Segment Security
Overview of MSS-Group
Hosts and networks can be grouped into segments based on their prefixes; the MSS-Group feature (also called Segment Security) allows policies to be applied to segments rather than to interfaces or subnets. Policies define inter-segment and intra-segment rules; for example, segment A is allowed to communicate with segment B, or hosts in segment B are not allowed to communicate with each other.
By default, traffic directed to a segment is dropped; an explicit allow policy is required to allow communication. The two directions of traffic are handled independently; to allow traffic between two segments, forward policy must be configured in both segments.
Configuring MSS-Group
To configure MSS-Group (segment security) to control groups of IPv4 and/or IPv6 addresses (called “segments”), define one or more match lists, create segments based on those match lists, create policies governing traffic to individual segments, define the default policy for all segments, and enable the MSS-Group feature. Up to 60 segments can be defined across all VRFs. Traffic to and from VLANs with no SVI configured is considered part of the default VRF and is subject to the policies defined in the default VRF. This feature does not require routing to be enabled on the switch, even though the mode name starts with the word “router.”
Define Match Lists
Use the match-list input command to define an IPv4 or IPv6 subnet list. Each match list must contain only one type of prefix, either IPv4 or IPv6. It cannot contain a mixture. Each match list name of a given type must be unique, but an IPv4 match list and an IPv6 match list can have the same name.
Example
- The following commands define two IPv4 match lists named camera-prefixes and admin-prefixes and two IPv6 match lists also named camera-prefixes and admin-prefixes, and add a total of seven prefixes.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.200/32
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.201/32
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 70.89.31.0/24
switch(config-match-list-prefix-ipv4-camera-prefixes)# exit
switch(config)# match-list input prefix-ipv6 camera-prefixes
switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2001:0:9d38:6ab8::/64
switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2002:0:9d38:6ab8::3/128
switch(config-match-list-prefix-ipv6-camera-prefixes)# exit
switch(config)# match-list input prefix-ipv4 admin-prefixes
switch(config-match-list-prefix-ipv4-admin-prefixes)# match prefix-ipv4 80.80.0.0/16
switch(config-match-list-prefix-ipv4-admin-prefixes)# exit
switch(config)# match-list input prefix-ipv6 admin-prefixes
switch(config-match-list-prefix-ipv6-admin-prefixes)# match prefix-ipv6 2003:0:9d38:6ab8::/64
switch(config-match-list-prefix-ipv6-admin-prefixes)# exit
switch(config)#
Define Segments using Match Lists
Use the segment command to define a segment. A segment contains one or two match lists, one of type IPv4 and the other of type IPv6.
Example
- The following commands define segments using the match lists configured above.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment camera
switch(config-router-seg-sec-vrf-segment-camera)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 camera-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 camera-prefixes
switch(config-router-seg-sec-vrf-segment-def)# exit
switch(config-router-seg-sec-vrf-segment-camera)# exit
switch(config-router-seg-sec-vrf-default)# segment secure-admin
switch(config-router-seg-sec-vrf-segment-secure-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# exit
switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
switch(config-router-seg-sec-vrf-default)# exit
switch(config-router-seg-sec)# exit
switch(config)#
Define Policies Between Segments
Use the policies command to drop or forward traffic to a segment from specific other segments. Two built-in policies are available: policy-forward-all to forward traffic between segments, and policy-drop-all to drop traffic between segments. By default, the drop-all policy is enabled.
Example
- The following commands allow bidirectional traffic between the two segments defined above. Because each direction is configured independently, the camera segment forwards traffic from secure-admin and the secure-admin segment forwards traffic from camera.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment camera
switch(config-router-seg-sec-vrf-segment-camera)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from secure-admin policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# exit
switch(config-router-seg-sec-vrf-segment-camera)# exit
switch(config-router-seg-sec-vrf-default)# segment secure-admin
switch(config-router-seg-sec-vrf-segment-secure-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# exit
switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
switch(config-router-seg-sec-vrf-default)# exit
switch(config-router-seg-sec)# exit
switch(config)#
Enable MSS-Group
By default, MSS-Group is not enabled. Use the no shutdown command to enable it. Use the shutdown command to disable it.
- The following commands enable MSS-Group.
switch(config)# router segment-security
switch(config-router-seg-sec)# no shutdown
switch(config-router-seg-sec)# exit
switch(config)#
- The following commands disable MSS-Group.
switch(config)# router segment-security
switch(config-router-seg-sec)# shutdown
switch(config-router-seg-sec)# exit
switch(config)#
Configuring Default Forward/Drop Behavior
By default, when MSS-Group is first enabled, all traffic to nodes in a segment is dropped unless explicitly allowed by a "forward-all" policy as shown above. This includes traffic within the segment. Use the no segment policy command to change this behavior to allow intra-segment traffic.
- The following commands allow all traffic within each segment as well as between segments.
switch(config)# router segment-security
switch(config-router-seg-sec)# no segment policy policy-drop-all default
switch(config-router-seg-sec)# exit
switch(config)#
You can modify the policy for each segment and in greater detail with the policies command.
- The following commands prevent nodes in the camera segment from communicating with each other.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment camera
switch(config-router-seg-sec-vrf-segment-camera)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-drop-all
switch(config-router-seg-sec-vrf-segment-policies)# exit
switch(config-router-seg-sec-vrf-segment-camera)# exit
switch(config-router-seg-sec-vrf-default)# exit
switch(config-router-seg-sec)# exit
switch(config)# exit
Limitations
- Multicast and Link Local prefixes are not supported.
- Traffic disruption during prefix and policy configuration is expected. We do not support atomicity during segment and prefix configuration.
- MSS-Group and URPF feature interaction is not supported. If both features are configured (misconfiguration), the platform gives URPF higher priority and removes any existing segment configurations from hardware.
- Prefix entries that fail to be installed in hardware (because of insufficient hardware resources) are retried periodically until resources become available and the prefixes are successfully installed. The same is not true for policy entries: there is no retry mechanism for failed policy entries. The user needs to free up hardware resources, remove the MSS-Group feature, and re-enable it.
- Custom policies cannot be configured. Clients can choose from two built-in policies, ‘policy-drop-all’ and ‘policy-forward-all’.
- A given prefix can only be part of a single segment in a VRF. Attempting to configure the same prefix in more than one segment leads to undefined traffic forwarding behavior.
- The same prefix cannot be configured in both MSS-Group and MSS-L3 configurations.
- SSU can be performed with MSS-Group configured but the traffic flows for MSS-Group configuration will not be hitless.
- DHCP discovery packets with broadcast destination IP of 255.255.255.255 will only match 0.0.0.0/0 prefix.
- All traffic sourced from and/or destined to switch-owned IPs is allowed regardless of MSS-Group configuration.
- Due to source and destination IP lookup being required, the capacity of the LPM table is halved when MSS-G is enabled. The host table capacity is unchanged as the source and destination lookup is always enabled by default.
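The configuration procedure above has two properties that are easy to get wrong by hand: each direction of inter-segment traffic needs its own forward policy, and the limitations just listed (one prefix type per match list, one segment per prefix within a VRF, no multicast or link-local prefixes, at most 60 segments) are not enforced until the configuration is pushed, when a mistake means undefined forwarding. The following added example, which is not Arista's code, is a small Python generator that checks a declarative description of match lists and segments against those documented constraints and then emits the CLI lines in the order the procedure uses, writing the forward policy into both segments of every allowed pair. The dictionary layout, the function names and the `allow_intra` parameter are assumptions made for this illustration; the sample prefixes are the ones used in the examples above.

```python
"""Generate and sanity-check an EOS MSS-Group (segment security) configuration.

Added example, not Arista's code. The data layout and function names are
assumptions; only the CLI keywords come from the documentation.
"""
import ipaddress
from collections import defaultdict

MAX_SEGMENTS = 60  # documented limit across all VRFs

# Constructed sample, mirroring the match lists used in the documentation.
MATCH_LISTS = {
    ("prefix-ipv4", "camera-prefixes"): ["69.89.31.200/32", "69.89.31.201/32", "70.89.31.0/24"],
    ("prefix-ipv6", "camera-prefixes"): ["2001:0:9d38:6ab8::/64", "2002:0:9d38:6ab8::3/128"],
    ("prefix-ipv4", "admin-prefixes"): ["80.80.0.0/16"],
    ("prefix-ipv6", "admin-prefixes"): ["2003:0:9d38:6ab8::/64"],
}
SEGMENTS = {
    "camera": [("prefix-ipv4", "camera-prefixes"), ("prefix-ipv6", "camera-prefixes")],
    "secure-admin": [("prefix-ipv4", "admin-prefixes"), ("prefix-ipv6", "admin-prefixes")],
}


def check_prefix(kind, prefix):
    """Parse one prefix and raise ValueError with the documented reason if it is unusable."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set or bad syntax
    want = 4 if kind == "prefix-ipv4" else 6
    if net.version != want:
        raise ValueError(f"{prefix}: a {kind} match list cannot hold an IPv{net.version} prefix")
    if net.is_multicast or net.is_link_local:
        raise ValueError(f"{prefix}: multicast and link-local prefixes are not supported")
    return net


def validate(match_lists, segments):
    """Apply the documented constraints for one VRF; return a list of problems (empty if clean)."""
    problems = []
    owner = {}  # prefix -> segment: a prefix may belong to only one segment per VRF
    if len(segments) > MAX_SEGMENTS:
        problems.append(f"{len(segments)} segments exceeds the limit of {MAX_SEGMENTS}")
    for (kind, _name), prefixes in match_lists.items():
        for p in prefixes:
            try:
                check_prefix(kind, p)
            except ValueError as err:
                problems.append(str(err))
    for seg, lists in segments.items():
        kinds = [k for k, _ in lists]
        if len(kinds) != len(set(kinds)):
            problems.append(f"segment {seg}: only one match list of each type is allowed")
        for key in lists:
            if key not in match_lists:
                problems.append(f"segment {seg}: match list {key[1]} ({key[0]}) is not defined")
                continue
            for p in match_lists[key]:
                if p in owner and owner[p] != seg:
                    problems.append(f"{p}: already in segment {owner[p]}, cannot also be in {seg}")
                owner.setdefault(p, seg)
    return problems


def build_config(vrf, match_lists, segments, allow_pairs, allow_intra=(), enable=True):
    """Return CLI lines. allow_pairs are unordered (a, b) pairs; because each direction
    is configured separately, a policy-forward-all is emitted in BOTH segments.
    Segments named in allow_intra forward traffic from themselves (otherwise the
    default drop applies to intra-segment traffic as well)."""
    problems = validate(match_lists, segments)
    if problems:
        raise ValueError("; ".join(problems))
    lines = []
    for (kind, name), prefixes in sorted(match_lists.items()):
        lines.append(f"match-list input {kind} {name}")
        lines += [f"   match {kind} {p}" for p in prefixes]
    forward_from = defaultdict(set)
    for a, b in allow_pairs:
        forward_from[a].add(b)
        forward_from[b].add(a)
    lines += ["router segment-security", f"   vrf {vrf}"]
    for seg, lists in segments.items():
        lines += [f"      segment {seg}", "         definition"]
        lines += [f"            match {kind} {name}" for kind, name in lists]
        sources = forward_from[seg] | ({seg} if seg in allow_intra else set())
        if sources:
            lines.append("         policies")
            lines += [f"            from {src} policy policy-forward-all" for src in sorted(sources)]
    if enable:
        lines.append("   no shutdown")
    return lines


if __name__ == "__main__":
    for line in build_config("default", MATCH_LISTS, SEGMENTS,
                             [("camera", "secure-admin")], allow_intra=["secure-admin"]):
        print(line)
```

The generator keeps the global `segment policy policy-drop-all default` in place and only adds explicit `policy-forward-all` entries, so anything not listed in `allow_pairs` or `allow_intra` stays dropped; a segment's own name in `allow_intra` is what produces the `from <segment> policy policy-forward-all` line that intra-segment traffic requires.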
Show commands
The show commands available to examine the configuration and status of MSS-Group include:
show segment-security [vrf <vrf-name>] [segment <seg-name>]
switch# show segment-security
VRF : default
Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
show match-list {prefix-ipv4 | prefix-ipv6} [<list-name>]
switch# show match-list prefix-ipv4
Name            Prefix
--------------- ---------------
admin-prefixes  80.80.0.0/16
camera-prefixes 69.89.31.200/32
                69.89.31.201/32
                70.89.31.0/24
switch# show match-list prefix-ipv6
Name            Prefix
--------------- -----------------------
admin-prefixes  2003:0:9d38:6ab8::/64
camera-prefixes 2001:0:9d38:6ab8::/64
                2002:0:9d38:6ab8::3/128
show segment-security hardware summary [vrf <vrf-name>] [segment <seg-name>]
This command shows the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.
switch# show segment-security hardware summary
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2
show segment-security hardware detail [vrf <vrf-name>] [segment <seg-name>]
This command shows the hardware ID assigned to each segment, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).
switch# show segment-security hardware detail
VRF: default
Segment              Hardware ID     Prefixes                                Adj Index
-------------------- --------------- --------------------------------------- ---------------
camera               63              69.89.31.200/32                         1
                                     69.89.31.201/32                         1
                                     70.89.31.0/24                           1
                                     2001:0:9d38:6ab8::/64                   2
                                     2002:0:9d38:6ab8::3/128                 2
secure-admin         62              80.80.0.0/16                            1
                                     2003:0:9d38:6ab8::/64                   2
show segment-security hardware routes [vrf <vrf-name>] [segment <seg-name>]
Since MSS Group prefixes use L3 hardware tables, the prefixes can overlap with FIB routes. So each prefix is assigned a route type. There are three possible classifications for a prefix:
- The prefix does not overlap with an FIB route. This prefix has route type 'S'.
- The prefix is also configured in the FIB. If a segment prefix is identical to an FIB prefix, it is given the route type 'S,F'.
- The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type 'F'.
switch# show segment-security hardware routes
Codes: S - Segment prefix
       F - FIB route
       S,F - Segment prefix which is also present in FIB
VRF: default
Segment              Hardware ID     Routes                                  Route Type
-------------------- --------------- --------------------------------------- ----------
camera               63              69.89.31.200/32                         S
                                     69.89.31.201/32                         S
                                     70.89.31.0/24                           S,F
                                     2001:0:9d38:6ab8::/64                   S
                                     2002:0:9d38:6ab8::3/128                 S
secure-admin         62              80.80.0.0/16                            S
                                     2003:0:9d38:6ab8::/64                   S
show segment-security hardware counters [vrf <vrf-name>]
This command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies.
switch# show segment-security hardware counters
VRF: default
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0
Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
clear segment-security hardware counters
This command clears the Hit and Drop counters for each policy, setting them to 0.
Segment Security commands
Global Configuration commands
Router Segment-Security VRF Segment Definition Configuration commands
Segment-Security Clear and Show commands
clear segment-security hardware counters
The clear segment-security hardware counters command clears the MSS-Group (segment security) Hit and Drop counters, both the per-policy totals and the hits and drops for each separate segment's policies. All MSS-Group counters are set to 0.
Command Mode
Privileged EXEC
Command Syntax
clear segment-security hardware counters
Examples
- This command clears all counters for MSS-Group.
switch# clear segment-security hardware counters
switch#
definition (segment)
The definition command enters Router Segment-Security VRF Segment Definition Configuration mode. This is not a group change mode. Changes are applied to running-config immediately. The exit command does not affect the configuration.
The no definition and default definition commands clear the segment definitions from running-config.
Command Mode
Router Segment-Security VRF Segment Configuration
Command Syntax
definition
no definition
default definition
Commands Available in Router Segment-Security VRF Segment Definition Configuration Mode
match (segment definition)
- These commands enter Router Segment-Security VRF Segment Definition mode for the segment "admin".
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)#
from (segment policies)
The from command adds a policy to a segment in order to filter traffic from a specified segment (the same segment or a different segment). The policy can be either policy-drop-all or policy-forward-all. The default is policy-drop-all. Therefore, for a segment to allow traffic among its own members, it requires a policy-forward-all policy for itself. You can add any number of policies.
The no from and default from commands clear the segment policy from the running-config.
Command Mode
Router Segment-Security VRF Segment Policies Configuration
Command Syntax
from segment_name policy policy_type
no from segment_name [policy policy_type]
default from segment_name [policy policy_type]
Parameters
policy_type The type of policy. The possible values are "policy-drop-all" and "policy-forward-all". The default is "policy-drop-all".
segment_name The name of the segment to filter. This can be the segment currently being configured, to give you control over traffic within the segment.
Related command
segment policy policy-drop-all default
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from admin policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# from seg1 policy policy-drop-all
switch(config-router-seg-sec-vrf-segment-policies)# from seg2 policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)#
match-list input
The match-list input command enters Match List Configuration mode for the specified match list, creating one if it does not exist. The commands in this mode apply changes to running-config immediately. The exit command is not needed to save the changes to the configuration.
The no match-list input and default match-list input commands remove the specified match list from running-config.
Command Mode
Global Configuration Mode
Command Syntax
match-list input {prefix-ipv4|prefix-ipv6} match_list_name
no match-list input {prefix-ipv4|prefix-ipv6} match_list_name
default match-list input {prefix-ipv4|prefix-ipv6} match_list_name
- prefix-ipv4 This match list has IPv4 prefixes only.
- prefix-ipv6 This match list has IPv6 prefixes only.
- match_list_name The name of the match-list to add to. If it does not exist it will be created.
- The following command creates an IPv4 match list called camera-prefixes and enters Match List Configuration mode.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)#
- The following command removes the IPv4 match list camera-prefixes from running-config.
switch(config)# no match-list input prefix-ipv4 camera-prefixes
switch(config)#
match (match-list input)
The match command adds an entry to a match list. Each entry in a given match list must be of the same type, either IPv4 or IPv6. This command updates running-config immediately. It is not necessary to use the exit command to save changes.
The no match and default match commands remove the specified match list entry from the match list in running-config.
Command Mode
Match List Input Configuration Mode
Command Syntax
match {prefix-ipv4|prefix-ipv6} ip_address_prefix
no match {prefix-ipv4|prefix-ipv6} ip_address_prefix
default match {prefix-ipv4|prefix-ipv6} ip_address_prefix
- prefix-ipv4 This prefix is IPv4. You cannot mix prefix types in a single match list.
- prefix-ipv6 This prefix is IPv6. You cannot mix prefix types in a single match list.
- ip_address_prefix The prefix to add. For IPv4, it is of the form A.B.C.D/E. For IPv6, it is of the form A:B:C:D:E:F:G:H/I.
- The following commands add two IPv4 entries to the match list camera-prefixes.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.200/32
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.201/32
switch(config-match-list-prefix-ipv4-camera-prefixes)#
- The following command removes one entry from the camera-prefixes match list.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)# no match prefix-ipv4 69.89.31.201/32
switch(config-match-list-prefix-ipv4-camera-prefixes)#
match (segment definition)
The match command adds a match list to a segment definition. The match list cannot contain both IPv4 and IPv6 prefixes. One match list of each type can be added. The segment definition is updated in running-config immediately.
The no match command removes the specified match list from the segment definition in running-config.
The default match command removes the specified match list from the segment definition in running-config.
Command Mode
Router Segment-Security VRF Segment Definition Configuration
Command Syntax
match {prefix-ipv4|prefix-ipv6} match_list_name
no match {prefix-ipv4|prefix-ipv6} match_list_name
default match {prefix-ipv4|prefix-ipv6} match_list_name
Parameters
prefix-ipv4 The match list contains IPv4 prefixes.
prefix-ipv6 The match list contains IPv6 prefixes.
match_list_name The name of the match list.
Examples
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)#
policies (segment)
The policies command places the switch in Router Segment Security VRF Segment Policies Configuration mode. In this mode, the command from creates a policy for the segment. A segment can contain multiple policies.
The no policies command clears the segment policies from running-config.
The default policies command clears the segment policies from running-config.
Command Mode
Router Segment-Security VRF Segment Configuration
Command Syntax
policies
no policies
default policies
Examples
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)#
router segment-security
The router segment-security command enters Router Segment-Security Configuration Mode. This mode is required to enable or disable MSS-Group (segment security), and to enter the Router Segment-Security VRF configuration mode to create segments from match lists and to configure MSS-Group.
The no router segment-security command removes the MSS-Group configuration from running-config.
The default router segment-security command removes the MSS-Group configuration from running-config.
Command Mode
Global Configuration Mode
Command Syntax
router segment-security
no router segment-security
default router segment-security
Commands Available in Router Segment-Security Configuration Mode
segment
shutdown
vrf
- The following command enters Router Segment-Security Configuration Mode.
switch(config)# router segment-security
switch(config-router-seg-sec)#
- The following command disables MSS-Group and removes the MSS-Group configuration from the running-config.
switch(config)# no router segment-security
switch(config)#
segment
The segment command enters Router Segment-Security VRF Segment Configuration mode, creating a segment if one does not exist. The commands in this mode apply changes to running-config immediately. The exit command does not affect the configuration.
The no segment command and the default segment command clear the segment from running-config.
Command Mode
Router Segment-Security VRF Configuration
Command Syntax
segment segment_name
no segment segment_name
default segment segment_name
- segment_name The name of the segment.
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)#
segment policy policy-drop-all default
The segment policy policy-drop-all default command configures the switch to drop all traffic to all segments. This is the default.
The no segment policy policy-drop-all default command allows segments to receive traffic. This is necessary to allow traffic within a segment.
The default segment policy policy-drop-all default command restores the default, so that all traffic to all segments is dropped.
Command Mode
Router Segment-Security Configuration
Command Syntax
segment policy policy-drop-all default
no segment policy policy-drop-all default
default segment policy policy-drop-all default
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# no segment policy policy-drop-all default
switch(config-router-seg-sec)#
show match-list
The show match-list command displays match lists of type IPv4 or IPv6.
Command Mode
Privileged EXEC
Command Syntax
show match-list {prefix-ipv4 | prefix-ipv6} [list-name]
- prefix-ipv4 IPv4 prefix list.
- prefix-ipv6 IPv6 prefix list.
- list-name match list name.
- The following command displays all the IPv4 match lists and their contents.
switch# show match-list prefix-ipv4
Name            Prefix
--------------- ---------------
admin-prefixes  80.80.0.0/16
camera-prefixes 69.89.31.200/32
                69.89.31.201/32
                70.89.31.0/24
switch#
- The following command displays the contents of the IPv6 match list camera-prefixes.
switch# show match-list prefix-ipv6 camera-prefixes
Name            Prefix
--------------- -----------------------
camera-prefixes 2001:0:9d38:6ab8::/64
                2002:0:9d38:6ab8::3/128
switch#
show segment-security
The show segment-security command shows the status and configuration of MSS-Group (segment security).
Command Mode
Privileged EXEC
Command Syntax
show segment-security [{[vrf vrf_name] [segment seg_name] | application [application_name] | policy [policy_name] | segment segment_name | sessions [vrf vrf_name] | status [vrf vrf_name] [segment seg_name]}]
- vrf Show information for a particular VRF. By default, all VRFs are shown.
- vrf_name VRF name to show. The default VRF instance is named "default".
- segment Show information for a particular segment. By default, all segments are shown.
- segment_name The name of the segment to show.
- application Show status and configuration for applications. By default, no application information is shown.
- application_name The name of the application to show. If this is omitted, all applications are shown.
- policy Show information about policies.
- policy_name The name of the policy to show. If this is omitted, all policies are shown.
- sessions Show information about sessions.
- vrf Show session information about a particular VRF.
- vrf_name The VRF for which to show session information. The default VRF is named "default".
- status Show status information.
Guidelines
If both vrf and segment parameters are specified, the vrf parameter must precede the segment parameter. Command syntax such as show segment-security hardware detail segment segment_name vrf vrf_name is not valid.
- This command displays the MSS-Group configuration for all VRF instances and all segments.
switch# show segment-security
VRF : default
Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
switch#
- This command shows the MSS-Group configuration for the default VRF instance only.
switch# show segment-security vrf default
VRF : default
Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
switch#
- This command shows the MSS-Group configuration for the camera segment.
switch# show segment-security segment camera
VRF : default
Segment      interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
switch#
- This command shows information for all applications.
switch# show segment-security applications
application: app-match-all
   protocol: all
switch#
- This command shows information for the policy policy-drop-all.
switch# show segment-security policy policy-drop-all
policy: policy-drop-all [readonly]
   10 application app-match-all action drop stateless
switch#
show segment-security hardware counters
The show segment-security hardware counters command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies. To clear the Hit and Drop counters for each policy, setting them to 0, use the clear segment-security hardware counters command.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware counters [vrf vrf_name]
- vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
- vrf_name The VRF to show. To show the default VRF, specify "default".
Example
switch# show segment-security hardware counters vrf site_b
VRF: site_b
Policy Hit Drop
-------------------- ---------- ----------
policy-drop-all 6 6
policy-forward-all 13 0
Dest Segment Source Segment Policy Hit Drop
-------------------- -------------------- -------------------- ---------- ----------
camera * n/a 0 3
camera camera 6 6
camera secure-admin 4 0
secure-admin * n/a 0 12
secure-admin camera 9 0
switch#
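The counters described in the "Show commands" section and in the reference entry above are the only per-policy evidence the feature gives an operator: a rising Drop count on a segment's default line means traffic that matched no configured policy, a Drop count on an explicit policy means the policy-drop-all rule is doing its job, and a Drop count on a forward policy would be unexpected. The following added example, which is not Arista's code, parses the text of show segment-security hardware counters into per-destination totals and computes the increase between two polls, treating a value that has gone down as the effect of clear segment-security hardware counters. The sample text is constructed from the output shown in the example above; the function names and the summary keys are assumptions made for this illustration, and the parser tolerates rows whose Policy column is blank, as in that output.

```python
"""Parse 'show segment-security hardware counters' output and summarise drops.

Added example, not Arista's code. Function names and the summary layout are
assumptions; the sample text is constructed from the documentation's example.
"""

# Constructed sample, copied from the documentation's example output.
SAMPLE = """\
switch# show segment-security hardware counters vrf site_b
VRF: site_b
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0
Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
switch#
"""


def parse_counters(text):
    """Return {vrf: {"policies": {name: (hit, drop)}, "pairs": [row, ...]}}.
    A row is a dict with dest, src, policy (None when the column is blank), hit, drop."""
    result, vrf, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("switch#"):
            continue  # separators and prompts
        if line.startswith("VRF:"):
            vrf = line.split(":", 1)[1].strip()
            result[vrf] = {"policies": {}, "pairs": []}
            section = None
            continue
        if line.startswith("Dest Segment"):
            section = "pairs"
            continue
        if line.startswith("Policy"):
            section = "policies"
            continue
        tokens = line.split()
        if section == "policies" and len(tokens) == 3:
            result[vrf]["policies"][tokens[0]] = (int(tokens[1]), int(tokens[2]))
        elif section == "pairs" and len(tokens) in (4, 5):
            # 5 tokens: dest src policy hit drop; 4 tokens: the policy column is blank
            result[vrf]["pairs"].append({
                "dest": tokens[0], "src": tokens[1],
                "policy": tokens[2] if len(tokens) == 5 else None,
                "hit": int(tokens[-2]), "drop": int(tokens[-1]),
            })
    return result


def summarize(parsed, vrf):
    """Per destination segment: drops by the default policy (source '*', i.e. traffic
    that matched no configured policy), drops by explicit policies, and forwarded hits."""
    out = {}
    for row in parsed[vrf]["pairs"]:
        s = out.setdefault(row["dest"], {"unmatched_drops": 0, "policy_drops": 0, "forwarded": 0})
        if row["src"] == "*":
            s["unmatched_drops"] += row["drop"]
        else:
            s["policy_drops"] += row["drop"]
            s["forwarded"] += row["hit"] - row["drop"]
    return out


def delta(prev, cur):
    """Increase per destination between two polls. Counters only grow until
    'clear segment-security hardware counters' resets them, so a value that is
    lower than before is treated as a reset and reported as-is."""
    out = {}
    for dest, counts in cur.items():
        before = prev.get(dest, {})
        out[dest] = {k: v - before.get(k, 0) if v >= before.get(k, 0) else v
                     for k, v in counts.items()}
    return out


if __name__ == "__main__":
    summary = summarize(parse_counters(SAMPLE), "site_b")
    for dest, counts in summary.items():
        print(dest, counts)
```

Polling this on an interval and alerting on a positive `unmatched_drops` delta is a cheap way to notice a host that is reaching into a segment no policy was written for, whether through misconfiguration or not; the `forwarded` figure on a destination whose only policy is policy-drop-all should stay at zero.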
show segment-security hardware detail
The show segment-security hardware detail command displays the hardware ID allocated to each segment, the prefixes programmed in hardware for each segment, and the adjacency index used by each prefix (as determined from L3 hardware tables).
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware detail [vrf vrf_name][segment seg_name]
- vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
- vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
- segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
- seg_name The name of the segment to show details for.
Guidelines
If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware detail segment segment_name vrf vrf_name is not valid.
Example
switch# show segment-security hardware detail vrf site_a
VRF: site_a
Segment Hardware ID Prefixes Adj Index
-------------- --------------- ------------------------ ---------------
camera 63 69.89.31.200/32 1
69.89.31.201/32 1
70.89.31.0/24 1
2001:0:9d38:6ab8::/64 2
2002:0:9d38:6ab8::3/128 2
secure-admin 62 80.80.0.0/16 1
2003:0:9d38:6ab8::/64 2
switch#
show segment-security hardware routes
- The prefix does not overlap with an FIB route. This prefix has route type S.
- The prefix is also configured in the FIB. If a segment prefix is identical to an FIB prefix, it is given the route type S,F.
- The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type F.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware routes [vrf vrf_name][segment seg_name]
- vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
- vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
- segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
- seg_name The name of the segment to show details for.
Guidelines
If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware detail segment segment_name vrf vrf_name is not valid.
Example
switch# show segment-security hardware routes vrf site_a segment camera
Codes: S - Segment prefix
F - FIB route
S,F - Segment prefix which is also present in FIB
VRF: site_a
Segment Hardware ID Routes Route Type
------------- ------------- -------------------------- ----------
camera 63 69.89.31.200/32 S
69.89.31.201/32 S
70.89.31.0/24 S,F
2001:0:9d38:6ab8::/64 S
2002:0:9d38:6ab8::3/128 S
switch#
show segment-security hardware summary
The show segment-security hardware summary command displays the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware summary [vrf vrf_name][segment seg_name]
- vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
- vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
- segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
- seg_name The name of the segment to show details for.
Guidelines
If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware detail segment segment_name vrf vrf_name is not valid.
Example
switch# show segment-security hardware summary
VRF: default
Segment Hardware ID Prefixes Programmed
-------------------- --------------- ---------- ---------------
camera 63 5 5
secure-admin 62 2 2
switch#
shutdown (router segment-security)
The shutdown command disables MSS-Group (segment security) in the switch. This is the default. The no shutdown and default shutdown commands enable MSS-Group.
Command Mode
Router Segment-Security Configuration
Command Syntax
shutdown
no shutdown
default shutdown
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# no shutdown
switch(config-router-seg-sec)#
vrf (router segment-security)
The vrf command enters Router Segment-Security VRF Configuration mode, creating a VRF instance if necessary, to create and configure MSS-Group segments.
Command Mode
Router Segment-Security Configuration
Command Syntax
vrf vrf_instance
- vrf_instance The name of the VRF instance. To configure MSS-Group for the default VRF instance, specify "default".
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)#