This chapter describes the Cisco NX-OS Security commands that begin with K to P.
To create a key or to enter the configuration mode for an existing key, use the key command. To remove the key, use the no form of this command.
ID of the key to configure. This ID must be a whole number between 0 and 65535.
This example shows how to enter key configuration mode for key 13 in the glbp-keys keychain:
To configure the master key for type-6 encryption, use the key config-key command. To delete the master key and stop type-6 encryption, use the no form of this command.
key config-key ascii new-master-key
The master key, which must be from 16 to 32 alphanumeric characters long.
This example shows how to configure the master key for type-6 encryption:
To configure the text for a key, use the key-string command. To remove the text, use the no form of this command.
key-string [ encryption-type ] text-string
The key-string text is a shared secret. The device stores key strings in a secure format.
You can obtain encrypted key strings by using the show key chain command on another Cisco NX-OS device.
This example shows how to enter an encrypted shared secret for key 13:
To create a keychain or to configure an existing keychain, use the key chain command. To remove the keychain, use the no form of this command.
Name of the keychain, up to 63 alphanumeric, case-sensitive characters in length.
This command creates the keychain if it does not already exist. A new keychain contains no keys.
Removing a keychain also removes any keys that the keychain contains.
Before you remove a keychain, ensure that no feature uses it. If a feature is configured to use a keychain that you remove, that feature is likely to fail to communicate with other devices.
This example shows how to configure a keychain named glbp-keys:
To configure the deadtime interval for all Lightweight Directory Access Protocol (LDAP) servers, use the ldap-server deadtime command. The deadtime interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive. To remove the global deadtime interval configuration, use the no form of this command.
no ldap-server deadtime minutes
Global deadtime interval for LDAP servers. The range is from 1 to 60 minutes.
To use this command, you must enable LDAP.
When the dead-time interval is 0 minutes, LDAP servers are not marked as dead even if they are not responding.
This example shows how to configure the global deadtime interval for LDAP servers:
To configure Lightweight Directory Access Protocol (LDAP) server host parameters, use the ldap-server host command. To revert to the defaults, use the no form of this command.
ldap-server host { ipv4-address | ipv6-address | host-name }
[ enable-ssl ]
[ port tcp-port [ timeout seconds ]]
[ rootDN root-name [ password password ] [ port tcp-port [ timeout seconds ] | [ timeout seconds ]]]
[ test rootDN root-name [ idle-time minutes | password password [ idle-time minutes ] | username name [ password password [ idle-time minutes ]]]]
[ timeout seconds ]
no ldap-server host { ipv4-address | ipv6-address | host-name }
[ enable-ssl ]
[ port tcp-port [ timeout seconds ]]
[ rootDN root-name [ password password ] [ port tcp-port [ timeout seconds ] | [ timeout seconds ]]]
[ test rootDN root-name [ idle-time minutes | password password [ idle-time minutes ] | username name [ password password [ idle-time minutes ]]]]
[ timeout seconds ]
Server monitoring: Disabled
TCP port: The global value or 389 if a global value is not configured
Timeout: The global value or 5 seconds if a global value is not configured
Idle time: 60 minutes
Test username: test
Test password: Cisco
To use this command, you must enable LDAP and obtain the IPv4 or IPv6 address or hostname for the remote LDAP server.
If you plan to enable the SSL protocol, make sure that the LDAP server certificate is manually configured on the Cisco NX-OS device.
By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.
The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.
This example shows how to configure the IPv6 address for an LDAP server:
This example shows how to configure the parameters for LDAP server monitoring:
To configure a global Lightweight Directory Access Protocol (LDAP) server port through which clients initiate TCP connections, use the ldap-server port command. To remove the LDAP server port configuration, use the no form of this command.
Global TCP port to use for LDAP messages to the server. The range is from 1 to 65535.
This example shows how to configure a global TCP port for LDAP messages:
To configure a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all Lightweight Directory Access Protocol (LDAP) servers before declaring a timeout failure, use the ldap-server timeout command. To remove the global timeout configuration, use the no form of this command.
no ldap-server timeout seconds
Timeout interval for LDAP servers. The range is from 1 to 60 seconds.
This example shows how to configure the global timeout interval for LDAP servers:
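The server-selection rules spelled out for ldap-server deadtime, ldap-server host and ldap-server timeout can be checked against a small Python model. This is an added example written for this page, not NX-OS code: the class names, the method names and the server addresses are constructed here. It encodes the stated behaviour: a per-server port or timeout overrides the global value, the global value falls back to 389 and 5 seconds when unset, a deadtime of 0 means a non-responding server is never marked dead, and a dead server is skipped until the deadtime interval has elapsed, after which it is probed again.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Defaults stated in the command reference for ldap-server host.
DEFAULT_LDAP_PORT = 389
DEFAULT_LDAP_TIMEOUT = 5


@dataclass
class LdapServer:
    host: str
    port: Optional[int] = None           # per-server override, else global/default
    timeout: Optional[int] = None        # per-server override, else global/default
    dead_since: Optional[float] = None   # seconds since epoch; None means alive


@dataclass
class LdapClientConfig:
    """Model of the global ldap-server port / timeout / deadtime settings
    together with the per-server overrides from ldap-server host."""
    global_port: Optional[int] = None
    global_timeout: Optional[int] = None
    deadtime_minutes: int = 0            # 0 = servers are never marked dead
    servers: Dict[str, LdapServer] = field(default_factory=dict)

    def add_server(self, host: str, port: Optional[int] = None,
                   timeout: Optional[int] = None) -> None:
        self.servers[host] = LdapServer(host, port, timeout)

    def effective_port(self, host: str) -> int:
        # The per-server value overrides the global value, which overrides 389.
        srv = self.servers[host]
        return srv.port or self.global_port or DEFAULT_LDAP_PORT

    def effective_timeout(self, host: str) -> int:
        # The per-server timeout overrides the global timeout, which overrides 5 s.
        srv = self.servers[host]
        return srv.timeout or self.global_timeout or DEFAULT_LDAP_TIMEOUT

    def mark_dead(self, host: str, now: float) -> bool:
        """Called when a server fails to answer within its effective timeout.
        Returns False when deadtime is 0, because the server is then never
        marked dead even though it is not responding."""
        if self.deadtime_minutes == 0:
            return False
        self.servers[host].dead_since = now
        return True

    def usable_now(self, host: str, now: float) -> bool:
        """A dead server is skipped until the deadtime interval expires; at that
        point a test packet would be sent, so it becomes a candidate again."""
        srv = self.servers[host]
        if srv.dead_since is None:
            return True
        if now - srv.dead_since >= self.deadtime_minutes * 60:
            srv.dead_since = None
            return True
        return False

    def candidates(self, now: float) -> List[str]:
        return [h for h in self.servers if self.usable_now(h, now)]


if __name__ == "__main__":
    cfg = LdapClientConfig(global_timeout=10, deadtime_minutes=5)
    cfg.add_server("10.10.1.1")                        # constructed addresses
    cfg.add_server("10.10.1.2", port=636, timeout=20)
    print(cfg.effective_port("10.10.1.1"), cfg.effective_timeout("10.10.1.2"))
    cfg.mark_dead("10.10.1.1", now=0.0)
    print(cfg.candidates(now=60.0), cfg.candidates(now=300.0))
```

The `candidates` method is where a client would start each authentication attempt; with deadtime left at 0 every configured server is tried every time, so a timed-out server keeps costing its full timeout on every request.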
To configure a Lightweight Directory Access Protocol (LDAP) search map to send a search query to the LDAP server, use the ldap search-map command. To disable the search map, use the no form of this command.
Name of the LDAP search map. The name is alphanumeric, case sensitive, and has a maximum of 128 characters.
This example shows how to configure an LDAP search map:
To configure the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold in a policy map for Control Plane Policing (CoPP), use the logging drop threshold command.
logging drop threshold [drop-count [ level syslog-level]]
Ensure that you are in the default VDC.
Ensure that you have configured the IP ACLs if you want to use ACE hit counters in the class maps.
This example shows how to configure the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold in a policy map for CoPP:
Configures a control plane policy map and enters policy map configuration mode.
To specify a less-than group member for an IP port object group, use the lt command. A less-than group member matches port numbers that are less than (and not equal to) the port number specified in the entry. To remove a less-than group member from a port object group, use the no form of this command.
[ sequence-number ] lt port-number
no { sequence-number | lt port-number }
IP port object group configuration
IP port object groups are not directional. Whether a lt command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 1 through port 49151:
To create a MAC access control list (ACL) or to enter MAC access list configuration mode for a specific ACL, use the mac access-list command. To remove a MAC ACL, use the no form of this command.
mac access-list access-list-name
no mac access-list access-list-name
Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters long but cannot contain a space or a quotation mark.
No MAC ACLs are defined by default.
Use MAC ACLs to filter non-IP traffic. If you disable packet classification, you can use MAC ACLs to filter all traffic.
When you use the mac access-list command, the device enters MAC access list configuration mode, where you can use the MAC deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the mac port access-group command to apply the ACL to an interface.
Every MAC ACL has the following implicit rule as its last rule:
This implicit rule ensures that the device denies the unmatched traffic, regardless of the protocol specified in the Layer 2 header of the traffic.
Use the statistics per-entry command to configure the device to record statistics for each rule in a MAC ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit rule, you must explicitly configure a rule to deny the packets.
This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
To enable MAC packet classification on a Layer 2 interface, use the mac packet-classify command. To disable MAC packet classification, use the no form of this command.
This command does not require a license.
MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface, including IP traffic, or to non-IP traffic only.
When MAC packet classification is enabled on a Layer 2 interface, a MAC ACL that is on the interface applies to all traffic entering the interface, including IP traffic. Also, you cannot apply an IP port ACL on the interface.
When MAC packet classification is disabled on a Layer 2 interface, a MAC ACL that is on the interface applies only to non-IP traffic entering the interface. Also, you can apply an IP port ACL on the interface.
To configure an interface as a Layer 2 interface, use the switchport command.
This example shows how to configure an Ethernet interface to operate as a Layer 2 interface and to enable MAC packet classification:
This example shows how to view the configuration of an Ethernet interface and the error message that appears if you try to apply an IP port ACL to the interface when MAC packet classification is enabled:
To apply a MAC access control list (ACL) to an interface, use the mac port access-group command. To remove a MAC ACL from an interface, use the no form of this command.
mac port access-group access-list-name
no mac port access-group access-list-name
Name of the MAC ACL, which can be up to 64 alphanumeric, case-sensitive characters.
By default, no MAC ACLs are applied to an interface.
MAC ACLs apply to non-IP traffic, unless the device is configured to not classify traffic based on Layer 3 headers. If packet classification is disabled, MAC ACLs apply to all traffic.
You can use the mac port access-group command to apply a MAC ACL as a port ACL to the following interface types:
You can also apply a MAC ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command.
The device applies MAC ACLs only to inbound traffic. When the device applies a MAC ACL, the device checks packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 2/1:
This example shows how to remove a MAC ACL named mac-acl-01 from Ethernet interface 2/1:
Shows the running configuration of all interfaces or of a specific interface.
To configure match criteria for control plane class maps, use the match command. To delete match criteria for a control plane class map, use the no form of this command.
match access-group name access-list
match exception {[ ip [ unicast rpf-failure ] | ipv6 ] { icmp { redirect | unreachable } | option }}
match redirect { arp-inspect | dhcp-snoop }
no match access-group name access-list
no match exception {[ ip [ unicast rpf-failure ] | ipv6 ] { icmp { redirect | unreachable } | option }}
no match redirect { arp-inspect | dhcp-snoop }
(Optional) Matches IPv4 Unicast Reverse Path Forwarding (Unicast RPF) packets.
Matches dynamic ARP inspection or DHCP snooping redirect packets.
You must create the IP ACLs or MAC ACLs before you reference them in this command.
This example shows how to specify a match criteria for a control plane class map:
This example shows how to remove a criteria for a control plane class map:
Creates or specifies a control plane class map and enters class map configuration mode.
Displays configuration information for control plane policy maps.
To specify an access control list (ACL) for traffic filtering in a VLAN access map, use the match command. To remove a match command from a VLAN access map, use the no form of this command.
match { ip | ipv6 | mac } address access-list-name
no match { ip | ipv6 | mac } address access-list-name
Specifies the ACL by name, which can be up to 64 alphanumeric, case-sensitive characters.
You can specify one or more match commands per entry in a VLAN access map.
By default, the device classifies traffic and applies IPv4 ACLs to IPv4 traffic, IPv6 ACLs to IPv6 traffic, and MAC ACLs to all other traffic.
This example shows how to create a VLAN access map named vlan-map-01 and add two entries that each have two match commands and one action command:
Specifies an action for traffic filtering in a VLAN access map.
Displays information about how a VLAN access map is applied.
To configure an access control list (ACL) capture session in order to selectively monitor traffic on an interface or VLAN, use the monitor session command.
monitor session session type acl-capture
This example shows how to configure an ACL capture session:
Enables access control list (ACL) capture on all virtual device contexts (VDCs).
To enable Network Admission Control (NAC) on an interface, use the nac enable command. To disable NAC, use the no form of this command.
You must use the feature eou command and set the switchport mode to access before using the nac enable command.
This example shows how to enable NAC on an interface:
This example shows how to disable NAC on an interface:
To specify a not-equal-to group member for an IP port object group, use the neq command. To remove a not-equal-to group member from a port object group, use the no form of this command.
[ sequence-number ] neq port-number
no { sequence-number | neq port-number }
IP port object group configuration
A not-equal-to group member matches port numbers that are not equal to the port number specified in the entry.
IP port object groups are not directional. Whether an neq command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to any port except port 80:
To specify a MAC access control list (ACL) for an identity policy, use the object-group command. To remove the ACL from the identity policy, use the no form of this command.
Use the mac access-list command to create the MAC ACL to assign to the identity policy.
This example shows how to configure an ACL for an identity policy:
This example shows how to remove an ACL from an identity policy:
Creates or specifies an identity policy and enters identity policy configuration mode.
To define an IPv4 address object group or to enter object-group configuration mode for a specific IPv4-address object group, use the object-group ip address command. To remove an IPv4-address object group, use the no form of this command.
no object-group ip address name
Name of the IPv4 address object group, which can be up to 64 alphanumeric, case-sensitive characters.
You can use IPv4 object groups in permit and deny commands for IPv4 access control lists (ACLs).
IPv4 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv4 ACL.
This example shows how to configure an IPv4 address object group named ipv4-addr-group-13 with two group members that are specific IPv4 addresses and one group member that is the 10.23.176.0 subnet:
To define an IP port object group or to enter object-group configuration mode for a specific IP port object group, use the object-group ip port command. To remove an IP port object group, use the no form of this command.
Name of the IP port object group, which can be up to 64 alphanumeric, case-sensitive characters.
You can use IP port object groups in permit and deny commands for IPv4 and IPv6 access control lists (ACLs).
IP port object groups are not directional. Whether group members match a source or destination port or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
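The operator semantics of the lt and neq commands above, and the way an IP port object group is referenced from an ACL, can be made concrete with a Python model. This is an added example, not Cisco code: `PortObjectGroup`, `PortMember` and `acl_port_check` are names chosen here, the 10-step automatic sequence numbering of members is assumed by analogy with the ACL rule on this page, and only the group name port-group-05 and the ports 49152, 80 and 443 come from the examples. It also handles eq, gt and range so that the whole operator family can be compared in one place.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PortMember:
    """One entry of an IP port object group: sequence number, operator, port(s)."""
    seq: int
    op: str            # eq | neq | lt | gt | range
    port: int
    port_end: int = 0  # upper bound, used by range only

    def matches(self, p: int) -> bool:
        if self.op == "eq":
            return p == self.port
        if self.op == "neq":
            return p != self.port          # every port except this one
        if self.op == "lt":
            return p < self.port           # strictly less than, never equal
        if self.op == "gt":
            return p > self.port           # strictly greater than, never equal
        if self.op == "range":
            return self.port <= p <= self.port_end   # inclusive at both ends
        raise ValueError(f"unknown operator {self.op!r}")


class PortObjectGroup:
    """Model of object-group ip port: a named set of port tests that an ACL
    rule later applies to either the source or the destination port."""

    def __init__(self, name: str):
        if not 0 < len(name) <= 64:
            raise ValueError("object-group name must be 1 to 64 characters")
        self.name = name
        self.members: List[PortMember] = []

    def add(self, op: str, port: int, port_end: int = 0,
            seq: Optional[int] = None) -> int:
        for p in (port, port_end):
            if not 0 <= p <= 65535:
                raise ValueError(f"port {p} out of range")
        if op == "range" and port_end < port:
            raise ValueError("range upper bound precedes lower bound")
        if seq is None:
            # Assumed: members auto-number in steps of 10 like ACL rules do.
            seq = self.members[-1].seq + 10 if self.members else 10
        if any(m.seq == seq for m in self.members):
            raise ValueError(f"sequence {seq} already used")
        self.members.append(PortMember(seq, op, port, port_end))
        self.members.sort(key=lambda m: m.seq)
        return seq

    def remove(self, seq: int) -> None:
        self.members = [m for m in self.members if m.seq != seq]

    def contains(self, port: int) -> bool:
        # A port belongs to the group if any member's test accepts it.
        return any(m.matches(port) for m in self.members)


def acl_port_check(group: PortObjectGroup, src_port: int, dst_port: int,
                   side: str) -> bool:
    """The group is not directional: the ACL rule that references it decides
    whether it is tested against the source port or the destination port."""
    if side not in ("source", "destination"):
        raise ValueError("side must be 'source' or 'destination'")
    return group.contains(src_port if side == "source" else dst_port)


if __name__ == "__main__":
    g = PortObjectGroup("port-group-05")
    g.add("lt", 49152)          # matches 1 through 49151 (and 0), never 49152
    print(g.contains(49151), g.contains(49152))
    print(acl_port_check(g, 443, 60000, "source"),
          acl_port_check(g, 443, 60000, "destination"))
```

Note that `lt 49152` also matches port 0 under these semantics; the page's own example phrases the result as "port 1 through port 49151", so if port 0 must be excluded a range member is the precise choice.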
To define an IPv6 address object group or to enter IPv6 address object group configuration mode for a specific IPv6 address object group, use the object-group ipv6 address command. To remove an IPv6 address object group, use the no form of this command.
object-group ipv6 address name
no object-group ipv6 address name
Name of the IPv6 address object group, which can be up to 64 alphanumeric, case-sensitive characters.
You can use IPv6 object groups in permit and deny commands for IPv6 ACLs.
IPv6 address object groups are not directional. Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv6 ACL.
This example shows how to configure an IPv6 address object group named ipv6-addr-group-A7 with two group members that are specific IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet:
To configure an object group that consists of destination IP addresses to which the packets are forwarded, use the object-group udp relay ip address command.
object-group udp relay ip address object-grp-name
no object-group udp relay ip address object-grp-name
To use this command, you must enable the UDP relay feature by using the ip forward-protocol udp command. You can create up to 4096 object groups.
This example shows how to configure the object group:
This example shows how to delete the object group:
To enable secure mode for password changing, use the password secure-mode command. To disable the secure mode for password changing, use the no form of this command.
This example shows how to enable secure mode for changing password:
This example shows how to disable secure mode for changing password:
To enable password-strength checking, use the password strength-check command. To disable password-strength checking, use the no form of this command.
When you enable password-strength checking, the Cisco NX-OS software only allows you to create strong passwords. The characteristics for strong passwords include the following:
The following are examples of strong passwords:
Note When you enable password-strength checking, the Cisco NX-OS software does not check the strength of existing passwords.
This example shows how to enable password-strength checking:
This example shows how to disable password-strength checking:
Displays security feature configuration in the running configuration.
To specify a time range that is active one or more times per week, use the periodic command. To remove a periodic time range, use the no form of this command.
[ sequence-number ] periodic weekday time to [ weekday ] time
no { sequence-number | periodic weekday time to [ weekday ] time }
[ sequence-number ] periodic list-of-weekdays time to time
no { sequence-number | periodic list-of-weekdays time to time }
This example shows how to create a time range named weekend-remote-access-times and configure a periodic rule that allows traffic between 4:00 a.m. and 10:00 p.m. on Saturday and Sunday:
This example shows how to create a time range named mwf-evening and configure a periodic rule that allows traffic between 6:00 p.m. and 10:00 p.m. on Monday, Wednesday, and Friday:
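Both periodic syntaxes above (a span from one weekday and time to another, and one daily window repeated on a list of weekdays) can be evaluated with a Python model, written for this page and not part of NX-OS. `TimeRange`, `PeriodicRule` and `_hhmm` are names chosen here; the two time ranges weekend-remote-access-times and mwf-evening are the ones described in the examples, and the dates used for checking are constructed. Start and end minutes are treated as inclusive, which is an assumption about the device's behaviour.

```python
from datetime import datetime
from typing import List, Tuple

# Index matches datetime.weekday(): Monday is 0, Sunday is 6.
WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday",
            "saturday", "sunday"]
MINUTES_PER_WEEK = 7 * 24 * 60


def _hhmm(text: str) -> int:
    """Parse HH:MM into minutes after midnight, rejecting out-of-range values."""
    h, m = text.split(":")
    h, m = int(h), int(m)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time {text!r}")
    return h * 60 + m


class PeriodicRule:
    """One periodic statement in either of the two syntaxes on the page:
       periodic WEEKDAY HH:MM to WEEKDAY HH:MM        (span, may wrap the week)
       periodic WEEKDAY [WEEKDAY ...] HH:MM to HH:MM  (same window each listed day)"""

    def __init__(self, statement: str, seq: int = 10):
        words = statement.split()
        if words[0] != "periodic" or "to" not in words:
            raise ValueError("expected: periodic <days> HH:MM to [day] HH:MM")
        to = words.index("to")
        days = [d.lower() for d in words[1:to - 1]]
        if not days or any(d not in WEEKDAYS for d in days):
            raise ValueError(f"bad weekday list in {statement!r}")
        start = _hhmm(words[to - 1])
        tail = words[to + 1:]
        self.seq = seq
        self.intervals: List[Tuple[int, int]] = []   # minute-of-week spans
        if len(tail) == 2:
            # Span form: exactly one start weekday and one end weekday.
            if len(days) != 1 or tail[0].lower() not in WEEKDAYS:
                raise ValueError("span form takes one start and one end weekday")
            s = WEEKDAYS.index(days[0]) * 1440 + start
            e = WEEKDAYS.index(tail[0].lower()) * 1440 + _hhmm(tail[1])
            if e < s:   # crosses Sunday midnight, e.g. friday 18:00 to monday 08:00
                self.intervals += [(s, MINUTES_PER_WEEK - 1), (0, e)]
            else:
                self.intervals.append((s, e))
        elif len(tail) == 1:
            # List form: the same window on each listed weekday.
            end = _hhmm(tail[0])
            if end < start:
                raise ValueError("end time must not precede start time")
            for d in days:
                base = WEEKDAYS.index(d) * 1440
                self.intervals.append((base + start, base + end))
        else:
            raise ValueError(f"malformed periodic statement {statement!r}")

    def active_at(self, when: datetime) -> bool:
        mow = when.weekday() * 1440 + when.hour * 60 + when.minute
        # Assumption: start and end are both inclusive at minute granularity.
        return any(s <= mow <= e for s, e in self.intervals)


class TimeRange:
    """A named time range; it is active whenever any of its periodic rules is."""

    def __init__(self, name: str):
        self.name = name
        self.rules: List[PeriodicRule] = []

    def periodic(self, statement: str) -> int:
        seq = self.rules[-1].seq + 10 if self.rules else 10
        self.rules.append(PeriodicRule(statement, seq))
        return seq

    def active_at(self, when: datetime) -> bool:
        return any(r.active_at(when) for r in self.rules)


if __name__ == "__main__":
    weekend = TimeRange("weekend-remote-access-times")
    weekend.periodic("periodic saturday sunday 04:00 to 22:00")
    mwf = TimeRange("mwf-evening")
    mwf.periodic("periodic monday wednesday friday 18:00 to 22:00")
    # 2024-03-02 is a Saturday, 2024-03-04 a Monday (constructed check dates).
    print(weekend.active_at(datetime(2024, 3, 2, 4, 0)),
          mwf.active_at(datetime(2024, 3, 4, 19, 0)))
```

A rule that references a time range in an ACL is only as trustworthy as the device clock, so when reviewing a configuration that relies on periodic rules also confirm that the clock and time zone are set and synchronized.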
Configures a time range that you can use in IPv4 and IPv6 ACLs.
To enable a capture session for the access control entries (ACEs) of the access control list, use the permit command.
permit protocol { 0-255 | ahp | eigrp | esp | gre | icmp | igmp | ip | nos | ospf | pcp | pim | tcp | udp } | { source | addrgroup | any | host } | { destination | addrgroup | any | eq | gt | host | lt | neq | portgroup | range } capture session session
(Optional) Specifies KA9Q NOS compatible IP over IP tunneling.
(Optional) Matches only packets in the range of port numbers.
ACL configuration mode (config-acl)
This example shows how to enable a capture session for the access control entries (ACEs) of the access control list:
To create an ARP ACL rule that permits ARP traffic that matches its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
[ sequence-number ] permit request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
[ sequence-number ] permit response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [ log ]
no permit ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
no permit request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
no permit response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [ log ]
A newly created ARP ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the device applies an ARP ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
If you do not specify either the response or request keyword, the rule applies to packets that contain any ARP message.
This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01 and add a rule that permits ARP request messages that contain a sender IP address that is within the 10.32.143.0 subnet:
To create an IPv4 access control list (ACL) rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit protocol source destination [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
no permit protocol source destination [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Internet Control Message Protocol
[ sequence-number ] permit icmp source destination [ icmp-message | icmp-type [ icmp-code ] ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Internet Group Management Protocol
[ sequence-number ] permit igmp source destination [ igmp-message ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] permit ip source destination [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
(Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules.
Name or number of the protocol of packets that the rule matches. For details about the methods that you can use to specify this argument, see “Protocol” in the “Usage Guidelines” section.
Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword, as follows:
(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:
(Optional) Specifies the time range that applies to this rule.
(ICMP only: Optional) ICMP message that the rule matches. This argument can be one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section.
(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches. For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters.
(IGMP only: Optional) IGMP message type that the rule matches. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:
(Optional; TCP and UDP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port object group specified by the portgroup argument, which can be up to 64 alphanumeric, case-sensitive characters. Whether the IP port object group applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port object groups.
(TCP only; Optional) TCP control bit flags that the rule matches. The value of the flags argument must be one or more of the following keywords:
(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection.
(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments. Valid values for the packet-length argument are whole numbers from 20 to 9210. The operator argument must be one of the following keywords:
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the device applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the protocol of packets that the rule applies to by the protocol name or the number of the protocol. If you want the rule to apply to all IPv4 traffic, use the ip keyword.
Valid protocol numbers are from 0 to 255.
Valid protocol names are the following keywords:
The protocol keyword that you specify affects the additional keywords and arguments that are available. Unless otherwise specified, only the other keywords that apply to all IPv4 protocols are available. Those keywords include the following:
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example shows how to use an IPv4 address object group named lab-gateway-svrs to specify the destination argument:
The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
The following example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
The host IPv4-address syntax is equivalent to IPv4-address/32 and IPv4-address 0.0.0.0.
The following example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
The icmp-message argument can be one of the following keywords:
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp—Border Gateway Protocol (179)
chargen—Character generator (19)
cmd—Remote commands (rcmd, 514)
domain—Domain Name Service (53)
drip—Dynamic Routing Information Protocol (3949)
ftp—File Transfer Protocol (21)
ftp-data—FTP data connections (20)
hostname—NIC hostname server (101)
irc—Internet Relay Chat (194)
nntp—Network News Transport Protocol (119)
pim-auto-rp—PIM Auto-RP (496)
pop2—Post Office Protocol v2 (109)
pop3—Post Office Protocol v3 (110)
smtp—Simple Mail Transport Protocol (25)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
uucp—UNIX-to-UNIX Copy Program (540)
www—World Wide Web (HTTP, 80)
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff—Biff (mail notification, comsat, 512)
bootpc—Bootstrap Protocol (BOOTP) client (68)
bootps—Bootstrap Protocol (BOOTP) server (67)
dnsix—DNSIX security protocol auditing (195)
domain—Domain Name Service (DNS, 53)
isakmp—Internet Security Association and Key Management Protocol (500)
mobile-ip—Mobile IP registration (434)
nameserver—IEN116 name service (obsolete, 42)
netbios-dgm—NetBIOS datagram service (138)
netbios-ns—NetBIOS name service (137)
netbios-ss—NetBIOS session service (139)
non500-isakmp—Internet Security Association and Key Management Protocol (4500)
ntp—Network Time Protocol (123)
pim-auto-rp—PIM Auto-RP (496)
rip—Routing Information Protocol (router, in.routed, 520)
snmp—Simple Network Management Protocol (161)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
This example shows how to configure an IPv4 ACL named acl-eng-to-marketing with a rule that permits all IP traffic from an IP-address object group named eng_workstations to an IP-address object group named marketing_group:
To create an IPv6 ACL rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit protocol source destination [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
no permit protocol source destination [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Internet Control Message Protocol
[ sequence-number | no ] permit icmp source destination [ icmp-message | icmp-type [ icmp-code ] ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] permit ipv6 source destination [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Stream Control Transmission Protocol
[ sequence-number | no ] permit sctp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] permit tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number | no ] permit udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
(Optional) Sequence number of the permit command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules.
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
(Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be one of the following numbers or keywords:
(Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
(Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command.
(ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMPv6 Message Types” in the “Usage Guidelines” section.
(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches. For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters.
(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects.
(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection.
(TCP only; Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments. Valid values for the packet-length argument are whole numbers from 20 to 9210. The operator argument must be one of the following keywords:
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example shows how to use an IPv6 address object group named lab-svrs-1301 to specify the destination argument:
The following example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
The host IPv6-address syntax is equivalent to IPv6-address/128.
The following example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
The icmp-message argument can be one of the following keywords:
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp—Border Gateway Protocol (179)
chargen—Character generator (19)
cmd—Remote commands (rcmd, 514)
domain—Domain Name Service (53)
drip—Dynamic Routing Information Protocol (3949)
ftp—File Transfer Protocol (21)
ftp-data—FTP data connections (20)
hostname—NIC hostname server (101)
irc—Internet Relay Chat (194)
nntp—Network News Transport Protocol (119)
pim-auto-rp—PIM Auto-RP (496)
pop2—Post Office Protocol v2 (109)
pop3—Post Office Protocol v3 (110)
smtp—Simple Mail Transport Protocol (25)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
uucp—Unix-to-Unix Copy Program (540)
www—World Wide Web (HTTP, 80)
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff—Biff (mail notification, comsat, 512)
bootpc—Bootstrap Protocol (BOOTP) client (68)
bootps—Bootstrap Protocol (BOOTP) server (67)
dnsix—DNSIX security protocol auditing (195)
domain—Domain Name Service (DNS, 53)
isakmp—Internet Security Association and Key Management Protocol (500)
mobile-ip—Mobile IP registration (434)
nameserver—IEN116 name service (obsolete, 42)
netbios-dgm—NetBIOS datagram service (138)
netbios-ns—NetBIOS name service (137)
netbios-ss—NetBIOS session service (139)
non500-isakmp—Internet Security Association and Key Management Protocol (4500)
ntp—Network Time Protocol (123)
pim-auto-rp—PIM Auto-RP (496)
rip—Routing Information Protocol (router, in.routed, 520)
snmp—Simple Network Management Protocol (161)
sunrpc—Sun Remote Procedure Call (111)
tacacs—TAC Access Control System (49)
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules permitting all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that permits all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
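To make the evaluation rules concrete, the following Python model is an added illustration; it is not Cisco code or output from a device. It covers both the IPv4 permit command earlier on this page (the acl-lab-01 example) and this IPv6 command: the source and destination forms (any, host, a VLSM prefix, and the IPv4 address-plus-wildcard form), automatic sequence numbering in steps of 10, first-match evaluation by lowest sequence number, the established keyword, and the port and packet-length operators. The prefix lengths for the acl-lab-01 and acl-lab13-ipv6 networks are assumed, since the text gives only the network addresses, and the implicit deny at the end of the list is standard Cisco ACL behaviour rather than something this page states.

```python
"""Offline model of how an NX-OS IPv4/IPv6 ACL evaluates a packet.

Added illustration, not Cisco code. Rules are kept in sequence-number order, a
rule added without a number gets the last number plus 10 (10 for the first rule),
the first rule whose conditions are all satisfied decides, `established` means
ACK or RST is set, and ports and packet-length use eq/neq/gt/lt/range.
The implicit deny at the end is standard Cisco behaviour, not stated on this page.
"""
from dataclasses import dataclass
import ipaddress


def parse_match(spec):
    """Parse a source/destination in one of the documented forms:
    'any', 'host A', 'A/prefix-length' (VLSM) or 'A WILDCARD' (IPv4 only)."""
    parts = spec.split()
    if parts == ["any"]:
        return ("any",)
    if parts[0] == "host":               # host A == A/32 (IPv4) or A/128 (IPv6)
        return ("net", ipaddress.ip_network(parts[1]))
    if len(parts) == 1:
        return ("net", ipaddress.ip_network(parts[0], strict=False))
    addr = int(ipaddress.IPv4Address(parts[0]))   # a 1 bit in the wildcard is "don't care"
    wild = int(ipaddress.IPv4Address(parts[1]))
    return ("wild", addr & ~wild & 0xFFFFFFFF, wild)


def addr_matches(matcher, address):
    a = ipaddress.ip_address(address)
    if matcher[0] == "any":
        return True
    if matcher[0] == "net":
        return a in matcher[1]            # False when the IP versions differ
    return a.version == 4 and (int(a) & ~matcher[2] & 0xFFFFFFFF) == matcher[1]


def compare(op, operands, value):
    """Operator semantics shared by the port and packet-length conditions."""
    if op is None:
        return True
    low = operands[0]
    if op == "range":
        return low <= value <= operands[1]
    return {"eq": value == low, "neq": value != low,
            "gt": value > low, "lt": value < low}[op]


@dataclass
class Rule:
    seq: int
    action: str                    # "permit" or "deny"
    protocol: str                  # "ip" / "ipv6" match every protocol
    src: tuple
    dst: tuple
    src_port: tuple = (None, ())   # (operator, (port[, port2]))
    dst_port: tuple = (None, ())
    established: bool = False      # TCP only: ACK or RST set
    length: tuple = (None, ())     # (operator, (length[, length2]))

    def matches(self, pkt):
        if self.protocol not in ("ip", "ipv6") and self.protocol != pkt["proto"]:
            return False
        if not (addr_matches(self.src, pkt["src"]) and addr_matches(self.dst, pkt["dst"])):
            return False
        if not (compare(*self.src_port, pkt.get("sport", 0))
                and compare(*self.dst_port, pkt.get("dport", 0))):
            return False
        if self.established and not {"ack", "rst"} & set(pkt.get("flags", ())):
            return False
        return compare(*self.length, pkt.get("length", 0))


class AccessList:
    def __init__(self, name):
        self.name, self.rules = name, []

    def add(self, action, protocol, src, dst, seq=None, **conds):
        if seq is None:                       # 10 greater than the last rule, 10 if empty
            seq = self.rules[-1].seq + 10 if self.rules else 10
        self.rules.append(Rule(seq, action, protocol, parse_match(src), parse_match(dst), **conds))
        self.rules.sort(key=lambda r: r.seq)  # lowest sequence number wins
        return seq

    def evaluate(self, pkt):
        for rule in self.rules:               # first satisfied rule is enforced
            if rule.matches(pkt):
                return rule.action, rule.seq
        return "deny", None                   # implicit deny


def build_acl_lab_01():
    """acl-lab-01 from the IPv4 examples; the /16 and /24 prefix lengths are assumed."""
    acl = AccessList("acl-lab-01")
    for net in ("10.23.0.0/16", "192.168.37.0/24"):
        for proto in ("tcp", "udp"):
            acl.add("permit", proto, net, "10.176.0.0/16")
    return acl


def build_acl_lab13_ipv6():
    """acl-lab13-ipv6 from the IPv6 examples; the /48 and /64 prefix lengths are assumed."""
    acl = AccessList("acl-lab13-ipv6")
    for net in ("2001:0db8:85a3::/48", "2001:0db8:69f2::/48"):
        for proto in ("tcp", "udp"):
            acl.add("permit", proto, net, "2001:0db8:be03:2112::/64")
    return acl
```

Running constructed packets through build_acl_lab_01() shows why sequence numbers matter: a deny added later with an explicit sequence number of 5 is enforced ahead of rule 10, which is the kind of ordering to verify before resequencing a production ACL.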
To create a MAC ACL rule that permits traffic matching its conditions, use the permit command. To remove a rule, use the no form of this command.
[ sequence-number ] permit source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ] [ time-range time-range-name ]
no permit source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ] [ time-range time-range-name ]
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns a sequence number that is 10 greater than the last rule in the ACL.
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the source and destination arguments in one of two ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
This example shows how to configure a MAC ACL named mac-filter with a rule that permits traffic between two groups of MAC addresses:
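As an added illustration (not Cisco code), the following Python block models the MAC ACL match on the two address forms shown above: a single host, written with a wildcard of 0000.0000.0000, and every host with the vendor code 00603e, written with a wildcard of 0000.00ff.ffff. That a 1 bit in the wildcard means the packet bit is not compared is assumed from the IPv4 ACL convention; the EtherType values and the packets used for the check are constructed.

```python
"""MAC ACL matching model (added illustration, not Cisco code).

A rule's source and destination are 'any' or 'ADDRESS WILDCARD' in Cisco dotted
hex; a 1 bit in the wildcard means the packet bit is not compared (assumed to be
the same convention as IPv4 ACL wildcards).
"""


def mac_to_int(dotted):
    return int(dotted.replace(".", ""), 16)


def parse_mac_match(spec):
    """'any' or 'ADDRESS WILDCARD' -> (value, care_mask): bits set in care_mask are compared."""
    if spec == "any":
        return (0, 0)
    addr, wild = spec.split()
    care = ~mac_to_int(wild) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care, care)


def mac_matches(matcher, mac):
    value, care = matcher
    return mac_to_int(mac) & care == value


class MacAccessList:
    def __init__(self, name):
        self.name = name
        self.rules = []   # (seq, action, src_matcher, dst_matcher, protocol)

    def add(self, action, src, dst, protocol=None, seq=None):
        if seq is None:                       # 10 greater than the last rule, 10 if empty
            seq = self.rules[-1][0] + 10 if self.rules else 10
        self.rules.append((seq, action, parse_mac_match(src), parse_mac_match(dst), protocol))
        self.rules.sort(key=lambda r: r[0])
        return seq

    def evaluate(self, src_mac, dst_mac, ethertype=None):
        """First rule whose conditions are satisfied is enforced; otherwise the implicit deny."""
        for seq, action, src, dst, proto in self.rules:
            if mac_matches(src, src_mac) and mac_matches(dst, dst_mac) and proto in (None, ethertype):
                return action, seq
        return "deny", None


def build_mac_filter():
    """mac-filter (constructed): the host 00c0.4f03.0a72 may talk to any host whose
    vendor code (first three bytes) is 00603e."""
    acl = MacAccessList("mac-filter")
    acl.add("permit", "00c0.4f03.0a72 0000.0000.0000", "0060.3e00.0000 0000.00ff.ffff")
    return acl
```

The care mask makes the vendor-code rule easy to audit: parse_mac_match on the second form yields a mask of ffff.ff00.0000, so only the OUI is compared and the three device-specific bytes are ignored.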
To configure a permit action in a security group access control list (SGACL), use the permit command. To remove the action, use the no form of this command.
permit { all | icmp | igmp | ip | {{ tcp | udp } [{ src | dst } {{ eq | gt | lt | neq } port-number } | range port-number1 port-number2 }]} [ log ]
no permit { all | icmp | igmp | ip | {{ tcp | udp } [{ src | dst } {{ eq | gt | lt | neq } port-number } | range port-number1 port-number2 }]} [ log ]
Specifies Internet Group Management Protocol (IGMP) traffic.
(Optional) Specifies that packets matching this configuration be logged.
role-based access control list
The log keyword was added to support the enabling of role-based access control list (RBACL) logging.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF.
To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.
This example shows how to add a permit action to an SGACL and enable RBACL logging:
This example shows how to remove a permit action from an SGACL:
To permit interfaces for a user role interface policy, use the permit interface command. To deny interfaces, use the no form of this command.
permit interface { ethernet slot / port [ - port2 ]| interface-list }
User role interface policy configuration
The interface policy deny command denies a user role access to all interfaces except for those that you allow with the permit interface command.
This example shows how to permit a range of interfaces for a user role interface policy:
This example shows how to permit a list of interfaces for a user role interface policy:
This example shows how to deny an interface in a user role interface policy:
Creates or specifies a user role and enters user role configuration mode.
To permit VLANs for a user role VLAN policy, use the permit vlan command. To remove VLANs, use the no form of this command.
permit vlan { vlan-id [ - vlan-id2 ] | vlan-list }
Last VLAN identifier in a range. The VLAN identifier must be greater than the first VLAN identifier in the range.
User role VLAN policy configuration
The vlan policy deny command denies a user role access to all VLANs except for those that you allow with the permit vlan command.
This example shows how to permit a VLAN identifier for a user role VLAN policy:
This example shows how to permit a range of VLAN identifiers for a user role VLAN policy:
This example shows how to permit a list of VLAN identifiers for a user role VLAN policy:
This example shows how to deny a VLAN from a user role VLAN policy:
Creates or specifies a user role and enters user role configuration mode.
To permit virtual routing and forwarding instances (VRFs) for a user role VRF policy, use the permit vrf command. To remove VRFs, use the no form of this command.
User role VRF policy configuration
The vrf policy deny command denies a user role access to all VRFs except for those that you allow with the permit vrf command.
You can repeat this command to allow more than one VRF name for the user role.
This example shows how to permit a VRF name for a user role VRF policy:
This example shows how to remove a VRF name from a user role VRF policy:
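The interface, VLAN and VRF policies described above share one model: the deny form of the policy command closes the policy, and permit statements open individual objects, ranges or lists. The following Python block is an added illustration (not Cisco code) of that allow-list behaviour, including the range forms from the syntax (ethernet slot/port - port2 and vlan-id - vlan-id2) and the rule that the second VLAN identifier must be greater than the first. The comma-separated form used here for interface-list and vlan-list, and the interface, VLAN and VRF values in the sample role, are assumptions; the page does not show those list formats.

```python
"""Allow-list model of user-role interface, VLAN and VRF policies (added illustration, not Cisco code).

After `interface policy deny`, `vlan policy deny` or `vrf policy deny`, only objects named
in permit statements remain accessible. Comma-separated lists are an assumed format.
"""


def expand_interfaces(spec):
    """'ethernet 2/1 - 4' -> {'ethernet2/1', ..., 'ethernet2/4'}; 'ethernet 2/1, ethernet 2/3' is a list."""
    result = set()
    for item in spec.split(","):
        tokens = item.split()                   # e.g. ['ethernet', '2/1', '-', '4']
        slot, first = tokens[1].split("/")
        last = int(tokens[3]) if len(tokens) == 4 and tokens[2] == "-" else int(first)
        if last < int(first):
            raise ValueError(f"port2 must not be lower than port: {item.strip()}")
        result.update(f"ethernet{slot}/{p}" for p in range(int(first), last + 1))
    return result


def expand_vlans(spec):
    """'8', '10 - 20' or '2, 5, 10-12' -> set of VLAN ids; vlan-id2 must exceed vlan-id."""
    result = set()
    for item in spec.replace(" ", "").split(","):
        if "-" in item:
            first, second = (int(v) for v in item.split("-"))
            if second <= first:
                raise ValueError(f"second VLAN id must be greater than the first: {item}")
            result.update(range(first, second + 1))
        else:
            result.add(int(item))
    return result


class RolePolicies:
    """Allow-lists for one user role; anything not permitted is denied."""

    def __init__(self):
        self.interfaces, self.vlans, self.vrfs = set(), set(), set()

    def permit_interface(self, spec):
        self.interfaces |= expand_interfaces(spec)

    def permit_vlan(self, spec):
        self.vlans |= expand_vlans(spec)

    def permit_vrf(self, name):                 # repeat the call for each additional VRF
        self.vrfs.add(name)

    def may_configure(self, kind, obj):
        if kind == "interface":
            return obj.replace(" ", "").lower() in self.interfaces
        if kind == "vlan":
            return int(obj) in self.vlans
        return obj in self.vrfs


def build_example_role():
    """Constructed role: ethernet 2/1-4, VLANs 8 and 10-20, and the VRF 'vrf-lab'."""
    role = RolePolicies()
    role.permit_interface("ethernet 2/1 - 4")
    role.permit_vlan("8")
    role.permit_vlan("10 - 20")
    role.permit_vrf("vrf-lab")
    return role
```

Because the sets start empty, a role with a deny policy and no permit statements can configure nothing, which is the least-privilege starting point the policy commands are designed around.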
Creates or specifies a user role and enters user role configuration mode.
To configure how supervisor modules update I/O modules with changes to access control lists (ACLs), use the platform access-list update command. To disable atomic updates, use the no form of this command.
platform access-list update { atomic | default-result permit }
no platform access-list update { atomic | default-result permit }
This command was deprecated and replaced with the access-list update command.
By default, a Cisco NX-OS device performs atomic ACL updates, which do not disrupt traffic that the updated ACL applies to; however, atomic updates require that the I/O modules that receive the updates have enough available resources to store each of the updated entries in the affected ACL. After the update occurs, the additional resources used for the update are freed. If the I/O module lacks the required resources, the device generates an error message and the ACL update to the I/O module fails.
If an I/O module lacks required resources, you can disable atomic updates by using the no platform access-list update atomic command; however, during the brief time required for the device to remove the old ACL and implement the updated ACL, traffic that the ACL applies to is dropped by default.
If you want to permit all traffic that the updated ACL applies to during a non-atomic update, use the platform access-list update default-result permit command.
This example shows how to disable atomic updates to ACLs:
This example shows how to permit affected traffic during a non-atomic ACL update:
This example shows how to revert to the atomic update method:
Displays the running configuration, including the default configuration.
To configure rate limits in packets per second on supervisor-bound traffic, use the platform rate-limit command. To revert to the default, use the no form of this command.
platform rate-limit { access-list-log | copy | layer-2 { port-security | storm-control } | layer-3 { control | glean | mtu | multicast { directly-connect | local-groups | rpf-leak } | ttl } | receive } packets
no platform rate-limit { access-list-log | copy | layer-2 { port-security | storm-control } | layer-3 { control | glean | mtu | multicast { directly-connect | local-groups | rpf-leak } | ttl } | receive } [ packets ]
This command was deprecated and replaced with the rate-limiter command.
This example shows how to configure a rate limit for control packets:
This example shows how to revert to the default rate limit for control packets:
To configure policing for a class map in a control plane policy map, use the police command. To remove policing for a class map in a control plane policy map, use the no form of this command.
police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ]
police [ cir ] cir-rate [ bps | gbps | kbps | mbps ] [ bc ] burst-size [ bytes | kbytes | mbytes | ms | packets | us ]
police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ] conform { drop | set-cos-transmit cos-value | set-dscp-transmit dscp-value | set-prec-transmit prec-value | transmit } [ exceed { drop | set dscp dscp table cir-markdown-map | transmit }] [ violate { drop | set dscp dscp table pir-markdown-map | transmit }]
police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ] pir pir-rate [ bps | gbps | kbps | mbps ] [[ be ] extended-burst-size [ bytes | kbytes | mbytes | ms | packets | us ]]
no police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ]
no police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ] [ bc ] burst-size [ bytes | kbytes | mbytes | ms | packets | us ]
no police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ] conform { drop | set-cos-transmit cos-value | set-dscp-transmit dscp-value | set-prec-transmit prec-value | transmit } [ exceed { drop | set dscp dscp table cir-markdown-map | transmit }] [ violate { drop | set dscp dscp table pir-markdown-map | transmit }]
no police [ cir ] cir-rate [ bps | gbps | kbps | mbps | pps ] pir pir-rate [ bps | gbps | kbps | mbps | pps ] [[ be ] extended-burst-size [ bytes | kbytes | mbytes | ms | packets | us ]]
This example shows how to specify a control plane policy map and enter policy map configuration mode:
This example shows how to delete a control plane policy map:
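The police syntax lists the committed-rate parameters (cir, bc), the peak-rate parameters (pir, be) and their unit keywords, but not the policing algorithm itself. The following Python block is an added illustration, not Cisco code, that models them as token buckets: a single-rate two-colour policer (conform/violate) when only cir is configured, and an RFC 2698 two-rate three-colour policer (conform/exceed/violate) when pir is configured as well. The unit conversions (decimal kilo/mega/giga, and an ms or us burst taken as the amount the rate delivers in that window) are assumptions about how the keywords map to bucket sizes, as are the sample rates used for the check.

```python
"""Token-bucket model of the police command's cir/bc/pir/be parameters.

Added illustration, not Cisco code: the page gives the syntax but not the
policer algorithm, so this assumes a single-rate two-colour policer when only
cir is configured and an RFC 2698 two-rate three-colour policer when pir is
configured. kbps/mbps/gbps and kbytes/mbytes are taken as decimal multiples.
"""

RATE_UNITS = {"bps": 1, "kbps": 1_000, "mbps": 1_000_000, "gbps": 1_000_000_000, "pps": 1}
SIZE_UNITS = {"bytes": 1, "kbytes": 1_000, "mbytes": 1_000_000, "packets": 1}


def burst_tokens(size, unit, rate, rate_unit):
    """Convert a bc/be value to bucket tokens: bytes, or packets when the rate is pps.
    A burst given in ms or us is the amount the rate delivers in that time window."""
    if unit in SIZE_UNITS:
        return size * SIZE_UNITS[unit]
    seconds = size / (1_000 if unit == "ms" else 1_000_000)
    per_second = rate if rate_unit == "pps" else rate / 8      # bits/s -> bytes/s
    return per_second * seconds


class Policer:
    def __init__(self, cir, cir_unit, bc, bc_unit, pir=None, pir_unit=None,
                 be=0, be_unit="bytes", conform="transmit", exceed="drop", violate="drop"):
        self.pps = cir_unit == "pps"
        self.two_rate = pir is not None
        self.cir = cir * RATE_UNITS[cir_unit]                   # bits/s or packets/s
        self.pir = pir * RATE_UNITS[pir_unit or cir_unit] if self.two_rate else self.cir
        self.bc = burst_tokens(bc, bc_unit, self.cir, cir_unit)
        self.be = burst_tokens(be, be_unit, self.pir, pir_unit or cir_unit)
        self.actions = {"conform": conform, "exceed": exceed, "violate": violate}
        self.tc, self.tp = self.bc, self.be                     # buckets start full
        self.last = 0.0

    def _refill(self, now):
        """Add the tokens earned since the last packet, capped at the burst sizes."""
        scale = 1 if self.pps else 1 / 8                        # bits -> bytes
        elapsed = max(0.0, now - self.last)
        self.last = max(self.last, now)
        self.tc = min(self.bc, self.tc + self.cir * scale * elapsed)
        self.tp = min(self.be, self.tp + self.pir * scale * elapsed)

    def police(self, now, size_bytes=0):
        """Colour one packet arriving at time `now` (seconds); returns (colour, action)."""
        self._refill(now)
        cost = 1 if self.pps else size_bytes
        if not self.two_rate:
            if self.tc >= cost:
                self.tc -= cost
                return "conform", self.actions["conform"]
            return "violate", self.actions["violate"]
        if self.tp < cost:                                      # over the peak rate as well
            return "violate", self.actions["violate"]
        self.tp -= cost                                         # every forwarded packet debits the pir bucket
        if self.tc < cost:
            return "exceed", self.actions["exceed"]
        self.tc -= cost
        return "conform", self.actions["conform"]


def colours(policer, arrivals):
    """Run (time, size) arrivals through the policer and return the colour of each packet."""
    return [policer.police(t, size)[0] for t, size in arrivals]
```

With cir 100 pps and bc 5 packets, a burst of seven packets at the same instant gives five conform and two violate results; waiting one second refills the bucket to its cap of five, not to 100, which is the point of the burst parameter for control-plane protection.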
To manually configure a Cisco TrustSec authentication policy on an interface with either a Cisco TrustSec device identifier or security group tag (SGT), use the policy command. To revert to the default, use the no form of this command.
policy { dynamic identity device-id | static sgt sgt-value [ trusted ]}
no policy { dynamic | static }
Cisco TrustSec manual configuration
Removed the keywords and options following dynamic and static in the no form of this command.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown / no shutdown command sequence for the configuration to take effect.
This example shows how to manually configure a dynamic Cisco TrustSec policy on an interface:
This example shows how to remove a manually configured dynamic Cisco TrustSec policy from an interface:
This example shows how to manually configure a static Cisco TrustSec policy on an interface:
This example shows how to remove a manually configured static Cisco TrustSec policy on an interface:
Enters Cisco TrustSec manual configuration mode for an interface.
To create or specify a control plane policy map and enter policy map configuration mode, use the policy-map type control-plane command. To delete a control plane policy map, use the no form of this command.
policy-map type control-plane policy-map-name
no policy-map type control-plane policy-map-name
Name of the policy map. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.
This example shows how to specify a control plane policy map and enter policy map configuration mode:
This example shows how to delete a control plane policy map:
Displays configuration information for control plane policy maps.
To enable SGT propagation on Layer 2 Cisco TrustSec interfaces, use the propagate-sgt command. To disable SGT propagation, use the no form of this command.
You can disable the SGT propagation feature on an interface if the peer device connected to the interface cannot handle Cisco TrustSec packets tagged with an SGT.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown / no shutdown command sequence for the configuration to take effect.
This example shows how to disable SGT propagation:
This example shows how to enable SGT propagation:
Enters Cisco TrustSec 802.1X configuration mode for an interface.