Table Of Contents
ip dhcp relay information option
ip dhcp snooping information option
ip dhcp snooping verify mac-address
ip verify source dhcp-snooping-vlan
ip verify unicast source reachable-via
I Commands
This chapter describes the Cisco NX-OS security commands that begin with I.
identity policy
To create or specify an identity policy and enter identity policy configuration mode, use the identity policy command. To remove an identity policy, use the no form of this command.
identity policy policy-name
no identity policy policy-name
Syntax Description
policy-name
Name for the identity policy. The name is case sensitive, alphanumeric, and has a maximum of 100 characters.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-admin
VDC userCommand History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to create an identity policy and enter identity policy configuration mode:
switch# config tswitch(config)# identity policy AdminPolicyswitch(config-id-policy)#This example shows how to remove an identity policy:
switch# config tswitch(config)# no identity policy AdminPolicyRelated Commands
identity profile eapoudp
To create the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile and enter identity profile configuration mode, use the identity profile eapoupd command. To remove the EAPoUPD identity profile configuration, use the no form of this command.
identity profile eapoudp
no identity profile eapoudp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-admin
VDC userCommand History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to create the EAPoUDP identity profile and enter identity profile configuration mode:
switch# config tswitch(config)# identity profile eapoudpswitch(config-id-policy)#This example shows how to remove the EAPoUDP identity profile configuration:
switch# config tswitch(config)# no identity profile eapoudpRelated Commands
interface policy deny
To enter interface policy configuration mode for a user role, use the interface policy deny command. To revert to the default interface policy for a user role, use the no form of this command.
interface policy deny
no interface policy deny
Syntax Description
This command has no arguments or keywords.
Defaults
All interfaces
Command Modes
User role configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
This command denies all interfaces to the user role except for those that you allow using the permit interface command in user role interface policy configuration mode.
This command does not require a license.
Examples
This example shows how to enter user role interface policy configuration mode for a user role:
switch# config tswitch(config)# role name MyRoleswitch(config-role)# interface policy denyswitch(config-role-interface)#This example shows how to revert to the default interface policy for a user role:
switch# config tswitch(config)# role name MyRoleswitch(config-role)# no interface policy denyRelated Commands
ip access-group
To apply an IPv4 access control list (ACL) to an interface as a router ACL, use the ip access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip access-group access-list-name {in | out}
no ip access-group access-list-name {in | out}
Syntax Description
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
•
VLAN interfaces
Note
•
•
•
•
•
•
You can also use the ip access-group command to apply an IPv4 ACL as a router ACL to the following interface types:
•
•
However, an ACL applied to a Layer 2 interface with the ip access-group command is inactive unless the port mode changes to routed (Layer 3) mode. To apply an IPv4 ACL as a port ACL, use the ip port access-group command.
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command on page 225.
The device applies router ACLs on either outbound or inbound traffic. When the device applies an ACL to inbound traffic, the device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
For outbound access lists, after receiving and routing a packet to an interface, the device checks the ACL. If the first matching rule permits the packet, the device sends the packet to its destination. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This command does not require a license.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 2/1:
switch# config tswitch(config)# interface ethernet 2/1switch(config-if)# ip access-group ip-acl-01 inThis example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
switch# config tswitch(config)# interface ethernet 2/1switch(config-if)# no ip access-group ip-acl-01 inRelated Commands
ip access-list
To create an IPv4 access control list (ACL) or to enter IP access list configuration mode for a specific ACL, use the ip access-list command. To remove an IPv4 ACL, use the no form of this command.
ip access-list access-list-name
no ip access-list access-list-name
Syntax Description
access-list-name
Name of the IPv4 ACL. The name has a maximum of 64 alphanumeric, case-sensitive characters but cannot contain a space or quotation mark.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
No IPv4 ACLs are defined by default.
Use IPv4 ACLs to filter IPv4 traffic.
When you use the ip access-list command, the device enters IP access list configuration mode, where you can use the IPv4 deny and permit commands to configure rules for the ACL. If the ACL specified does not exist, the device creates it when you enter this command.
Use the ip access-group command to apply the ACL to an interface as a router ACL. Use the ip port access-group command to apply the ACL to an interface as a port ACL.
Every IPv4 ACL has the following implicit rule as its last rule:
deny ip any anyThis implicit rule ensures that the device denies unmatched IP traffic.
IPv4 ACLs do not include additional implicit rules to enable the neighbor discovery process. The Address Resolution Protocol (ARP), uses a separate data link layer protocol. By default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Use the statistics per-entry command to configure the device to record statistics for each rule in an IPv4 ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit deny ip any any rule, you must explicitly configure an identical rule.
