Segment Security
Overview of MSS-Group
The system supports grouping hosts and networks into segments based on their prefixes. The MSS-Group feature (also referred to as Segment Security) allows policies to be applied to segments rather than interfaces or subnets.
Policies define inter-segment and intra-segment rules; for example:
- Segment A is allowed to communicate with segment B.
- Hosts in segment B are not allowed to communicate with each other.
By default, the system drops traffic directed to a segment, so an explicit forward policy is required before communication is possible. The two directions of traffic are handled independently: to allow traffic between two segments, you must configure a forward policy in each segment, each naming the other segment as the source.
Configuring MSS-Group
To configure MSS-Group (Segment Security) to control groups of IPv4 or IPv6 addresses (called “segments”), define one or more match lists, create segments based on those match lists, create policies governing traffic to individual segments, define the default policy for all segments, and enable the MSS-Group feature. Up to 60 segments can be defined across all VRFs. Traffic to and from VLANs with no SVI configured is considered part of the default VRF and is subject to the policies defined in the default VRF. This feature does not require routing to be enabled on the switch, even though the mode name starts with the word “router.”
Define Match Lists
Use the match-list input command to define an IPv4 or IPv6 subnet list. Each match list must contain only one type of prefix, IPv4 or IPv6. It cannot contain a mixture. Each match list name of a given type must be unique, but an IPv4 match list and an IPv6 match list can have the same name.
Example
- The following commands define two IPv4 match lists named camera-prefixes and admin-prefixes and two IPv6 match lists also named camera-prefixes and admin-prefixes, and they add a total of seven prefixes.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.200/32
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.201/32
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 70.89.31.0/24
switch(config-match-list-prefix-ipv4-camera-prefixes)# exit
switch(config)# match-list input prefix-ipv6 camera-prefixes
switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2001:0:9d38:6ab8::/64
switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2002:0:9d38:6ab8::3/128
switch(config-match-list-prefix-ipv6-camera-prefixes)# exit
switch(config)# match-list input prefix-ipv4 admin-prefixes
switch(config-match-list-prefix-ipv4-admin-prefixes)# match prefix-ipv4 80.80.0.0/16
switch(config-match-list-prefix-ipv4-admin-prefixes)# exit
switch(config)# match-list input prefix-ipv6 admin-prefixes
switch(config-match-list-prefix-ipv6-admin-prefixes)# match prefix-ipv6 2003:0:9d38:6ab8::/64
switch(config-match-list-prefix-ipv6-admin-prefixes)# exit
switch(config)#
Define Segments using Match Lists
Use the segment command to define a segment. A segment contains one or two match lists, one of type IPv4 and the other of type IPv6.
Example
- The following commands define segments using the match lists configured above.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment camera
switch(config-router-seg-sec-vrf-segment-camera)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 camera-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 camera-prefixes
switch(config-router-seg-sec-vrf-segment-def)# exit
switch(config-router-seg-sec-vrf-segment-camera)# exit
switch(config-router-seg-sec-vrf-default)# segment secure-admin
switch(config-router-seg-sec-vrf-segment-secure-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# exit
switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
switch(config-router-seg-sec-vrf-default)# exit
switch(config-router-seg-sec)# exit
switch(config)#
Define Policies Between Segments
Use the policies command to drop or forward traffic to a segment from specific other segments. Two built-in policies are available: policy-forward-all forwards traffic between segments and policy-drop-all drops it. policy-drop-all is in effect by default for any pair of segments without an explicit policy.
Example
- The following commands allow bidirectional traffic between the two segments defined earlier. A segment's policies govern traffic destined to that segment, so each segment must name the other segment as the source (the camera segment allows traffic from secure-admin, and the secure-admin segment allows traffic from camera).
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment camera
switch(config-router-seg-sec-vrf-segment-camera)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from secure-admin policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# exit
switch(config-router-seg-sec-vrf-segment-camera)# exit
switch(config-router-seg-sec-vrf-default)# segment secure-admin
switch(config-router-seg-sec-vrf-segment-secure-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# exit
switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
switch(config-router-seg-sec-vrf-default)# exit
switch(config-router-seg-sec)# exit
switch(config)#
Enable MSS-Group
MSS-Group is not enabled, by default. Use the no shutdown command to enable it or the shutdown command to disable it.
- The following commands enable MSS-Group.
switch(config)# router segment-security
switch(config-router-seg-sec)# no shutdown
switch(config-router-seg-sec)# exit
switch(config)#
- The following commands disable MSS-Group.
switch(config)# router segment-security
switch(config-router-seg-sec)# shutdown
switch(config-router-seg-sec)# exit
switch(config)#
Configuring Default Forward/Drop Behavior
When MSS-Group is first enabled, all traffic to nodes in a segment is dropped unless explicitly allowed by a policy-forward-all policy, as shown earlier. This includes traffic within the segment. Use the no segment policy policy-drop-all default command to change this behavior and allow intra-segment traffic.
- The following commands allow all traffic within each segment as well as between segments.
switch(config)# router segment-security
switch(config-router-seg-sec)# no segment policy policy-drop-all default
switch(config-router-seg-sec)# exit
switch(config)#
You can modify the policy for each segment more granularly with the policies command.
- The following commands prevent nodes in the camera segment from communicating with each other.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment camera
switch(config-router-seg-sec-vrf-segment-camera)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-drop-all
switch(config-router-seg-sec-vrf-segment-policies)# exit
switch(config-router-seg-sec-vrf-segment-camera)# exit
switch(config-router-seg-sec-vrf-default)# exit
switch(config-router-seg-sec)# exit
switch(config)# exit
Segment Security Considerations
- Multicast and Link-Local prefixes are not supported.
- Expect traffic disruption during prefix and policy configuration. The system does not support atomicity during segment and prefix configuration.
- MSS-Group and URPF feature interaction is not supported. If both features are configured (misconfiguration), the platform gives URPF higher priority and removes any existing segment configurations from the hardware.
- The system periodically retries prefix entries that fail to install in hardware (due to insufficient resources) until resources become available and the system successfully installs the prefixes. However, this retry mechanism does not apply to policy entries. If a policy entry fails, you must remove it, free up hardware resources, and re-enable the MSS-Group feature.
- You cannot configure custom policies; choose from the two built-in policies, policy-drop-all and policy-forward-all.
- A given prefix can only be part of a single segment in a VRF. Attempting to configure the same prefix in more than one segment leads to undefined traffic forwarding behavior.
- You cannot configure the same prefix in both MSS-Group and MSS-L3 configurations.
- You can perform SSU with MSS-Group configured, but the configuration will not allow for hitless traffic flows.
- DHCP discovery packets with a broadcast destination IP of 255.255.255.255 will only match the 0.0.0.0/0 prefix.
- All traffic sourced from or destined to switch-owned IPs is allowed regardless of MSS-Group configuration.
- Enabling MSS-Group halves the LPM table capacity because the feature requires both a source and a destination IP lookup. The system always enables source and destination lookup by default, so the host table capacity remains unchanged.
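The configuration procedure above (match lists, segments, policies, default policy, no shutdown) and the considerations list are easy to get wrong by hand: a prefix pasted into two segments gives undefined forwarding, a multicast or link-local prefix is unsupported, and a forward policy configured in only one segment silently leaves the reverse direction on policy-drop-all. The following script, added here as an example and not part of the EOS documentation or any Arista tool, generates the CLI from a segment inventory and checks those rules first. The SEGMENTS and ALLOW tables are constructed for illustration (the prefixes are the ones used in this chapter), and the function names validate and render are this script's own.

```python
"""Generate an EOS MSS-Group (segment security) configuration from a segment
inventory and check it against the rules in this chapter before pushing it.

Added example, not part of the EOS documentation or of any Arista tool. The
SEGMENTS and ALLOW tables are constructed for illustration.
"""
import ipaddress

# Constructed inventory: segment name -> prefixes of either family. The
# generator splits each segment into a prefix-ipv4 and a prefix-ipv6 match
# list named <segment>-prefixes, as the chapter does.
SEGMENTS = {
    "camera": ["69.89.31.200/32", "69.89.31.201/32", "70.89.31.0/24",
               "2001:0:9d38:6ab8::/64", "2002:0:9d38:6ab8::3/128"],
    "secure-admin": ["80.80.0.0/16", "2003:0:9d38:6ab8::/64"],
}

# Allowed flows as (source segment, destination segment). Each direction is a
# separate 'from' policy on the destination segment, so a two-way allow needs
# both tuples; a (seg, seg) tuple allows traffic within a segment.
ALLOW = [("secure-admin", "camera"), ("camera", "secure-admin")]


def validate(segments, allow):
    """Return a list of problems; an empty list means the config is safe to push."""
    problems = []
    owner = {}  # network -> segment that claims it
    for seg, prefixes in segments.items():
        for p in prefixes:
            net = ipaddress.ip_network(p, strict=True)
            if net.is_multicast or net.is_link_local:
                problems.append(f"{seg}: {p} is multicast or link-local (not supported)")
            # The same prefix in two segments of one VRF gives undefined forwarding.
            if net in owner and owner[net] != seg:
                problems.append(f"{p} is claimed by both {owner[net]} and {seg}")
            owner[net] = seg
    if len(segments) > 60:  # limit is 60 across all VRFs; this inventory is one VRF
        problems.append(f"{len(segments)} segments exceeds the limit of 60")
    for src, dst in allow:
        for name in (src, dst):
            if name not in segments:
                problems.append(f"policy {src}->{dst} references unknown segment {name}")
        # One-way allows are legal, but because policy-drop-all is the default
        # for the reverse direction they are usually an oversight: flag them.
        if src != dst and (dst, src) not in allow:
            problems.append(f"{src}->{dst} is allowed but {dst}->{src} will be dropped")
    return problems


def _family(prefix):
    return ipaddress.ip_network(prefix).version


def render(segments, allow, vrf="default"):
    """Emit the CLI in the order the chapter uses: match lists, segments,
    policies, then 'no shutdown' so nothing is enforced before it is defined."""
    out = []
    for seg, prefixes in segments.items():
        for version, kw in ((4, "prefix-ipv4"), (6, "prefix-ipv6")):
            members = [p for p in prefixes if _family(p) == version]
            if not members:
                continue
            out.append(f"match-list input {kw} {seg}-prefixes")
            out += [f"   match {kw} {p}" for p in members]
            out.append("   exit")
    out += ["router segment-security", f"   vrf {vrf}"]
    for seg, prefixes in segments.items():
        out += [f"      segment {seg}", "         definition"]
        for version, kw in ((4, "prefix-ipv4"), (6, "prefix-ipv6")):
            if any(_family(p) == version for p in prefixes):
                out.append(f"            match {kw} {seg}-prefixes")
        out.append("         exit")
        sources = [src for src, dst in allow if dst == seg]
        if sources:
            out.append("         policies")
            out += [f"            from {src} policy policy-forward-all" for src in sources]
            out.append("         exit")
        out.append("      exit")
    out += ["      exit", "   no shutdown", "   exit"]
    return "\n".join(out)


if __name__ == "__main__":
    issues = validate(SEGMENTS, ALLOW)
    if issues:
        raise SystemExit("\n".join(issues))
    print(render(SEGMENTS, ALLOW))
```

Run validate before render and refuse to push on any finding; the one-way check in particular would have caught a policy configured on only one of the two segments, which is exactly the kind of mistake that leaves an operator wondering why the return traffic is dropped.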
Show Commands
The show commands available to examine the configuration and status of MSS-Group include:
show segment-security [vrf <vrf-name>] [segment <seg-name>]
switch# show segment-security
VRF : default
Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
show match-list {prefix-ipv4 | prefix-ipv6} [<list-name>]
switch# show match-list prefix-ipv4
Name            Prefix
--------------- ---------------
admin-prefixes  80.80.0.0/16
camera-prefixes 69.89.31.200/32
                69.89.31.201/32
                70.89.31.0/24
switch# show match-list prefix-ipv6
Name            Prefix
--------------- -----------------------
admin-prefixes  2003:0:9d38:6ab8::/64
camera-prefixes 2001:0:9d38:6ab8::/64
                2002:0:9d38:6ab8::3/128
show segment-security hardware summary [vrf <vrf-name>] [segment <seg-name>]
This command shows the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.
switch# show segment-security hardware summary
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2
show segment-security hardware detail [vrf <vrf-name>] [segment <seg-name>]
This command shows the hardware ID assigned to each segment, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).
switch# show segment-security hardware detail
VRF: default
Segment              Hardware ID     Prefixes                                Adj Index
-------------------- --------------- --------------------------------------- ---------------
camera               63              69.89.31.200/32                         1
                                     69.89.31.201/32                         1
                                     70.89.31.0/24                           1
                                     2001:0:9d38:6ab8::/64                   2
                                     2002:0:9d38:6ab8::3/128                 2
secure-admin         62              80.80.0.0/16                            1
                                     2003:0:9d38:6ab8::/64                   2
show segment-security hardware routes [vrf <vrf-name>] [segment <seg-name>]
Since MSS-Group prefixes use L3 hardware tables, the prefixes can overlap with FIB routes, so each prefix is assigned a route type. There are three possible classifications for a prefix:
- The prefix does not overlap with an FIB route. This prefix has route type 'S'.
- The prefix is also configured in the FIB. If a segment prefix is identical to an FIB prefix, it is given the route type 'S,F'.
- The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type 'F'.
switch# show segment-security hardware routes
Codes: S - Segment prefix
       F - FIB route
       S,F - Segment prefix which is also present in FIB
VRF: default
Segment              Hardware ID     Routes                                  Route Type
-------------------- --------------- --------------------------------------- ----------
camera               63              69.89.31.200/32                         S
                                     69.89.31.201/32                         S
                                     70.89.31.0/24                           S,F
                                     2001:0:9d38:6ab8::/64                   S
                                     2002:0:9d38:6ab8::3/128                 S
secure-admin         62              80.80.0.0/16                            S
                                     2003:0:9d38:6ab8::/64                   S
show segment-security hardware counters [vrf <vrf-name>]
This command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies.
switch# show segment-security hardware counters
VRF: default
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
clear segment-security hardware counters
This command clears the Hit and Drop counters for each policy, setting them to 0.
switch# clear segment-security hardware counters
switch#
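Two of the outputs above are worth watching continuously rather than only while configuring: the summary's Prefixes/Programmed columns (a shortfall means some prefixes never made it into hardware, so traffic for them is not classified into the segment and the configured policy is not what the switch enforces), and the '*' rows of the counters output (drops by a segment's default policy, which are either a missing from policy or a host talking where it should not). The following parser and checks are an added example, not part of the EOS documentation or any Arista tool. The two sample outputs are constructed: the counters text is the one shown above, and the summary text follows the layout above but with secure-admin at 1 of 2 prefixes programmed so that the failure path is exercised. In use, feed the text returned by the switch in place of the constants.

```python
"""Parse 'show segment-security hardware summary' and 'show segment-security
hardware counters' output and flag what an operator should act on.

Added example, not part of the EOS documentation. SUMMARY and COUNTERS are
constructed sample outputs in the layout this chapter shows.
"""
import re

SUMMARY = """\
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          1
"""

COUNTERS = """\
VRF: default
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
"""

VRF_RE = re.compile(r"^VRF\s*:\s*(\S+)")


def parse_summary(text):
    """Return {vrf: {segment: (prefixes, programmed)}}."""
    out, vrf = {}, None
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf = m.group(1)
            out[vrf] = {}
            continue
        parts = line.split()
        # Data rows are: name, hardware id, prefixes, programmed (three ints).
        if vrf and len(parts) == 4 and all(p.isdigit() for p in parts[1:]):
            out[vrf][parts[0]] = (int(parts[2]), int(parts[3]))
    return out


def unprogrammed(summary):
    """Segments whose prefixes are not all in hardware. The switch retries
    prefix installs on its own, but until they succeed the segment's policy
    is not enforced for the missing prefixes. Returns (vrf, seg, want, have)."""
    return [(vrf, seg, want, have)
            for vrf, segs in summary.items()
            for seg, (want, have) in segs.items() if have < want]


def parse_counters(text):
    """Return the per-segment rows as dicts. The Policy column may be blank,
    so each row is read from both ends: two segment names on the left, two
    integer counters on the right, and whatever sits between is the policy."""
    rows, vrf, in_table = [], None, False
    for line in text.splitlines():
        m = VRF_RE.match(line)
        if m:
            vrf, in_table = m.group(1), False
            continue
        if line.startswith("Dest Segment"):
            in_table = True
            continue
        parts = line.split()
        if not in_table or len(parts) < 4 or not (parts[-1].isdigit() and parts[-2].isdigit()):
            continue
        rows.append({"vrf": vrf, "dest": parts[0], "src": parts[1],
                     "policy": " ".join(parts[2:-2]),
                     "hit": int(parts[-2]), "drop": int(parts[-1])})
    return rows


def default_policy_drops(rows):
    """Drops on the '*' (default policy) row of each segment: traffic that
    reached the segment from a source with no explicit 'from' policy.
    Returns {dest segment: drop count} for segments with a non-zero count."""
    return {r["dest"]: r["drop"] for r in rows if r["src"] == "*" and r["drop"] > 0}


if __name__ == "__main__":
    for vrf, seg, want, have in unprogrammed(parse_summary(SUMMARY)):
        print(f"WARNING vrf {vrf} segment {seg}: {have}/{want} prefixes programmed")
    for seg, drops in default_policy_drops(parse_counters(COUNTERS)).items():
        print(f"NOTICE segment {seg}: {drops} packets dropped by default policy")
```

Because clear segment-security hardware counters resets the counters, a monitoring job should either record the previous values and alert on the delta, or clear after each read so that every non-zero '*' row is new traffic.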
Segment Security Commands
Global Configuration Commands
Router Segment-Security VRF Segment Definition Configuration Commands
Segment-Security Clear and Show Commands
clear segment-security hardware counters
The clear segment-security hardware counters command clears the MSS-Group (segment security) Hit and Drop counters, both the totals for each built-in policy and the hits and drops for each segment's policy rows. All MSS-Group counters are set to 0.
Command Mode
Privileged EXEC
Command Syntax
clear segment-security hardware counters
Examples
- This command clears all counters for MSS-Group.
switch# clear segment-security hardware counters
switch#
definition (segment)
The definition command enters Router Segment-Security VRF Segment Definition Configuration mode. Changes apply to running-config immediately. The exit command does not affect the configuration.
The no definition and default definition commands clear the segment definitions from running-config.
Command Mode
Router Segment-Security VRF Segment Configuration
Command Syntax
definition
no definition
default definition
Commands Available in Router Segment-Security VRF Segment Definition Configuration Mode
match (segment definition)
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)#
from (segment policies)
The from command adds a policy to a segment in order to filter traffic from a specified segment, either the same segment or a different segment. The policy can be either policy-drop-all or policy-forward-all. The default behavior uses policy-drop-all. Therefore, for a segment to allow traffic among members, it requires a policy-forward-all policy. You can add any number of policies.
The no from and default from commands clear the segment policy from the running-config.
Command Mode
Router Segment-Security VRF Segment Policies Configuration
Command Syntax
from segment_name policy [policy-drop-all | policy-forward-all]
no from segment_name [policy [policy-drop-all | policy-forward-all]]
default from segment_name [policy [policy-drop-all | policy-forward-all]]
Parameters
[ policy-drop-all | policy-forward-all] - Specify the type of policy.
segment_name The name of the segment to filter. This can be the current segment to give control over traffic within the segment.
Related Command
segment policy policy-drop-all default
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)# from admin policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)# from seg1 policy policy-drop-all
switch(config-router-seg-sec-vrf-segment-policies)# from seg2 policy policy-forward-all
switch(config-router-seg-sec-vrf-segment-policies)#
match-list input
The match-list input command enters Match List Configuration mode for the specified match list, creating one if it does not exist. The commands in this mode apply changes to running-config immediately.
The no match-list input and default match-list input commands remove the specified match list from running-config.
Command Mode
Global Configuration Mode
Command Syntax
match-list input [prefix-ipv4 | prefix-ipv6] match_list_name
no match-list input [prefix-ipv4 | prefix-ipv6] match_list_name
default match-list input [prefix-ipv4 | prefix-ipv6] match_list_name
- prefix-ipv4 - This match list has IPv4 prefixes only.
- prefix-ipv6 - This match list has IPv6 prefixes only.
- match_list_name - The name of the match-list to add. If it does not exist, it creates one.
- The following command creates an IPv4 match list called camera-prefixes and enters Match List Configuration mode.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)#
- The following command removes the IPv4 match list camera-prefixes from running-config.
switch(config)# no match-list input prefix-ipv4 camera-prefixes
switch(config)#
match (match-list input)
The match command adds an entry to a match list. Each entry in a given match list must be of the same type, either IPv4 or IPv6. This command updates running-config immediately.
The no match and default match commands remove the specified match list entry from the match list in running-config.
Command Mode
Match List input Configuration Mode
Command Syntax
match [prefix-ipv4 | prefix-ipv6] ip_address_prefix
no match [prefix-ipv4 | prefix-ipv6] ip_address_prefix
default match [prefix-ipv4 | prefix-ipv6] ip_address_prefix
- prefix-ipv4 - Specify an IPv4 prefix list. You cannot mix prefix types in a single match list.
- prefix-ipv6 - Specify an IPv6 prefix list. You cannot mix prefix types in a single match list.
- ip_address_prefix - Specify the prefix to add. For IPv4, it is of the form A.B.C.D/E. For IPv6, it is of the form A:B:C:D:E:F:G:H/I.
- The following commands add two IPv4 entries to the match list camera-prefixes.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.200/32
switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4 69.89.31.201/32
switch(config-match-list-prefix-ipv4-camera-prefixes)#
- The following command removes one entry from the camera-prefixes match list.
switch(config)# match-list input prefix-ipv4 camera-prefixes
switch(config-match-list-prefix-ipv4-camera-prefixes)# no match prefix-ipv4 69.89.31.201/32
switch(config-match-list-prefix-ipv4-camera-prefixes)#
match (segment definition)
The match command adds a match list to a segment definition. The match list cannot contain both IPv4 and IPv6 prefixes. One match list of each type can be added. The segment definition updates in running-config immediately.
The no match command removes the specified match list from the segment definition in running-config.
The default match command removes the specified match list from the segment definition in running-config.
Command Mode
Router Segment-Security VRF Segment Definition Configuration
Command Syntax
match [prefix-ipv4 | prefix-ipv6] match_list_name
no match [prefix-ipv4 | prefix-ipv6] match_list_name
default match [prefix-ipv4 | prefix-ipv6] match_list_name
Parameters
prefix-ipv4 - The match list contains IPv4 prefixes.
prefix-ipv6 - The match list contains IPv6 prefixes.
match_list_name - The name of the match list.
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# definition
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
switch(config-router-seg-sec-vrf-segment-def)#
policies (segment)
The policies command places the switch in Router Segment Security VRF Segment Policies Configuration mode. In this mode, the command from creates a policy for the segment. A segment can contain multiple policies.
The no policies command clears the segment policies from running-config.
The default policies command clears the segment policies from running-config.
Command Mode
Router Segment-Security VRF Segment Configuration
Command Syntax
policies
no policies
default policies
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)# policies
switch(config-router-seg-sec-vrf-segment-policies)#
router segment-security
The router segment-security command enters Router Segment-Security Configuration Mode. Use this mode to enable or disable MSS-Group (segment security), and to enter the Router Segment-Security VRF Configuration Mode to create segments from match lists and to configure MSS-Group.
The no router segment-security command removes the MSS-Group configuration from running-config.
The default router segment-security command removes the MSS-Group configuration from running-config.
Command Mode
Global Configuration Mode
Command Syntax
router segment-security
no router segment-security
default router segment-security
Commands Available In Router Segment-Security Configuration Mode
segment
shutdown
vrf
- The following command enters Router Segment-Security Configuration Mode.
switch(config)# router segment-security
switch(config-router-seg-sec)#
- The following command disables MSS-Group and removes the MSS-Group configuration from the running-config.
switch(config)# no router segment-security
switch(config)#
segment
The segment command enters Router Segment-Security VRF Segment Configuration mode, creating a segment if one does not exist. The commands in this mode apply changes to running-config immediately. The exit command does not affect the configuration.
The no segment command and the default segment command clear the segment from running-config.
Command Mode
Router Segment-Security VRF Configuration
Command Syntax
segment segment_name
no segment segment_name
default segment segment_name
Parameters
segment_name - Specify the name of the segment.
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)# segment admin
switch(config-router-seg-sec-vrf-segment-admin)#
segment policy policy-drop-all default
The segment policy policy-drop-all default command configures the switch to drop all traffic to all segments. This is the default.
The no segment policy policy-drop-all default command allows segments to receive traffic. This is necessary to allow traffic within a segment.
The default segment policy policy-drop-all default command restores the default, so that all traffic to all segments drops.
Command Mode
Router Segment-Security Configuration
Command Syntax
segment policy policy-drop-all default
no segment policy policy-drop-all default
default segment policy policy-drop-all default
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# no segment policy policy-drop-all default
switch(config-router-seg-sec)#
show match-list
The show match-list command displays match lists of type IPv4 or IPv6.
Command Mode
Privileged EXEC
Command Syntax
show match-list [prefix-ipv4 | prefix-ipv6] [list-name]
- prefix-ipv4 - Specify an IPv4 prefix list.
- prefix-ipv6 - Specify an IPv6 prefix list.
- list-name - Specify a match list name.
- The following command displays all the IPv4 match lists and their contents.
switch# show match-list prefix-ipv4
Name            Prefix
--------------- ---------------
admin-prefixes  80.80.0.0/16
camera-prefixes 69.89.31.200/32
                69.89.31.201/32
                70.89.31.0/24
- The following command displays the contents of the IPv6 match list camera-prefixes.
switch# show match-list prefix-ipv6 camera-prefixes
Name            Prefix
--------------- -----------------------
camera-prefixes 2001:0:9d38:6ab8::/64
                2002:0:9d38:6ab8::3/128
show segment-security
The show segment-security command shows the status and configuration of MSS-Group (segment security).
Command Mode
Privileged EXEC
Command Syntax
show segment-security [vrf vrf_name] [segment seg_name]
show segment-security application [application_name]
show segment-security policy [policy_name]
show segment-security sessions [vrf vrf_name]
show segment-security status
- vrf - Displays information for a particular VRF.
By default, the output displays all VRFs.
- vrf_name - Displays the VRF name. The default VRF instance displays default.
- segment - Displays information for a particular
segment. By default, the output displays all segments.
- segment_name - Displays the name of the segment.
- application - Displays status and configuration
for applications. By default, the output displays no application
information.
- application_name - Displays the name of the application. If omitted, the output displays all applications.
- policy - Displays information about policies.
- policy_name - Displays the name of the policy. If omitted, the output displays all policies.
- sessions - Displays information about sessions.
- vrf - Displays session information about a particular VRF.
- vrf_name - Displays the VRF with session information. The default VRF instance displays default.
- status - Displays the status information.
Guidelines
If specifying both vrf and segment parameters, the vrf parameter must precede the segment parameter.
- This command displays the MSS-Group configuration for all VRF instances and all segments.
switch# show segment-security
VRF : default
Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
- This command displays the MSS-Group configuration for the default VRF instance only.
switch# show segment-security vrf default
VRF : default
Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all
- This command displays the MSS-Group configuration for the camera segment.
switch# show segment-security segment camera
VRF : default
Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy
------------ ---------- --------------- --------------- ------------ ------------------
camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
- This command displays information for all applications.
switch# show segment-security applications
application: app-match-all
   protocol: all
- This command displays information for the policy policy-drop-all.
switch# show segment-security policy policy-drop-all
policy: policy-drop-all [readonly]
   10 application app-match-all action drop stateless
show segment-security hardware
The show segment-security hardware command displays detailed information about the hardware resources used by the MSS-Group feature.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware [summary | detail | routes | counters] [vrf vrf-name] [segment seg-name]
- summary - Displays the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.
- detail - Displays the hardware ID allocated to each segment, the prefixes programmed in hardware for each segment, and the adjacency index used by prefix ( as determined from L3 hardware tables).
- routes - Displays the route and type for each
programmed prefix in hardware. Since MSS-Group prefixes use L3 hardware
tables, the prefixes can overlap with FIB routes, so each prefix is assigned
a route type. There are three possible classifications for a prefix:
- The prefix does not overlap with an FIB route. This prefix has route type S.
- The prefix is also configured in the FIB. If a segment prefix matches an FIB prefix, it has the route type S,F.
- The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type F.
- counters - Displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. The output displays lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies. To clear the Hit and Drop counters for each policy, setting them to 0, use the clear segment-security hardware counters command.
- vrf-name - Displays the VRF. By default, the output displays all VRFs.
- seg-name- Displays the segment. By default, the output displays all segments.
Examples
- This command displays the hardware ID allocated to the configured segment, number of prefixes configured and number of prefixes successfully programmed in hardware.
switch# show segment-security hardware summary
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2
- This command displays the hardware IDs allocated to each segment, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).
switch# show segment-security hardware detail
VRF: default
Segment              Hardware ID     Prefixes                                Adj Index
-------------------- --------------- --------------------------------------- ---------------
camera               63              69.89.31.200/32                         1
                                     69.89.31.201/32                         1
                                     70.89.31.0/24                           1
                                     2001:0:9d38:6ab8::/64                   2
                                     2002:0:9d38:6ab8::3/128                 2
secure-admin         62              80.80.0.0/16                            1
                                     2003:0:9d38:6ab8::/64                   2
- This command displays the route and type for programmed prefixes in hardware.
switch# show segment-security hardware routes
Codes: S - Segment prefix
       F - FIB route
       S,F - Segment prefix which is also present in FIB
VRF: default
Segment              Hardware ID     Routes                                  Route Type
-------------------- --------------- --------------------------------------- ----------
camera               63              69.89.31.200/32                         S
                                     69.89.31.201/32                         S
                                     70.89.31.0/24                           S,F
                                     2001:0:9d38:6ab8::/64                   S
                                     2002:0:9d38:6ab8::3/128                 S
secure-admin         62              80.80.0.0/16                            S
                                     2003:0:9d38:6ab8::/64                   S
- This command displays the policy and counters for policies configured for segments.
switch# show segment-security hardware counters
VRF: default
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
show segment-security hardware counters
The show segment-security hardware counters command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets that do not match a configured policy but are dropped by these default policies. To clear the Hit and Drop counters for each policy, setting them to 0, use the clear segment-security hardware counters command.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware counters [vrf vrf_name]
- vrf - Display details for a specific VRF. If omitted, the output displays details for all VRFs.
- vrf_name - Name of the VRF to display. To show the default VRF, specify "default".
Example
switch# show segment-security hardware counters vrf site_b
VRF: site_b
Policy Hit Drop
-------------------- ---------- ----------
policy-drop-all 6 6
policy-forward-all 13 0
Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera               policy-drop-all      6          6
camera               secure-admin         policy-forward-all   4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera               policy-forward-all   9          0
switch#
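The counter rows are the quickest way to spot traffic the segment model did not anticipate: a non-zero Drop on a segment's default-policy row ("*" / "n/a") means hosts are sending to that segment from a source with no configured policy, and a non-zero Drop on a configured row means an explicit drop policy is being exercised. The following script is an added example, not part of the original page or of the switch software; it parses the text of show segment-security hardware counters (the sample below is constructed to mirror the page's site_b example), reports both kinds of drops, and cross-checks that the per-policy totals equal the sum of the pair rows that reference each policy.

```python
"""Parse 'show segment-security hardware counters' output and flag traffic
hitting a segment's default (implicit) drop or a configured drop policy."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample modelled on the page's site_b example; not captured
# from a real switch.
SAMPLE = """\
VRF: site_b
Policy                Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment   Source Segment   Policy             Hit   Drop
-------------- ---------------- ------------------ ----- -----
camera         *                n/a                0     3
camera         camera           policy-drop-all    6     6
camera         secure-admin     policy-forward-all 4     0
secure-admin   *                n/a                0     12
secure-admin   camera           policy-forward-all 9     0
"""


@dataclass(frozen=True)
class PairCounter:
    vrf: str
    dest: str
    source: str   # '*' marks the destination segment's default-policy row
    policy: str   # 'n/a' on default-policy rows
    hit: int
    drop: int


def parse_counters(text: str) -> Tuple[Dict[tuple, tuple], List[PairCounter]]:
    """Return (policy_totals, pair_rows) for every VRF block in the output.

    policy_totals maps (vrf, policy) -> (hit, drop) from the first table;
    pair_rows holds one PairCounter per line of the per-segment-pair table."""
    totals: Dict[tuple, tuple] = {}
    pairs: List[PairCounter] = []
    vrf = None
    table = None  # which table we are inside: 'policy' or 'pair'
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank line or column underline
        m = re.match(r"VRF:\s+(\S+)$", line)
        if m:
            vrf, table = m.group(1), None
            continue
        if line.startswith("Policy "):
            table = "policy"
            continue
        if line.startswith("Dest Segment"):
            table = "pair"
            continue
        cols = line.split()
        if table == "policy" and len(cols) == 3:
            totals[(vrf, cols[0])] = (int(cols[1]), int(cols[2]))
        elif table == "pair" and len(cols) == 5:
            pairs.append(PairCounter(vrf, cols[0], cols[1], cols[2],
                                     int(cols[3]), int(cols[4])))
    return totals, pairs


def default_policy_drops(pairs: List[PairCounter]) -> List[PairCounter]:
    """Rows where a segment's default policy dropped packets: traffic arrived
    from a source that has no configured policy toward that destination."""
    return [r for r in pairs if r.source == "*" and r.drop > 0]


def configured_drops(pairs: List[PairCounter]) -> List[PairCounter]:
    """Rows where a configured inter/intra-segment policy dropped packets."""
    return [r for r in pairs if r.source != "*" and r.drop > 0]


def verify_totals(totals: Dict[tuple, tuple],
                  pairs: List[PairCounter]) -> Dict[tuple, tuple]:
    """Per-policy totals must equal the sum of the pair rows using that policy.
    Returns {(vrf, policy): (table_total, summed_from_pairs)} for mismatches."""
    summed: Dict[tuple, List[int]] = {}
    for r in pairs:
        if r.policy == "n/a":
            continue  # default-policy rows have no named policy to sum into
        acc = summed.setdefault((r.vrf, r.policy), [0, 0])
        acc[0] += r.hit
        acc[1] += r.drop
    return {k: (v, tuple(summed.get(k, [0, 0])))
            for k, v in totals.items() if tuple(summed.get(k, [0, 0])) != v}


if __name__ == "__main__":
    totals, pairs = parse_counters(SAMPLE)
    for r in default_policy_drops(pairs):
        print(f"[{r.vrf}] {r.drop} packets to {r.dest} dropped by the default "
              f"policy (no allow policy for the source)")
    for r in configured_drops(pairs):
        print(f"[{r.vrf}] {r.source} -> {r.dest}: {r.drop}/{r.hit} dropped "
              f"by {r.policy}")
    for (vrf, pol), (tot, summed) in verify_totals(totals, pairs).items():
        print(f"[{vrf}] counter mismatch for {pol}: table {tot}, pairs {summed}")
```

Run it against a saved copy of the command output, or feed it the text returned by your automation tooling; because the counters accumulate until cleared, clear them after a baseline and diff the default-policy drops over time to catch new, unplanned flows.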
show segment-security hardware detail
The show segment-security hardware detail command displays the hardware ID allocated to each segment, the prefixes programmed in hardware for each segment, and the adjacency index used by each prefix as determined from L3 hardware tables.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware detail [vrf vrf_name][segment seg_name]
- vrf - Display details for a specific VRF. If omitted, the output displays details for all VRFs.
- vrf_name - Name of the VRF to display. To show details for the default VRF, specify "default".
- segment - Display details for a specific segment. If omitted, the output displays details for all segments.
- seg_name - Name of the segment to display.
Guidelines
If both the vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware detail segment segment_name vrf vrf_name is not valid.
Example
switch# show segment-security hardware detail vrf site_a
VRF: site_a
Segment Hardware ID Prefixes Adj Index
-------------- --------------- ------------------------ ---------------
camera 63 69.89.31.200/32 1
69.89.31.201/32 1
70.89.31.0/24 1
2001:0:9d38:6ab8::/64 2
2002:0:9d38:6ab8::3/128 2
secure-admin 62 80.80.0.0/16 1
2003:0:9d38:6ab8::/64 2
show segment-security hardware routes
The show segment-security hardware routes command displays the prefixes programmed in hardware for each segment and the route type of each prefix, which indicates how the segment prefix relates to the FIB:
- The prefix does not overlap with a FIB route. This prefix has route type S.
- The prefix is also configured in the FIB. If a segment prefix exactly matches a FIB prefix, it receives the route type S,F.
- The prefix overlaps with a FIB entry but has no exact match in the FIB. This prefix receives the route type F.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware routes [vrf vrf_name][segment seg_name]
- vrf - Display details for a specific VRF. If omitted, the output displays details for all VRFs.
- vrf_name - Name of the VRF to display. To show details for the default VRF, specify "default".
- segment - Display details for a specific segment. If omitted, the output displays details for all segments.
- seg_name - Name of the segment to display.
Guidelines
If both the vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware routes segment segment_name vrf vrf_name is not valid.
Example
switch# show segment-security hardware routes vrf site_a segment camera
Codes: S - Segment prefix
F - FIB route
S,F - Segment prefix which is also present in FIB
VRF: site_a
Segment Hardware ID Routes Route Type
------------- ------------- -------------------------- ----------
camera 63 69.89.31.200/32 S
69.89.31.201/32 S
70.89.31.0/24 S,F
2001:0:9d38:6ab8::/64 S
2002:0:9d38:6ab8::3/128 S
show segment-security hardware summary
The show segment-security hardware summary command displays the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.
Command Mode
Privileged EXEC
Command Syntax
show segment-security hardware summary [vrf vrf_name][segment seg_name]
- vrf - Display details for a specific VRF. If omitted, details for all VRFs are shown.
- vrf_name - Name of the VRF to display. To show details for the default VRF, specify "default".
- segment - Display details for a specific segment. If omitted, details for all segments are shown.
- seg_name - Name of the segment to display.
Guidelines
If both the vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware summary segment segment_name vrf vrf_name is not valid.
Example
switch# show segment-security hardware summary
VRF: default
Segment Hardware ID Prefixes Programmed
-------------------- --------------- ---------- ---------------
camera 63 5 5
secure-admin 62 2 2
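The Prefixes and Programmed columns should always agree: a prefix that was configured in a match list but never programmed is not classified into its segment in hardware, so the segment's policies cannot be relied on for that traffic. The script below is an added example, not part of the original page or of the switch software; it parses show segment-security hardware summary output and reports segments that are not fully programmed, and compares two snapshots so that a change (for example, adding prefixes to a match list) can be verified to have landed in hardware. Both samples are constructed: BEFORE mirrors the page's example, AFTER is invented to show a camera prefix that was added but not programmed.

```python
"""Audit 'show segment-security hardware summary': every segment's Programmed
count must equal its Prefixes count, before and after a change."""
import re
from dataclasses import dataclass
from typing import List

# Constructed samples, not captured from a switch. BEFORE mirrors the page's
# example; AFTER is invented: a sixth camera prefix was added but did not get
# programmed into hardware.
BEFORE = """\
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2
"""
AFTER = """\
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              6          5
secure-admin         62              2          2
"""


@dataclass(frozen=True)
class SegmentSummary:
    vrf: str
    segment: str
    hw_id: int
    prefixes: int
    programmed: int

    @property
    def fully_programmed(self) -> bool:
        return self.programmed == self.prefixes


def parse_summary(text: str) -> List[SegmentSummary]:
    """Parse every VRF block of the summary output into SegmentSummary rows."""
    rows: List[SegmentSummary] = []
    vrf = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"VRF:\s+(\S+)$", line)
        if m:
            vrf = m.group(1)
            continue
        cols = line.split()
        # A data row is '<segment> <hw id> <prefixes> <programmed>'; the header
        # and underline rows never consist of a name plus three integers.
        if vrf and len(cols) == 4 and all(c.isdigit() for c in cols[1:]):
            rows.append(SegmentSummary(vrf, cols[0], int(cols[1]),
                                       int(cols[2]), int(cols[3])))
    return rows


def unprogrammed_segments(rows: List[SegmentSummary]) -> List[SegmentSummary]:
    """Segments with at least one configured prefix missing from hardware."""
    return [r for r in rows if not r.fully_programmed]


def newly_unprogrammed(before: List[SegmentSummary],
                       after: List[SegmentSummary]) -> List[SegmentSummary]:
    """Segments that were fully programmed in 'before' but are not in 'after':
    the regression check to run after editing match lists or segments."""
    ok_before = {(r.vrf, r.segment) for r in before if r.fully_programmed}
    return [r for r in after
            if (r.vrf, r.segment) in ok_before and not r.fully_programmed]


if __name__ == "__main__":
    before, after = parse_summary(BEFORE), parse_summary(AFTER)
    for r in unprogrammed_segments(after):
        print(f"[{r.vrf}] {r.segment} (hw id {r.hw_id}): "
              f"{r.programmed}/{r.prefixes} prefixes programmed")
    for r in newly_unprogrammed(before, after):
        print(f"[{r.vrf}] {r.segment} regressed: was fully programmed, "
              f"now {r.programmed}/{r.prefixes}")
```

Capture the summary before and after a change window and run the comparison as part of the change's verification step; when a segment shows up as not fully programmed, use show segment-security hardware detail on that segment to see which prefixes are present.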
shutdown (router segment-security)
The shutdown command disables MSS-Group (segment security) on the switch. This is the default: segment security stays disabled until it is explicitly enabled. The no shutdown command enables MSS-Group; the default shutdown command restores the default state, which is disabled.
Command Mode
Router Segment-Security Configuration
Command Syntax
shutdown
no shutdown
default shutdown
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# no shutdown
switch(config-router-seg-sec)#
vrf (router segment-security)
The vrf command enters Router Segment-Security VRF Configuration mode, creating a VRF instance if necessary, to create and configure MSS-Group segments.
Command Mode
Router Segment-Security Configuration
Command Syntax
vrf vrf_instance
Parameter
vrf_instance - Specify the name of the VRF instance. To configure MSS-Group for the default VRF instance, specify default.
Commands Available in Router Segment-Security VRF Configuration Mode
Example
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default
switch(config-router-seg-sec-vrf-default)#