Segment Security

Overview of MSS-Group

Hosts and networks can be grouped into segments based on their prefixes; the MSS-Group feature (also called Segment Security) allows policies to be applied to segments rather than to interfaces or subnets. Policies define inter-segment and intra-segment rules; for example, segment A is allowed to communicate with segment B, or hosts in segment B are not allowed to communicate with each other.

By default, traffic directed to a segment is dropped; an explicit forward policy is required to allow communication. The two directions of traffic are handled independently: a policy configured on a segment governs only traffic sent to that segment. To allow two segments to exchange traffic, a forward policy must therefore be configured on each of the two segments, each naming the other as the source.

Configuring MSS-Group

To configure MSS-Group (segment security) to control groups of IPv4 and/or IPv6 addresses (called “segments”), define one or more match lists, create segments based on those match lists, create policies governing traffic to individual segments, define the default policy for all segments, and enable the MSS-Group feature. Up to 60 segments can be defined across all VRFs. Traffic to and from VLANs with no SVI configured is considered part of the default VRF and is subject to the policies defined in the default VRF. This feature does not require routing to be enabled on the switch, even though the mode name starts with the word “router.”

Define Match Lists

Use the match-list input command to define an IPv4 or IPv6 subnet list. Each match list must contain only one type of prefix, either IPv4 or IPv6. It cannot contain a mixture. Each match list name of a given type must be unique, but an IPv4 match list and an IPv6 match list can have the same name.

Example

  • The following commands define two IPv4 match lists named camera-prefixes and admin-prefixes and two IPv6 match lists also named camera-prefixes and admin-prefixes, and add a total of seven prefixes.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.200/32
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.201/32
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 70.89.31.0/24
    switch(config-match-list-prefix-ipv4-camera-prefixes)# exit
    switch(config)# match-list input prefix-ipv6 camera-prefixes
    switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2001:0:9d38:6ab8::/64
    switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2002:0:9d38:6ab8::3/128
    switch(config-match-list-prefix-ipv6-camera-prefixes)# exit
    switch(config)# match-list input prefix-ipv4 admin-prefixes
    switch(config-match-list-prefix-ipv4-admin-prefixes)# match prefix-ipv4 80.80.0.0/16
    switch(config-match-list-prefix-ipv4-admin-prefixes)# exit
    switch(config)# match-list input prefix-ipv6 admin-prefixes
    switch(config-match-list-prefix-ipv6-admin-prefixes)# match prefix-ipv6 2003:0:9d38:6ab8::/64
    switch(config-match-list-prefix-ipv6-admin-prefixes)# exit
    switch(config)#

Define Segments using Match Lists

Use the segment command to define a segment. A segment contains one or two match lists, one of type IPv4 and the other of type IPv6.

Example

  • The following commands define segments using the match lists configured above.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment camera
    switch(config-router-seg-sec-vrf-segment-camera)# definition
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 camera-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 camera-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# exit
    switch(config-router-seg-sec-vrf-segment-camera)# exit
    switch(config-router-seg-sec-vrf-default)# segment secure-admin
    switch(config-router-seg-sec-vrf-segment-secure-admin)# definition
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# exit
    switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
    switch(config-router-seg-sec-vrf-default)# exit
    switch(config-router-seg-sec)# exit
    switch(config)#

Define Policies Between Segments

Use the policies command to enter the mode in which the from command drops or forwards traffic to a segment from specific source segments (other segments, or the segment itself). Two built-in policies are available: policy-forward-all forwards traffic from the named segment, and policy-drop-all drops it. By default, policy-drop-all applies to traffic from every source segment for which no policy is configured.

Example

  • The following commands allow bidirectional traffic between the two segments defined above. Each segment's policies block names the other segment as the source; traffic within each segment is still dropped by the default policy.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment camera
    switch(config-router-seg-sec-vrf-segment-camera)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from secure-admin policy policy-forward-all
    switch(config-router-seg-sec-vrf-segment-policies)# exit
    switch(config-router-seg-sec-vrf-segment-camera)# exit
    switch(config-router-seg-sec-vrf-default)# segment secure-admin
    switch(config-router-seg-sec-vrf-segment-secure-admin)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-forward-all
    switch(config-router-seg-sec-vrf-segment-policies)# exit
    switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
    switch(config-router-seg-sec-vrf-default)# exit
    switch(config-router-seg-sec)# exit
    switch(config)#

Enable MSS-Group

By default, MSS-Group is not enabled. Use the no shutdown command to enable it. Use the shutdown command to disable it.

Examples
  • The following commands enable MSS-Group.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# no shutdown
    switch(config-router-seg-sec)# exit
    switch(config)#
  • The following commands disable MSS-Group.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# shutdown
    switch(config-router-seg-sec)# exit
    switch(config)#

Configuring Default Forward/Drop Behavior

By default, when MSS-Group is first enabled, all traffic to nodes in a segment is dropped unless explicitly allowed by a policy-forward-all policy as shown above. This includes traffic within the segment. Use the no segment policy policy-drop-all default command to change the default for all segments to forward, which also allows intra-segment traffic.

Example
  • The following commands allow all traffic within each segment as well as between segments, unless a policy-drop-all policy is configured for a specific source segment.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# no segment policy policy-drop-all default
    switch(config-router-seg-sec)# exit
    switch(config)#

You can modify the policy for each segment and in greater detail with the policies command.

Example
  • The following commands prevent nodes in the camera segment from communicating with each other.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment camera
    switch(config-router-seg-sec-vrf-segment-camera)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-drop-all
    switch(config-router-seg-sec-vrf-segment-policies)# exit
    switch(config-router-seg-sec-vrf-segment-camera)# exit
    switch(config-router-seg-sec-vrf-default)# exit
    switch(config-router-seg-sec)# exit
    switch(config)#

Limitations

  • Multicast and link-local prefixes are not supported.
  • Traffic disruption during prefix and policy configuration is expected; segment and prefix configuration changes are not applied atomically.
  • MSS-Group and URPF are not supported together. If both are configured (a misconfiguration), the platform gives URPF priority and removes any existing segment configuration from hardware.
  • Prefix entries that fail to be installed in hardware (because of insufficient hardware resources) are retried periodically until resources become available and the prefixes are installed. Policy entries are not retried: there is no retry mechanism for failed policy entries. To recover, free up hardware resources, then remove and re-apply the MSS-Group configuration.
  • Custom policies cannot be configured. The only policies available are the two built-in policies, policy-drop-all and policy-forward-all.
  • A given prefix can be part of only one segment in a VRF. Configuring the same prefix in more than one segment leads to undefined traffic forwarding behavior.
  • The same prefix cannot be configured in both the MSS-Group and MSS-L3 configurations.
  • SSU can be performed with MSS-Group configured, but traffic flows subject to MSS-Group policies will not be hitless.
  • DHCP discovery packets with the broadcast destination IP 255.255.255.255 match only the 0.0.0.0/0 prefix.
  • All traffic sourced from or destined to switch-owned IP addresses is allowed regardless of the MSS-Group configuration, so segment policies cannot be relied on to restrict access to the switch itself.
  • Because both a source and a destination IP lookup are required, the capacity of the LPM table is halved when MSS-Group is enabled. Host table capacity is unchanged, because source and destination lookups in the host table are always enabled by default.
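Several of these limitations can be checked offline before a change is pushed, which matters because configuration changes are not applied atomically and a prefix placed in two segments yields undefined forwarding. The following Python validator is an added example and not Arista or EOS code. It checks one address family per match list, rejects multicast and link-local prefixes, flags a prefix that appears in more than one segment of the same VRF, and enforces the 60-segment cap. Platform-dependent limits (hardware table capacity, URPF interaction, MSS-L3 overlap) are not modelled. The sample layouts are constructed for the example, and the function names are its own.

```python
"""Offline validator for a planned MSS-Group segment layout.

Added example (not Arista/EOS code). Checks the documented limitations that can
be verified without a switch: one address family per match list, no multicast
or link-local prefixes, a prefix in at most one segment per VRF, and at most 60
segments across all VRFs. Sample layouts below are constructed for this example.
"""
import ipaddress

MAX_SEGMENTS = 60  # documented cap across all VRFs


def _net(prefix):
    # strict=False: a prefix with host bits set (e.g. 70.89.31.5/24) is
    # normalised to its network rather than rejected.
    return ipaddress.ip_network(prefix, strict=False)


def check_match_list(name, family, prefixes):
    """family is 4 or 6; returns a list of problem strings (empty when OK)."""
    problems = []
    for p in prefixes:
        n = _net(p)
        if n.version != family:
            problems.append(f"{name}: {p} is IPv{n.version}, list is IPv{family}")
        if n.is_multicast:
            problems.append(f"{name}: {p} is multicast (not supported)")
        if n.is_link_local:
            problems.append(f"{name}: {p} is link-local (not supported)")
    return problems


def check_layout(layout):
    """layout = {vrf: {segment: {4: [ipv4 prefixes], 6: [ipv6 prefixes]}}}."""
    problems = []
    total = sum(len(segments) for segments in layout.values())
    if total > MAX_SEGMENTS:
        problems.append(f"{total} segments configured, limit is {MAX_SEGMENTS}")
    for vrf, segments in layout.items():
        seen = {}  # normalised prefix -> first segment that uses it (per VRF)
        for seg, families in segments.items():
            for family, prefixes in families.items():
                problems += check_match_list(f"{vrf}/{seg}/ipv{family}", family, prefixes)
                for p in prefixes:
                    n = _net(p)
                    # Only exact duplicates are flagged, as the documentation
                    # states; overlapping but different prefixes are not.
                    if n in seen and seen[n] != seg:
                        problems.append(f"{vrf}: {n} is in both {seen[n]} and {seg} "
                                        "(undefined forwarding behaviour)")
                    seen.setdefault(n, seg)
    return problems


# Constructed samples: GOOD mirrors the walkthrough on this page; BAD breaks
# four of the documented rules.
GOOD = {
    "default": {
        "camera": {4: ["69.89.31.200/32", "69.89.31.201/32", "70.89.31.0/24"],
                   6: ["2001:0:9d38:6ab8::/64", "2002:0:9d38:6ab8::3/128"]},
        "secure-admin": {4: ["80.80.0.0/16"], 6: ["2003:0:9d38:6ab8::/64"]},
    }
}
BAD = {
    "default": {
        "camera": {4: ["70.89.31.0/24", "224.0.0.0/4"], 6: ["fe80::/10"]},
        "guest": {4: ["70.89.31.0/24", "2001:db8::/32"], 6: []},
    }
}

if __name__ == "__main__":
    for name, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_layout(layout) or "OK")
```

The duplicate check is per VRF, matching the limitation as worded; the same prefix in two different VRFs is not flagged. Run the script in a pre-change pipeline and refuse to push when the list is non-empty.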

Show commands

The show commands available to examine the configuration and status of MSS-Group include:

  • show segment-security [vrf <vrf-name>][segment <seg-name>]
    switch# show segment-security
    VRF : default
      Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
      secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
  • show match-list {prefix-ipv4 | prefix-ipv6}[<list-name>]
    switch# show match-list prefix-ipv4
    Name            Prefix
    --------------- ---------------
    admin-prefixes  80.80.0.0/16
    camera-prefixes 69.89.31.200/32
                    69.89.31.201/32
                    70.89.31.0/24

    switch# show match-list prefix-ipv6
    Name            Prefix
    --------------- -----------------------
    admin-prefixes  2003:0:9d38:6ab8::/64
    camera-prefixes 2001:0:9d38:6ab8::/64
                    2002:0:9d38:6ab8::3/128
  • show segment-security hardware summary [vrf<vrf-name>][segment<seg-name>]

    This command shows the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.

    switch# show segment-security hardware summary
    VRF: default
    Segment              Hardware ID     Prefixes   Programmed
    -------------------- --------------- ---------- ---------------
    camera               63              5          5
    secure-admin         62              2          2
  • show segment-security hardware detail [vrf<vrf-name>][segment<seg-name>]

    This command shows the hardware ID assigned to each segment, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).

    switch# show segment-security hardware detail
    VRF: default
    Segment              Hardware ID     Prefixes                                Adj Index
    -------------------- --------------- --------------------------------------- ---------------
    camera               63              69.89.31.200/32                         1
                                         69.89.31.201/32                         1
                                         70.89.31.0/24                           1
                                         2001:0:9d38:6ab8::/64                   2
                                         2002:0:9d38:6ab8::3/128                 2
    secure-admin         62              80.80.0.0/16                            1
                                         2003:0:9d38:6ab8::/64                   2
  • show segment-security hardware routes [vrf<vrf-name>][segment<seg-name>]

    Since MSS Group prefixes use L3 hardware tables, the prefixes can overlap with FIB routes. So each prefix is assigned a route type. There are three possible classifications for a prefix:

    1. The prefix does not overlap with an FIB route. This prefix has route type 'S'.

    2. The prefix is also configured in the FIB. If a segment prefix is identical to an FIB prefix, it is given the route type 'S,F'.

    3. The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type 'F'.

    The following command shows the route types for prefixes in hardware.
    switch# show segment-security hardware routes 
    Codes: S - Segment prefix
           F - FIB route
           S,F - Segment prefix which is also present in FIB
    VRF: default
    Segment              Hardware ID     Routes                                  Route Type
    -------------------- --------------- --------------------------------------- ----------
    camera               63              69.89.31.200/32                         S
                                         69.89.31.201/32                         S
                                         70.89.31.0/24                           S,F
                                         2001:0:9d38:6ab8::/64                   S
                                         2002:0:9d38:6ab8::3/128                 S
    secure-admin         62              80.80.0.0/16                            S
                                         2003:0:9d38:6ab8::/64                   S
  • show segment-security hardware counters[vrf<vrf-name>]

    This command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies.

    switch# show segment-security hardware counters
    VRF: default
    Policy               Hit        Drop
    -------------------- ---------- ----------
    policy-drop-all      6          6
    policy-forward-all   13         0

    Dest Segment         Source Segment       Policy               Hit        Drop
    -------------------- -------------------- -------------------- ---------- ----------
    camera               *                    n/a                  0          3
    camera               camera                                    6          6
    camera               secure-admin                              4          0
    secure-admin         *                    n/a                  0          12
    secure-admin         camera                                    9          0
  • clear segment-security hardware counters

    This command clears the Hit and Drop counters for each policy, setting them to 0.
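The counters output is the main operational signal for segment security: a nonzero Drop on a default-policy row (source *, policy n/a) means hosts are sending traffic to that segment from a source segment for which no policy exists, and a nonzero Drop on an explicit row is an intentional policy-drop-all being exercised. The following Python parser is an added example and not part of EOS or its documentation. It reads the two-table output format shown above (SAMPLE_OUTPUT is a constructed copy of the table on this page) and lists the rows an operator should review. The function names are this example's own.

```python
"""Parse 'show segment-security hardware counters' output and flag drops.

Added example, not part of EOS or its documentation. SAMPLE_OUTPUT is a
constructed copy of the counter table shown on this page.
"""
import re

SAMPLE_OUTPUT = """\
VRF: default
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
"""

# Per-segment rows: dest, source, optional policy column, hit, drop. The policy
# column is blank for explicitly configured policies and 'n/a' on the default row.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s+(\d+)\s*$")


def parse_counters(text):
    """Return {vrf: [{'dest', 'source', 'policy', 'hit', 'drop'}, ...]}."""
    result, vrf, in_segment_table = {}, None, False
    for line in text.splitlines():
        if line.startswith("VRF:"):
            vrf = line.split(":", 1)[1].strip()
            result[vrf] = []
            in_segment_table = False  # the per-policy totals come first
        elif line.startswith("Dest Segment"):
            in_segment_table = True
        elif in_segment_table and line.strip() and not line.startswith("-"):
            m = ROW.match(line)
            if m and vrf is not None:
                dest, src, policy, hit, drop = m.groups()
                result[vrf].append({"dest": dest, "source": src, "policy": policy,
                                    "hit": int(hit), "drop": int(drop)})
    return result


def findings(parsed):
    """Rows worth a look, as (vrf, kind, source, dest, drops).

    kind is 'default-drop' when the drops come from a segment's default policy
    (source '*'): some host is sending traffic to this segment from a source
    segment that has no explicit policy, i.e. undeclared traffic. It is
    'policy-drop' when an explicit policy-drop-all (such as camera -> camera on
    this page) is being exercised; confirm that isolation is still intended.
    """
    out = []
    for vrf, rows in parsed.items():
        for r in rows:
            if r["drop"]:
                kind = "default-drop" if r["source"] == "*" else "policy-drop"
                out.append((vrf, kind, r["source"], r["dest"], r["drop"]))
    return out


if __name__ == "__main__":
    for f in findings(parse_counters(SAMPLE_OUTPUT)):
        print(*f)
```

Because the counters are cumulative until clear segment-security hardware counters is run, poll and diff them rather than alerting on the absolute value; a default-drop count that keeps growing after a change window is the signal that something is talking which nobody declared.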

Segment Security commands

Global Configuration commands

Match-List Input Configuration commands
Router Segment-Security VRF Configuration commands
Router Segment-Security VRF Segment Configuration commands
Router Segment-Security VRF Segment Policies Configuration commands

Router Segment-Security VRF Segment Definition Configuration commands

Segment-Security Clear and Show commands

clear segment-security hardware counters

The clear segment-security hardware counters command clears the MSS-Group (segment security) Hit and Drop counters, both the totals for each built-in policy and the hits and drops for each segment's policies. All MSS-Group counters are set to 0.

Command Mode

Privileged EXEC

Command Syntax

clear segment-security hardware counters

Examples

  • This command clears all counters for MSS-Group.
    switch# clear segment-security hardware counters
    switch#

definition (segment)

The definition command enters Router Segment-Security VRF Segment Definition Configuration mode. This is not a group change mode. Changes are applied to running-config immediately. The exit command does not affect the configuration.

The no definition and default definition commands clear the segment definitions from running-config.

Command Mode

Router Segment-Security VRF Segment Configuration

Command Syntax

definition

no definition

default definition

Commands Available in Router Segment-Security VRF Segment Definition Configuration Mode

match (segment definition)

Example
  • These commands enter Router Segment-Security VRF Segment Definition mode for the segment "admin".
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment admin
    switch(config-router-seg-sec-vrf-segment-admin)# definition
    switch(config-router-seg-sec-vrf-segment-def)#

from (segment policies)

The from command adds a policy to a segment in order to filter traffic from a specified source segment (the same segment or a different segment). The policy can be either policy-drop-all or policy-forward-all. The default is policy-drop-all. Therefore, for a segment to allow traffic among its own members, it requires a policy-forward-all policy from itself (unless the global default has been changed with no segment policy policy-drop-all default). You can add any number of policies.

The no from and default from commands clear the segment policy from the running-config.

Command Mode

Router Segment-Security VRF Segment Policies Configuration

Command Syntax

from segment_name policy policy_type

no from segment_name [policy policy_type]

default from segment_name [policy policy_type]

Parameters
  • segment_name The name of the source segment whose traffic the policy filters. This can be the segment currently being configured, which gives you control over traffic within the segment.
  • policy_type The type of policy. The possible values are "policy-drop-all" and "policy-forward-all". The default is "policy-drop-all".

Related Command

segment policy policy-drop-all default

Example

These commands add three policies to the segment admin. One policy allows traffic within the admin segment itself. The second policy drops all traffic from segment seg1. The third policy forwards all traffic from seg2.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from admin policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# from seg1 policy policy-drop-all
switch(config-router-seg-sec-vrf-segment-policies)# from seg2 policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)#

match-list input

The match-list input command enters Match List Configuration mode for the specified match list, creating one if it does not exist. The commands in this mode apply changes to running-config immediately. The exit command is not needed to save the changes to the configuration.

The no match-list input and default match-list input commands remove the specified match list from running-config.

Command Mode

Global Configuration Mode

Command Syntax

match-list input {prefix-ipv4|prefix-ipv6} match_list_name

no match-list input {prefix-ipv4|prefix-ipv6} match_list_name

default match-list input {prefix-ipv4|prefix-ipv6} match_list_name

Parameters
  • prefix-ipv4 This match list has IPv4 prefixes only.
  • prefix-ipv6 This match list has IPv6 prefixes only.
  • match_list_name The name of the match-list to add to. If it does not exist it will be created.
Examples
  • The following command creates an IPv4 match list called camera-prefixes and enters Match List Configuration mode.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)#
  • The following command removes the IPv4 match list camera-prefixes from running-config.
    switch(config)# no match-list input prefix-ipv4 camera-prefixes
    switch(config)#

match (match-list input)

The match command adds an entry to a match list. Each entry in a given match list must be of the same type, either IPv4 or IPv6. This command updates running-config immediately. It is not necessary to use the exit command to save changes.

The no match and default match commands remove the specified match list entry from the match list in running-config.

Command Mode

Match List Input Configuration Mode

Command Syntax

match {prefix-ipv4|prefix-ipv6} ip_address_prefix

no match {prefix-ipv4|prefix-ipv6} ip_address_prefix

default match {prefix-ipv4|prefix-ipv6} ip_address_prefix

Parameters
  • prefix-ipv4 This prefix is IPv4. You cannot mix prefix types in a single match list.
  • prefix-ipv6 This prefix is IPv6. You cannot mix prefix types in a single match list.
  • ip_address_prefix The prefix to add. For IPv4, it is of the form A.B.C.D/E. For IPv6, it is of the form A:B:C:D:E:F:G:H/I.
Examples
  • The following commands add two IPv4 entries to the match list camera-prefixes.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.200/32
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.201/32
    switch(config-match-list-prefix-ipv4-camera-prefixes)#
  • The following command removes one entry from the camera-prefixes match list.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)# no match prefix-ipv4 69.89.31.201/32
    switch(config-match-list-prefix-ipv4-camera-prefixes)#

match (segment definition)

The match command adds a match list to a segment definition. The match list cannot contain both IPv4 and IPv6 prefixes. One match list of each type can be added. The segment definition is updated in running-config immediately.

The no match command removes the specified match list from the segment definition in running-config.

The default match command removes the specified match list from the segment definition in running-config.

Command Mode

Router Segment-Security VRF Segment Definition Configuration

Command Syntax

match {prefix-ipv4|prefix-ipv6} match_list_name

no match {prefix-ipv4|prefix-ipv6} match_list_name

default match {prefix-ipv4|prefix-ipv6} match_list_name

Parameters
  • prefix-ipv4 The match list contains IPv4 prefixes.
  • prefix-ipv6 The match list contains IPv6 prefixes.
  • match_list_name The name of the match list.

Examples

These commands add two match lists to the segment admin, an IPv4 match list named admin-prefixes and an IPv6 match list also named admin-prefixes.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)#

policies (segment)

The policies command places the switch in Router Segment-Security VRF Segment Policies Configuration mode. In this mode, the from command creates a policy for the segment. A segment can contain multiple policies.

The no policies command clears the segment policies from running-config.

The default policies command clears the segment policies from running-config.

Command Mode

Router Segment-Security VRF Segment Configuration

Command Syntax

policies

no policies

default policies

Examples

This command places the switch in Router Segment-Security VRF Segment Policies configuration mode for the segment admin.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)#

router segment-security

The router segment-security command enters Router Segment-Security Configuration Mode. This mode is required to enable or disable MSS-Group (segment security), and to enter the Router Segment-Security VRF configuration mode to create segments from match lists and to configure MSS-Group.

The no router segment-security command removes the MSS-Group configuration from running-config.

The default router segment-security command removes the MSS-Group configuration from running-config.

Command Mode

Global Configuration Mode

Command Syntax

router segment-security

no router segment-security

default router segment-security

Commands Available In Router Segment-Security Configuration Mode

segment

shutdown

vrf

Examples
  • The following command enters Router Segment-Security configuration Mode.
    switch(config)# router segment-security
    switch(config-router-seg-sec)#
  • The following command disables MSS-Group and removes the MSS-Group configuration from the running-config.
    switch(config)# no router segment-security
    switch(config)#

segment

The segment command enters Router Segment-Security VRF Segment Configuration mode, creating a segment if one does not exist. The commands in this mode apply changes to running-config immediately. The exit command does not affect the configuration.

The no segment command and the default segment command clear the segment from running-config.

Command Mode

Router Segment-Security VRF Configuration

Command Syntax

segment segment_name

no segment segment_name

default segment segment_name

Parameters
  • segment_name The name of the segment.
Commands Available in Router Segment-Security VRF Segment Configuration Mode

definition

policies

Example

The following command creates a new segment called admin and enters Segment Configuration mode.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)#

segment policy policy-drop-all default

The segment policy policy-drop-all default command configures the switch to drop all traffic to all segments, including traffic within a segment, unless a policy-forward-all policy is configured for the source segment. This is the default.

The no segment policy policy-drop-all default command changes the default so that traffic to all segments, including traffic within a segment, is forwarded unless a policy-drop-all policy is configured for the source segment. Without this command, traffic within a segment requires a policy-forward-all policy that names the segment itself.

The default segment policy policy-drop-all default command restores the default, so that all traffic to all segments is dropped.

Command Mode

Router Segment-Security Configuration

Command Syntax

segment policy policy-drop-all default

no segment policy policy-drop-all default

default segment policy policy-drop-all default

Example

This command removes the policy-drop-all policy from the general segment security configuration.
switch(config)# router segment-security
switch(config-router-seg-sec)# no segment policy policy-drop-all default
switch(config-router-seg-sec)#

show match-list

The show match-list command displays match lists of type IPv4 or IPv6.

Command Mode

Privileged EXEC

Command Syntax

show match-list {prefix-ipv4 | prefix-ipv6} [list-name]

Parameters
  • prefix-ipv4 IPv4 prefix list.
  • prefix-ipv6 IPv6 prefix list.
  • list-name match list name.
Examples
  • The following command displays all the IPv4 match lists and their contents.
    switch# show match-list prefix-ipv4 
    Name            Prefix          
    --------------- --------------- 
    admin-prefixes  80.80.0.0/16    
    camera-prefixes 69.89.31.200/32 
                    69.89.31.201/32 
                    70.89.31.0/24
    
    switch#
  • The following command displays the contents of the IPv6 match list camera-prefixes.
    switch# show match-list prefix-ipv6 camera-prefixes
    Name            Prefix
    --------------- -----------------------
    camera-prefixes 2001:0:9d38:6ab8::/64
                    2002:0:9d38:6ab8::3/128
    
    switch#

show segment-security

The show segment-security command shows the status and configuration of MSS-Group (segment security).

Command Mode

Privileged EXEC

Command Syntax

show segment-security [{[vrf vrf_name] [segment seg_name] | application [application_name] | policy [policy_name] | segment segment_name | sessions [vrf vrf_name] | status [vrf vrf_name] [segment seg_name]}]

Parameters
  • vrf Show information for a particular VRF. By default, all VRFs are shown.
    • vrf_name VRF name to show. The default VRF instance is named "default".
  • segment Show information for a particular segment. By default, all segments are shown.
    • segment_name The name of the segment to show.
  • application Show status and configuration for applications. By default, no application information is shown.
    • application_name The name of the application to show. If this is omitted, all applications are shown.
  • policy Show information about policies.
    • policy_name  The name of the policy to show. If this is omitted, all policies are shown.
  • sessions Show information about sessions.
    • vrf Show session information about a particular VRF.
      • vrf_name The VRF for which to show session information. The default VRF is named "default".
  • status Show status information.

Guidelines

If both the vrf and segment parameters are specified, the vrf parameter must precede the segment parameter. Command syntax such as show segment-security segment segment_name vrf vrf_name is not valid.

Examples
  • This command displays the MSS-Group configuration for all VRF instances and all segments.
    switch# show segment-security
    VRF : default
      Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
      secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
    
    switch#
  • This command shows the MSS-Group configuration for the default VRF instance only.
    switch# show segment-security vrf default
    VRF : default
      Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
      secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
    
    switch#
  • This command shows the MSS-Group configuration for the camera segment.
    switch# show segment-security segment camera
    VRF : default
      Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
    
    switch#
  • This command shows information for all applications.
    switch# show segment-security applications
    application: app-match-all
       protocol: all
    switch#
  • This command shows information for the policy policy-drop-all.
    switch# show segment-security policy policy-drop-all
    policy: policy-drop-all [readonly]
       10 application app-match-all action drop stateless
    switch#

show segment-security hardware counters

The show segment-security hardware counters command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies. To clear the Hit and Drop counters for each policy, setting them to 0, use the clear segment-security hardware counters command.

Command Mode

Privileged EXEC

Command Syntax

show segment-security hardware counters [vrf vrf_name]

Parameters
  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The VRF to show. To show the default VRF, specify "default".

Example

This command displays the policy and counters for policies configured for all segments in VRF site_b.
switch# show segment-security hardware counters vrf site_b
VRF: site_b
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
switch#
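The table above is what an operator would poll to spot traffic that reached a segment without matching any explicit policy. The following parser is an added example, not part of this reference or of the switch software; it reads a constructed copy of the per-segment table (the Policy column is blank for explicitly configured segment pairs, so rows are split on whitespace and the two trailing integers taken as Hit and Drop) and reports the drops charged to each segment's default policy.

```python
import re

# Constructed sample modelled on the documented output; not captured from a switch.
SAMPLE = """\
VRF: site_b
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
switch#
"""

def parse_segment_counters(text):
    """Parse the per-segment table of 'show segment-security hardware counters'.

    Returns {vrf: {(dest, source): {"policy": str, "hit": int, "drop": int}}}.
    Handles both "VRF: name" and "VRF : name" header spellings.
    """
    result, vrf, in_table = {}, None, False
    for line in text.splitlines():
        m = re.match(r"VRF\s*:\s*(\S+)", line)
        if m:
            vrf = m.group(1)
            result[vrf] = {}
            in_table = False
        elif line.startswith("Dest Segment"):
            in_table = True                         # per-segment table starts here
        elif in_table and line.strip() and not line.startswith(("-", "switch")):
            tok = line.split()
            dest, src, hit, drop = tok[0], tok[1], int(tok[-2]), int(tok[-1])
            policy = " ".join(tok[2:-2])            # "" when the Policy column is blank
            result[vrf][(dest, src)] = {"policy": policy, "hit": hit, "drop": drop}
    return result

def unmatched_drops(counters, vrf):
    """Drops charged to each segment's default policy (Source Segment '*').

    A non-zero value means traffic reached the segment from a source with no
    explicit policy: either a missing allow rule or an unexpected talker.
    """
    return {dest: r["drop"] for (dest, src), r in counters[vrf].items() if src == "*"}
```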

show segment-security hardware detail

The show segment-security hardware detail command displays the hardware ID allocated to each segment, the prefixes programmed in hardware for each segment, and the adjacency index used by each prefix (as determined from L3 hardware tables).

Command Mode

Privileged EXEC

Command Syntax

show segment-security hardware detail [vrf vrf_name] [segment seg_name]

Parameters
  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
  • segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
  • seg_name The name of the segment to show details for.

Guidelines

If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware detail segment segment_name vrf vrf_name is not valid.

Example

This command displays the hardware IDs allocated to each segment in vrf site_a, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).
switch# show segment-security hardware detail vrf site_a
VRF: site_a
Segment        Hardware ID     Prefixes                 Adj Index
-------------- --------------- ------------------------ ---------------
camera         63              69.89.31.200/32           1
                               69.89.31.201/32           1
                               70.89.31.0/24             1
                               2001:0:9d38:6ab8::/64     2
                               2002:0:9d38:6ab8::3/128   2
secure-admin   62              80.80.0.0/16              1
                               2003:0:9d38:6ab8::/64     2
switch#

show segment-security hardware routes

The show segment-security hardware routes command displays the route and type for each programmed prefix in hardware. Since MSS-Group prefixes use L3 hardware tables, the prefixes can overlap with FIB routes, so each prefix is assigned a route type. There are three possible classifications for a prefix:
  1. The prefix does not overlap with an FIB route. This prefix has route type S.
  2. The prefix is also configured in the FIB. If a segment prefix is identical to an FIB prefix, it is given the route type S,F.
  3. The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type F.

Command Mode

Privileged EXEC

Command Syntax

show segment-security hardware routes [vrf vrf_name] [segment seg_name]

Parameters
  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
  • segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
  • seg_name The name of the segment to show details for.

Guidelines

If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware routes segment segment_name vrf vrf_name is not valid.

Example

This command displays the route and type for programmed prefixes in hardware for the VRF named site_a and the segment camera.
switch# show segment-security hardware routes vrf site_a segment camera 
Codes: S - Segment prefix
       F - FIB route
       S,F - Segment prefix which is also present in FIB

VRF: site_a
Segment       Hardware ID   Routes                     Route Type
------------- ------------- -------------------------- ----------
camera        63            69.89.31.200/32             S
                            69.89.31.201/32             S
                            70.89.31.0/24               S,F
                            2001:0:9d38:6ab8::/64       S
                            2002:0:9d38:6ab8::3/128     S
switch#

show segment-security hardware summary

The show segment-security hardware summary command displays the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.

Command Mode

Privileged EXEC

Command Syntax

show segment-security hardware summary [vrf vrf_name] [segment seg_name]

Parameters
  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
  • segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
  • seg_name The name of the segment to show details for.

Guidelines

If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware summary segment segment_name vrf vrf_name is not valid.

Example

This command displays the hardware ID allocated to each configured segment, the number of prefixes configured, and the number of prefixes successfully programmed in hardware for all VRFs and all segments.
switch# show segment-security hardware summary

VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2
switch#

shutdown (router segment-security)

The shutdown command disables MSS-Group (segment security) in the switch. This is the default. The no shutdown and default shutdown commands enable MSS-Group.

Command Mode

Router Segment-Security Configuration

Command Syntax

shutdown

no shutdown

default shutdown

Example

This command enables MSS-Group in the switch.
switch(config)# router segment-security
switch(config-router-seg-sec)# no shutdown
switch(config-router-seg-sec)#

vrf (router segment-security)

The vrf command enters Router Segment-Security VRF Configuration mode, creating a VRF instance if necessary, to create and configure MSS-Group segments.

Command Mode

Router Segment-Security Configuration

Command Syntax

vrf vrf_instance

Parameters
  • vrf_instance The name of the VRF instance. To configure MSS-Group for the default VRF instance, specify "default".

Commands Available in Router Segment-Security VRF Configuration Mode

Example

The following command enters Router Segment-Security VRF Configuration mode for the default VRF instance.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)#