This command does not require a license.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch# conf tswitch(config)# ip access-list ip-acl-01switch(config-acl)#Related Commands
ip arp inspection filter
To apply an ARP access control list (ACL) to a list of VLANs, use the ip arp inspection filter command. To remove the ARP ACL from the list of VLANs, use the no form of this command.
ip arp inspection filter acl-name vlan vlan-list
no ip arp inspection filter acl-name vlan vlan-list
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to apply an ARP ACL named arp-acl-01 to VLANs 15 and 37 through 48:
switch# configure terminalswitch(config)# ip arp inspection filter arp-acl-01 vlan 15,37-48switch(config)#Related Commands
ip arp inspection log-buffer
To configure the Dynamic ARP Inspection (DAI) logging buffer size, use the ip arp inspection log-buffer command. To reset the DAI logging buffer to its default size, use the no form of this command.
ip arp inspection log-buffer entries number
no ip arp inspection log-buffer entries number
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
By default, the DAI logging buffer size is 32 messages.
This command does not require a license.
Examples
This example shows how to configure the DAI logging buffer size:
switch# configure terminalswitch(config)# ip arp inspection log-buffer entries 64switch(config)#Related Commands
ip arp inspection trust
To configure a Layer 2 interface as a trusted ARP interface, use the ip arp inspection trust command. To configure a Layer 2 interface as an untrusted ARP interface, use the no form of this command.
ip arp inspection trust
no ip arp inspection trust
Syntax Description
This command has no arguments or keywords.
Defaults
By default, all interfaces are untrusted ARP interfaces.
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You can configure only Layer 2 Ethernet interfaces as trusted ARP interfaces.
This command does not require a license.
Examples
This example shows how to configure a Layer 2 interface as a trusted ARP interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# ip arp inspection trustswitch(config-if)#Related Commands
ip arp inspection validate
To enable additional Dynamic ARP Inspection (DAI) validation, use the ip arp inspection validate command. To disable additional DAI, use the no form of this command.
ip arp inspection validate {dst-mac [ip] [src-mac]}
ip arp inspection validate {[dst-mac] ip [src-mac]}
ip arp inspection validate {[dst-mac] [ip] src-mac}
no ip arp inspection validate {dst-mac [ip] [src-mac]}
no ip arp inspection validate {[dst-mac] ip [src-mac]}
no ip arp inspection validate {[dst-mac] [ip] src-mac}
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
You must specify at least one keyword. If you specify more than one keyword, the order is irrelevant.
This command does not require a license.
Examples
This example shows how to enable additional DAI validation:
switch# configure terminalswitch(config)# ip arp inspection validate src-mac dst-mac ipswitch(config)#Related Commands
show ip arp inspection
Displays the DAI configuration status.
show running-config dhcp
Displays DHCP snooping configuration, including DAI configuration.
ip arp inspection vlan
To enable Dynamic ARP Inspection (DAI) for a list of VLANs, use the ip arp inspection vlan command. To disable DAI for a list of VLANs, use the no form of this command.
ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]
no ip arp inspection vlan vlan-list [logging dhcp-bindings {permit | all | none}]
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
By default, the device does not log packets inspected by DAI.
This command does not require a license.
Examples
This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
switch# configure terminalswitch(config)# ip arp inspection vlan 13,15,17-23switch(config)#Related Commands
ip dhcp relay address
To configure the IP address of a DHCP server on an interface, use the ip dhcp relay address command. To remove the DHCP server IP address, use the no form of this command.
ip dhcp relay address IP-address
no ip dhcp relay address IP-address
Syntax Description
Defaults
None
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
4.0(1)
This command was introduced.
4.0(3)
Up to four ip dhcp relay address commands can be added to the configuration of a Layer 3 Ethernet interface or subinterface.
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure up to four DHCP server IP addresses on Layer 3 Ethernet interfaces and subinterfaces, VLAN interfaces, and Layer 3 port channels. In Cisco NX-OS Release 4.0.2 and earlier releases, you can configure only one DHCP server IP address on an interface.
When an inbound DHCP BOOTREQUEST packet arrives on the interface, the relay agent forwards the packet to all DHCP server IP addresses specified on that interface. The relay agent forwards replies from all DHCP servers to the host that sent the request.
This command does not require a license.
Examples
This example shows how to configure two IP addresses for DHCP servers so that the relay agent can forward BOOTREQUEST packets received on the specified Layer 3 Ethernet interface:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# ip dhcp relay address 10.132.7.120switch(config-if)# ip dhcp relay address 10.132.7.175switch(config-if)#This example shows how to configure the IP address of a DHCP server on a VLAN interface:
switch# configure terminalswitch(config)# interface vlan 13switch(config-if)# ip dhcp relay address 10.132.7.120switch(config-if)#This example shows how to configure the IP address of a DHCP server on a Layer 3 port-channel interface:
switch# configure terminalswitch(config)# interface port-channel 7switch(config-if)# ip dhcp relay address 10.132.7.120switch(config-if)#Related Commands
ip dhcp relay information option
To enable the device to insert and remove option-82 information on DHCP packets forwarded by the relay agent, use the ip dhcp relay information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp relay information option
no ip dhcp relay information option
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the device does not insert and remove option-82 information on DHCP packets forwarded by the relay agent.
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
This command does not require a license.
