Table Of Contents
aaa authentication cts default group
aaa authentication dot1x default group
aaa authentication eou default group
aaa authentication login ascii-authentication
aaa authentication login chap enable
aaa authentication login console
aaa authentication login default
aaa authentication login error-enable
aaa authentication login mschap enable
aaa authentication login mschapv2 enable
aaa authorization commands default
aaa authorization config-commands default
aaa authorization cts default group
aaa authorization ssh-certificate
aaa authorization ssh-publickey
A Commands
This chapter describes the Cisco NX-OS security commands that begin with A.
aaa accounting default
To configure authentication, authorization, and accounting (AAA) methods for accounting, use the aaa accounting default command. To revert to the default, use the no form of this command.
aaa accounting default {group group-list | local}
no aaa accounting default {group group-list | local}
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The group group-list methods refer to a set of previously defined servers. Use the radius-server host and tacacs-server host commands to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify the group method, the local method, or both, and they fail, then accounting fails.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This command does not require a license.
Examples
This example shows how to configure any RADIUS server for AAA accounting:
switch# configure terminal
switch(config)# aaa accounting default group radius
Related Commands
aaa accounting dot1x
To configure authentication, authorization, and accounting (AAA) methods for accounting for 802.1X authentication, use the aaa accounting dot1x command. To revert to the default, use the no form of this command.
aaa accounting dot1x {group group-list | local}
no aaa accounting dot1x {group group-list | local}
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The group group-list methods refer to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify the group method, the local method, or both, and they fail, then accounting fails.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This command does not require a license.
Examples
This example shows how to configure authentication, authorization, and accounting (AAA) methods for accounting for 802.1X authentication:
switch# configure terminal
switch(config)# aaa accounting dot1x default group group-list
Related Commands
aaa authentication cts default group
To configure the default authentication, authorization, and accounting (AAA) RADIUS server groups for Cisco TrustSec authentication, use the aaa authentication cts default group command. To remove a server group from the default AAA authentication server group list, use the no form of this command.
aaa authentication cts default group group-list
no aaa authentication cts default group group-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This command requires the Advanced Services license.
Examples
This example shows how to configure the default AAA authentication RADIUS server group for Cisco TrustSec:
switch# configure terminal
switch(config)# aaa authentication cts default group RadGroup
Related Commands
aaa authentication dot1x default group
To configure AAA authentication methods for 802.1X, use the aaa authentication dot1x default group command. To revert to the default, use the no form of this command.
aaa authentication dot1x default group group-list
no aaa authentication dot1x default group group-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature dot1x command before you configure 802.1X.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This command does not require a license.
Examples
This example shows how to configure methods for 802.1X authentication:
switch# configure terminal
switch(config)# aaa authentication dot1x default group Dot1xGroup
This example shows how to revert to the default methods for 802.1X authentication:
switch# configure terminal
switch(config)# no aaa authentication dot1x default group Dot1xGroup
Related Commands
aaa authentication eou default group
To configure AAA authentication methods for EAP over UDP (EoU), use the aaa authentication eou default group command. To revert to the default, use the no form of this command.
aaa authentication eou default group group-list
no aaa authentication eou default group group-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Before configuring EAPoUDP default authentication methods, you must enable EAPoUDP using the feature eou command.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This command does not require a license.
Examples
This example shows how to configure methods for EAPoUDP authentication:
switch# configure terminal
switch(config)# aaa authentication eou default group EoUGroup
This example shows how to revert to the default methods for EAPoUDP authentication:
switch# configure terminal
switch(config)# no aaa authentication eou default group EoUGroup
Related Commands
aaa authentication login ascii-authentication
To enable ASCII authentication for passwords on a TACACS+ server, use the aaa authentication login ascii-authentication command. To revert to the default, use the no form of this command.
aaa authentication login ascii-authentication
no aaa authentication login ascii-authentication
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
Only the TACACS+ protocol supports this feature.
This command does not require a license.
Examples
This example shows how to enable ASCII authentication for passwords on TACACS+ servers:
switch# configure terminal
switch(config)# aaa authentication login ascii-authentication
This example shows how to disable ASCII authentication for passwords on TACACS+ servers:
switch# configure terminal
switch(config)# no aaa authentication login ascii-authentication
Related Commands
Command Description
show aaa authentication login ascii-authentication
Displays the status of the ASCII authentication for passwords.
aaa authentication login chap enable
To enable Challenge Handshake Authentication Protocol (CHAP) authentication at login, use the aaa authentication login chap enable command. To revert to the default, use the no form of this command.
aaa authentication login chap enable
no aaa authentication login chap enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device.
This command does not require a license.
Examples
This example shows how to enable CHAP authentication:
switch# configure terminal
switch(config)# aaa authentication login chap enable
This example shows how to disable CHAP authentication:
switch# configure terminal
switch(config)# no aaa authentication login chap enable
Related Commands
aaa authentication login console
To configure AAA authentication methods for console logins, use the aaa authentication login console command. To revert to the default, use the no form of this command.
aaa authentication login console {fallback error local | group group-list [none] | local | none}
no aaa authentication login console {fallback error local | group group-list [none] | local | none}
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
5.0(2) Support for LDAP server groups was added.
5.0(2) The fallback error local keyword was added.
4.0(1) This command was introduced.
Usage Guidelines
The group radius, group tacacs+, group ldap, and group group-list methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host, tacacs-server host, or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
If you specify the group method or local method and they fail, the authentication can fail. If you specify the none method alone or after the group method, the authentication always succeeds.
The command operates only in the default VDC (VDC 1).
This command does not require a license.
Examples
This example shows how to configure the AAA authentication console login methods:
switch# configure terminal
switch(config)# aaa authentication login console group radius
This example shows how to revert to the default AAA authentication console login method:
switch# configure terminal
switch(config)# no aaa authentication login console group radius
Related Commands
aaa authentication login default
To configure the default AAA authentication methods, use the aaa authentication login default command. To revert to the default, use the no form of this command.
aaa authentication login default {fallback error local | group group-list [none] | local | none}
no aaa authentication login default {fallback error local | group group-list [none] | local | none}
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
5.0(2) Support for LDAP server groups was added.
5.0(2) The fallback error local keyword was added.
4.0(1) This command was introduced.
Usage Guidelines
The group radius, group tacacs+, group ldap, and group group-list methods refer to a set of previously defined RADIUS, TACACS+, or LDAP servers. Use the radius-server host, tacacs-server host, or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
If you specify the group method or local method and they fail, the authentication fails. If you specify the none method alone or after the group method, the authentication always succeeds.
This command does not require a license.
Examples
This example shows how to configure the AAA authentication default login method:
switch# configure terminal
switch(config)# aaa authentication login default group radius
This example shows how to revert to the default AAA authentication default login method:
switch# configure terminal
switch(config)# no aaa authentication login default group radius
Related Commands
aaa authentication login error-enable
To configure that the AAA authentication failure message displays on the console, use the aaa authentication login error-enable command. To revert to the default, use the no form of this command.
aaa authentication login error-enable
no aaa authentication login error-enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
When you log in, the login is processed by rolling over to the local user database if the remote AAA servers do not respond. In such cases, the following message is displayed on the user's terminal—if you have enabled the displaying of login failure messages:
Remote AAA servers unreachable; local authentication done.
Remote AAA servers unreachable; local authentication failed.
This command does not require a license.
Examples
This example shows how to enable the display of AAA authentication failure messages to the console:
switch# configure terminal
switch(config)# aaa authentication login error-enable
This example shows how to disable the display of AAA authentication failure messages to the console:
switch# configure terminal
switch(config)# no aaa authentication login error-enable
Related Commands
Command Description
show aaa authentication login error-enable
Displays the status of the AAA authentication failure message display.
aaa authentication login mschap enable
To enable Microsoft Challenge Handshake Authentication Protocol (MSCHAP) authentication at login, use the aaa authentication login mschap enable command. To revert to the default, use the no form of this command.
aaa authentication login mschap enable
no aaa authentication login mschap enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX-OS device.
This command does not require a license.
Examples
This example shows how to enable MSCHAP authentication:
switch# configure terminal
switch(config)# aaa authentication login mschap enable
This example shows how to disable MSCHAP authentication:
switch# configure terminal
switch(config)# no aaa authentication login mschap enable
Related Commands
Command Description
show aaa authentication login mschap
Displays the status of MSCHAP authentication.
aaa authentication login mschapv2 enable
To enable Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2) authentication at login, use the aaa authentication login mschapv2 enable command. To revert to the default, use the no form of this command.
aaa authentication login mschapv2 enable
no aaa authentication login mschapv2 enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX-OS device.
This command does not require a license.
Examples
This example shows how to enable MSCHAP V2 authentication:
switch# configure terminal
switch(config)# aaa authentication login mschapv2 enable
This example shows how to disable MSCHAP V2 authentication:
switch# configure terminal
switch(config)# no aaa authentication login mschapv2 enable
Related Commands
Command Description
show aaa authentication login mschapv2
Displays the status of MSCHAP V2 authentication.
aaa authorization commands default
To configure default AAA authorization methods for all EXEC commands, use the aaa authorization commands default command. To revert to the default, use the no form of this command.
aaa authorization commands default [group group-list [local] | local]
no aaa authorization commands default [group group-list [local] | local]
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.
Caution Command authorization disables user role based authorization control (RBAC), including the default roles.
Note Command authorization is available only to non-console sessions. If you use the console to log in to the device, command authorization is disabled.
Note By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
This command does not require a license.
Examples
This example shows how to configure the default AAA authorization methods for EXEC commands:
switch# configure terminal
switch(config)# aaa authorization commands default group TacGroup local
Per command authorization will disable RBAC for all users. Proceed (y/n)?
Note If you press Enter at the confirmation prompt, the default response is n.
This example shows how to revert to the default AAA authorization methods for EXEC commands:
switch# configure terminal
switch(config)# no aaa authorization commands default group TacGroup local
Related Commands
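The method-list rules stated in the usage guidelines for aaa authentication login console, aaa authentication login default, and aaa authorization commands default (groups tried in order, a group that does not respond falls through to the next method, the none method always succeeds, and authorization with no local fallback fails when every server is unreachable) are easy to get wrong in a running configuration. The following Python script is an added example, not Cisco code or device output: it parses a constructed fragment shaped like show running-config aaa, walks each method list according to those rules, and flags the weak settings. The group names TacGroup, the address 192.0.2.10, and the treatment of a reject from a responding server as final (no fall-through to local) are assumptions.

```python
"""Audit NX-OS AAA method lists for the pitfalls this chapter calls out.

Added example, not Cisco code or device output. SAMPLE_CONFIG is a constructed
fragment in the shape of `show running-config aaa`; the group name TacGroup
and the address 192.0.2.10 are assumptions.
"""
import re

SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server host 192.0.2.10
aaa group server tacacs+ TacGroup
  server 192.0.2.10
aaa authentication login default group TacGroup none
aaa authentication login console local
aaa authorization commands default group TacGroup
aaa authorization config-commands default group TacGroup local
aaa accounting default local
aaa user default-role
"""

# One line per method list: 'aaa <kind> <method ...>'
LINE_RE = re.compile(
    r"^aaa (?P<kind>authentication login (?:default|console)"
    r"|authorization (?:commands|config-commands) default"
    r"|accounting default) (?P<methods>.+)$"
)
STOP = ("local", "none", "fallback")


def parse_method_lists(config):
    """Map each method list to its methods in configured order.
    Methods are 'group:<name>', 'local', 'none' or 'fallback-error-local'."""
    lists = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        tokens = m.group("methods").split()
        methods = []
        i = 0
        while i < len(tokens):
            if tokens[i] == "group":
                # 'group A B' names every server group that follows, in order
                i += 1
                while i < len(tokens) and tokens[i] not in STOP:
                    methods.append("group:" + tokens[i])
                    i += 1
            elif tokens[i] == "fallback":  # 'fallback error local'
                methods.append("fallback-error-local")
                i += 3
            else:
                methods.append(tokens[i])
                i += 1
        lists[m.group("kind")] = methods
    return lists


def evaluate(methods, group_results, local_ok):
    """Walk a method list as the usage guidelines describe: groups are tried
    in order, a group that does not respond ('error') falls through to the
    next method, 'none' always succeeds and 'local' consults the local
    database. Treating a reject from a responding group as final (no
    fall-through to local) is an assumption about NX-OS. Returns 'allow'/'deny'."""
    for method in methods:
        if method == "none":
            return "allow"
        if method == "local":
            return "allow" if local_ok else "deny"
        if method.startswith("group:"):
            verdict = group_results.get(method[6:], "error")
            if verdict == "error":
                continue
            return "allow" if verdict == "accept" else "deny"
    return "deny"  # every method errored out and nothing was left to try


def audit(config):
    """Return (method_list, finding) pairs for the weak settings."""
    findings = []
    for name, methods in parse_method_lists(config).items():
        if "none" in methods:
            findings.append((name, "'none' present: access is granted once the walk reaches it"))
        has_group = any(m.startswith("group:") for m in methods)
        if name.startswith("authorization") and has_group and "local" not in methods:
            findings.append((name, "no 'local' fallback: authorization fails if every server is unreachable"))
        if name == "accounting default" and methods == ["local"]:
            findings.append((name, "accounting stays on the box; nothing reaches a RADIUS/TACACS+ server"))
    if re.search(r"^aaa user default-role$", config, re.M):
        findings.append(("user default-role", "remote users with no assigned role still log in with the default role"))
    return findings


if __name__ == "__main__":
    for name, text in audit(SAMPLE_CONFIG):
        print(f"{name}: {text}")
```

Run against a real device, feed it the text of show running-config aaa; the finding on the login default list shows the none pitfall exactly as the guidelines describe it, since a server group that times out leaves none as the next method and the login succeeds with no credential check.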
aaa authorization config-commands default
To configure default AAA authorization methods for all configuration commands, use the aaa authorization config-commands default command. To revert to the default, use the no form of this command.
aaa authorization config-commands default [group group-list [local] | local]
no aaa authorization config-commands default [group group-list [local] | local]
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command.
The group tacacs+ and group group-list methods refer to a set of previously defined TACACS+ servers. Use the tacacs-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, then the authorization can fail. If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.
Caution Command authorization disables user role based authorization control (RBAC), including the default roles.
Note Command authorization is available only to non-console sessions. If you use the console to log in to the device, command authorization is disabled.
Note By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
This command does not require a license.
Examples
This example shows how to configure the default AAA authorization methods for configuration commands:
switch# configure terminal
switch(config)# aaa authorization config-commands default group TacGroup local
This example shows how to revert to the default AAA authorization methods for configuration commands:
switch# configure terminal
switch(config)# no aaa authorization config-commands default group TacGroup local
Related Commands
aaa authorization cts default group
To configure the default authentication, authorization, and accounting (AAA) RADIUS server groups for Cisco TrustSec authorization, use the aaa authorization cts default group command. To remove a server group from the default AAA authorization server group list, use the no form of this command.
aaa authorization cts default group group-list
no aaa authorization cts default group group-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use the aaa authorization cts default group command, you must enable the Cisco TrustSec feature using the feature cts command.
The group-list refers to a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server command to create a named group of servers.
Use the show aaa groups command to display the RADIUS server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
This command requires the Advanced Services license.
Examples
This example shows how to configure the default AAA authorization RADIUS server group for Cisco TrustSec:
switch# configure terminal
switch(config)# aaa authorization cts default group RadGroup
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show aaa authorization
Displays the AAA authorization configuration.
show aaa groups
Displays the AAA server groups.
aaa authorization ssh-certificate
To configure TACACS+, Lightweight Directory Access Protocol (LDAP), or local authorization with Secure Shell (SSH) certificate authentication as the default AAA authorization method, use the aaa authorization ssh-certificate command. To disable this configuration, use the no form of this command.
aaa authorization ssh-certificate default {group group-list | local}
no aaa authorization ssh-certificate default {group group-list | local}
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the TACACS+ feature using the feature tacacs+ command or the LDAP feature using the feature ldap command.
The group tacacs+, group ldap, and group group-list methods refer to a set of previously defined TACACS+ and LDAP servers. Use the tacacs-server host command or ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the TACACS+ or LDAP server group method, authorization fails if all server groups fail to respond.
This command does not require a license.
Examples
This example shows how to configure LDAP authorization with certificate authentication as the default AAA authorization method for LDAP servers:
switch# configure terminal
switch(config)# aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2
Related Commands
aaa authorization ssh-publickey
To configure Lightweight Directory Access Protocol (LDAP) or local authorization with the Secure Shell (SSH) public key as the default AAA authorization method for LDAP servers, use the aaa authorization ssh-publickey command. To revert to the default, use the no form of this command.
aaa authorization ssh-publickey default {group group-list | local}
no aaa authorization ssh-publickey default {group group-list | local}
Syntax Description
Defaults
local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the LDAP feature using the feature ldap command.
The group ldap and group group-list methods refer to a set of previously defined LDAP servers. Use the ldap-server host command to configure the host servers. Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the server groups on the device.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
If you specify the group method or local method and it fails, the authorization can fail. If you have not configured a fallback method after the LDAP server group method, authorization fails if all server groups fail to respond.
This command does not require a license.
Examples
This example shows how to configure LDAP authorization with the SSH public key as the default AAA authorization method for LDAP servers:
switch# configure terminal
switch(config)# aaa authorization ssh-publickey default group LDAPServer1 LDAPServer2
Related Commands
aaa group server ldap
To create a Lightweight Directory Access Protocol (LDAP) server group and enter LDAP server group configuration mode, use the aaa group server ldap command. To delete an LDAP server group, use the no form of this command.
aaa group server ldap group-name
no aaa group server ldap group-name
Syntax Description
group-name
LDAP server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature ldap command before you configure LDAP.
This command does not require a license.
Examples
This example shows how to create an LDAP server group and enter LDAP server configuration mode:
switch# configure terminal
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)#
This example shows how to delete an LDAP server group:
switch# configure terminal
switch(config)# no aaa group server ldap LdapServer
Related Commands
aaa group server radius
To create a RADIUS server group and enter RADIUS server group configuration mode, use the aaa group server radius command. To delete a RADIUS server group, use the no form of this command.
aaa group server radius group-name
no aaa group server radius group-name
Syntax Description
group-name
RADIUS server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to create a RADIUS server group and enter RADIUS server configuration mode:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)#
This example shows how to delete a RADIUS server group:
switch# configure terminal
switch(config)# no aaa group server radius RadServer
Related Commands
aaa group server tacacs+
To create a TACACS+ server group and enter TACACS+ server group configuration mode, use the aaa group server tacacs+ command. To delete a TACACS+ server group, use the no form of this command.
aaa group server tacacs+ group-name
no aaa group server tacacs+ group-name
Syntax Description
group-name
TACACS+ server group name. The name is alphanumeric and case-sensitive. The maximum length is 64 characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to create a TACACS+ server group and enter TACACS+ server configuration mode:
switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)#
This example shows how to delete a TACACS+ server group:
switch# configure terminal
switch(config)# no aaa group server tacacs+ TacServer
Related Commands
Command Description
feature tacacs+
Enables TACACS+.
show aaa groups
Displays server group information.
aaa user default-role
To allow remote users who do not have a user role to log in to the device through RADIUS or TACACS+ using a default user role, use the aaa user default-role command. To disable default user roles for remote users, use the no form of this command.
aaa user default-role
no aaa user default-role
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can enable or disable this feature for each virtual device context (VDC) as needed. For the default VDC, the default role is network-operator. For nondefault VDCs, the default role is vdc-operator. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.
This command does not require a license.
Examples
This example shows how to enable default user roles for AAA authentication of remote users:
switch# configure terminal
switch(config)# aaa user default-role
This example shows how to disable default user roles for AAA authentication of remote users:
switch# configure terminal
switch(config)# no aaa user default-role
Related Commands
Command Description
show aaa user default-role
Displays the status of AAA default user role feature.
absolute
To specify a time range that has a specific start date and time, a specific end date and time, or both, use the absolute command. To remove an absolute time range, use the no form of this command.
[sequence-number] absolute [start time date] [end time date]
no {sequence-number | absolute [start time date] [end time date]}
Syntax Description
Defaults
None
Command Modes
Time-range configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The device interprets all time range rules as local time.
If you omit both the start and the end keywords, the device considers the absolute time range to be always active.
You specify time arguments in 24-hour notation, in the form of hours:minutes or hours:minutes:seconds. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00.
You specify date arguments in the day month year format. The minimum valid start time and date is 00:00:00 1 January 1970, and the maximum valid start time is 23:59:59 31 December 2037.
This command does not require a license.
Examples
This example shows how to create an absolute time rule that begins at 7:00 a.m. on September 17, 2007, and ends at 11:59:59 p.m. on September 19, 2007:
switch# configure terminal
switch(config)# time-range conference-remote-access
switch(config-time-range)# absolute start 07:00 17 September 2007 end 23:59:59 19 September 2007
Related Commands
Command Description
periodic
Configures a periodic time range rule.
time-range
Configures a time range for use in IPv4 or IPv6 ACLs.
accept-lifetime
To specify the time interval within which the device accepts a key during a key exchange with another device, use the accept-lifetime command. To remove the time interval, use the no form of this command.
accept-lifetime [local] start-time [duration duration-value | infinite | end-time]
no accept-lifetime [local] start-time [duration duration-value | infinite | end-time]
Syntax Description
Defaults
infinite
Command Modes
Key configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
By default, the device interprets all time range rules as UTC.
By default, the time interval within which the device accepts a key during a key exchange with another device—the accept lifetime—is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour[:minute[:second]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
This command does not require a license.
Examples
This example shows how to create an accept lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
switch# configure terminal
switch(config)# key chain glbp-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# accept-lifetime 00:00:00 Jun 13 2008 23:59:59 Sep 12 2008
switch(config-keychain-key)#
Related Commands
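The absolute time-range rule and the accept-lifetime window described above use two different timestamp layouts. The following Python is an added example, not Cisco code: it parses both forms, enforces the 1970..2037 bounds the page states, and reports whether a given instant falls inside the window (useful when auditing whether a time-based ACL or a routing key is currently live). The duration-value is assumed to be a count of seconds.

```python
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Bounds both commands state on the page: 00:00:00 1 Jan 1970 .. 23:59:59 31 Dec 2037.
MIN_T, MAX_T = datetime(1970, 1, 1), datetime(2037, 12, 31, 23, 59, 59)

def parse_stamp(stamp: str, day_first: bool) -> datetime:
    """time-range: 'hh:mm[:ss] day Month year'; key chain: 'hh[:mm[:ss]] Mon day year'."""
    clock, date = stamp.split(maxsplit=1)
    h, m, s = (clock.split(":") + ["0", "0"])[:3]
    t = datetime.strptime(date, "%d %B %Y" if day_first else "%b %d %Y")
    t = t.replace(hour=int(h), minute=int(m), second=int(s))
    if not MIN_T <= t <= MAX_T:
        raise ValueError(f"{stamp!r} is outside the valid 1970..2037 range")
    return t

def absolute_window(rule: str) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Parse '[seq] absolute [start <stamp>] [end <stamp>]'; an omitted side is open."""
    tokens = rule.split()
    start = end = None
    i = tokens.index("absolute") + 1
    while i < len(tokens):
        kw, stamp = tokens[i], " ".join(tokens[i + 1:i + 5])
        if kw == "start":
            start = parse_stamp(stamp, day_first=True)
        elif kw == "end":
            end = parse_stamp(stamp, day_first=True)
        else:
            raise ValueError(f"unexpected token {kw!r}")
        i += 5
    return start, end

def accept_window(rule: str) -> Tuple[datetime, Optional[datetime]]:
    """Parse 'accept-lifetime [local] <start> [duration secs | infinite | <end>]'."""
    tokens = rule.split()[1:]
    if tokens and tokens[0] == "local":
        tokens = tokens[1:]
    start, rest = parse_stamp(" ".join(tokens[:4]), day_first=False), tokens[4:]
    if not rest or rest[0] == "infinite":  # page default: infinite, key always valid
        return start, None
    if rest[0] == "duration":  # duration-value assumed to be in seconds
        return start, start + timedelta(seconds=int(rest[1]))
    return start, parse_stamp(" ".join(rest[:4]), day_first=False)

def active_at(window, when: datetime) -> bool:
    """True when 'when' lies in [start, end]; an open side does not constrain.
    Pass 'when' in the same clock the rule uses (local time for time-range,
    UTC by default for accept-lifetime)."""
    start, end = window
    return (start is None or start <= when) and (end is None or when <= end)
```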
action
To specify what the device does when a packet matches a permit command in a VLAN access control list (VACL), use the action command. To remove an action command, use the no form of this command.
action drop [log]
no action drop [log]
action forward
no action forward
action redirect {ethernet slot/port | port-channel channel-number.subinterface-number}
no action redirect {ethernet slot/port | port-channel channel-number.subinterface-number}
Syntax Description
Defaults
None
Command Modes
VLAN access-map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The action command specifies the action that the device takes when a packet matches the conditions in an ACL specified by a match command in the same access map entry as the action command.
This command does not require a license.
Examples
This example shows how to create a VLAN access map named vlan-map-01 and add two entries that each have two match commands and one action command:
switch(config)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-01
switch(config-access-map)# action forward
switch(config-access-map)# match mac address mac-acl-00f
switch(config-access-map)# vlan access-map vlan-map-01
switch(config-access-map)# match ip address ip-acl-320
switch(config-access-map)# match mac address mac-acl-00e
switch(config-access-map)# action drop
switch(config-access-map)# show vlan access-map
Vlan access-map vlan-map-01 10
match ip: ip-acl-01
match mac: mac-acl-00f
action: forward
Vlan access-map vlan-map-01 20
match ip: ip-acl-320
match mac: mac-acl-00e
action: drop
Related Commands
arp access-list
To create an Address Resolution Protocol (ARP) access control list (ACL) or to enter ARP access list configuration mode for a specific ARP ACL, use the arp access-list command. To remove an ARP ACL, use the no form of this command.
arp access-list access-list-name
no arp access-list access-list-name
Syntax Description
access-list-name
Name of the ARP ACL. The name can be up to 64 alphanumeric, case-sensitive characters. Names cannot contain a space or quotation mark.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Use ARP ACLs to filter ARP traffic when you cannot use DHCP snooping.
No ARP ACLs are defined by default.
When you use the arp access-list command, the device enters ARP access list configuration mode, where you can use the ARP deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the ip arp inspection filter command to apply the ARP ACL to a VLAN.
This command does not require a license.
Examples
This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01:
switch# conf t
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)#
Related Commands
authentication (LDAP)
To configure Lightweight Directory Access Protocol (LDAP) authentication to use the bind or compare method, use the authentication command. To disable this configuration, use the no form of this command.
authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}
no authentication {bind-first [append-with-baseDN DNstring] | compare [password-attribute password]}
Syntax Description
Defaults
Bind method using first search and then bind
Command Modes
LDAP server group configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to configure LDAP authentication to use the compare method:
switch# conf t
switch(config)# aaa group server ldap LDAPServer1
switch(config-ldap)# server 10.10.2.2
switch(config-ldap)# authentication compare password-attribute TyuL8r
switch(config-ldap)#
Related Commands