deny

Adds deny device adoption rules to the Auto Provisioning Policy

Supported on the following devices:

Access Points: AP5010, AP310i/e, AP410i/e, AP505i, AP510i, AP510e, AP560i, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP763, AP7662, AP8163, AP8543, AP8533.
Service Platforms: NX5500, NX7500, NX9500, NX9600
Virtual Platforms: CX9000, VX9000

Syntax

deny [anyap|ap410|ap460|ap505|ap510|ap560|nx5500|nx75xx|nx95xx|vx9000|nx96xx]

deny [anyap|ap410|ap460|ap505|ap510|ap560|nx5500|nx75xx|nx95xx|vx9000|nx96xx] precedence <1-10000> 
[any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]

deny [anyap|ap410|ap460|ap505|ap510|ap560|nx5500|nx75xx|nx95xx|vx9000|nx96xx] precedence <1-10000> any

deny [anyap|ap410|ap460|ap505|ap510|ap560|nx5500|nx75xx|nx95xx|vx9000|nx96xx] precedence <1-10000> 
[cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|
<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|
mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|
vlan <VLAN-ID>]

Parameters

deny [anyap|ap410|ap460|ap505|ap510|ap560|nx5500|nx75xx|nx95xx|vx9000|nx96xx] precedence <1-10000> any


deny	Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule. The different device types are: AP410, AP460. AP505, AP510, AP560, NX5500, NX7500, NX9500, NX9600, and VX9000. Note: Use the ‘anyap‘ option to auto provision any AP regardless of its model type.
precedence <1-10000>	Sets the rule precedence. A rule with a lower value has a higher precedence.
any	Indicates any device. Any device seeking adoption is denied adoption.

deny [anyap|ap410|ap460|ap505|ap510|ap560|nx5500|nx75xx|nx95xx|vx9000|nx96xx] precedence <1-10000> 
[cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|
<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> 
{<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]


adopt	Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule. The different device types are: AP410, AP460. AP505, AP510, AP560, NX5500, NX7500, NX9500, NX9600, and VX9000. Note: Use the ‘anyap‘ option to auto provision any AP regardless of its model type.
precedence <1-10000>	Sets the rule precedence. A rule with a lower value has a higher precedence. After specifying the rule precedence, specify the match criteria. Devices matching the specified criteria are denied adoption.
cdp-match <LOCATION-SUBSTRING>	Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices: controller1.example.com, controller2.example.com, and controller3.example.com, 'controller1', ‘example‘, 'example.com', are examples of the substrings that will match. <LOCATION-SUBSTRING> – Specify the value to match. Devices matching the specified value are denied adoption.
dhcp-option <DHCP-OPTION>	Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be setup to communicate various configuration parameters to an AP. The value of the option in a string in the form of tag=value separated by a semicolon, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of tag 'rf-domain', if present. <DHCP-OPTION> – Specify the DHCP option value to match. Devices matching the specified value are denied adoption.
fqdn <FQDN>	Matches a substring to the FQDN of a device (case insensitive) FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain. <FQDN> – Specify the FQDN. Devices matching the specified value are denied adoption.
ip [<START-IP> <END-IP>\| <IP/MASK>]	Denies adoption if a device's IP address matches the specified IPv4 address or is within the specified IP address range <START-IP> – Specify the first IPv4 address in the range. <END-IP> – Specify the last IPv4 address in the range. <IP/MASK> – Specify the IPv4 subnet and mask to match against the device‘s IP address.
ipv6 [<START-IP> <END-IP>\| <IP/MASK>]	Denies adoption if a device's IPv6 address matches the specified IP address or is within the specified IP address range <START-IP> – Specify the first IPv6 address in the range. <END-IP> – Specify the last IPv6 address in the range. <IP/MASK> – Specify the IPv6 subnet and mask to match against the device‘s IPv6 address.
lldp-match <LLDP-STRING>	Matches a substring in a list of LLDP snoop strings (case insensitive). For example, if an Access Point snooped 3 devices: controller1.example.com, controller2.example.com and controller3.example.com,'controller1', 'example', 'example.com', are substrings match. LLDP is a vendor neutral link layer protocol that advertises a network device‘s identity, capabilities, and neighbors on a local area network. <LLDP-STRING> – Specify the LLDP string. Devices matching the specified values are denied adoption.
mac <START-MAC> {<END-MAC>}	Denies adoption if a device's MAC address matches the specified MAC address or is within the specified MAC address range <START-MAC> – Specify the first MAC address in the range. Provide this MAC address if you want to match for a single device. <END-MAC> – Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>	Denies adoption if a device‘s model number matches <MODEL-NUMBER> <MODEL-NUMBER> – Specify the model number to match.
serial-number <SERIAL-NUMBER>	Denies adoption if a device‘s serial number matches <SERIAL-NUMBER> <SERIAL-NUMBER> – Specify the serial number to match.
vlan <VLAN-ID>	Denies adoption if a device‘s VLAN matches <VLAN-ID> <VLAN-ID> – Specify the VLAN ID.

Examples

nx9500-6C8809(config-auto-provisioning-policy-test)#deny ap8432 precedence 1 mac 74-67-F7-07-02-35

nx9500-6C8809(config-auto-provisioning-policy-test)#deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26

nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 deny ap8432 precedence 1 mac 74-67-F7-07-02-35
 deny ap8432 precedence 2 ip 192.168.13.24 102.168.13.26
 adopt ap8432 precedence 5 profile default-ap8432 rf-domain TechPubs vlan 1
nx9500-6C88098(config-auto-provisioning-policy-test)#

Related Commands


no	Removes a deny adoption rule from this Auto Provisioning Policy