deny

Adds deny device adoption rules to the Auto Provisioning Policy

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

deny [anyap|ap505|ap510|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600]
deny [anyap|ap505|ap510|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000> 
[any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]
deny [anyap|ap505|ap510|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] 
precedence <1-10000> any
deny [anyap|ap505|ap510|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000> 
[cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|
<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|
mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|
vlan <VLAN-ID>]

Parameters

deny [anyap|ap505|ap510|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] 
precedence <1-10000> any

deny

Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.

The different device types are:

AP505, AP510, RFS4000, NX5500, NX7500, NX9500, NX9600, VX9000

Note: Use the 'anyap' option to auto provision any AP regardless of its model type.

precedence <1-10000>

Sets the rule precedence. A rule with a lower value has a higher precedence.

any

Indicates any device. Any device seeking adoption is denied adoption.

deny [anyap|ap505|ap510|rfs4000|nx5500|nx75xx|nx9000|vx9000|nx9600] precedence <1-10000> 
[cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|
<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> 
{<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

deny

Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule.

The different device types are:

AP505, AP510, RFS4000, NX5500, NX7500, NX9500, NX9600, VX9000

Note: Use the 'anyap' option to auto provision any AP regardless of its model type.

precedence <1-10000>

Sets the rule precedence. A rule with a lower value has a higher precedence.

After specifying the rule precedence, specify the match criteria. Devices matching the specified criteria are denied adoption.

cdp-match <LOCATION-SUBSTRING>

Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of substrings that will match.

  • <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the specified value are denied adoption.

dhcp-option <DHCP-OPTION>

Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP. The value of the option is a string of tag=value pairs separated by semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of tag 'rf-domain', if present.

  • <DHCP-OPTION> – Specify the DHCP option value to match. Devices matching the specified value are denied adoption.

fqdn <FQDN>

Matches a substring to the FQDN of a device (case insensitive)

FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.

  • <FQDN> – Specify the FQDN. Devices matching the specified value are denied adoption.

ip [<START-IP> <END-IP>| <IP/MASK>]

Denies adoption if a device's IP address matches the specified IPv4 address or is within the specified IP address range
  • <START-IP> – Specify the first IPv4 address in the range.
    • <END-IP> – Specify the last IPv4 address in the range.
  • <IP/MASK> – Specify the IPv4 subnet and mask to match against the device's IP address.

ipv6 [<START-IP> <END-IP>| <IP/MASK>]

Denies adoption if a device's IPv6 address matches the specified IP address or is within the specified IP address range
  • <START-IP> – Specify the first IPv6 address in the range.
    • <END-IP> – Specify the last IPv6 address in the range.
  • <IP/MASK> – Specify the IPv6 subnet and mask to match against the device's IPv6 address.

lldp-match <LLDP-STRING>

Matches a substring in a list of LLDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of substrings that will match.

LLDP is a vendor-neutral link layer protocol that advertises a network device's identity, capabilities, and neighbors on a local area network.

  • <LLDP-STRING> – Specify the LLDP string. Devices matching the specified values are denied adoption.

mac <START-MAC> {<END-MAC>}

Denies adoption if a device's MAC address matches the specified MAC address or is within the specified MAC address range
  • <START-MAC> – Specify the first MAC address in the range. Provide this MAC address if you want to match for a single device.
    • <END-MAC> – Optional. Specify the last MAC address in the range.

model-number <MODEL-NUMBER>

Denies adoption if a device's model number matches <MODEL-NUMBER>
  • <MODEL-NUMBER> – Specify the model number to match.

serial-number <SERIAL-NUMBER>

Denies adoption if a device's serial number matches <SERIAL-NUMBER>
  • <SERIAL-NUMBER> – Specify the serial number to match.

vlan <VLAN-ID>

Denies adoption if a device's VLAN matches <VLAN-ID>
  • <VLAN-ID> – Specify the VLAN ID.

Examples

rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap8432 precedence 1 mac 74-67-F7-07-02-35
rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 deny ap8432 precedence 1 mac 74-67-F7-07-02-35
 deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
 adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#
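
How deny rules with low precedence values pre-empt a later adopt rule, as an added Python sketch that is not part of the original documentation or the product's code. It assumes rules are evaluated in ascending precedence order and the first match decides, and it takes the adopt line's shape from the listing above; the policy text, device attributes and the helper names parse, matches and decide are constructed for illustration.

```python
import ipaddress

# Constructed policy in the page's syntax; all addresses and names are sample values.
POLICY = """\
deny anyap precedence 1 mac 74-67-F7-07-02-35
deny anyap precedence 2 ip 192.168.13.24 192.168.13.26
deny anyap precedence 3 lldp-match Guest-SW
adopt anyap precedence 5 profile default-ap rf-domain Lab vlan 1
"""

def mac_int(mac):
    return int(mac.replace("-", "").replace(":", ""), 16)

def parse(policy):
    """Return (precedence, action, criterion, args) tuples, lowest value first."""
    rules = []
    for line in policy.splitlines():
        tok = line.split()
        if tok[:1] == ["adopt"]:  # drop "profile X rf-domain Y" ahead of the criterion
            tok = tok[:4] + tok[8:]
        if len(tok) < 5 or tok[0] not in ("deny", "adopt") or tok[2] != "precedence":
            continue
        rules.append((int(tok[3]), tok[0], tok[4], tok[5:]))
    return sorted(rules)

def matches(criterion, args, dev):
    if criterion == "any":
        return True
    if criterion == "mac":  # single MAC, or START-MAC .. END-MAC
        lo, hi = mac_int(args[0]), mac_int(args[-1])
        return lo <= mac_int(dev["mac"]) <= hi
    if criterion == "ip":  # START-IP END-IP, or IP/MASK
        ip = ipaddress.ip_address(dev["ip"])
        if len(args) == 2:
            return ipaddress.ip_address(args[0]) <= ip <= ipaddress.ip_address(args[1])
        return ip in ipaddress.ip_network(args[0], strict=False)
    if criterion in ("lldp-match", "cdp-match"):  # case-insensitive substring match
        return any(args[0].lower() in s.lower() for s in dev.get(criterion, []))
    if criterion == "vlan":
        return int(args[0]) == dev["vlan"]
    return False  # criteria not modelled in this sketch

def decide(rules, dev):
    """First matching rule in ascending precedence order wins (assumed model)."""
    for prec, action, criterion, args in rules:
        if matches(criterion, args, dev):
            return action, prec
    return None, None
```

Running a planned policy through a model like this before applying it shows which rule a given device would hit, and whether a deny rule is shadowed by a broader rule with a lower precedence value.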

Related Commands

no

Removes a deny adoption rule from this Auto Provisioning Policy