Examples
This example shows how to enable the DHCP relay agent to insert and remove option-82 information to and from packets it forwards:
switch# configure terminalswitch(config)# ip dhcp relay information optionswitch(config)#Related Commands
ip dhcp snooping
To globally enable DHCP snooping on the device, use the ip dhcp snooping command. To globally disable DHCP snooping, use the no form of this command.
ip dhcp snooping
no ip dhcp snooping
Syntax Description
This command has no arguments or keywords.
Defaults
By default, DHCP snooping is globally disabled.
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command.
This command does not require a license.
Examples
This example shows how to globally enable DHCP snooping:
switch# configure terminalswitch(config)# ip dhcp snoopingswitch(config)#Related Commands
ip dhcp snooping information option
To enable the insertion and removal of option-82 information for DHCP packets, use the ip dhcp snooping information option command. To disable the insertion and removal of option-82 information, use the no form of this command.
ip dhcp snooping information option
no ip dhcp snooping information option
Syntax Description
This command has no arguments or keywords.
Defaults
By default, the device does not insert and remove option-82 information.
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
This command does not require a license.
Examples
This example shows how to globally enable DHCP snooping:
switch# configure terminalswitch(config)# ip dhcp snooping information optionswitch(config)#Related Commands
ip dhcp snooping trust
To configure an interface as a trusted source of DHCP messages, use the ip dhcp snooping trust command. To configure an interface as an untrusted source of DHCP messages, use the no form of this command.
ip dhcp snooping trust
no ip dhcp snooping trust
Syntax Description
This command has no arguments or keywords.
Defaults
By default, no interface is a trusted source of DHCP messages.
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
You can configure DHCP trust on the following types of interfaces:
•
•
•
This command does not require a license.
Examples
This example shows how to configure an interface as a trusted source of DHCP messages:
switch# configure terminalswitch(config)# interface ethernet 2/1switch(config-if)# ip dhcp snooping trustswitch(config-if)#Related Commands
ip dhcp snooping verify mac-address
To enable DHCP snooping MAC address verification, use the ip dhcp snooping verify mac-address command. To disable DHCP snooping MAC address verification, use the no form of this command.
ip dhcp snooping verify mac-address
no ip dhcp snooping verify mac-address
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
By default, MAC address verification with DHCP snooping is not enabled.
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client hardware address do not match, address verification causes the device to drop the packet.
This command does not require a license.
Examples
This example shows how to enable DHCP snooping MAC address verification:
switch# configure terminalswitch(config)# ip dhcp snooping verify mac-addressswitch(config)#Related Commands
ip dhcp snooping vlan
To enable DHCP snooping one or more VLANs, use the ip dhcp snooping vlan command. To disable DHCP snooping on one or more VLANs, use the no form of this command.
ip dhcp snooping vlan vlan-list
no ip dhcp snooping vlan vlan-list
Syntax Description
Defaults
By default, DHCP snooping is not enabled on any VLAN.
Command Modes
Global configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
To use this command, you must enable the DHCP snooping feature (see the feature dhcp command).
This command does not require a license.
Examples
This example shows how to enable DHCP snooping on VLANs 100, 200, and 250 through 252:
switch# configure terminalswitch(config)# ip dhcp snooping vlan 100,200,250-252switch(config)#Related Commands
ip port access-group
To apply an IPv4 access control list (ACL) to an interface as a port ACL, use the ip port access-group command. To remove an IPv4 ACL from an interface, use the no form of this command.
ip port access-group access-list-name in
no ip port access-group access-list-name in
Syntax Description
access-list-name
Name of the IPv4 ACL, which can be up to 64 alphanumeric, case-sensitive characters.
in
Specifies that the ACL applies to inbound traffic.
Defaults
in
Command Modes
Interface configuration
Supported User Rolesnetwork-admin
vdc-adminCommand History
Usage Guidelines
By default, no IPv4 ACLs are applied to an interface.
You can use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
•
•
You can also use the ip port access-group command to apply an IPv4 ACL as a port ACL to the following interface types:
•
Note
•
•
•
•
•
•
However, an ACL applied to a Layer 3 interface with the ip port access-group command is inactive unless the port mode changes to access or trunk (Layer 2) mode. To apply an IPv4 ACL as a router ACL, use the ip access-group command.
You can also apply an IPv4 ACL as a VLAN ACL. For more information, see the match (VLAN access-map) command on page 225.
The device applies port ACLs to inbound traffic only. The device checks inbound packets against the rules in the ACL. If the first matching rule permits the packet, the device continues to process the packet. If the first matching rule denies the packet, the device drops the packet and returns an ICMP host-unreachable message.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.
This command does not require a license.
Examples
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 2/1 as a port ACL:
switch# config tswitch(config)# interface ethernet 2/1switch(config-if)# ip port access-group ip-acl-01 inThis example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 2/1:
switch# config tswitch(config)# interface ethernet 2/1switch(config-if)# no ip port access-group ip-acl-01 inRelated Commands
ip source binding
To create a static IP source entry for a Layer 2 Ethernet interface, use the ip source binding command. To disable the static IP source entry, use the no form of this command.
ip source binding IP-address MAC-address vlan vlan-id interface ethernet slot/port
no ip source binding IP-address
