Table Of Contents
S Commands
sap pmk
sap modelist
send-lifetime
server
service dhcp
service-policy input
set cos
set dscp (policy map class)
set precedence (policy map class)
ssh
ssh key
ssh server enable
ssh6
statistics per-entry
storm-control level
switchport port-security
switchport port-security aging time
switchport port-security aging type
switchport port-security mac-address
switchport port-security mac-address sticky
switchport port-security maximum
switchport port-security violation
S Commands
This chapter describes the Cisco NX-OS security commands that begin with S, except for show commands, which are in Chapter SEC, "Show Commands."
sap pmk
To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap command. To remove the SAP configuration, use the no form of this command.
sap pmk {key | use-dot1x} [modelist {gcm-encrypt | gmac | no-encap | none}]
no sap
Syntax Description
key | Key value. This is a hexadecimal string with an even number of characters. The maximum length is 32 characters.
use-dot1x | Specifies that the peer device does not support Cisco TrustSec 802.1X authentication or authorization but does support SAP data path encryption and authentication.
modelist | (Optional) Specifies the SAP operation mode.
gcm-encrypt | Specifies Galois/Counter Mode (GCM) encryption and authentication mode.
gmac | Specifies GCM authentication mode.
no-encap | Specifies no encapsulation and no security group tag (SGT) insertion.
none | Specifies the encapsulation of the SGT without authentication or encryption.
Defaults
gcm-encrypt
Command Modes
Cisco TrustSec manual configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(3) | The use-dot1x keyword was added.
4.0(1) | This command was introduced.
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to manually configure Cisco TrustSec SAP on an interface:
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# sap pmk fedbaa modelist gmac
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to remove a manual Cisco TrustSec SAP configuration from an interface:
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# no sap
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
Related Commands
Command | Description
cts manual | Enters Cisco TrustSec manual configuration mode for an interface.
feature cts | Enables the Cisco TrustSec feature.
show cts interface | Displays the Cisco TrustSec configuration for interfaces.
sap modelist
To configure the Cisco TrustSec Security Association Protocol (SAP) operation mode, use the sap modelist command. To revert to the default, use the no form of this command.
sap modelist {gcm-encrypt | gmac | no-encap | none}
no sap modelist {gcm-encrypt | gmac | no-encap | none}
Syntax Description
gcm-encrypt | Specifies Galois/Counter Mode (GCM) encryption and authentication mode.
gmac | Specifies GCM authentication mode.
no-encap | Specifies no encapsulation and no security group tag (SGT) insertion.
none | Specifies the encapsulation of the SGT without authentication or encryption.
Defaults
gcm-encrypt
Command Modes
Cisco TrustSec 802.1X configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to configure Cisco TrustSec SAP operation mode on an interface:
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface:
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
Related Commands
Command | Description
cts dot1x | Enters Cisco TrustSec 802.1X configuration mode for an interface.
feature cts | Enables the Cisco TrustSec feature.
show cts interface | Displays the Cisco TrustSec configuration for interfaces.
send-lifetime
To specify the time interval within which the device sends the key during key exchange with another device, use the send-lifetime command. To remove the time interval, use the no form of this command.
send-lifetime [local] start-time [duration duration-value | infinite | end-time]
Syntax Description
local | (Optional) Specifies that the device treats the configured times as local times. By default, the device treats the start-time and end-time arguments as UTC.
start-time | Time of day and date that the key becomes active. For information about the values for the start-time argument, see the "Usage Guidelines" section.
duration duration-value | (Optional) Specifies the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).
infinite | (Optional) Specifies that the key never expires.
end-time | (Optional) Time of day and date that the key becomes inactive. For information about valid values for the end-time argument, see the "Usage Guidelines" section.
Defaults
infinite
Command Modes
Key configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
This command does not require a license.
By default, the device interprets all time range rules as UTC.
By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour[:minute[:second]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
Examples
This example shows how to create a send lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
switch# configure terminal
switch(config)# key chain glbp-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008
switch(config-keychain-key)#
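The send-lifetime window described above, modelled in Python as an added example (not Cisco or NX-OS code): it parses the hour[:minute[:second]] month day year format, applies the 1970..2037 bounds and the duration cap from the syntax table, and reports whether a key is inside its send lifetime. The UTC-5 zone used for the local keyword and the inclusive end-time are assumptions of this model.

```python
from datetime import datetime, timedelta, timezone

# Month names accepted in the start-time / end-time arguments.
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"], start=1)}
MAX_DURATION = 2147483646                 # seconds, from the syntax table
MIN_TIME = datetime(1970, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
MAX_TIME = datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
LOCAL_TZ = timezone(timedelta(hours=-5))  # constructed assumption for 'local'


def parse_time(tokens, tz):
    """Parse ['hour[:minute[:second]]', month, day, year] into an aware datetime."""
    if len(tokens) != 4:
        raise ValueError("expected hour[:minute[:second]] month day year")
    hms = [int(p) for p in tokens[0].split(":")]
    if not 1 <= len(hms) <= 3:
        raise ValueError("bad time of day: %s" % tokens[0])
    hour, minute, second = (hms + [0, 0])[:3]
    month = MONTHS.get(tokens[1].lower()[:3])
    if month is None:
        raise ValueError("bad month: %s" % tokens[1])
    # datetime() itself rejects impossible days, hours, minutes and seconds.
    t = datetime(int(tokens[3]), month, int(tokens[2]), hour, minute, second, tzinfo=tz)
    if not MIN_TIME <= t <= MAX_TIME:
        raise ValueError("time outside 00:00:00 Jan 1 1970 .. 23:59:59 Dec 31 2037")
    return t


def parse_send_lifetime(line):
    """Parse one 'send-lifetime ...' line into (start, end) UTC datetimes.

    end is None for an infinite lifetime (the default when nothing follows
    start-time). The key is treated as sendable from start through end
    inclusive; that inclusiveness is an assumption of this model.
    """
    tokens = line.split()
    if tokens[:1] != ["send-lifetime"]:
        raise ValueError("not a send-lifetime command")
    tokens = tokens[1:]
    tz = timezone.utc                      # times are UTC unless 'local' is given
    if tokens and tokens[0] == "local":
        tz = LOCAL_TZ
        tokens = tokens[1:]
    start = parse_time(tokens[:4], tz).astimezone(timezone.utc)
    rest = tokens[4:]
    if not rest or rest == ["infinite"]:
        return start, None
    if rest[0] == "duration":
        if len(rest) != 2:
            raise ValueError("duration needs exactly one value")
        secs = int(rest[1])
        if not 1 <= secs <= MAX_DURATION:
            raise ValueError("duration must be 1..%d seconds" % MAX_DURATION)
        return start, start + timedelta(seconds=secs)
    end = parse_time(rest, tz).astimezone(timezone.utc)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    return start, end


def lifetime_seconds(line):
    """Length of the send lifetime in seconds, or None when infinite."""
    start, end = parse_send_lifetime(line)
    return None if end is None else int((end - start).total_seconds())


def key_is_sendable(line, at_utc):
    """True when the key may be sent at 'at_utc' ('YYYY-MM-DD HH:MM:SS', UTC)."""
    at = datetime.strptime(at_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    start, end = parse_send_lifetime(line)
    return start <= at and (end is None or at <= end)


if __name__ == "__main__":
    cfg = "send-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008"
    print(parse_send_lifetime(cfg))
    print(key_is_sendable(cfg, "2008-07-01 12:00:00"))   # True
    print(key_is_sendable(cfg, "2008-08-13 00:00:00"))   # False
```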
Related Commands
Command | Description
accept-lifetime | Configures an accept lifetime for a key.
key | Configures a key.
key chain | Configures a keychain.
key-string | Configures a key string.
show key chain | Shows keychain configuration.
server
To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.
server {ipv4-address | ipv6-address | hostname}
no server {ipv4-address | ipv6-address | hostname}
Syntax Description
ipv4-address | Server IPv4 address in the A.B.C.D format.
ipv6-address | Server IPv6 address in the X:X:X::X format.
hostname | Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.
Defaults
None
Command Modes
RADIUS server group configuration
TACACS+ server group configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
Note
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to add a server to a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
This example shows how to delete a server from a RADIUS server group:
switch(config)# aaa group server radius RadServer
switch(config-radius)# no server 10.10.1.1
This example shows how to add a server to a TACACS+ server group:
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
This example shows how to delete a server from a TACACS+ server group:
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no server 10.10.2.2
Related Commands
Command | Description
aaa group server | Configures AAA server groups.
radius-server host | Configures a RADIUS server.
show radius-server groups | Displays RADIUS server group information.
show tacacs-server groups | Displays TACACS+ server group information.
feature tacacs+ | Enables TACACS+.
tacacs-server host | Configures a TACACS+ server.
service dhcp
To enable the DHCP relay agent, use the service dhcp command. To disable the DHCP relay agent, use the no form of this command.
service dhcp
no service dhcp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to enable the DHCP relay agent:
switch# configure terminal
switch(config)# service dhcp
Related Commands
Command | Description
feature dhcp | Enables the DHCP snooping feature on the device.
ip dhcp relay address | Configures an IP address of a DHCP server on an interface.
ip dhcp relay information option | Enables the insertion and removal of option-82 information from DHCP packets.
ip dhcp snooping | Globally enables DHCP snooping on the device.
show ip dhcp snooping | Displays general information about DHCP snooping.
show running-config dhcp | Displays DHCP snooping configuration, including IP Source Guard configuration.
service-policy input
To attach a control plane policy map to the control plane, use the service-policy input command. To remove a control plane policy map, use the no form of this command.
service-policy input policy-map-name
no service-policy input policy-map-name
Syntax Description
policy-map-name | Name of the control plane policy map.
Defaults
None
Command Modes
Control plane configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
You can assign only one control plane policy map to the control plane. To assign a new control plane policy map to the control plane, you must first remove the old control plane policy map.
This command does not require a license.
Examples
This example shows how to assign a control plane policy map to the control plane:
switch(config)# control-plane
switch(config-cp)# service-policy input PolicyMapA
This example shows how to remove a control plane policy map from the control plane:
switch(config)# control-plane
switch(config-cp)# no service-policy input PolicyMapA
Related Commands
Command | Description
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
set cos
To set the IEEE 802.1Q class of service (CoS) value for a control plane policy map, use the set cos command. To revert to the default, use the no form of this command.
set cos [inner] cos-value
no set cos [inner] cos-value
Syntax Description
inner | (Optional) Specifies the inner 802.1Q tag in a Q-in-Q environment.
cos-value | Numerical value of CoS in the control plane policy map. The range is from 0 to 7.
Defaults
0
Command Modes
Policy map class configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the CoS value for a control plane policy map:
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set cos 4
This example shows how to revert to the default CoS value for a control plane policy map:
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set cos 4
Related Commands
Command | Description
class (policy map) | Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
set dscp (policy map class)
To set the differentiated services code point (DSCP) value for IPv4 and IPv6 packets in a control plane policy map, use the set dscp command. To revert to the default, use the no form of this command.
set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}
no set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}
Syntax Description
tunnel | (Optional) Sets DSCP in a tunnel encapsulation.
dscp-value | Numerical value of DSCP in the control plane policy map. The range is from 0 to 63.
af11 | Specifies assured forwarding 11 DSCP (001010).
af12 | Specifies assured forwarding 12 DSCP (001100).
af13 | Specifies assured forwarding 13 DSCP (001110).
af21 | Specifies assured forwarding 21 DSCP (010010).
af22 | Specifies assured forwarding 22 DSCP (010100).
af23 | Specifies assured forwarding 23 DSCP (010110).
af31 | Specifies assured forwarding 31 DSCP (011010).
af32 | Specifies assured forwarding 32 DSCP (011100).
af33 | Specifies assured forwarding 33 DSCP (011110).
af41 | Specifies assured forwarding 41 DSCP (100010).
af42 | Specifies assured forwarding 42 DSCP (100100).
af43 | Specifies assured forwarding 43 DSCP (100110).
cs1 | Specifies class selector 1 (precedence 1) DSCP (001000).
cs2 | Specifies class selector 2 (precedence 2) DSCP (010000).
cs3 | Specifies class selector 3 (precedence 3) DSCP (011000).
cs4 | Specifies class selector 4 (precedence 4) DSCP (100000).
cs5 | Specifies class selector 5 (precedence 5) DSCP (101000).
cs6 | Specifies class selector 6 (precedence 6) DSCP (110000).
cs7 | Specifies class selector 7 (precedence 7) DSCP (111000).
ef | Specifies expedited forwarding DSCP (101110).
default | Specifies default DSCP (000000).
Defaults
default
Command Modes
Policy map class configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the DSCP value for a control plane policy map:
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set dscp 4
This example shows how to revert to the default DSCP value for a control plane policy map:
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set dscp 4
Related Commands
Command | Description
class (policy map) | Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
set precedence (policy map class)
To set the precedence value for IPv4 and IPv6 packets in a control plane policy map, use the set precedence command. To revert to the default, use the no form of this command.
set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine}
no set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine}
Syntax Description
tunnel | (Optional) Sets the precedence in a tunnel encapsulation.
prec-value | Numerical value for IP precedence in the control plane policy map. The range is from 0 to 7.
critical | Specifies critical precedence, equal to precedence value 5.
flash | Specifies flash precedence, equal to precedence value 3.
flash-override | Specifies flash override precedence, equal to precedence value 4.
immediate | Specifies immediate precedence, equal to precedence value 2.
internet | Specifies internet precedence, equal to precedence value 6.
network | Specifies network precedence, equal to precedence value 7.
priority | Specifies priority precedence, equal to precedence value 1.
routine | Specifies routine precedence, equal to precedence value 0.
Defaults
0 or routine
Command Modes
Policy map class configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the precedence value for a control plane policy map:
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set precedence critical
This example shows how to revert to the default precedence value for a control plane policy map:
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set precedence critical
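An added example (not Cisco code) that derives the bit patterns behind the set dscp and set precedence keywords listed in the two syntax tables above instead of looking them up: AF values are class and drop precedence packed into six bits, class selectors are an IP precedence shifted into the top three bits, and the precedence of any DSCP is those same top three bits, which is why set precedence critical and set dscp cs5 mark the same bits.

```python
def af_dscp(af_class, drop_prec):
    """Assured Forwarding afXY: class X (1-4) in the top three bits, drop
    precedence Y (1-3) in the next two bits, lowest bit zero."""
    if not (1 <= af_class <= 4 and 1 <= drop_prec <= 3):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (af_class << 3) | (drop_prec << 1)


def cs_dscp(precedence):
    """Class Selector csN: IP precedence N (0-7) in the top three bits, rest zero."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence must be 0-7")
    return precedence << 3


EF = 0b101110          # expedited forwarding: the one keyword not derived from a pattern

PRECEDENCE_NAMES = {   # keywords of 'set precedence' and the values the table gives
    "routine": 0, "priority": 1, "immediate": 2, "flash": 3,
    "flash-override": 4, "critical": 5, "internet": 6, "network": 7,
}


def dscp_value(keyword):
    """Resolve a 'set dscp' argument (number or keyword) to its 0-63 value."""
    k = keyword.lower()
    if k.isdigit():
        value = int(k)
        if not 0 <= value <= 63:
            raise ValueError("dscp-value must be 0-63")
        return value
    if k == "default":
        return 0
    if k == "ef":
        return EF
    if len(k) == 4 and k[:2] == "af" and k[2:].isdigit():
        return af_dscp(int(k[2]), int(k[3]))
    if len(k) == 3 and k[:2] == "cs" and k[2].isdigit():
        return cs_dscp(int(k[2]))
    raise ValueError("unknown DSCP keyword: %s" % keyword)


def precedence_value(keyword):
    """Resolve a 'set precedence' argument (number or keyword) to its 0-7 value."""
    k = keyword.lower()
    if k.isdigit():
        value = int(k)
        if not 0 <= value <= 7:
            raise ValueError("prec-value must be 0-7")
        return value
    if k not in PRECEDENCE_NAMES:
        raise ValueError("unknown precedence keyword: %s" % keyword)
    return PRECEDENCE_NAMES[k]


def precedence_of_dscp(dscp):
    """IP precedence carried by a DSCP value: its top three bits."""
    return dscp >> 3


def dscp_bits(dscp):
    """Six-bit string in the form the syntax table uses, e.g. af31 -> '011010'."""
    return format(dscp, "06b")


if __name__ == "__main__":
    for kw in ("af31", "af43", "cs5", "ef", "default"):
        print(kw, dscp_bits(dscp_value(kw)), "precedence", precedence_of_dscp(dscp_value(kw)))
    print("critical ->", precedence_value("critical"))
```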
Related Commands
Command | Description
class (policy map) | Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
ssh
To create a Secure Shell (SSH) session using IPv4 on the NX-OS device, use the ssh command.
ssh [username@]{ipv4-address | hostname} [vrf vrf-name]
Syntax Description
username | (Optional) Username for the SSH session. The username is not case sensitive.
ipv4-address | IPv4 address of the remote device.
hostname | Hostname of the remote device. The hostname is case sensitive.
vrf vrf-name | (Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH session. The VRF name is case sensitive.
Defaults
Default VRF
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
The NX-OS software supports SSH version 2.
To use IPv6 addressing for an SSH session, use the ssh6 command.
This command does not require a license.
Examples
This example shows how to start an SSH session using IPv4:
switch# ssh 10.10.1.1 vrf management
The authenticity of host '10.10.1.1 (10.10.1.1)' can't be established.
RSA key fingerprint is 9b:d9:09:97:f6:40:76:89:05:15:42:6b:12:48:0f:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.1.1' (RSA) to the list of known hosts.
Related Commands
Command | Description
clear ssh session | Clears SSH sessions.
ssh server enable | Enables the SSH server.
ssh6 | Starts an SSH session using IPv6 addressing.
ssh key
To create a Secure Shell (SSH) server key for a virtual device context (VDC), use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key {dsa [force] | rsa [length [force]]}
no ssh key [dsa | rsa]
Syntax Description
dsa | Specifies the Digital Signature Algorithm (DSA) SSH server key.
force | (Optional) Forces the replacement of an existing SSH key.
rsa | Specifies the Rivest, Shamir, and Adleman (RSA) public-key cryptography SSH server key.
length | (Optional) Number of bits to use when creating the SSH server key. The range is from 768 to 2048.
Defaults
1024-bit length
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
The NX-OS software supports SSH version 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no ssh server enable command.
This command does not require a license.
Examples
This example shows how to create an SSH server key using DSA:
switch(config)# ssh key dsa
generating dsa key(1024 bits).....
This example shows how to create an SSH server key using RSA with the default key length:
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
This example shows how to create an SSH server key using RSA with a specified key length:
switch(config)# ssh key rsa 768
generating rsa key(768 bits).....
This example shows how to replace an SSH server key using DSA with the force option:
switch(config)# no ssh server enable
switch(config)# ssh key dsa force
deleting old dsa key.....
generating dsa key(1024 bits).....
switch(config)# ssh server enable
This example shows how to remove the DSA SSH server key:
switch(config)# no ssh server enable
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key dsa
switch(config)# ssh server enable
This example shows how to remove all SSH server keys:
switch(config)# no ssh server enable
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key
switch(config)# ssh server enable
Related Commands
Command | Description
show ssh key | Displays the SSH server key information.
ssh server enable | Enables the SSH server.
ssh server enable
To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the ssh server enable command. To disable the SSH server, use the no form of this command.
ssh server enable
no ssh server enable
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
The NX-OS software supports SSH version 2.
This command does not require a license.
Examples
This example shows how to enable the SSH server:
switch(config)# ssh server enable
This example shows how to disable the SSH server:
switch(config)# no ssh server enable
XML interface to system may become unavailable since ssh is disabled
Related Commands
Command | Description
show ssh server | Displays the SSH server key information.
ssh6
To create a Secure Shell (SSH) session using IPv6 on the NX-OS device, use the ssh6 command.
ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]
Syntax Description
username | (Optional) Username for the SSH session. The username is not case sensitive.
ipv6-address | IPv6 address of the remote device.
hostname | Hostname of the remote device.
vrf vrf-name | (Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH session. The VRF name is case sensitive.
Defaults
Default VRF
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
The NX-OS software supports SSH version 2.
To use IPv4 addressing to start an SSH session, use the ssh command.
This command does not require a license.
Examples
This example shows how to start an SSH session using IPv6:
switch# ssh6 host2 vrf management
Related Commands
Command | Description
clear ssh session | Clears SSH sessions.
ssh | Starts an SSH session using IPv4 addressing.
ssh server enable | Enables the SSH server.
statistics per-entry
To start recording statistics for how many packets are permitted or denied by each entry in an IP or a MAC access control list (ACL), use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
statistics per-entry
no statistics per-entry
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
IP access-list configuration
IPv6 access-list configuration
MAC access-list configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
4.0(3) | Changed command from statistics to statistics per-entry.
Usage Guidelines
When the device determines that an IPv4, IPv6, or MAC ACL applies to a packet, it tests the packet against the conditions of all entries in the ACLs. ACL entries are derived from the rules that you configure with the applicable permit and deny commands. The first matching rule determines whether the packet is permitted or denied. Enter the statistics per-entry command to start recording how many packets are permitted or denied by each entry in an ACL.
The device does not record statistics for implicit rules. To record statistics for these rules, you must explicitly configure an identical rule for each implicit rule. For more information about implicit rules, see the following commands:
• ip access-list
• ipv6 access-list
• mac access-list
To view per-entry statistics for an ACL, use the show access-lists command or the applicable following command:
• show ip access-lists
• show ipv6 access-lists
• show mac access-lists
To clear per-entry statistics for an ACL, use the clear access-list counters command or the applicable following command:
• clear ip access-list counters
• clear ipv6 access-list counters
• clear mac access-list counters
This command does not require a license.
Examples
This example shows how to start recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101
switch(config-acl)# statistics per-entry
This example shows how to stop recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101
switch(config-acl)# no statistics per-entry
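A Python model of the first-match evaluation and per-entry counting described in the usage guidelines, added here as an example (not NX-OS code). It shows the point about implicit rules: a packet that reaches the implicit deny increments no counter, so the denied traffic only becomes visible once an explicit deny ip any any entry is configured. The ACL name, rules and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Entry:
    seq: int
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    matches: int = 0               # the per-entry counter statistics per-entry records


def _networks(tokens):
    """Turn '<src> <dst>' tokens into two networks; each side is 'any',
    'host A.B.C.D' or 'A.B.C.D/len'."""
    nets, i = [], 0
    while i < len(tokens):
        if tokens[i] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif tokens[i] == "host" and i + 1 < len(tokens):
            i += 1
            nets.append(ipaddress.IPv4Network(tokens[i] + "/32"))
        else:
            nets.append(ipaddress.IPv4Network(tokens[i], strict=False))
        i += 1
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: %s" % " ".join(tokens))
    return nets


@dataclass
class AccessList:
    """IPv4 ACL with first-match evaluation and optional per-entry counters."""
    name: str
    statistics_per_entry: bool = False
    entries: list = field(default_factory=list)

    def add(self, rule):
        """Add a rule written as '<seq> permit|deny ip <src> <dst>'."""
        parts = rule.split()
        if len(parts) < 4 or parts[1] not in ("permit", "deny") or parts[2] != "ip":
            raise ValueError("expected '<seq> permit|deny ip <src> <dst>': %s" % rule)
        src, dst = _networks(parts[3:])
        self.entries.append(Entry(int(parts[0]), parts[1], src, dst))
        self.entries.sort(key=lambda e: e.seq)   # sequence number decides match order

    def evaluate(self, src_ip, dst_ip):
        """Return (action, seq) for the first matching entry.

        A packet that matches no entry falls to the implicit deny, which is
        not an entry: it is reported as ("deny", None) and no counter moves.
        """
        src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
        for e in self.entries:
            if src in e.src and dst in e.dst:
                if self.statistics_per_entry:
                    e.matches += 1
                return e.action, e.seq
        return "deny", None

    def counters(self):
        """Per-entry match counts keyed by sequence number."""
        return {e.seq: e.matches for e in self.entries}


if __name__ == "__main__":
    acl = AccessList("ip-acl-101", statistics_per_entry=True)
    acl.add("10 permit ip 10.0.0.0/24 any")
    acl.add("20 deny ip host 192.0.2.7 any")
    # Constructed traffic: one packet from each of three sources.
    for s in ("10.0.0.5", "192.0.2.7", "203.0.113.9"):
        print(s, acl.evaluate(s, "198.51.100.1"))
    print(acl.counters())          # {10: 1, 20: 1}: the implicitly denied packet is invisible
    acl.add("30 deny ip any any")  # explicit copy of the implicit rule, now counted
    print(acl.evaluate("203.0.113.9", "198.51.100.1"), acl.counters())
```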
Related Commands
Command | Description
show access-lists | Displays all IPv4, IPv6, and MAC ACLs, or a specific ACL.
clear access-list counters | Clears per-entry statistics for all IPv4, IPv6, and MAC ACLs, or for a specific ACL.
storm-control level
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control {broadcast | multicast | unicast} level percentage [. fraction]
no storm-control {broadcast | multicast | unicast} level
Syntax Description
broadcast | Specifies the broadcast traffic.
multicast | Specifies the multicast traffic.
unicast | Specifies the unicast traffic.
percentage | Percentage of the suppression level. The range is from 0 to 100 percent.
. fraction | (Optional) Fraction of the suppression level. The range is from 0 to 99.
Defaults
All packets are passed
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release | Modification
4.0(1) | This command was introduced.
Usage Guidelines
Enter the storm-control level command to enable traffic storm co