message that appears if you try to apply an IPv4 port ACL to the interface when MAC packet classification is enabled:
Related Commands
show running-config interface: Shows the running configuration of all interfaces or of a specific interface.
ip radius source-interface
To assign a global source interface for the RADIUS server groups, use the ip radius source-interface command. To revert to the default, use the no form of this command.
ip radius source-interface interface
no ip radius source-interface
Syntax Description
interface: Source interface. The supported interface types are ethernet, loopback, and mgmt 0.
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to configure the global source interface for RADIUS server groups:
This example shows how to remove the global source interface for RADIUS server groups:
Related Commands
ip source binding
To create a static IP source entry for a Layer 2 Ethernet interface, use the ip source binding command. To disable the static IP source entry, use the no form of this command.
ip source binding IP-address MAC-address vlan vlan-id interface ethernet slot / port
no ip source binding IP-address MAC-address vlan vlan-id interface ethernet slot / port
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
Related Commands
show running-config dhcp: Displays DHCP snooping configuration, including IP Source Guard configuration.
ip tacacs source-interface
To assign a global source interface for the TACACS+ server groups, use the ip tacacs source-interface command. To revert to the default, use the no form of this command.
ip tacacs source-interface interface
no ip tacacs source-interface
Syntax Description
interface: Source interface. The supported interface types are ethernet, loopback, and mgmt 0.
Defaults
Command Modes
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
Examples
This example shows how to configure the global source interface for TACACS+ server groups:
This example shows how to remove the global source interface for TACACS+ server groups:
Related Commands
ip udp relay addrgroup
To associate an object group with an L3 interface, use the ip udp relay addrgroup command. To disassociate the object group from the interface, use the no form of this command.
ip udp relay addrgroup object-grp-name
no ip udp relay addrgroup object-grp-name
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must configure an object group by using the object-group udp relay ip address command.
Examples
This example shows how to associate an object group with an L3 interface:
This example shows how to disassociate the object group:
Related Commands
ip udp relay subnet-broadcast
To enable the UDP relay feature on subnet broadcast, use the ip udp relay subnet-broadcast command. To disable the UDP relay feature on subnet broadcast, use the no form of this command.
ip udp relay subnet-broadcast
no ip udp relay subnet-broadcast
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the UDP relay feature by using the ip forward-protocol udp command and associate the object group with an L3 interface.
Examples
This example shows how to enable the UDP relay feature on the subnet broadcast:
This example shows how to disable the UDP relay feature on the subnet broadcast:
Related Commands
ip verify source dhcp-snooping-vlan
To enable IP Source Guard on a Layer 2 Ethernet interface, use the ip verify source dhcp-snooping-vlan command. To disable IP Source Guard on an interface, use the no form of this command.
ip verify source dhcp-snooping-vlan
no ip verify source dhcp-snooping-vlan
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
By default, IP Source Guard is not enabled on any interface.
Examples
This example shows how to enable IP Source Guard on an interface:
Related Commands
Creates a static IP source entry for the specified Ethernet interface.
ip verify unicast source reachable-via
To configure Unicast Reverse Path Forwarding (Unicast RPF) on an interface, use the ip verify unicast source reachable-via command. To remove Unicast RPF from an interface, use the no form of this command.
ip verify unicast source reachable-via { any [ allow-default ] | rx }
no ip verify unicast source reachable-via { any [ allow-default ] | rx }
Syntax Description
| Keyword | Description |
|---|---|
| any | Loose mode. The check passes when the FIB has a route to the packet source address through at least one real interface, regardless of the interface on which the packet arrived. |
| allow-default | (Optional) Lets a match on the default route satisfy the loose-mode check. Without this keyword, a source address that is reachable only through the default route fails the check. |
| rx | Strict mode. The check passes only when the FIB route to the source address points back through the interface on which the packet arrived. |
Defaults
Command Modes
Command History
Usage Guidelines
You can configure one of the following Unicast RPF modes on an ingress interface:
Strict Unicast RPF mode—A strict mode check is successful when the following matches occur:
- Unicast RPF finds a match in the Forwarding Information Base (FIB) for the packet source address.
- The ingress interface through which the packet is received matches one of the Unicast RPF interfaces in the FIB match.
If these checks fail, the packet is discarded. You can use this type of Unicast RPF check where packet flows are expected to be symmetrical.
Loose Unicast RPF mode—A loose mode check is successful when a lookup of a packet source address in the FIB returns a match and the FIB result indicates that the source is reachable through at least one real interface. The ingress interface through which the packet is received is not required to match any of the interfaces in the FIB result.
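The two modes above, worked through against a small forwarding table as an added Python example (this is not NX-OS code or output): the FIB, interface names and packets are constructed assumptions, and "Null0" models a discard route that is not a real interface. The model also shows what allow-default changes for a source that is reachable only through the default route.

```python
"""Unicast RPF model: strict (rx), loose (any) and loose with allow-default.

Added illustration for this reference; it is not NX-OS code. The real check
runs in the forwarding hardware against the installed FIB. The FIB below is a
constructed sample; "Null0" stands for a discard route, which is not a real
interface and therefore never satisfies either mode.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed sample FIB: (prefix, next-hop interfaces). ECMP routes list
# several interfaces; the 0.0.0.0/0 entry is the default route.
FIB: List[Tuple[str, List[str]]] = [
    ("10.1.0.0/16", ["Ethernet2/1"]),
    ("10.2.0.0/16", ["Ethernet2/2", "Ethernet2/3"]),  # ECMP: both ports are valid ingress
    ("192.0.2.0/24", ["Null0"]),                       # bogon sink: route exists, no real interface
    ("0.0.0.0/0", ["Ethernet2/4"]),                    # default route toward the upstream
]


def fib_lookup(src: str) -> Optional[Tuple[ipaddress.IPv4Network, List[str]]]:
    """Longest-prefix match of a source address; None when nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, nexthops in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthops)
    return best


def rpf_check(src: str, ingress: str, mode: str, allow_default: bool = False) -> bool:
    """Return True when a packet from src arriving on ingress passes Unicast RPF.

    mode "rx"  : strict, the FIB match must list the ingress interface.
    mode "any" : loose, the FIB match must point to at least one real interface;
                 the ingress interface is irrelevant.
    allow_default lets a default-route match satisfy the check. The CLI offers
    it only together with "any", and this model enforces the same restriction.
    """
    if mode not in ("rx", "any"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    if mode == "rx" and allow_default:
        raise ValueError("allow-default is only valid with loose mode (any)")
    match = fib_lookup(src)
    if match is None:
        return False                                   # no route to the source at all
    net, nexthops = match
    if net.prefixlen == 0 and not allow_default:
        return False                                   # only the default route matched
    real = [nh for nh in nexthops if nh != "Null0"]
    if not real:
        return False                                   # route exists but only to Null0
    return ingress in real if mode == "rx" else True


def main() -> None:
    """Walk a few constructed packets through both modes."""
    cases = [
        ("10.1.5.5", "Ethernet2/1"),     # symmetric path: passes both modes
        ("10.1.5.5", "Ethernet2/2"),     # asymmetric path: strict fails, loose passes
        ("192.0.2.9", "Ethernet2/1"),    # spoofed bogon source: fails both modes
        ("203.0.113.1", "Ethernet2/4"),  # reachable only via the default route
    ]
    for src, ingress in cases:
        print(f"{src:>12} on {ingress}: "
              f"rx={rpf_check(src, ingress, 'rx')} "
              f"any={rpf_check(src, ingress, 'any')} "
              f"any+allow-default={rpf_check(src, ingress, 'any', allow_default=True)}")


if __name__ == "__main__":
    main()
```

Running the block prints the four cases. The asymmetric case (10.1.5.5 arriving on Ethernet2/2) fails strict mode and passes loose mode, which is why strict mode belongs only on interfaces whose flows are symmetric; the Null0 case fails both modes, which is what makes a discard route for bogon space useful together with loose-mode uRPF.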
Examples
This example shows how to configure loose Unicast RPF checking on an interface:
This example shows how to configure strict Unicast RPF checking on an interface:
Related Commands
Displays the interface configuration in the running configuration.
Displays the interface configuration in the startup configuration.
ipv6 access-class
To configure a virtual terminal (VTY) access control list (ACL) that controls all IPv6 traffic over all VTY lines in the ingress or egress direction, use the ipv6 access-class command. To remove the VTY ACL from all VTY lines, use the no form of this command.
ipv6 access-class name {in | out}
no ipv6 access-class name {in | out}
Syntax Description
Access class name. The name can be up to 64 alphanumeric, case-sensitive characters. Names cannot contain a space or quotation mark.
Defaults
Command Modes
Command History
Usage Guidelines
The VTY ACL feature restricts all traffic for all VTY lines. You cannot specify different traffic restrictions for different VTY lines.
Examples
This example shows how to configure a VTY ACL to control access for all IPv6 traffic over all VTY lines:
This example shows how to remove the VTY ACL from the IPv6 traffic over all VTY lines:
Related Commands
Shows the running configuration of all interfaces or of a specific interface.
ipv6 access-class
To apply an IPv6 access control list (ACL) to the virtual terminal (VTY) lines, use the ipv6 access-class command. To remove an IPv6 ACL from the VTY lines, use the no form of this command.
ipv6 access-class access-list-name { in | out }
no ipv6 access-class access-list-name { in | out }
Syntax Description
| Keyword | Description |
|---|---|
| access-list-name | Name of the IPv6 ACL to apply. |
| in | Specifies that the device applies the ACL to inbound traffic. |
| out | Specifies that the device applies the ACL to outbound traffic. |
Defaults
Command Modes
Command History
Usage Guidelines
Examples
This example shows how to apply an IPv6 ACL to inbound traffic on all VTY lines:
Related Commands
ipv6 access-list
To create an IPv6 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ipv6 access-list command. To remove an IPv6 ACL, use the no form of this command.
ipv6 access-list access-list-name
no ipv6 access-list access-list-name
Syntax Description
Name of the IPv6 ACL. Names cannot contain a space or quotation mark.
Defaults
Command Modes
Command History
Usage Guidelines
Use IPv6 ACLs to filter IPv6 traffic.
When you use the ipv6 access-list command, the device enters IPv6 access list configuration mode, where you can use the IPv6 deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the ipv6 traffic-filter command to apply the ACL to an interface as a router ACL. Use the ipv6 port traffic-filter command to apply the ACL to an interface as a port ACL.
Every IPv6 ACL ends with five implicit rules. Unless you configure an explicit rule that denies ICMPv6 neighbor discovery messages, the first four implicit rules permit neighbor advertisement, neighbor solicitation, router advertisement, and router solicitation messages. The fifth implicit rule denies all IPv6 traffic that no earlier rule matched.
Use the statistics per-entry command to configure the device to record statistics for each rule in an IPv6 ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match implicit rules, you must explicitly configure an identical rule for each implicit rule.
Note
If you explicitly configure an IPv6 ACL with a deny ipv6 any any rule, the implicit permit rules can never permit traffic, because the explicit deny matches first. If you want an explicit deny ipv6 any any rule but still need ICMPv6 neighbor discovery to work, explicitly configure all five implicit rules yourself, with the four neighbor discovery permits placed ahead of the deny.
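An added Python illustration of the first-match behaviour the note describes (this is not NX-OS code): it evaluates packets against an ACL with the five implicit rules appended, reports when an explicit deny shadows the neighbor discovery permits, and rewrites the ACL with the four permits placed ahead of the offending rule. The rule grammar handled is a constructed subset of the ACL rule syntax, and the sample ACL and packets are constructed.

```python
"""First-match evaluation of an IPv6 ACL including the implicit trailing
rules, and detection of an explicit 'deny ipv6 any any' that shadows the
implicit neighbor-discovery permits.

Added illustration for this reference, not NX-OS code: the device evaluates
ACLs in hardware. The rule grammar handled here is a constructed subset of the
NX-OS rule syntax, '<permit|deny> <proto> any any [icmpv6-message]', and the
packets in main() are constructed samples.
"""
from typing import Dict, List

# The five implicit rules that end every NX-OS IPv6 ACL, in order.
IMPLICIT_RULES: List[str] = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "permit icmp any any router-advertisement",
    "permit icmp any any router-solicitation",
    "deny ipv6 any any",
]
ND_MESSAGES = ("nd-na", "nd-ns", "router-advertisement", "router-solicitation")


def parse_rule(rule: str) -> Dict[str, str]:
    """Split a rule into action, protocol and optional ICMPv6 message keyword."""
    parts = rule.split()
    if len(parts) not in (4, 5) or parts[0] not in ("permit", "deny") or parts[2:4] != ["any", "any"]:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    return {"action": parts[0], "proto": parts[1], "msg": parts[4] if len(parts) == 5 else ""}


def rule_matches(rule: Dict[str, str], pkt: Dict[str, str]) -> bool:
    """'ipv6' matches any packet; other protocols must match exactly, and an
    ICMPv6 message keyword narrows the match to that message type."""
    if rule["proto"] == "ipv6":
        return True
    if rule["proto"] != pkt["proto"]:
        return False
    return rule["msg"] in ("", pkt.get("msg", ""))


def evaluate(explicit: List[str], pkt: Dict[str, str]) -> str:
    """Return 'permit' or 'deny' from the first matching rule, explicit rules
    first and the implicit rules last."""
    for text in explicit + IMPLICIT_RULES:
        rule = parse_rule(text)
        if rule_matches(rule, pkt):
            return rule["action"]
    raise AssertionError("unreachable: the implicit deny matches everything")


def nd_shadowed(explicit: List[str]) -> bool:
    """True when an explicit rule drops any neighbor-discovery message before
    the implicit permits get to see it."""
    return any(evaluate(explicit, {"proto": "icmp", "msg": m}) == "deny" for m in ND_MESSAGES)


def with_nd_permits(explicit: List[str]) -> List[str]:
    """Return a copy of the ACL with the four ND permits inserted just ahead of
    the first rule that would otherwise swallow ND, keeping the explicit deny-all."""
    fixed: List[str] = []
    for text in explicit:
        if nd_shadowed(fixed + [text]):
            fixed.extend(IMPLICIT_RULES[:4])
        fixed.append(text)
    return fixed


def main() -> None:
    acl = ["permit tcp any any", "deny ipv6 any any"]   # constructed ACL with an explicit deny-all
    ns = {"proto": "icmp", "msg": "nd-ns"}
    print("neighbor solicitation, original ACL:", evaluate(acl, ns))                 # deny
    print("neighbor solicitation, fixed ACL:   ", evaluate(with_nd_permits(acl), ns))  # permit
    print("\n".join(with_nd_permits(acl)))


if __name__ == "__main__":
    main()
```

The rewritten ACL printed by main() is the five-rule pattern the note calls for: the original rules, then the four neighbor discovery permits, then the explicit deny. Because the statistics per-entry command does not count the implicit rules, making them explicit in this way is also the only way to see hit counts for neighbor discovery traffic or for the final deny.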
Examples
This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
Related Commands
Enables the collection of statistics for each entry in an ACL.
ipv6 dhcp-ldra
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature globally, use the ipv6 dhcp-ldra command. To disable the LDRA feature, use the no form of this command.
ipv6 dhcp-ldra
no ipv6 dhcp-ldra
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the DHCP feature by using the feature dhcp command.
Examples
This example shows how to enable the LDRA feature:
This example shows how to disable the LDRA feature:
Related Commands
ipv6 dhcp-ldra (interface)
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on an interface and set the interface role, use the ipv6 dhcp-ldra command in interface configuration mode. To remove the LDRA configuration from the interface, use the no form of this command.
ipv6 dhcp-ldra {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
no ipv6 dhcp-ldra {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
Syntax Description
| Keyword | Description |
|---|---|
| client-facing-trusted | Configures the interface as a trusted client-facing interface. |
| client-facing-untrusted | Configures the interface as an untrusted client-facing interface. |
| client-facing-disable | Disables LDRA on the client-facing interface. |
| server-facing | Configures the interface as a server-facing interface. |
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the LDRA feature by using the ipv6 dhcp-ldra command.
Examples
This example shows how to enable the LDRA feature on the specified interface:
switch(config-if)# ipv6 dhcp-ldra client-facing-trusted
This example shows how to disable the LDRA feature on the specified interface:
Related Commands
ipv6 dhcp-ldra attach-policy vlan
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on a VLAN and set the VLAN role, use the ipv6 dhcp-ldra attach-policy vlan command. To remove the LDRA policy from the VLAN, use the no form of this command.
ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
no ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
Syntax Description
| Keyword | Description |
|---|---|
| vlan-id | ID of the VLAN to which the policy is attached. |
| client-facing-trusted | Configures the VLAN as trusted client-facing. |
| client-facing-untrusted | Configures the VLAN as untrusted client-facing. |
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the LDRA feature by using the ipv6 dhcp-ldra command.
Examples
This example shows how to enable the LDRA feature on the specified VLAN:
This example shows how to disable the LDRA feature on the specified VLAN:
Related Commands
ipv6 dhcp relay
To enable the DHCPv6 relay agent, use the ipv6 dhcp relay command. To disable the DHCPv6 relay agent, use the no form of this command.
ipv6 dhcp relay [option {type cisco | vpn} | source-interface interface]
no ipv6 dhcp relay [option {type cisco | vpn} | source-interface]
Syntax Description
| Keyword | Description |
|---|---|
| option type cisco | (Optional) Inserts the DHCPv6 relay information in the relay-forward message as a Cisco vendor-specific option instead of the standard VSS option. |
| option vpn | (Optional) Enables relaying of DHCPv6 requests to a server in a different VRF. |
| source-interface interface | (Optional) Source interface for relayed messages. The supported interface types are ethernet, loopback, port-channel, and VLAN. |
Defaults
The DHCPv6 relay agent is enabled by default; option type cisco is disabled by default.
Command Modes
Command History
Usage Guidelines
You can use the ipv6 dhcp relay option vpn command to relay DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF.
The ipv6 dhcp relay option type cisco command causes the DHCPv6 relay agent to insert the virtual subnet selection (VSS) details as a vendor-specific option. The no form of the command causes the relay agent to insert the VSS details in the standard VSS option (68), which is defined in RFC 6607. Use option type cisco when your DHCPv6 servers do not support RFC 6607 but allocate IPv6 addresses based on the client VRF name.
The ipv6 dhcp relay source-interface command configures the source interface for the DHCPv6 relay. By default, the DHCPv6 relay agent uses the relay agent address as the source address of the outgoing packet. Configuring the source interface enables you to use a more stable address (such as the loopback interface address) as the source address of relayed messages.
The DHCPv6 relay source interface can be configured globally, per interface, or both. When both the global and interface levels are configured, the interface-level configuration overrides the global configuration.
Examples
This example shows how to enable VRF support for the DHCPv6 relay agent:
This example shows how to enable the DHCPv6 relay agent using option type Cisco:
switch(config)# ipv6 dhcp relay option type cisco
This example shows how to configure the source interface for the DHCPv6 relay:
switch(config)# ipv6 dhcp relay source-interface ethernet 25
Related Commands
Configures an IPv6 address of a DHCPv6 server on an interface.
ipv6 dhcp-ldra attach-policy (interface)
To enable the Lightweight DHCPv6 Relay Agent (LDRA) feature on an interface and set the interface role, use the ipv6 dhcp-ldra attach-policy command in interface configuration mode. To remove the LDRA policy from the interface, use the no form of this command.
ipv6 dhcp-ldra attach-policy {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
no ipv6 dhcp-ldra attach-policy {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
Syntax Description
| Keyword | Description |
|---|---|
| client-facing-trusted | Configures the interface as a trusted client-facing interface. |
| client-facing-untrusted | Configures the interface as an untrusted client-facing interface. |
| client-facing-disable | Disables LDRA on the client-facing interface. |
| server-facing | Configures the interface as a server-facing interface. |
Defaults
Command Modes
Command History
Usage Guidelines
To use this command, you must enable the LDRA feature by using the ipv6 dhcp-ldra command.
Examples
This example shows how to enable the LDRA feature on the specified interface:
switch(config-if)# ipv6 dhcp-ldra attach-policy client-facing-trusted
This example shows how to disable the LDRA feature on the specified interface:
switch(config-if)# no ipv6 dhcp-ldra attach-policy client-facing-trusted
Related Commands
ipv6 dhcp relay address
To configure the IPv6 address of a DHCPv6 server on an interface, use the ipv6 dhcp relay address command. To remove the DHCPv6 server address, use the no form of this command.
ipv6 dhcp relay address ipv6-address [use-vrf vrf-name ] [interface interface]
no ipv6 dhcp relay address ipv6-address [use-vrf vrf-name ] [interface interface]
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
The ipv6 dhcp relay address command configures the IPv6 address of a DHCPv6 server to which the relay agent forwards the DHCPv6 client messages it receives on the configured interface.
Use the use-vrf option to specify the VRF of the server when it is in a different VRF, and the interface argument to specify the output interface toward the server.
The server address can be a link-scoped unicast or multicast address, or a global or site-local unicast or multicast address. The interface option is mandatory for a link-scoped server address and for a multicast server address; it is not allowed for a global or site-scoped unicast server address.
To configure more than one server address, use the ipv6 dhcp relay address command once per address.
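The scope rule in the guidelines above, applied by an added Python check (this is not NX-OS code and does not talk to a switch): it classifies a server address with the standard ipaddress module, rejects the combinations the command does not accept, and builds the corresponding interface-mode line. The server addresses, VRF name and interface names are constructed samples; ff05::1:3 is the site-scoped All_DHCP_Servers multicast group from the DHCPv6 specification.

```python
"""Scope check for 'ipv6 dhcp relay address' server addresses.

Added illustration for this reference, not NX-OS code. It applies the rule
from the usage guidelines: a link-scoped unicast or a multicast server address
requires the 'interface' option, a global or site-local unicast address must
not carry one. The addresses and names in main() are constructed samples.
"""
import ipaddress
from typing import List, Optional


def interface_required(server: str) -> bool:
    """True for link-local unicast and for every multicast address."""
    addr = ipaddress.IPv6Address(server)
    return addr.is_link_local or addr.is_multicast


def relay_address_line(server: str, use_vrf: Optional[str] = None,
                       interface: Optional[str] = None) -> str:
    """Validate one server entry and return the interface-mode CLI line."""
    addr = ipaddress.IPv6Address(server)   # raises AddressValueError on a malformed address
    if addr.is_unspecified or addr.is_loopback:
        raise ValueError(f"{server}: not a usable DHCPv6 server address")
    if interface_required(server) and interface is None:
        raise ValueError(f"{server}: 'interface' is mandatory for link-local or multicast server addresses")
    if not interface_required(server) and interface is not None:
        raise ValueError(f"{server}: 'interface' is not allowed for global or site-local unicast addresses")
    line = f"ipv6 dhcp relay address {addr.compressed}"
    if use_vrf:
        line += f" use-vrf {use_vrf}"
    if interface:
        line += f" interface {interface}"
    return line


def relay_config(servers: List[dict]) -> List[str]:
    """One 'ipv6 dhcp relay address' line per server, as the guidelines require."""
    return [relay_address_line(**s) for s in servers]


def main() -> None:
    # Constructed server list: a global server in another VRF, the site-scoped
    # All_DHCP_Servers group reached through a VLAN, and a link-local server on a port.
    servers = [
        {"server": "2001:db8:1::53", "use_vrf": "services"},
        {"server": "ff05::1:3", "interface": "vlan 25"},
        {"server": "fe80::1", "interface": "ethernet 2/3"},
    ]
    for line in relay_config(servers):
        print(line)
    try:
        relay_address_line("fe80::1")          # link-local without an interface
    except ValueError as err:
        print("rejected:", err)


if __name__ == "__main__":
    main()
```

A link-local server address is only meaningful on one link, which is why the output interface is mandatory there; for a multicast target the interface likewise picks the link on which the relay-forward is sent. Validating these combinations before pushing configuration catches the mistake earlier than the CLI parser on the switch would.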
Examples
This example shows how to configure the IPv6 address of a DHCPv6 server so that the relay agent forwards DHCPv6 client messages toward the server through VLAN 25:
Related Commands
ipv6 port traffic-filter
To apply an IPv6 access control list (ACL) to an interface as a port ACL, use the ipv6 port traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 port traffic-filter access-list-name in
no ipv6 port traffic-filter access-list-name in
Syntax Description
| Keyword | Description |
|---|---|
| access-list-name | Name of the IPv6 ACL, which can be up to 64 alphanumeric, case-sensitive characters. |
| in | Specifies that the device applies the ACL to inbound traffic. |
Defaults
Command Modes
Command History
Usage Guidelines
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
- Layer 2 Ethernet interfaces
- Layer 2 Ethernet port-channel interfaces
You can also use the ipv6 port traffic-filter command to apply an IPv6 ACL as a port ACL to the following interface types:
- VLAN interfaces
- Layer 3 Ethernet interfaces and subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Tunnels
- Management interfaces
Note
You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference.
However, an ACL applied to a Layer 3 interface with the ipv6 port traffic-filter command is inactive unless the port mode changes to access or trunk (Layer 2) mode. To apply an IPv6 ACL as a router ACL, use the ipv6 traffic-filter command.
You can also apply an IPv6 ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command.
The device applies port ACLs to inbound traffic only. The device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
If MAC packet classification is enabled on a Layer 2 interface, you cannot use the ipv6 port traffic-filter command on the interface.
Examples
This example shows how to apply an IPv6 ACL named ipv6-acl-L2 to Ethernet interface 1/3:
This example shows how to remove an IPv6 ACL named ipv6-acl-L2 from Ethernet interface 1/3:
Related Commands
Shows the running configuration of all interfaces or of a specific interface.
ipv6 traffic-filter
To apply an IPv6 access control list (ACL) to an interface as a router ACL, use the ipv6 traffic-filter command. To remove an IPv6 ACL from an interface, use the no form of this command.
ipv6 traffic-filter access-list-name { in | out }
no ipv6 traffic-filter access-list-name { in | out }
Syntax Description
Defaults
Command Modes
Command History
Usage Guidelines
By default, no IPv6 ACLs are applied to an interface.
You can use the ipv6 traffic-filter command to apply an IPv6 ACL as a router ACL to the following interface types:
- VLAN interfaces
- Layer 3 Ethernet interfaces and subinterfaces
- Layer 3 Ethernet port-channel interfaces and subinterfaces
- Tunnels
- Management interfaces
Note
You must enable VLAN interfaces globally before you can configure a VLAN interface. For more information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference.
You can also use the ipv6 traffic-filter command to apply an IPv6 ACL as a router ACL to the following interface types:
- Layer 2 Ethernet interfaces
- Layer 2 Ethernet port-channel interfaces
However, an ACL applied to a Layer 2 interface with the ipv6 traffic-filter command is inactive unless the port mode changes to routed (Layer 3) mode. To apply an IPv6 ACL as a port ACL, use the ipv6 port traffic-filter command.
You can also apply an IPv6 ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command.
The device applies router ACLs on either outbound or inbound traffic. When the device applies an ACL to inbound traffic, the device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
For outbound access lists, after receiving and routing a packet to an interface, the device checks the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
Examples
This example shows how to apply an IPv6 ACL named ipv6-acl-3A to Ethernet interface 2/1:
This example shows how to remove an IPv6 ACL named ipv6-acl-3A from Ethernet interface 2/1:
Related Commands
Shows the running configuration of all interfaces or of a specific interface.