Users can be created with one of the following user levels:
•Level 1—Users with this level can only run User EXEC mode commands.
Users at this level cannot access the web GUI or commands in the
Privileged EXEC mode.
•Level 7—Users with this level can run commands in the User EXEC mode
and a subset of commands in the Privileged EXEC mode. Users at this level
cannot access the web GUI.
•Level 15—Users with this level can run all commands. Only users at this
level can access the web GUI.
A system administrator (user with level 15) can create passwords that allow a
lower level user to temporarily become a higher level user. For example, the user
may go from level 1 to level 7, level 1 to 15, or level 7 to level 15.
The passwords for each level are set (by an administrator) using the following
command:
enable password [level level] {unencrypted-password | encrypted encrypted-password}
Using these passwords, you can raise your user level by entering the command:
enable and the password for level 7 or 15. You can go from level 1 to level 7 or
directly to level 15. The higher level holds only for the current session.
The disable command returns the user to a lower level.
To create a user and assign it a user level, use the username command. Only users
with command level 15 can create users at this level.
Example—Create passwords for level 7 and 15 (by the administrator):
switchxxxxxx#configure
switchxxxxxx(config)# username john password john1234 privilege 1
switchxxxxxx(config)#
Example 2—Switch from Level 1 to Level 15. The user must know the
password:
switchxxxxxx#
switchxxxxxx# enable
Enter Password: ****** (this is the password for level 15 - level15@abc)
switchxxxxxx#
NOTE If authentication of passwords is performed on RADIUS or TACACS+ servers, the
passwords assigned to user level 7 and user level 15 must be configured on the
external server and associated with the $enable7$ and $enable15$ user names,
respectively. See the Authentication, Authorization and Accounting (AAA)
Commands chapter for details.
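To make the level rules concrete, here is an added Python model (not the switch's code or Cisco's) of the user levels, enable passwords and level transitions described above. The enable passwords are stored under the $enable7$ and $enable15$ names the NOTE mentions; the salted PBKDF2 storage, the bootstrap administrator and the behaviour of disable when no target level is given are assumptions.

```python
import hashlib
import hmac
import os

ENABLE_LEVELS = (7, 15)     # levels an enable password can be set for
USER_LEVELS = (1, 7, 15)


def _digest(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the model keeps no clear-text passwords; the device's own
    # storage format is not described on the page, so this is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _store(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def _verify(stored: tuple, password: str) -> bool:
    salt, digest = stored
    return hmac.compare_digest(digest, _digest(password, salt))


class Device:
    """Holds users, their levels and the per-level enable passwords."""

    def __init__(self, admin_name: str, admin_password: str):
        # Enable passwords are keyed by the names an external RADIUS/TACACS+
        # server would associate them with ($enable7$, $enable15$).
        self._enable = {}
        # username -> (level, stored password); one level-15 user bootstraps
        # the device (assumption).
        self._users = {admin_name: (15, _store(admin_password))}

    def set_enable_password(self, level: int, password: str) -> None:
        if level not in ENABLE_LEVELS:
            raise ValueError("enable passwords are defined for levels 7 and 15 only")
        self._enable[f"$enable{level}$"] = _store(password)

    def create_user(self, creator: "Session", username: str, password: str, level: int) -> None:
        if creator.level != 15:
            raise PermissionError("only a level 15 user can create users")
        if level not in USER_LEVELS:
            raise ValueError("user level must be 1, 7 or 15")
        self._users[username] = (level, _store(password))

    def login(self, username: str, password: str) -> "Session":
        level, stored = self._users.get(username, (None, None))
        if stored is None or not _verify(stored, password):
            raise PermissionError("login failed")
        return Session(self, level)

    def check_enable(self, level: int, password: str) -> bool:
        stored = self._enable.get(f"$enable{level}$")
        return stored is not None and _verify(stored, password)


class Session:
    """One CLI session; a level raised with enable lasts only for the session."""

    def __init__(self, device: Device, level: int):
        self.device = device
        self.level = level

    def enable(self, level: int, password: str) -> int:
        # Allowed moves: 1 -> 7, 1 -> 15, 7 -> 15.
        if level not in ENABLE_LEVELS or level <= self.level:
            raise ValueError(f"cannot raise level {self.level} to {level}")
        if not self.device.check_enable(level, password):
            raise PermissionError("wrong enable password")
        self.level = level
        return self.level

    def disable(self, level: int = 1) -> int:
        # Assumption: disable drops to level 1 unless a lower target level is given.
        if level not in USER_LEVELS or level >= self.level:
            raise ValueError(f"cannot lower level {self.level} to {level}")
        self.level = level
        return self.level

    def privileged_exec(self) -> bool:
        return self.level >= 7       # level 1 stays in User EXEC mode

    def can_use_web_gui(self) -> bool:
        return self.level == 15      # only level 15 reaches the web GUI
```

The password comparison goes through hmac.compare_digest so that a wrong enable password is rejected in constant time; the level checks themselves are the three transitions the text allows, and nothing else.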
CLI Command Modes
The CLI is divided into four command modes. The command modes are (in the
order in which they are accessed):
•User EXEC mode
•Privileged EXEC mode
•Global Configuration mode
•Interface Configuration mode
Each command mode has its own unique console prompt and set of CLI
commands. Entering a question mark at the console prompt displays a list of
available commands for the current mode and for the level of the user. Specific
commands are used to switch from one mode to another.
Users are assigned privilege levels that determine the modes and commands
available to them. User levels are described in User (Privilege) Levels.
User EXEC Mode
Users with level 1 initially log into User EXEC mode. User EXEC mode is used for
tasks that do not change the configuration, such as performing basic tests and
listing system information.
The user-level prompt consists of the switch host name followed by a #. The
default host name is switchxxxxxx where xxxxxx is the last six digits of the
device’s MAC address, as shown below:
switchxxxxxx#
The default host name can be changed via the hostname command in Global
Configuration mode.
Privileged EXEC Mode
A user with level 7 or 15 automatically logs into Privileged EXEC mode.
Users with level 1 can enter Privileged EXEC mode by entering the enable
command and, when prompted, the password for level 15.
To return from the Privileged EXEC mode to the User EXEC mode, use the disable
command.
Global Configuration Mode
The Global Configuration mode is used to run commands that configure features
at the system level, as opposed to the interface level.
Only users with command level of 7 or 15 can access this mode.
To access Global Configuration mode from Privileged EXEC mode, enter the
configure command at the Privileged EXEC mode prompt and press Enter. The
Global Configuration mode prompt, consisting of the device host name followed
by (config)#, is displayed:
switchxxxxxx(config)#
Use any of the following commands to return from Global Configuration mode to
the Privileged EXEC mode:
Configuration mode. The interface Global Configuration command is used
to enter this mode.
•Line Interface—Contains commands used to configure the management
connections for the console, Telnet and SSH. These include commands such
as line timeout settings, etc. The line Global Configuration command is used
to enter the Line Configuration command mode.
•VLAN Database—Contains commands used to configure a VLAN as a
whole. The vlan database Global Configuration mode command is used to
enter the VLAN Database Interface Configuration mode.
•Management Access List—Contains commands used to define
management access-lists. The management access-list Global
Configuration mode command is used to enter the Management Access
List Configuration mode.
•MAC Access-List, IPv6 Access List, IP Access List—Configures
conditions required to allow traffic based on MAC addresses, IPv6 address
and IPv4 address, respectively. The mac access-list, ipv6 access-list and ip
access-list Global Configuration mode commands are used to enter these
configuration modes.
To return from any Interface Configuration mode to the Global Configuration mode,
use the exit command.
Accessing the CLI
The CLI can be accessed from a terminal or computer by performing one of the
following tasks:
•Running a terminal application, such as HyperTerminal, on a computer’s com
port that is directly connected to the switch’s console port,
•Running a Telnet session from a command prompt on a computer with a
•Using SSH from an application that supports SSH client running on a
NOTE Telnet and SSH are disabled by default on the switch.
If access is via a Telnet or SSH connection, ensure that the following conditions are
met before using CLI commands:
•The switch has a defined IP address.
•Corresponding management access is enabled.
•There is an IP path such that the computer and the switch can reach each
other.
Using HyperTerminal over the Console Interface
The switch’s RJ45 port provides a direct connection to a computer’s serial port
using a standard DB-9 null-modem or crossover cable. After the computer and
switch are connected, run a terminal application to access the CLI.
The terminal emulator must be configured to databits=8 and parity=none.
Press Enter twice, so that the device sets the serial port speed to match the PC's
serial port speed.
When the CLI appears, enter cisco at the User Name prompt and then enter cisco
for the Password prompt.
The switchxxxxxx# prompt is displayed. You can now enter CLI commands to
manage the switch. For detailed information on CLI commands, refer to the
appropriate chapter(s) of this reference guide.
Using Telnet over an Ethernet Interface
Telnet provides a method of connecting to the CLI over an IP network.
To establish a telnet session from the command prompt, perform the following
steps:
STEP 1 Click Start, then select All Programs > Accessories > Command Prompt to open a
command prompt.
Figure 1 Start > All Programs > Accessories > Command Prompt
STEP 2 At the prompt, enter telnet <IP address of switch>, then press Enter.
Figure 2 Command Prompt
STEP 3 The CLI is displayed.
CLI Command Conventions
When entering commands there are certain command entry standards that apply
to all commands. The following table describes the command conventions.
Convention       Description
[ ]              In a command line, square brackets indicate an optional entry.
{ }              In a command line, curly brackets indicate a selection of
                 compulsory parameters separated by the | character. One option
                 must be selected. For example, flowcontrol {auto|on|off} means
                 that for the flowcontrol command, either auto, on, or off must
                 be selected.
text             Italic text indicates a parameter.
press key        Names of keys to be pressed are shown in bold.
Ctrl+F4          Keys separated by the + character are to be pressed
                 simultaneously on the keyboard.
Screen Display   Fixed-width font indicates CLI prompts, CLI commands entered by
                 the user, and system messages displayed on the console.
all              When a parameter is required to define a range of ports or
                 parameters and all is an option, the default for the command is
                 all when no parameters are defined. For example, the command
                 interface range port-channel has the option of either entering
                 a range of channels, or selecting all. When the command is
                 entered without a parameter, it automatically defaults to all.
Quoted string    When the input string contains spaces and/or reserved words
                 (i.e. VLAN), put the string in inverted commas.
When free text can be entered as a parameter for a command (for example in the
command snmp-server contact) and the text consists of multiple words separated
by blanks, the entire string must appear in double quotes. For example:
snmp-server contact "QA on floor 8"
Editing Features
Entering Commands
A CLI command is a series of keywords and arguments. Keywords identify a
command, and arguments specify configuration parameters. For example, in the
command show interfaces status Gigabitethernet 1, show, interfaces and status
are keywords, Gigabitethernet is an argument that specifies the interface type,
and 1 specifies the port.
To enter commands that require parameters, enter the required parameters after
the command keyword. For example, to set a password for the administrator,
enter:
There are two instances where help information can be displayed:
•Keyword lookup—The character ? is entered in place of a command. A list
of all valid commands and corresponding help messages is displayed.
•Partial keyword lookup—If a command is incomplete or the character ?
is entered in place of a parameter, the matched keywords or parameters for
this command are displayed.
To assist in using the CLI, there is an assortment of editing features. The following
features are described:
•Terminal Command Buffer
•Command Completion
•Interface Naming Conventions
•Keyboard Shortcuts
Terminal Command Buffer
Every time a command is entered in the CLI, it is recorded on an internally
managed Command History buffer. Commands stored in the buffer are maintained
on a First In First Out (FIFO) basis. These commands can be recalled, reviewed,
modified, and reissued. This buffer is not preserved across device resets.
Keyword              Description
Up-Arrow key         Recalls commands in the history buffer, beginning with the
Ctrl+P               most recent command. Repeat the key sequence to recall
                     successively older commands.
Down-Arrow key       Returns to more recent commands in the history buffer after
                     recalling commands with the up-arrow key. Repeating the key
                     sequence will recall successively more recent commands.
By default, the history buffer system is enabled, but it can be disabled at any time.
For more information on enabling or disabling the history buffer, refer to the history
command.
There is a standard default number of commands that are stored in the buffer. The
standard number of 10 commands can be increased to 216. By configuring 0, the
effect is the same as disabling the history buffer system. For more information on
configuring the command history buffer, refer to the history size command.
To display the history buffer, refer to the show history command.
Negating the Effect of Commands
For many configuration commands, the prefix keyword no can be entered to
cancel the effect of a command or reset the configuration to the default value. This
Reference Guide provides a description of the negation effect for each CLI
command.
Command Completion
If the command entered is incomplete, invalid or has missing or invalid parameters,
then the appropriate error message is displayed. This assists in entering the
correct command. By pressing Tab after an incomplete command is entered, the
system will attempt to identify and complete the command. If the characters
already entered are not enough for the system to identify a single matching
command, press ? to display the available commands matching the characters
already entered.
Keyboard Shortcuts
The CLI has a range of keyboard shortcuts to assist in editing the CLI commands.
The following table describes the CLI shortcuts.
Keyboard Key     Description
Up-arrow         Recalls commands from the history buffer, beginning with the
                 most recent command. Repeat the key sequence to recall
                 successively older commands.
Down-arrow       Returns the most recent commands from the history buffer after
                 recalling commands with the up arrow key. Repeating the key
                 sequence will recall successively more recent commands.
Ctrl+E           Moves the cursor to the end of the command line.
Ctrl+Z / End     Returns back to the Privileged EXEC mode from any configuration
                 mode.
Backspace        Deletes one character left to the cursor position.
Copying and Pasting Text
Up to 1000 lines of text (or commands) can be copied and pasted into the device.
NOTE It is the user’s responsibility to ensure that the text copied into the device consists
of legal commands only.
When copying and pasting commands from a configuration file, make sure that the
following conditions exist:
•A device Configuration mode has been accessed.
•The commands contain no encrypted data, like encrypted passwords or keys.
Encrypted data cannot be copied and pasted into the device except for encrypted
passwords where the keyword encrypted is used before the encrypted data (for
instance in the enable password command).
Interface Naming Conventions
Interfaces on the device can be one of the following types:
•Fast Ethernet (10/100 kbits) ports—This can be written as FastEthernet,
fa or fe.
•Gigabit Ethernet (10/100/1000 kbits) ports—These can be written as
either GigabitEthernet or gi or GE.
•LAG (Port Channel)—Written as either Port-Channel or po.
NOTE Range lists can contain either ports and port-channels or VLANs. Combinations of
port/port-channels and VLANs are not allowed.
The space after the comma is optional.
When a range list is defined, a space after the first entry and before the comma (,)
must be entered.
A sample of this command is shown in the example below:
switchxxxxxx#configure
switchxxxxxx(config)#interface range gi1-5, vlan 1-2
IPv6z Address Conventions
The following describes how to write an IPv6z address, which is a link-local IPv6
address.
The format is:
<ipv6-link-local-address>%<egress-interface>
where:
egress-interface (also known as zone) = vlan<vlan-id> | po<number> |
tunnel<number> | port<number> | 0
If the egress interface is not specified, the default interface is selected. Specifying
egress interface = 0 is equal to not defining an egress interface.
The following combinations are possible:
•ipv6_address%egress-interface—Refers to the IPv6 address on the
•ipv6_address%0—Refers to the IPv6 address on the single interface on
which an IPv6 address is defined.
•ipv6_address—Refers to the IPv6 address on the single interface on which
an IPv6 address is defined.
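An added example (not from the page or from Cisco) of parsing the IPv6z format in Python. The zone forms are the ones listed above and 0 is treated as "no zone"; resolve_egress models the single-interface rule for an address given without a zone, and treating several IPv6-enabled interfaces in that case as an error is an assumption.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Egress-interface (zone) forms from the page; "0" is handled separately.
ZONE_RE = re.compile(r"^(vlan|po|tunnel|port)(\d+)$")


def parse_ipv6z(text: str) -> Tuple[ipaddress.IPv6Address, Optional[str]]:
    """Split '<link-local>%<zone>' into (address, zone).

    zone is None when the egress interface is omitted or given as 0, which the
    page treats alike. A non-link-local address or an unknown zone form raises
    ValueError, as does a malformed address (ipaddress does that check).
    """
    addr_text, sep, zone_text = text.partition("%")
    addr = ipaddress.IPv6Address(addr_text)
    if not addr.is_link_local:
        raise ValueError(f"{addr_text} is not a link-local (fe80::/10) address")
    if not sep or zone_text == "0":
        return addr, None
    if not ZONE_RE.match(zone_text):
        raise ValueError(f"unsupported egress interface {zone_text!r}")
    return addr, zone_text


def resolve_egress(zone: Optional[str], ipv6_interfaces: List[str]) -> str:
    """Pick the interface a parsed address refers to.

    With an explicit zone, that interface must carry IPv6. Without one, the
    page says the address refers to the single interface on which IPv6 is
    defined; rejecting the case of several candidates is an assumption.
    """
    if zone is not None:
        if zone not in ipv6_interfaces:
            raise ValueError(f"{zone} has no IPv6 address defined")
        return zone
    if len(ipv6_interfaces) != 1:
        raise ValueError("egress interface is required when several interfaces carry IPv6")
    return ipv6_interfaces[0]


def format_ipv6z(addr: ipaddress.IPv6Address, zone: Optional[str]) -> str:
    """Inverse of parse_ipv6z; a missing zone is written without the % suffix."""
    return str(addr) if zone is None else f"{addr}%{zone}"
```

The address and the zone are split before the address is handed to ipaddress, so the parser behaves the same on Python versions that do not accept a scope id in IPv6Address.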
Loopback Interface
When an IP application on a router wants to communicate with a remote IP
application, it must select the local IP address to be used as its IP address. It can
use any IP address defined on the router, but if this link goes down, the
communication is aborted, even though there might well be another IP route
between these IP applications.
The loopback interface is a virtual interface whose operational state is always up.
If the IP address that is configured on this virtual interface is used as the local
address when communicating with remote IP applications, the communication will
not be aborted even if the actual route to the remote application was changed.
The name of the loopback interface is loopback1.
A loopback interface does not support bridging; it cannot be a member of any
VLAN, and no layer 2 protocol can be enabled on it.
Layer 3 Specification
IP Interface
IPv4 and IPv6 addresses can be assigned to a loopback interface.
The IPv6 link-local interface identifier is 1.
Routing Protocols
A routing protocol running on the switch supports the advertising of the IP prefixes
defined on the loopback interfaces via the routing protocol redistribution
mechanism.
If a layer 2 switch with one IPv4 address supports a loopback interface, the above
rules are replaced by the following ones:
This is the definition of the IP configuration when the device is in layer 2 mode:
•exclude: Excludes all lines that have a sequence of characters matching the
given regular expression pattern.
•count: Counts all lines that have a sequence of characters matching the
given regular expression pattern and displays the result (no other output is
displayed).
NOTE Only 1 output modifier can be used in each command. The remainder of the text
typed in is part of the regular expression pattern.
A regular expression is a pattern (a phrase, number, or more complex pattern). The
CLI String Search feature matches regular expressions to the show or more
command output. Regular expressions are case-sensitive and allow for complex
matching requirements.
A regular expression can be a single-character pattern or a multiple-character
pattern. That is, a regular expression can be a single character that matches the
same single character in the command output or multiple characters that match
the same multiple characters in the command output. The pattern in the command
output is referred to as a string. This section describes creating both
single-character patterns and multiple-character patterns. It also discusses
creating more complex regular expressions, using multipliers, alternation,
anchoring, and parentheses.
Single-Character Patterns
The simplest regular expression is a single character that matches the same single
character in the command output. You can use any letter (A-Z, a-z) or digit (0-9) as
a single-character pattern. You can also use other keyboard characters (such as !
or ~) as single-character patterns, but certain keyboard characters have special
meaning when used in regular expressions. The following table lists the keyboard
characters that have special meanings.
Character   Meaning
.           Matches any single character, including white space.
*           Matches 0 or more sequences of the pattern.
+           Matches 1 or more sequences of the pattern.
?           Matches 0 or 1 occurrences of the pattern.
^           Matches the beginning of the string.
$           Matches the end of the string.
To use these special characters as single-character patterns, remove the special
meaning by preceding each character with a backslash (\).
The following examples are single-character patterns matching a dollar sign, an
underscore, and a plus sign, respectively.
\$ \_ \+
You can specify a range of single-character patterns to match against command
output. For example, you can create a regular expression that matches a string
containing one of the following letters: a, e, i, o, or u. Only one of these characters
must exist in the string for pattern matching to succeed. To specify a range of
single-character patterns, enclose the single-character patterns in square
brackets ([ ]). For example, [aeiou] matches any one of the five vowels of the
lowercase alphabet, while [abcdABCD] matches any one of the first four letters of
the lower- or uppercase alphabet.
You can simplify ranges by entering only the endpoints of the range separated by
a dash (-). Simplify the previous range as follows:
[a-dA-D]
To add a dash as a single-character pattern in your range, include another dash
and precede it with a backslash:
[a-dA-D\-]
You can also include a right square bracket (]) as a single-character pattern in your
range, as shown here:
[a-dA-D\-\]]
The previous example matches any one of the first four letters of the lower- or
uppercase alphabet, a dash, or a right square bracket.
You can reverse the matching of the range by including a caret (^) at the start of
the range. The following example matches any letter except the ones listed:
[^a-dqsv]
The following example matches anything except a right square bracket (]) or the
letter d:
[^\]d]
When creating regular expressions, you can also specify a pattern containing
multiple characters. You create multiple-character regular expressions by joining
letters, digits, or keyboard characters that do not have special meaning. For
example, a4% is a multiple-character regular expression.
With multiple-character patterns, order is important. The regular expression a4%
matches the character a followed by a 4 followed by a % sign. If the string does
not have a4%, in that order, pattern matching fails. The multiple-character regular
expression a. uses the special meaning of the period character to match the letter
a followed by any single character. With this example, the strings ab, a!, or a2 are
all valid matches for the regular expression.
You can remove the special meaning of the period character by inserting a
backslash before it. For example, when the expression a\. is used in the command
syntax, only the string a. will be matched.
You can create a multiple-character regular expression containing all letters, all
digits, all keyboard characters, or a combination of letters, digits, and other
keyboard characters. For example, telebit 3107 v32bis is a valid regular
expression.
Multipliers
You can create more complex regular expressions that instruct the system to
match multiple occurrences of a specified regular expression. To do so, use some
special characters with your single-character and multiple-character patterns.
Table 1 lists the special characters that specify multiples of a regular expression.
Table 1: Special Characters Used as Multipliers
Character   Description
*           Matches 0 or more single-character or multiple-character patterns.
+           Matches 1 or more single-character or multiple-character patterns.
?           Matches 0 or 1 occurrences of a single-character or
            multiple-character pattern.
The following example matches any number of occurrences of the letter a,
including none:
a*
The following pattern requires that at least one letter a be in the string to be
matched:
a+
The following pattern matches the string bb or bab:
ba?b
The following string matches any number of asterisks (*):
\**
To use multipliers with multiple-character patterns, enclose the pattern in
parentheses. In the following example, the pattern matches any number of the
multiple-character string ab:
(ab)*
The following pattern matches one or more instances of alphanumeric pairs, but
not none (that is, an empty string is not a match):
([A-Za-z][0-9])+
The order for matches using multipliers (*, +, or ?) is to put the longest construct
first. Nested constructs are matched from outside to inside. Concatenated
constructs are matched beginning at the left side of the construct. Thus, the
regular expression above matches A9b3, but not 9Ab3 because the letters are
specified before the numbers.
Alternation
Alternation allows you to specify alternative patterns to match against a string. You
separate the alternative patterns with a vertical bar (|). Only one of the alternatives
can match the string. For example, the regular expression codex|telebit either
matches the string codex or the string telebit, but not both codex and telebit.
Anchoring
You can instruct the system to match a regular expression pattern against the
beginning or the end of the string. You anchor these regular expressions to a
portion of the string using the special characters shown in Table 2.
Table 2: Special Characters Used for Anchoring
Character   Description
^           Matches the beginning of the string.
$           Matches the end of the string.
For example, the regular expression ^con matches any string that starts with con,
and sole$ matches any string that ends with sole.
In addition to indicating the beginning of a string, the ^ symbol can be used to
indicate the logical function not when used in a bracketed range. For example, the
expression [^abcd] indicates a range that matches any single letter, as long as it is
not the letters a, b, c, or d.
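As an added example (not code from the page or from Cisco), the following Python models the output modifiers described earlier in this section (exclude and count) together with the pattern rules just described, running them over constructed show output. The include modifier and the sample output lines are assumptions, and Python's re module stands in for the device's matcher; the matches helper is used below to check the page's own patterns.

```python
import re

# Constructed lines standing in for the output of a show command (not a capture
# from a real device).
SAMPLE_OUTPUT = """\
Port      Type         Status        Vlan
gi1       1G-Copper    Up            1
gi2       1G-Copper    Down          1
gi3       1G-Copper    Up            20
gi4       1G-Copper    Notconnected  1
po1       LAG          Up            1
console   -            Up            -"""

# Characters that are special in a pattern; a backslash removes the special
# meaning. The page lists . * + ? ^ $ [ ]; the backslash itself and the
# alternation/grouping characters are added here.
SPECIAL = set(r".*+?^$[]\|()")


def cli_escape(literal: str) -> str:
    """Build a pattern that matches the literal text, e.g. 'a.' -> 'a\\.'."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in literal)


def matches(pattern: str, text: str, whole: bool = False) -> bool:
    """True when the pattern occurs in text; whole=True anchors both ends."""
    return bool(re.fullmatch(pattern, text) if whole else re.search(pattern, text))


def apply_modifier(output: str, modifier: str, pattern: str) -> str:
    """Apply one output modifier to show output. Matching is case-sensitive and
    a line matches when the pattern occurs anywhere in it."""
    regex = re.compile(pattern)
    lines = output.splitlines()
    if modifier == "count":                 # only the number is displayed
        return str(sum(1 for line in lines if regex.search(line)))
    if modifier == "exclude":
        return "\n".join(line for line in lines if not regex.search(line))
    if modifier == "include":               # assumption: the page's modifier list is cut off
        return "\n".join(line for line in lines if regex.search(line))
    raise ValueError(f"unknown output modifier {modifier!r}")


def filter_show(command_line: str, output: str) -> str:
    """'show ... | <modifier> <pattern>': a single modifier is allowed, and all
    text after the modifier keyword (spaces and further '|' included) is the
    regular expression, so a second modifier cannot be chained."""
    _, pipe, tail = command_line.partition("|")
    if not pipe:
        return output
    modifier, _, pattern = tail.strip().partition(" ")
    if not pattern:
        raise ValueError("output modifier needs a pattern")
    return apply_modifier(output, modifier, pattern)
```

Because the pattern runs to the end of the line, "count Down|Notconnected" is one regular expression with an alternation, not a count followed by a second modifier.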
Use the ip access-list extended Global Configuration mode command to name an
IPv4 access list (ACL) and to place the device in IPv4 Access List Configuration
mode. All commands after this command refer to this ACL. The rules (ACEs) for this
ACL are defined in the permit ( IP ) and deny ( IP ) commands. The service-acl input
command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
ip access-list extended acl-name
no ip access-list extended acl-name
Parameters
•acl-name—Name of the IPv4 access list. (Range 1-32 characters)
Default Configuration
No IPv4 access list is defined.
Command Mode
Global Configuration mode
User Guidelines
An IPv4 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy
maps cannot have the same name.
Use the permit IP Access-list Configuration mode command to set permit
conditions for an IPv4 access list (ACL). Permit conditions are also known as
access control entries (ACEs). Use the no form of the command to remove the
access control entry.
Syntax
permit protocol {any | source source-wildcard} {any | destination
destination-wildcard} [ace-priority priority] [dscp number | precedence number]
[time-range time-range-name] [log-input]
permit icmp {any | source source-wildcard} {any | destination
destination-wildcard} [any | icmp-type] [any | icmp-code] [ace-priority priority]
[dscp number | precedence number] [time-range time-range-name] [log-input]
permit igmp {any | source source-wildcard} {any | destination
destination-wildcard} [igmp-type] [ace-priority priority] [dscp number |
precedence number] [time-range time-range-name] [log-input]
permit tcp {any | source source-wildcard} {any | source-port/port-range}
{any | destination destination-wildcard} {any | destination-port/port-range}
[ace-priority priority] [dscp number | precedence number]
[match-all list-of-flags] [time-range time-range-name] [log-input]
permit udp {any | source source-wildcard} {any | source-port/port-range}
{any | destination destination-wildcard} {any | destination-port/port-range}
[ace-priority priority] [dscp number | precedence number]
[time-range time-range-name] [log-input]
The no form of each command takes the same parameters.
Parameters
•protocol—The name or the number of an IP protocol. Available protocol
names are: icmp, igmp, ip, tcp, egp, igp, udp, hmp, rdp, idpr, ipv6, ipv6:rout,
ipv6:frag, idrp, rsvp, gre, esp, ah, ipv6:icmp, eigrp, ospf, ipinip, pim, l2tp, isis.
To match any protocol, use the ip keyword. (Range: 0–255)
•source—Source IP address of the packet.
•source-wildcard—Wildcard bits to be applied to the source IP address. Use
ones in the bit position that you want to be ignored.
•destination—Destination IP address of the packet.
•destination-wildcard—Wildcard bits to be applied to the destination IP
address. Use ones in the bit position that you want to be ignored.
•priority—Specify the priority of the access control entry (ACE) in the access
control list (ACL). "1" value represents the highest priority and "2147483647"
number represents the lowest priority. (Range: 1-2147483647)
•dscp number—Specifies the DSCP value.
•precedence number—Specifies the IP precedence value.
•icmp-type—Specifies an ICMP message type for filtering ICMP packets.
Enter a number or one of the following values: echo-reply,
destination-unreachable, source-quench, redirect, alternate-host-address,
echo-request, router-advertisement, router-solicitation, time-exceeded,
parameter-problem, timestamp, timestamp-reply, information-request,
information-reply, address-mask-request, address-mask-reply, traceroute,
datagram-conversion-error, mobile-host-redirect,
mobile-registration-request, mobile-registration-reply,
domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
•icmp-code—Specifies an ICMP message code for filtering ICMP packets.
(Range: 0–255)
•igmp-type—IGMP packets can be filtered by IGMP message type. Enter a
number or one of the following values: host-query, host-report, dvmrp, pim,
cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
•destination-port—Specifies the UDP/TCP destination port. You can enter a
range of ports by using a hyphen, e.g. 20 - 21. For TCP enter a number or one
of the following values: bgp (179), chargen (19), daytime (13), discard (9),
domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher
(70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119),
pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds
(49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For
UDP enter a number or one of the following values: biff (512), bootpc (68),
bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434),
nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500),
ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514),
tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177).
(Range: 0–65535)
•source-port—Specifies the UDP/TCP source port. Predefined port names
are defined in the destination-port parameter. (Range: 0–65535)
•match-all list-of-flags—List of TCP flags that should occur. If a flag should be
set, it is prefixed by "+". If a flag should be unset, it is prefixed by "-".
Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst,
-syn and -fin. The flags are concatenated to one string. For example:
+fin-ack.
•time-range-name—Name of the time range that applies to this permit
statement. (Range: 1–32)
•log-input—Specifies sending an informational SYSLOG message about the
packet that matches the entry. Because forwarding/dropping is done in
hardware and logging is done in software, if a large number of packets
match an ACE containing a log-input keyword, the software might not be
able to match the hardware processing rate, and not all packets will be
logged.
User Guidelines
If a range of ports is used for the source port in an ACE, it is not counted again if it is
also used for the source port in another ACE. If a range of ports is used for the
destination port in an ACE, it is not counted again if it is also used for the destination
port in another ACE.
If a range of ports is used for the source port, it is counted again if it is also used for
the destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest
priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If
the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# ip access-list extended server
switchxxxxxx(config-ip-al)# permit ip 176.212.0.0 0.0.255.255 any
deny ( IP )
Use the deny IP Access-list Configuration mode command to set deny conditions
for IPv4 access list. Deny conditions are also known as access control entries
(ACEs). Use the no form of the command to remove the access control entry.
—The name or the number of an IP protocol. Available protocol
—Source IP address of the packet.
—Wildcard bits to be applied to the source IP address. Use
—Destination IP address of the packet.
time-range-name]
} {any
|source-port/port-range
|destination-port/port-range
[disable-port |log-input ]
} [dscp
} {any
number |
|
Page 54
2
ACL Commands
•
destination-wildcard
address. Use 1s in the bit position that you want to be ignored.
•
priority
•destination-wildcard—Wildcard bits to be applied to the destination IP address.
•priority—Specify the priority of the access control entry (ACE) in the access control list (ACL). "1" value represents the highest priority and "2147483647" number represents the lowest priority. (Range: 1–2147483647)
•dscp number—Specifies the DSCP value.
•precedence number—Specifies the IP precedence value.
•icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: echo-reply, destination-unreachable, source-quench, redirect, alternate-host-address, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem, timestamp, timestamp-reply, information-request, information-reply, address-mask-request, address-mask-reply, traceroute, datagram-conversion-error, mobile-host-redirect, mobile-registration-request, mobile-registration-reply, domain-name-request, domain-name-reply, skip, photuris. (Range: 0–255)
•icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
•igmp-type—IGMP packets can be filtered by IGMP message type. Enter a number or one of the following values: host-query, host-report, dvmrp, pim, cisco-trace, host-report-v2, host-leave-v2, host-report-v3. (Range: 0–255)
•destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, e.g. 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
•source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
ACL Commands
•match-all list-of-flags—List of TCP flags that should occur. If a flag should be set it is prefixed by "+". If a flag should be unset it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack.
•time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
•disable-port—The Ethernet interface is disabled if the condition is matched.
•log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
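A parser and matcher for the match-all list-of-flags string described above, as an added Python example (not device code); the ACE list it walks is constructed for illustration.

```python
import re

# The six flag names the match-all keyword accepts, as listed in the parameter description.
TCP_FLAGS = ("urg", "ack", "psh", "rst", "syn", "fin")
_TOKEN = re.compile(r"([+-])(" + "|".join(TCP_FLAGS) + r")")


def parse_flag_list(list_of_flags: str) -> dict:
    """Turn a concatenated flag string such as "+fin-ack" into
    {"fin": True, "ack": False}: True means the flag must be set,
    False means it must be unset.

    Unknown flag names, stray characters between tokens, an empty string,
    and a flag named twice (e.g. "+syn-syn", which could never match) are
    rejected with ValueError.
    """
    required = {}
    pos = 0
    for m in _TOKEN.finditer(list_of_flags):
        if m.start() != pos:
            raise ValueError(
                f"unexpected text {list_of_flags[pos:m.start()]!r} at offset {pos}")
        sign, name = m.groups()
        if name in required:
            raise ValueError(f"flag {name!r} listed twice in {list_of_flags!r}")
        required[name] = (sign == "+")
        pos = m.end()
    if pos != len(list_of_flags) or not required:
        raise ValueError(f"malformed flag list: {list_of_flags!r}")
    return required


def is_valid_flag_list(list_of_flags: str) -> bool:
    """True when parse_flag_list() would accept the string."""
    try:
        parse_flag_list(list_of_flags)
        return True
    except ValueError:
        return False


def flags_match(list_of_flags: str, packet_flags) -> bool:
    """Apply a match-all condition to the set of flags set in a TCP segment.
    Only the flags named in the list are constrained; any other flag may have
    either value, so "+fin-ack" also matches a segment with FIN and PSH set."""
    packet_flags = set(packet_flags)
    return all((name in packet_flags) == want
               for name, want in parse_flag_list(list_of_flags).items())


# Constructed sample: (action, list_of_flags) pairs in evaluation order;
# None means the ACE carries no match-all condition.
SAMPLE_ACES = [("deny", "+syn-ack"), ("permit", "+ack"), ("permit", None)]


def first_matching_ace(aces, packet_flags):
    """Walk ACEs in evaluation order and return the action of the first one
    whose match-all condition fits, or None when nothing matched."""
    for action, list_of_flags in aces:
        if list_of_flags is None or flags_match(list_of_flags, packet_flags):
            return action
    return None


if __name__ == "__main__":
    for flags in ({"syn"}, {"syn", "ack"}, {"psh", "ack"}):
        print(sorted(flags), "->", first_matching_ace(SAMPLE_ACES, flags))
```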
Default Configuration
No IPv4 access list is defined.
Command Mode
IP Access-list Configuration mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE. If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Use the ipv6 access-list Global Configuration mode command to define an IPv6 access list (ACL) and to place the device in IPv6 Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (IPv6) and deny (IPv6) commands. The service-acl input command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
ipv6 access-list [acl-name]
no ipv6 access-list [acl-name]
Parameters
acl-name—Name of the IPv6 access list. (Range: 1–32 characters)
Default Configuration
No IPv6 access list is defined.
Command Mode
Global Configuration mode
User Guidelines
An IPv6 ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name.
Every IPv6 ACL has an implicit permit icmp any any nd-ns any, permit icmp any any nd-na any, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.)
The IPv6 neighbor discovery process uses the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, uses a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Use the permit command in IPv6 Access-list Configuration mode to set permit conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.
Parameters
•protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255)
•source-prefix/length—The source IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
•destination-prefix/length—The destination IPv6 network or class of networks about which to set permit conditions. This argument must be in the form documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
•priority—Specify the priority of the access control entry (ACE) in the access control list (ACL). "1" value represents the highest priority and "2147483647" number represents the lowest priority. (Range: 1–2147483647)
•dscp number—Specifies the DSCP value. (Range: 0–63)
•precedence number—Specifies the IP precedence value.
•icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range: 0–255)
•icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
•destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, e.g. 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
•source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
•match-all list-of-flags—List of TCP flags that should occur. If a flag should be set it is prefixed by "+". If a flag should be unset it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack.
•time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
•log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
Default Configuration
No IPv6 access list is defined.
Command Mode
IPv6 Access-list Configuration mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE. If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Use the deny command in IPv6 Access-list Configuration mode to set deny conditions (ACEs) for IPv6 ACLs. Use the no form of the command to remove the access control entry.
Syntax
deny protocol {any | source-prefix/length} {any | destination-prefix/length} [ace-priority priority] [dscp number | precedence number] [time-range time-range-name] [disable-port | log-input]
deny {tcp | udp} {any | source-prefix/length} {any | source-port/port-range} {any | destination-prefix/length} {any | destination-port/port-range} [ace-priority priority] [dscp number | precedence number] [match-all list-of-flags] [time-range time-range-name] [disable-port | log-input]
Parameters
•protocol—The name or the number of an IP protocol. Available protocol names are: icmp (58), tcp (6) and udp (17). To match any protocol, use the ipv6 keyword. (Range: 0–255)
•source-prefix/length—The source IPv6 network or class of networks about which to set deny conditions. This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
•destination-prefix/length—The destination IPv6 network or class of networks about which to set deny conditions. This argument must be in the format documented in RFC 3513 where the address is specified in hexadecimal using 16-bit values between colons.
•priority—Specify the priority of the access control entry (ACE) in the access control list (ACL). "1" value represents the highest priority and "2147483647" number represents the lowest priority. (Range: 1–2147483647)
•dscp number—Specifies the DSCP value. (Range: 0–63)
•precedence number—Specifies the IP precedence value.
•icmp-type—Specifies an ICMP message type for filtering ICMP packets. Enter a number or one of the following values: destination-unreachable (1), packet-too-big (2), time-exceeded (3), parameter-problem (4), echo-request (128), echo-reply (129), mld-query (130), mld-report (131), mldv2-report (143), mld-done (132), router-solicitation (133), router-advertisement (134), nd-ns (135), nd-na (136). (Range: 0–255)
•icmp-code—Specifies an ICMP message code for filtering ICMP packets. (Range: 0–255)
•destination-port—Specifies the UDP/TCP destination port. You can enter a range of ports by using a hyphen, e.g. 20-21. For TCP enter a number or one of the following values: bgp (179), chargen (19), daytime (13), discard (9), domain (53), drip (3949), echo (7), finger (79), ftp (21), ftp-data (20), gopher (70), hostname (42), irc (194), klogin (543), kshell (544), lpd (515), nntp (119), pop2 (109), pop3 (110), smtp (25), sunrpc (111), syslog (514), tacacs-ds (49), talk (517), telnet (23), time (37), uucp (117), whois (43), www (80). For UDP enter a number or one of the following values: biff (512), bootpc (68), bootps (67), discard (9), dnsix (90), domain (53), echo (7), mobile-ip (434), nameserver (42), netbios-dgm (138), netbios-ns (137), non500-isakmp (4500), ntp (123), rip (520), snmp (161), snmptrap (162), sunrpc (111), syslog (514), tacacs (49), talk (517), tftp (69), time (37), who (513), xdmcp (177). (Range: 0–65535)
•source-port—Specifies the UDP/TCP source port. Predefined port names are defined in the destination-port parameter. (Range: 0–65535)
•match-all list-of-flags—List of TCP flags that should occur. If a flag should be set it is prefixed by "+". If a flag should be unset it is prefixed by "-". Available options are +urg, +ack, +psh, +rst, +syn, +fin, -urg, -ack, -psh, -rst, -syn and -fin. The flags are concatenated into one string. For example: +fin-ack.
•time-range-name—Name of the time range that applies to this deny statement. (Range: 1–32)
•disable-port—The Ethernet interface is disabled if the condition is matched.
•log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
Default Configuration
No IPv6 access list is defined.
Command Mode
IPv6 Access-list Configuration mode
User Guidelines
The number of TCP/UDP ranges that can be defined in ACLs is limited. If a range of ports is used for a source port in an ACE, it is not counted again if it is also used for a source port in another ACE. If a range of ports is used for a destination port in an ACE, it is not counted again if it is also used for a destination port in another ACE.
If a range of ports is used for a source port, it is counted again if it is also used for a destination port.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Use the mac access-list Global Configuration mode command to define a Layer 2 access list (ACL) based on source MAC address filtering and to place the device in MAC Access-list Configuration mode. All commands after this command refer to this ACL. The rules (ACEs) for this ACL are defined in the permit (MAC) and deny (MAC) commands. The service-acl input command is used to attach this ACL to an interface.
Use the no form of this command to remove the access list.
Syntax
mac access-list extended acl-name
no mac access-list extended acl-name
Parameters
acl-name—Specifies the name of the MAC ACL. (Range: 1–32 characters)
Default Configuration
No MAC access list is defined.
Command Mode
Global Configuration mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
2.8 permit (MAC)
Use the permit command in MAC Access-list Configuration mode to set permit conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry.
Parameters
•source-wildcard—Wildcard bits to be applied to the source MAC address.
•destination—Destination MAC address of the packet.
•destination-wildcard—Wildcard bits to be applied to the destination MAC address.
•priority—Specify the priority of the access control entry (ACE) in the access control list (ACL). "1" value represents the highest priority and "2147483647" number represents the lowest priority. (Range: 1–2147483647)
•eth-type—The Ethernet type in hexadecimal format of the packet.
•vlan-id—The VLAN ID of the packet. (Range: 1–4094)
•cos—The Class of Service of the packet. (Range: 0–7)
•cos-wildcard—Wildcard bits to be applied to the CoS.
•time-range-name—Name of the time range that applies to this permit statement. (Range: 1–32)
•log-input—Specifies sending an informational SYSLOG message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Use the deny command in MAC Access-list Configuration mode to set deny conditions (ACEs) for a MAC ACL. Use the no form of the command to remove the access control entry.
•log-input—Specifies sending an informational syslog message about the packet that matches the entry. Because forwarding/dropping is done in hardware and logging is done in software, if a large number of packets match an ACE containing a log-input keyword, the software might not be able to match the hardware processing rate, and not all packets will be logged.
Default Configuration
No MAC access list is defined.
Command Mode
MAC Access-list Configuration mode
User Guidelines
A MAC ACL is defined by a unique name. IPv4 ACL, IPv6 ACL, MAC ACL or policy maps cannot have the same name.
If ace-priority is omitted, the system sets the rule's priority to the current highest priority ACE (in the current ACL) + 20. The ACE priority must be unique per ACL. If the user enters a priority that already exists, the command is rejected.
Example
switchxxxxxx(config)# mac access-list extended server1
switchxxxxxx(config-mac-al)# deny 00:00:00:00:00:01 00:00:00:00:00:ff any
2.10 service-acl input
Use the service-acl input command in Interface Configuration mode to bind an access list (ACL) or access lists to an interface.
Use the no form of this command to remove all ACLs from the interface.
The following rules govern when ACLs can be bound or unbound from an interface:
•IPv4 ACLs and IPv6 ACLs can be bound together to an interface.
•A MAC ACL cannot be bound on an interface which already has an IPv4 ACL or IPv6 ACL bound to it.
•Two ACLs of the same type cannot be bound to a port.
•An ACL cannot be bound to a port that is already bound to an ACL, without first removing the current ACL. Both ACLs must be mentioned at the same time in this command.
•MAC ACLs that include a VLAN as match criteria cannot be bound to a VLAN.
•ACLs with time-based configuration on one of its ACEs cannot be bound to a VLAN.
•ACLs with the action Shutdown cannot be bound to a VLAN.
•When the user binds an ACL to an interface, TCAM resources are consumed: one TCAM rule for each MAC or IP ACE and two TCAM rules for each IPv6 ACE. The TCAM consumption is always an even number, so in case of an odd number of rules the consumption is increased by 1.
•An ACL cannot be bound as input if it has been bound as output.
An ACL cannot be added to a port that is already bound to an ACL, without first removing the current ACL and binding the two ACLs together.
An ACL cannot be bound as output if it has been bound as input.
Example
This example binds an egress ACL to a port:
switchxxxxxx(config)# mac access-list extended server
switchxxxxxx(config-mac-al)# permit 00:00:00:00:00:01 00:00:00:00:00:ff any
switchxxxxxx(config-mac-al)# exit
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# service-acl output server
2.12 time-range
Use the time-range Global Configuration mode command to define time ranges for different functions. In addition, this command enters the Time-range Configuration mode. All commands after this one refer to the time-range being defined.
This command sets a time-range name. Use the absolute and periodic commands to actually configure the time-range.
Use the no form of this command to remove the time range from the device.
Syntax
time-range time-range-name
no time-range time-range-name
Parameters
time-range-name—Specifies the name for the time range. (Range: 1–32 characters)
After adding the name of a time range with this command, use the absolute and
periodic commands to actually configure the time-range. Multiple periodic
commands are allowed in a time range. Only one absolute command is allowed.
If a time-range command has both absolute and periodic values specified, then
the periodic items are evaluated only after the absolute start time is reached, and
are not evaluated again after the absolute end time is reached.
All time specifications are interpreted as local time.
To ensure that the time range entries take effect at the desired times, the software
clock should be set by the user or by SNTP. If the software clock is not set by the
user or by SNTP, the time range ACEs are not activated.
The user cannot delete a time-range that is bound to any features.
When a time range is defined, it can be used in the following commands:
•dot1x port-control
•power inline
•operation time
•permit (IP)
•deny (IP)
•permit (IPv6)
•deny (IPv6)
•permit (MAC)
•deny (MAC)
Example
switchxxxxxx(config)# time-range http-allowed
console(config-time-range)# periodic mon 12:00 to wed 12:00
Use the absolute Time-range Configuration mode command to specify an
absolute time when a time range is in effect. Use the no form of this command to
remove the time limitation.
Syntax
absolute start hh:mm day month year
no absolute start
absolute end hh:mm day month year
no absolute end
Parameters
•start—Absolute time and date that the permit or deny statement of the associated function goes into effect. If no start time and date are specified, the function is in effect immediately.
•end—Absolute time and date that the permit or deny statement of the associated function is no longer in effect. If no end time and date are specified, the function is in effect indefinitely.
•hh:mm—Time in hours (military format) and minutes. (Range: hh: 0–23, mm: 0–59)
•day—Day (by date) in the month. (Range: 1–31)
•month—Month (first three letters by name). (Range: Jan...Dec)
•year—Year (no abbreviation). (Range: 2000–2097)
Default Configuration
There is no absolute time when the time range is in effect.
Use the periodic Time-range Configuration mode command to specify a recurring
(weekly) time range for functions that support the time-range feature. Use the no
form of this command to remove the time limitation.
Syntax
periodic day-of-the-week hh:mm to day-of-the-week hh:mm
no periodic day-of-the-week hh:mm to day-of-the-week hh:mm
periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
no periodic list hh:mm to hh:mm day-of-the-week1 [day-of-the-week2… day-of-the-week7]
periodic list hh:mm to hh:mm all
no periodic list hh:mm to hh:mm all
Parameters
•day-of-the-week—The starting day that the associated time range is in effect. The second occurrence is the ending day the associated statement is in effect. The second occurrence can be the following week (see description in the User Guidelines). Possible values are: mon, tue, wed, thu, fri, sat, and sun.
•hh:mm—The first occurrence of this argument is the starting hours:minutes (military format) that the associated time range is in effect. The second occurrence is the ending hours:minutes (military format) the associated statement is in effect. The second occurrence can be at the following day (see description in the User Guidelines). (Range: hh: 0–23, mm: 0–59)
•list day-of-the-week1—Specifies a list of days that the time range is in effect.
Default Configuration
There is no periodic time when the time range is in effect.
User Guidelines
The second occurrence of the day can be at the following week, e.g. Thursday–Monday means that the time range is effective on Thursday, Friday, Saturday, Sunday, and Monday.
The second occurrence of the time can be on the following day, e.g. "22:00–2:00".
Example
switchxxxxxx(config)# time-range http-allowed
switchxxxxxx(config-time-range)# periodic mon 12:00 to wed 12:00
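The absolute/periodic semantics described above (periodic windows that wrap past midnight or past the end of the week, evaluated only inside the absolute window, and inactive while the software clock is unset), as an added Python model that is not the switch's code. It assumes the end minute of a window is exclusive.

```python
from datetime import datetime
from typing import List, Optional

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # same order as datetime.weekday()
DAY = 24 * 60
WEEK = 7 * DAY


def _minute_of_week(day: str, hhmm: str) -> int:
    """Minutes since Monday 00:00 for a day keyword and an hh:mm string."""
    hh, mm = (int(x) for x in hhmm.split(":"))
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError(f"bad time {hhmm!r}")
    return DAYS.index(day) * DAY + hh * 60 + mm


class Periodic:
    """One recurring window. start/end are minutes of the week; end may exceed
    WEEK when the window wraps into the following week.
    Assumption: the end minute itself is exclusive."""

    def __init__(self, start_day: str, start: str, end_day: str, end: str,
                 same_day: bool = False):
        self.start = _minute_of_week(start_day, start)
        self.end = _minute_of_week(end_day, end)
        if self.end <= self.start:
            # 'periodic list 22:00 to 2:00 ...' ends on the following day;
            # 'periodic thu ... to mon ...' ends in the following week.
            self.end += DAY if same_day else WEEK

    def contains(self, minute: int) -> bool:
        # second clause handles a window that wrapped past Sunday night
        return self.start <= minute < self.end or self.start <= minute + WEEK < self.end


class TimeRange:
    def __init__(self, name: str):
        self.name = name
        self.absolute_start: Optional[datetime] = None
        self.absolute_end: Optional[datetime] = None
        self.periodics: List[Periodic] = []

    def absolute(self, start: Optional[datetime] = None,
                 end: Optional[datetime] = None) -> None:
        """'absolute start ...' and/or 'absolute end ...' (one absolute per range)."""
        if start is not None:
            self.absolute_start = start
        if end is not None:
            self.absolute_end = end

    def periodic(self, start_day: str, start: str, end_day: str, end: str) -> None:
        """'periodic <day> hh:mm to <day> hh:mm'."""
        self.periodics.append(Periodic(start_day, start, end_day, end))

    def periodic_list(self, start: str, end: str, days=None) -> None:
        """'periodic list hh:mm to hh:mm <days...>', or '... all' when days is None."""
        for d in (days or DAYS):
            self.periodics.append(Periodic(d, start, d, end, same_day=True))

    def active(self, now: Optional[datetime]) -> bool:
        """Is the range in effect at local time `now`? None means the software
        clock has not been set by the user or SNTP, so time-based ACEs stay off."""
        if now is None:
            return False
        # periodic entries only count between the absolute start and end
        if self.absolute_start is not None and now < self.absolute_start:
            return False
        if self.absolute_end is not None and now >= self.absolute_end:
            return False
        if not self.periodics:            # absolute-only range
            return True
        minute = now.weekday() * DAY + now.hour * 60 + now.minute
        return any(p.contains(minute) for p in self.periodics)


if __name__ == "__main__":
    tr = TimeRange("http-allowed")        # the range from the example above
    tr.periodic("mon", "12:00", "wed", "12:00")
    print(tr.active(datetime(2024, 1, 2, 9, 0)), tr.active(datetime(2024, 1, 4, 9, 0)))
```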
2.15 show time-range
Use the show time-range User EXEC mode command to display the time range configuration.
Syntax
show time-range [time-range-name]
Parameters
time-range-name—Specifies the name of an existing time range.
Command Mode
User EXEC mode
Example
switchxxxxxx> show time-range
http-allowed
--------------
absolute start 12:00 1 Jan 2005 end 12:00 31 Dec 2005
•src-addr[/src-len] | any—IP prefix defined as an IP address and length or any. If src-len is not defined, a value of 32 is applied. A value of src-len must be in the interval 1-32.
Command Mode
Global Configuration mode
User Guidelines
Use the ip access-list command to configure IP address filtering. Access lists are configured with permit or deny keywords to either permit or deny an IP address based on a matching condition. An implicit deny is applied to any address that does not match any access-list entry.
An access-list entry consists of an IP address and a bit mask. The bit mask is a number from 1 to 32.
Evaluation of an IP address by an access list starts with the first entry of the list and continues down the list until a match is found. When the IP address match is found, the permit or deny statement is applied to that address and the remainder of the list is not evaluated.
Use the no ip access-list command to delete the access list.
In addition to filtering IP traffic on a per-port basis, a basic IP access control list can be used by RIP (Routing Information Protocol) to filter route updates.
Examples
Example 1 - The following example of a standard access list allows only the three specified networks. Any IP address that does not match the access list statements will be rejected.
switchxxxxxx(config)# ip access-list 1 permit 192.168.34.0/24
switchxxxxxx(config)# ip access-list 1 permit 10.88.0.0/16
switchxxxxxx(config)# ip access-list 1 permit 10.0.0.0/8
Note: all other access is implicitly denied.
Example 2 - The following example of a standard access list allows access for IP
addresses in the range from 10.29.2.64 to 10.29.2.127. All IP addresses not in this
range will be rejected.
switchxxxxxx(config)# ip access-list apo permit 10.29.2.64/26
Example 3 - To specify a large number of individual addresses more easily, you can omit the mask length if it is 32. Thus, the following two configuration commands are identical in effect:
switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3
switchxxxxxx(config)# ip access-list 2aa permit 10.48.0.3/32
2.21 ipv6 access-list (IP standard)
The ipv6 access-list Global Configuration mode command defines an IPv6 standard list. The no format of the command removes the list.
Syntax
ipv6 access-list access-list-name {deny|permit} {src-addr[/src-len] | any}
no ipv6 access-list access-list-name
Parameters
•access-list-name—The name of the Standard IPv6 access list. The name may contain a maximum of 32 characters.
•deny—Denies access if the conditions are matched.
•permit—Permits access if the conditions are matched.
•src-addr[/src-len] | any—IPv6 prefix defined as an IPv6 address and length or any. The any value matches all IPv6 addresses. If src-len is not defined, a value of 128 is applied. A value of src-len must be in the interval 1-128.
Default Configuration
no access list
Command Mode
Global Configuration mode
User Guidelines
Use the ipv6 access-list command to configure IPv6 address filtering. Access lists are configured with permit or deny keywords to either permit or deny an IPv6 address based on a matching condition. An implicit deny is applied to any address that does not match any access-list entry.
An access-list entry consists of an IPv6 address and a bit mask. The bit mask is a number from 1 to 128.
Evaluation of an IPv6 address by an access list starts with the first entry of the list and continues down the list until a match is found. When the IPv6 address match is found, the permit or deny statement is applied to that address and the remainder of the list is not evaluated.
Use the no ipv6 access-list command to delete the access list.
The IPv6 standard access list is used to filter received and sent IPv6 routing information.
Example
The following example of an access list allows only the one specified prefix. Any IPv6 address that does not match the access list statements will be rejected.
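The first-match evaluation described in this section and in the ip access-list (IP standard) section, as an added Python model (not the switch's code), including the omitted-length default of 32 or 128 and the implicit deny. The prefixes used are the ones from the examples plus constructed ones for the ordering and IPv6 cases.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class StandardAcl:
    """A standard ip access-list (version=4) or ipv6 access-list (version=6)."""

    def __init__(self, name: str, version: int = 4):
        self.name = name
        self.version = version
        self.entries: List[Tuple[str, Network]] = []   # kept in configuration order

    def add(self, action: str, prefix: str) -> Network:
        """One '{permit|deny} <src-addr[/src-len] | any>' entry.
        A missing src-len means a host prefix (32 or 128); 0 is rejected because
        the documented interval starts at 1 ('any' is the keyword for that case)."""
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, got {action!r}")
        if prefix == "any":
            net = ipaddress.ip_network("0.0.0.0/0" if self.version == 4 else "::/0")
        else:
            addr_text, _, len_text = prefix.partition("/")
            addr = ipaddress.ip_address(addr_text)
            if addr.version != self.version:
                raise ValueError(f"{prefix} is not an IPv{self.version} prefix")
            length = int(len_text) if len_text else addr.max_prefixlen
            if not 1 <= length <= addr.max_prefixlen:
                raise ValueError(f"src-len {length} outside 1-{addr.max_prefixlen}")
            # strict=False masks host bits so "10.48.0.3" and "10.48.0.3/32" agree
            net = ipaddress.ip_network(f"{addr}/{length}", strict=False)
        self.entries.append((action, net))
        return net

    def evaluate(self, address: str) -> Tuple[str, Optional[str]]:
        """The first entry whose prefix contains the address decides; the rest of
        the list is not consulted. Returns (action, matched prefix); an address
        that matches no entry gets the implicit deny and no prefix."""
        addr = ipaddress.ip_address(address)
        if addr.version != self.version:
            raise ValueError(f"{address} is not an IPv{self.version} address")
        for action, net in self.entries:
            if addr in net:
                return action, str(net)
        return "deny", None


if __name__ == "__main__":
    acl1 = StandardAcl("1")                  # Example 1 above
    for p in ("192.168.34.0/24", "10.88.0.0/16", "10.0.0.0/8"):
        acl1.add("permit", p)
    for ip in ("10.88.5.9", "10.1.2.3", "172.16.0.1"):
        print(ip, "->", acl1.evaluate(ip))
```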
To specify which servers are used for authentication when 802.1X authentication
is enabled, use the aaa authentication dot1x command in Global Configuration
mode. To restore the default configuration, use the no form of this command.
The following example sets the 802.1X authentication mode to RADIUS server authentication. Even if no response was received, authentication succeeds.
switchxxxxxx(config)# aaa authentication dot1x default radius none
3.2 authentication open
To enable open access (monitoring mode) on this port, use the authentication
open command in Interface Configuration mode. To disable open access on this
port, use the no form of this command.
Syntax
authentication open
no authentication open
Parameters
This command has no arguments or keywords.
Default Configuration
Disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Open Access or Monitoring mode allows clients or devices to gain network access before authentication is performed. In this mode the switch treats failure replies received from a RADIUS server as success.
Example
The following example enables open mode on interface gi11:
To enable unauthorized devices access to a VLAN, use the dot1x auth-not-req
command in Interface (VLAN) Configuration mode. To disable access to a VLAN,
use the no form of this command.
Syntax
dot1x auth-not-req
no dot1x auth-not-req
Parameters
N/A
Default Configuration
Access is enabled.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
The guest VLAN cannot be configured as unauthorized VLAN.
Example
The following example enables unauthorized devices access to VLAN 5.
To enable authentication methods on a port, use the dot1x authentication
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x authentication [802.1x] [mac] [web]
no dot1x authentication
Parameters
•802.1x—Enables authentication based on 802.1X (802.1X-based
authentication).
•mac—Enables authentication based on the station's MAC address
(MAC-Based authentication).
•web—Enables WEB-Based authentication.
Default Configuration
802.1X-Based authentication is enabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
Static MAC addresses cannot be authorized by the MAC-based method.
It is not recommended to change a dynamic MAC address to a static one or delete
it if the MAC address was authorized by the MAC-based authentication:
a. If a dynamic MAC address authenticated by MAC-based authentication is
changed to a static one, it will not be manually re-authenticated.
b. Removing a dynamic MAC address authenticated by the MAC-based
To define a guest VLAN, use the dot1x guest-vlan mode command in Interface
(VLAN) Configuration mode. To restore the default configuration, use the no form of
this command.
Syntax
dot1x guest-vlan
no dot1x guest-vlan
Parameters
N/A
Default Configuration
No VLAN is defined as a guest VLAN.
Command Mode
Interface (VLAN) Configuration mode
User Guidelines
Use the dot1x guest-vlan enable command to enable unauthorized users on an
interface to access the guest VLAN.
A device can have only one global guest VLAN.
The guest VLAN must be a static VLAN and it cannot be removed.
An unauthorized VLAN cannot be configured as guest VLAN.
Example
The following example defines VLAN 2 as a guest VLAN.
switchxxxxxx(config)# interface vlan 2
switchxxxxxx(config-if)# dot1x guest-vlan
3.8 dot1x guest-vlan enable
To enable unauthorized users on the access interface to the guest VLAN, use the
dot1x guest-vlan enable command in Interface Configuration mode. To disable
access, use the no form of this command.
Syntax
dot1x guest-vlan enable
no dot1x guest-vlan enable
Parameters
N/A
Default Configuration
The default configuration is disabled.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The port cannot belong to the guest VLAN.
The guest VLAN and the WEB-Based authentication cannot be configured on a
port at the same time.
This command cannot be configured if the monitoring VLAN is enabled on the
interface.
If the authentication mode is single-host or multi-host, the value of PVID is set to
the guest VLAN_ID.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
from unauthorized hosts are mapped to the guest VLAN.
If 802.1X is disabled, the port static configuration is reset.
See the User Guidelines of the dot1x host-mode command for more information.
Example
The following example enables unauthorized users on gi11 to access the guest VLAN.
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# dot1x guest-vlan enable
3.9 dot1x guest-vlan timeout
To set the time delay between enabling 802.1X (or port up) and adding a port to
the guest VLAN, use the dot1x guest-vlan timeout command in Global
Configuration mode. To restore the default configuration, use the no form of this
command.
Syntax
dot1x guest-vlan timeout timeout
no dot1x guest-vlan timeout
Parameters
•timeout—Specifies the time delay in seconds between enabling 802.1X (or port up) and adding the port to the guest VLAN. (Range: 30–180)
This command is relevant if the guest VLAN is enabled on the port. Configuring the timeout adds a delay from enabling 802.1X (or port up) to the time the device adds the port to the guest VLAN.
Example
The following example sets the delay between enabling 802.1X and adding a port
to a guest VLAN to 60 seconds.
switchxxxxxx(config)# dot1x guest-vlan timeout 60
3.10 dot1x host-mode
To allow a single host (client) or multiple hosts on an IEEE 802.1X-authorized port,
use the dot1x host-mode command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Single-Host Mode
The single-host mode manages the authentication status of the port: the port is
authorized if there is an authorized host. In this mode, only a single host can be
authorized on the port.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is
remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the
guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the
port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from the authorized host is
bridged based on the static vlan membership configured at the port. Traffic from
other hosts is dropped.
A user can specify that untagged traffic from the authorized host will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. In this case, tagged traffic is dropped unless the VLAN tag
is the RADIUS-assigned VLAN or the unauthenticated VLANs. See the dot1x
radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Host Mode
The multi-host mode manages the authentication status of the port: the port is
authorized after at least one host is authorized.
When a port is unauthorized and the guest VLAN is enabled, untagged traffic is
remapped to the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the
guest VLAN or the unauthenticated VLANs. If guest VLAN is not enabled on the
port, only tagged traffic belonging to the unauthenticated VLANs is bridged.
When a port is authorized, untagged and tagged traffic from all hosts connected to
the port is bridged based on the static vlan membership configured at the port.
A user can specify that untagged traffic from the authorized port will be
remapped to a VLAN that is assigned by a RADIUS server during the
authentication process. In this case, tagged traffic is dropped unless the VLAN tag
is the RADIUS assigned VLAN or the unauthenticated VLANs. See the dot1x
radius-attributes vlan command to enable RADIUS VLAN assignment at a port.
The switch removes from FDB all MAC addresses learned on a port when its
authentication status is changed from authorized to unauthorized.
Multi-Sessions Mode
Unlike the single-host and multi-host modes (port-based modes) the
multi-sessions mode manages the authentication status for each host connected
to the port (session-based mode). If the multi-sessions mode is configured on a
port, the port does not have any authentication status. Any number of hosts can be
authorized on the port. The dot1x max-hosts command can limit the maximum
number of authorized hosts allowed on the port.
Each authorized client requires a TCAM rule. If there is no available space in the
TCAM, the authentication is rejected.
When using the dot1x host-mode command to change the port mode to
single-host or multi-host when authentication is enabled, the port state is set to
unauthorized.
If the dot1x host-mode command changes the port mode to multi-session when
authentication is enabled, the state of all attached hosts is set to unauthorized.
To change the port mode to single-host or multi-host, set the port (dot1x
port-control) to force-unauthorized, change the port mode to single-host or
multi-host, and set the port to authorization auto.
Multi-sessions mode cannot be configured on the same interface together with
Policy Based VLANs configured by the following commands:
- switchport general map protocol-group vlans
- switchport general map macs-group vlans
Tagged traffic belonging to the unauthenticated VLANs is always bridged
regardless if a host is authorized or not.
When the guest VLAN is enabled, untagged and tagged traffic from unauthorized
hosts not belonging to the unauthenticated VLANs is bridged via the guest VLAN.
Traffic from an authorized host is bridged in accordance with the port static
configuration. A user can specify that untagged and tagged traffic from the
authorized host not belonging to the unauthenticated VLANs will be remapped to
a VLAN that is assigned by a RADIUS server during the authentication process.
See the dot1x radius-attributes vlan command to enable RADIUS VLAN
assignment at a port.
The switch does not remove from FDB the host MAC address learned on the port
when its authentication status is changed from authorized to unauthorized. The
MAC address will be removed after the aging timeout expires.
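The bridging rules above for the three host modes are easier to compare when written down as one decision procedure. The following is an added Python model written for this page; it is not switch firmware or any Cisco API, and the PortState and Frame types and their field names are this example's own. It assumes that "bridged based on the static vlan membership" means untagged frames go to the PVID and tagged frames are bridged only when the port is a static member of the tagged VLAN, and that in multi-sessions mode an unauthorized host's traffic is dropped when no guest VLAN is enabled.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed model of an 802.1X port; field names are this example's own,
# not switch CLI or API identifiers.
@dataclass
class PortState:
    mode: str                                   # "single-host", "multi-host", "multi-sessions"
    pvid: int                                   # PVID from the port's static configuration
    static_vlans: Set[int]                      # static VLAN membership of the port
    unauth_vlans: Set[int] = field(default_factory=set)   # unauthenticated VLANs
    guest_vlan: Optional[int] = None            # None: guest VLAN not enabled on the port
    port_authorized: bool = False               # port-based modes only
    authorized_host: Optional[str] = None       # single-host: MAC that authenticated
    radius_vlan: Optional[int] = None           # RADIUS-assigned VLAN, port-based modes
    authorized_hosts: Set[str] = field(default_factory=set)         # multi-sessions
    host_radius_vlan: Dict[str, int] = field(default_factory=dict)  # multi-sessions

@dataclass
class Frame:
    src_mac: str
    tag: Optional[int] = None                   # None: untagged frame

Disposition = Tuple[str, Optional[int]]         # ("bridge", vlan) or ("drop", None)
DROP: Disposition = ("drop", None)

def _bridge_static(port: PortState, frame: Frame) -> Disposition:
    """Assumption: untagged -> PVID; tagged only if the port is a static member."""
    if frame.tag is None:
        return ("bridge", port.pvid)
    return ("bridge", frame.tag) if frame.tag in port.static_vlans else DROP

def _bridge_radius(port: PortState, frame: Frame, vlan: int) -> Disposition:
    """Port-based modes with a RADIUS VLAN: untagged is remapped; tagged is dropped
    unless the tag is the RADIUS VLAN or one of the unauthenticated VLANs."""
    if frame.tag is None or frame.tag == vlan:
        return ("bridge", vlan)
    if frame.tag in port.unauth_vlans:
        return ("bridge", frame.tag)
    return DROP

def _unauthorized_port(port: PortState, frame: Frame) -> Disposition:
    """Port-based modes while the port is unauthorized."""
    if port.guest_vlan is None:
        # Only tagged traffic of the unauthenticated VLANs is bridged.
        return ("bridge", frame.tag) if frame.tag in port.unauth_vlans else DROP
    if frame.tag is None or frame.tag == port.guest_vlan:
        return ("bridge", port.guest_vlan)
    return ("bridge", frame.tag) if frame.tag in port.unauth_vlans else DROP

def disposition(port: PortState, frame: Frame) -> Disposition:
    """Decide what the port does with a frame, following the host-mode text."""
    if port.mode in ("single-host", "multi-host"):
        if not port.port_authorized:
            return _unauthorized_port(port, frame)
        if port.mode == "single-host" and frame.src_mac != port.authorized_host:
            return DROP                         # traffic from other hosts is dropped
        if port.radius_vlan is not None:
            return _bridge_radius(port, frame, port.radius_vlan)
        return _bridge_static(port, frame)
    if port.mode == "multi-sessions":
        # Tagged traffic of the unauthenticated VLANs is always bridged.
        if frame.tag is not None and frame.tag in port.unauth_vlans:
            return ("bridge", frame.tag)
        if frame.src_mac not in port.authorized_hosts:
            # Assumption: with no guest VLAN, an unauthorized host's traffic is dropped.
            return DROP if port.guest_vlan is None else ("bridge", port.guest_vlan)
        vlan = port.host_radius_vlan.get(frame.src_mac)
        if vlan is not None:
            return ("bridge", vlan)             # untagged and tagged are both remapped
        return _bridge_static(port, frame)
    raise ValueError(f"unknown host mode {port.mode!r}")

def flushes_fdb_on_unauthorize(mode: str) -> bool:
    """Port-based modes flush learned MACs on unauthorize; multi-sessions waits for aging."""
    return mode in ("single-host", "multi-host")
```

The point the model makes visible is the difference in blast radius: in single-host and multi-host modes the port's state governs every frame, so one unauthorized transition changes (and flushes) everything behind the port, while in multi-sessions mode each MAC is judged on its own and only the unauthenticated VLANs bypass the per-host check.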
3.11 dot1x max-hosts
To configure the maximum number of authorized hosts allowed on the interface,
use the dot1x max-hosts command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x max-hosts count
no dot1x max-hosts
Parameters
•count—Specifies the maximum number of authorized hosts allowed on the
interface. May be any 32-bit positive number.
Default Configuration
No limitation.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the number of authorized hosts allowed on an interface is not limited.
To limit the number of authorized hosts allowed on an interface, use the dot1x
max-hosts command.
This command is relevant only for multi-sessions mode.
Example
The following example limits the maximum number of authorized hosts on Ethernet
port gi11 to 6:
3.12 dot1x max-login-attempts
To set the maximum number of allowed login attempts, use the dot1x
max-login-attempts command in Interface Configuration mode. To restore the
default configuration, use the no form of this command.
Syntax
dot1x max-login-attempts count
no dot1x max-login-attempts
Parameters
•count—Specifies the maximum number of allowed login attempts. A value
of 0 means an infinite number of attempts. The valid range is 3-10.
Default Configuration
Unlimited.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
By default, the switch does not limit the number of failed login attempts. To specify
the number of allowed failed login attempts, use this command. After this number of
failed login attempts, the switch does not allow the host to be authenticated for a
period defined by the dot1x timeout quiet-period command.
The command is applied only to Web-based authentication.
Example
The following example sets the maximum number of allowed login attempts to 5:
3.13 dot1x max-req
To set the maximum number of times that the device sends an Extensible
Authentication Protocol (EAP) request/identity frame (assuming that no response
is received) to the client before restarting the authentication process, use the
dot1x max-req command in Interface Configuration mode. To restore the default
configuration, use the no form of this command.
Syntax
dot1x max-req count
no dot1x max-req
Parameters
•count—Specifies the maximum number of times that the device sends an
EAP request/identity frame before restarting the authentication process.
(Range: 1–10).
Default Configuration
The default maximum number of attempts is 2.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The default value of this command should be changed only to adjust to unusual
circumstances, such as unreliable links or specific behavioral problems with
certain clients and authentication servers.
Example
The following example sets the maximum number of times that the device sends
an EAP request/identity frame to 6.
3.15 dot1x port-control
To enable manual control of the port authorization state, use the dot1x port-control
command in Interface Configuration mode. To restore the default configuration,
use the no form of this command.
Syntax
dot1x port-control {auto | force-authorized | force-unauthorized} [time-range
time-range-name]
no dot1x port-control
Parameters
•auto—Enables 802.1X authentication on the port and causes it to transition
to the authorized or unauthorized state, based on the 802.1X authentication
exchange between the device and the client.
•force-authorized—Disables 802.1X authentication on the interface and
causes the port to transition to the authorized state without any
authentication exchange required. The port sends and receives traffic
without 802.1X-based client authentication.
•force-unauthorized—Denies all access through this port by forcing it to
transition to the unauthorized state and ignoring all attempts by the client to
authenticate. The device cannot provide authentication services to the
client through this port.
•time-range time-range-name—Specifies a time range by name. When the Time
Range is not in effect, the port state is Unauthorized. (Range: 1-32
characters).
Default Configuration
The port is in the force-authorized state.
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
The switch removes all MAC addresses learned on a port when its authorization
control is changed from force-authorized to another.
Note. It is recommended to disable spanning tree or to enable spanning-tree
PortFast mode on 802.1X edge ports in auto state that are connected to end
stations, in order to proceed to the forwarding state immediately after successful
authentication.
Example
The following example sets 802.1X authentication on gi11 to auto mode.
switchxxxxxx(config)# interface gi11
switchxxxxxx(config-if)# dot1x port-control auto
3.16 dot1x radius-attributes vlan
To enable RADIUS-based VLAN assignment, use the dot1x radius-attributes vlan
command in Interface Configuration mode. To disable RADIUS-based VLAN
assignment, use the no form of this command.
Syntax
dot1x radius-attributes vlan [reject | static]
no dot1x radius-attributes vlan
Parameters
•reject—If the RADIUS server authorized the supplicant, but did not provide
a supplicant VLAN, the supplicant is rejected. If the parameter is omitted,
this option is applied by default.
•static—If the RADIUS server authorized the supplicant, but did not provide
a supplicant VLAN, the supplicant is accepted.
Default Configuration
reject
Command Mode
Interface (Ethernet) Configuration mode
User Guidelines
If RADIUS provides invalid VLAN information, the authentication is rejected.
If a RADIUS server assigns a client with a non-existing VLAN, the switch creates
the VLAN. The VLAN is removed when it is no longer being used.
If RADIUS provides valid VLAN information and the port does not belong to the
VLAN received from RADIUS, it is added to the VLAN as an egress untagged port.
When the last authorized client assigned to the VLAN becomes unauthorized or
802.1x is disabled on the port, the port is excluded from the VLAN.
If the authentication mode is single-host or multi-host, the value of PVID is set to
the VLAN_ID.
If an authorized port in the single-host or multi-host mode changes its status to
unauthorized, the port static configuration is reset.
If the authentication mode is multi-sessions mode, the PVID is not changed and all
untagged traffic and tagged traffic not belonging to the unauthenticated VLANs
are mapped to the VLAN using TCAM.
If the last authorized host assigned to a VLAN received from RADIUS connected to
a port in the multi-sessions mode changes its status to unauthorized, the port is
removed from the VLAN if it is not in the static configuration.
See the User Guidelines of the dot1x host-mode command for more information.
If 802.1X is disabled the port static configuration is reset.
If the reject keyword is configured and the RADIUS server authorizes the host but
the RADIUS accept message does not assign a VLAN to the supplicant,
authentication is rejected.
If the static keyword is configured and the RADIUS server authorizes the host then
even though the RADIUS accept message does not assign a VLAN to the
supplicant, authentication is accepted and the traffic from the host is bridged in
accordance with port static configuration.
If this command is used when there are authorized ports/hosts, it takes effect at
subsequent authentications. To manually re-authenticate, use the dot1x
re-authenticate command.
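The reject/static decision and the port's dynamic VLAN membership described in these guidelines, as an added Python model written for this page (not switch firmware or any Cisco API; the RadiusVlanPort type and its field names are this example's own). It assumes that "invalid VLAN information" means a VLAN ID outside the 802.1Q range 1–4094, and it models a single port, so a VLAN the switch created for a RADIUS assignment is treated as no longer used once this port's last client leaves it.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094   # 802.1Q range; assumption for "invalid VLAN information"

@dataclass
class RadiusVlanPort:
    """Constructed model of one port with dot1x radius-attributes vlan configured."""
    keyword: str = "reject"                                  # "reject" (default) or "static"
    static_vlans: Set[int] = field(default_factory=set)      # port's static configuration
    vlan_table: Set[int] = field(default_factory=set)        # VLANs that exist on the switch
    created_by_radius: Set[int] = field(default_factory=set) # VLANs the switch created on demand
    dynamic: Dict[int, Set[str]] = field(default_factory=dict)  # vlan -> authorized MACs using it

    def membership(self) -> Set[int]:
        """Static membership plus VLANs the port joined (egress untagged) for clients."""
        return self.static_vlans | set(self.dynamic)

def on_access_accept(port: RadiusVlanPort, mac: str,
                     assigned_vlan: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Apply the guidelines to a RADIUS Access-Accept. Returns (accepted, vlan_used)."""
    if assigned_vlan is None:
        # No VLAN in the accept message: reject keyword rejects the host; static keyword
        # accepts it and bridges its traffic per the port static configuration.
        return (port.keyword == "static", None)
    if not VLAN_ID_MIN <= assigned_vlan <= VLAN_ID_MAX:
        return (False, None)                    # invalid VLAN information: rejected
    if assigned_vlan not in port.vlan_table:
        port.vlan_table.add(assigned_vlan)      # non-existing VLAN is created by the switch
        port.created_by_radius.add(assigned_vlan)
    port.dynamic.setdefault(assigned_vlan, set()).add(mac)   # port joins the VLAN
    return (True, assigned_vlan)

def on_unauthorized(port: RadiusVlanPort, mac: str) -> None:
    """When the last authorized client of a RADIUS VLAN leaves, the port is removed
    from that VLAN unless it is in the static configuration; a VLAN the switch
    created for RADIUS is deleted once it is no longer used."""
    for vlan, macs in list(port.dynamic.items()):
        macs.discard(mac)
        if not macs:
            del port.dynamic[vlan]
            if vlan in port.created_by_radius:
                port.created_by_radius.discard(vlan)
                port.vlan_table.discard(vlan)

def on_dot1x_disabled(port: RadiusVlanPort) -> None:
    """Disabling 802.1X resets the port to its static configuration."""
    for mac in {m for macs in port.dynamic.values() for m in macs}:
        on_unauthorized(port, mac)
```

The security-relevant consequence is the default: with the reject keyword, a server that authorizes a host but omits the VLAN attribute produces a rejection rather than silently landing the host in the port's static VLAN, so a misconfigured RADIUS policy fails closed.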
The command cannot be configured on a port if it together with