Manual Chapter: NFS Access Lists
Applies To: ARX 6.3.0
anonymous-gid

When an NFS client accesses a share as root (a UNIX superuser), an NFS access list typically re-maps the user's identity to that of the anonymous user, which has very low access rights. This security feature is called root squashing. Use the anonymous-gid command to change the Group ID (GID) for the anonymous user.

anonymous-gid id
  id (1-65535) is the group ID number that the access list uses when it squashes root access.

When permit rules have root-squash enabled, they translate the Group ID (GID) of a root user to an anonymous GID. To set the user ID (UID), use anonymous-uid. Use show nfs-access-list to see the current GID and UID used for anonymous.

Sample:
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl-nfs-acl[eastcoast])# anonymous-gid 100
sets the anonymous GID to 100.
anonymous-uid

When an NFS client accesses a share as root (a UNIX superuser), an NFS access list typically re-maps the user's identity to that of the anonymous user, which has very low access rights. This security feature is called root squashing. Use the anonymous-uid command to change the User ID (UID) for the anonymous user.

anonymous-uid id
  id (1-65535) is the user ID number that the access list uses when it squashes root access.

When permit rules have root-squash enabled, they translate the User ID (UID) of a root user to an anonymous UID. To set the group ID (GID), use anonymous-gid. Use show nfs-access-list to see the current GID and UID used for anonymous.

Sample:
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl-nfs-acl[eastcoast])# anonymous-uid 100
sets the anonymous UID to 100.
deny

Use the deny command to add a deny rule for one subnet to the current access list. Use the no form of the command to remove a deny rule from the current access list.

deny ip-address mask
no deny ip-address mask
  ip-address (0.0.0.0-255.255.255.255) is the address of the subnet to be denied access.
  mask (0.0.0.0-255.255.255.255) is the netmask (the network part of the IP address).

You may have a situation where most of a large subnet should be permitted access to NFS, but some portions of the subnet should be denied access. From gbl-nfs-acl mode, use this command to add a deny rule for one subnet. Use the permit command to allow access for a subnet. Order is important: if a client matches both rules, only the first one is enforced.

Sample:
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl-nfs-acl[eastcoast])# deny 192.168.77.0 255.255.255.0
  bstnA(gbl-nfs-acl[eastcoast])# deny 192.168.202.0 255.255.255.0
  bstnA(gbl-nfs-acl[eastcoast])# permit 192.168.0.0 255.255.0.0 read-write
denies access to two Class C subnets, but then permits access to any other IP address inside their Class B supernet, 192.168.0.0/16.
description (gbl-nfs-acl)

Use the optional description command to include a descriptive string for an access list. Use the no form of the command to remove the description from the current access list.

description text
no description
  text (1-255 characters) is your description for the current access list. Surround the text with quotation marks ("") if it contains any spaces.

Sample:
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl-nfs-acl[eastcoast])# description "allowable subnets in MA, NY, & DC"
ip address (gbl-nis-dom)

Use the ip address command to identify one NIS server for the current NIS domain. Use the no form of the command to remove one NIS server from the list.

ip address address
no ip address address
  address identifies the NIS server (for example, 192.168.70.128). This address must be on a server/proxy-IP subnet (see ip proxy-address) or reachable through a gateway on that subnet via a static route (see ip route to create a static route).

You can enter this command multiple times to identify up to four servers for the same NIS domain. The servers are used in the order that they are defined: the switch sends all of its netgroup lookups to the first server, and if that server is unreachable, fails, or times out, it tries the second server, and so on. Use show nis domain to see the current order of NIS servers.

Sample:
  bstnA(gbl-nis-dom[mydom.org])# ip address 192.168.78.55
  bstnA(gbl-nis-dom[mydom.org])# no ip address 10.10.25.1
nfs-access-list

Use this command to create an optional access list for NFS services. An access list is a list of IP hosts that are permitted or denied access to the NFS service. You can use one NFS access list (or create additional ones) for any number of NFS services. Use the no form of the command to remove an access list. If you do not apply an access list to an exported volume, all clients can access the share. See export (gbl-nfs) for more information.

nfs-access-list list-name
no nfs-access-list list-name
  list-name (1-64 characters) is a name you choose for the access list.

The CLI prompts for confirmation before creating a new NFS access list; enter yes to continue. (You can use terminal expert to eliminate confirmation prompts for creating new objects.) When you configure an NFS service, you can optionally apply one NFS access list to the service.

This command places you in gbl-nfs-acl mode, from which you can configure permit and deny rules for specific subnets and/or NIS netgroups. For example, you could permit access from the subnet at 192.168.101.0 but deny access from all other subnets. By default, all subnets are denied any access. Use the permit (gbl-nfs-acl) and deny commands to add permit and deny rules, respectively.

To use NIS netgroups from your back-end servers, use nis domain to create a NIS domain on the switch, use nis domain (gbl-nfs-acl) to apply it to the access list, and use permit netgroup to allow access to the hosts in one netgroup.

Before you can use the no form of the command to remove an access list, you must remove all references to that access list from the NFS services that use it.

Samples:
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl)# no nfs-access-list testacl
nis domain (gbl)

Use the nis domain command to identify a Network Information System (NIS) domain to be used in one or more NFS access lists. Use no nis domain to remove the NIS-domain configuration from the ARX.

nis domain domain
no nis domain domain
  domain (1-256 characters) is the NIS-domain name (for example, company or company.com).

This command places you into gbl-nis-dom mode, where you use the ip address (gbl-nis-dom) command to identify at least one NIS server for the domain. After you specify one or more NIS servers, the ARX looks up all of the netgroups in the domain, then performs DNS lookups for all hostnames in those netgroups. The results are cached on the switch to prevent excessive traffic between the switch and the DNS server; the show nis netgroup command shows the contents of this cache. Use nis update to refresh this cache by performing all of the necessary lookups.

You can use nis domain (gbl-nfs-acl) to use this NIS domain in an access list. The permit netgroup command (see permit (gbl-nfs-acl)) adds a permit rule for one netgroup. Use show nis domain to view all NIS domains and their configured NIS servers.

Samples:
  bstnA(gbl)# nis domain wwmed.com
  bstnA(gbl)# no nis domain testnis
nis domain (gbl-nfs-acl)

Use the gbl-nfs-acl nis domain command to set the NIS domain for the current NFS access list. Use no nis domain to remove the NIS domain from the access list.

nis domain domain
no nis domain
  domain (1-256 characters) is the NIS-domain name (for example, myorg.org from lnx3.myorg.org). This domain must already be mapped to a NIS server with the nis domain command, from gbl mode.

If you plan to use NIS netgroups in your NFS access list, you must identify the NIS domain with this command. Use show nis domain for a list of configured NIS domains, or use nis domain to create a new one. To view the netgroups in a domain, use show nis netgroup. The permit netgroup command (permit (gbl-nfs-acl)) permits all hosts in a netgroup to pass the NFS access list.

Samples:
  bstnA(gbl-nfs-acl[westcoast])# nis domain sfmed.com
  bstnA(gbl-nfs-acl[midwest])# no nis domain
nis update

The ARX caches a database of NIS netgroups and all of their DNS-resolved IP addresses. Use the nis update command to refresh this cache by querying the NIS server(s) and the local DNS server(s).

nis update [domain]
  domain (optional; 1-256 characters) focuses the update on a single NIS domain. Use show nis domain to view all NIS domains. If this is omitted, the switch refreshes its cache for all configured NIS domains.

This command creates one report per updated domain. Each report is named nis-update.domain-name.rpt. Use show reports to list all reports, including NIS-update reports. To follow the progress of the NIS-update operation, you can use tail reports report-name follow. Use show reports file-name to read the report. You can search through the report with grep. To copy or delete it, use the copy or delete commands. If you want to truncate the report before it finishes, use the truncate-report command.

The show nis netgroup command shows the netgroups in a NIS domain, or the hosts in a particular netgroup; this is the contents of the current NIS-netgroup cache. The show nis domain command shows when the most-recent NIS update occurred.

In a redundant pair, the NIS update works independently on each peer, so the output of show nis netgroup and the NIS reports apply only to the current peer. The benefit of these independent updates is that failovers do not incur any extra down time for NIS.

Samples:
  bstnA# nis update
  bstnA# nis update wwmed.com
Figure 19.1 Sample Report: nis-update.wwmed.com.rpt
bstnA# show reports nis-update.wwmed.com.rpt
permit (gbl-nfs-acl)

Use the permit command to add a permit rule for a subnet or NIS netgroup to the current access list. Use the no form of the command to remove a permit rule for a subnet or netgroup.

permit ip-address mask [read-only | read-write] [root {squash | allow}]
no permit ip-address mask
  ip-address (0.0.0.0-255.255.255.255) is the address of the subnet to be allowed access.
  mask (0.0.0.0-255.255.255.255) is the netmask (the network part of the IP address).
  read-only (optional) limits users to read-only access.
  squash disables root access and remaps it to the configured UID and GID settings (provides more security).
  allow enables root-user access.

permit netgroup group-name [read-only | read-write] [root {squash | allow}]
no permit netgroup group-name
  group-name (1-1024 characters) is the name of the NIS netgroup to be allowed access.
  read-only (optional) limits users to read-only access.
  squash disables root access and remaps it to the configured UID and GID settings (provides more security).
  allow enables root-user access.

An access list can only use netgroups from a single NIS domain; use nis domain (gbl-nfs-acl) to choose one for the current access list. An NFS access list can support a maximum of 2048 rules. Each host in a NIS netgroup results in a separate rule, so use show nfs-access-list ... resolve-netgroups to verify that the netgroups are not too large for the access list.

A new permit rule squashes root access by default. That is, if a client logs in as the root user and accesses the NFS share, the ARX translates the client's user ID to an anonymous ID with limited access privileges. In gbl-nfs-acl mode, you can change the anonymous User/Group IDs through the anonymous-gid and anonymous-uid commands.

The no form of the command always removes the rule, whether or not you specify any options (such as read-write, root allow, and so on). This facilitates copying and pasting a rule from the show nfs-access-list output to the CLI and placing a no in front of it.

Samples:
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl-nfs-acl[eastcoast])# permit 172.16.100.0 255.255.255.0 read-write
adds a read-write permit rule for the 172.16.100.0 subnet; root access from it is squashed by default.
  bstnA(gbl)# nfs-access-list eastcoast
  bstnA(gbl-nfs-acl[eastcoast])# permit 172.16.204.0 255.255.255.0 read-only root allow
allows root access from clients at 172.16.204.0. To control security, access is read-only for this rule.
  bstnA(gbl-nfs-acl[eastcoast])# permit netgroup nurses
permits access from every host in the nurses netgroup.
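The rule semantics described in the deny and permit entries above (first matching rule wins, default deny, root squashing to the anonymous UID/GID, per-host expansion of netgroups against the 2048-rule maximum) can be modelled in a few lines. This is an added Python model, not code from the ARX manual or product; the anonymous UID/GID of 100, the netgroup host addresses and the rule contents are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES = 2048                 # maximum rules in one NFS access list (from the manual)
ANON_UID, ANON_GID = 100, 100    # assumed values, as set by anonymous-uid / anonymous-gid

@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    network: ipaddress.IPv4Network
    read_only: bool = False
    root_squash: bool = True     # a new permit rule squashes root by default

# Constructed netgroup cache, standing in for what `show nis netgroup` resolved via DNS.
NETGROUP_CACHE = {"nurses": ["10.1.1.10", "10.1.1.11"]}

def subnet(action, addr, mask, read_only=False, root_squash=True):
    """One permit/deny rule for a subnet given as address + dotted netmask."""
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return [Rule(action, net, read_only, root_squash)]

def netgroup(name, read_only=False, root_squash=True):
    """Each resolved host in a netgroup becomes its own /32 permit rule,
    which is why large netgroups count against the 2048-rule maximum."""
    return [Rule("permit", ipaddress.IPv4Network(host + "/32"), read_only, root_squash)
            for host in NETGROUP_CACHE[name]]

def evaluate(rules, client_ip, uid, gid):
    """First matching rule wins; rules past MAX_RULES are never consulted.
    Returns (access, effective_uid, effective_gid) with access one of
    'deny', 'read-only' or 'read-write'."""
    ip = ipaddress.IPv4Address(client_ip)
    for rule in rules[:MAX_RULES]:
        if ip not in rule.network:
            continue
        if rule.action == "deny":
            return ("deny", uid, gid)
        if uid == 0 and rule.root_squash:      # root squashing
            uid, gid = ANON_UID, ANON_GID
        return ("read-only" if rule.read_only else "read-write", uid, gid)
    return ("deny", uid, gid)                  # no match: all subnets denied by default

# The eastcoast list built from sample commands in the deny and permit entries, in order.
EASTCOAST = (subnet("deny", "192.168.77.0", "255.255.255.0")
             + subnet("deny", "192.168.202.0", "255.255.255.0")
             + subnet("permit", "192.168.0.0", "255.255.0.0")
             + subnet("permit", "172.16.204.0", "255.255.255.0", read_only=True, root_squash=False)
             + netgroup("nurses"))
```

Reordering the 192.168.0.0/16 permit ahead of the two deny rules would make those denies dead, which is the ordering pitfall both entries warn about.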
show nfs-access-list

show nfs-access-list [list-name [resolve-netgroups]]
  list-name (optional; 1-64 characters) is the access list you want to view.
  resolve-netgroups (optional) expands the NIS netgroups. This shows every resolved host in every NIS netgroup, in order. Without this option, netgroups are summarized on a single line and counted as a single rule.

The show nfs-access-list command displays the following information:
  Access List Name: The names of all configured access lists.
  Anon UID: The anonymous User ID number assigned to root when root squashing is enabled (the default). You can change this with anonymous-uid.
  Anon GID: The anonymous Group ID number assigned to root when root squashing is enabled (the default). Use anonymous-gid to edit this.
  Num Rules: The number of permit and/or deny rules applied to this access list. This counts each NIS netgroup as a single rule; use the resolve-netgroups option to find the total count, including every host in every netgroup.
  Num References: The number of NFS services that use this access list.

If you enter a list name, the output also shows the description (gbl-nfs-acl) for the access list, if any, and the list's exact rules. The order is important; if a client matches two rules in the list, the switch follows the first rule and ignores the second.

Two additional fields appear at the bottom if you use the resolve-netgroups flag:
  Number of entries in access list: The total number of rules, including each host in the expanded netgroups. An error appears above this field if the number of rules exceeds the maximum, 2048. Each host in a netgroup requires a rule, so large netgroups can cause an access list to exceed its maximum. Only the first 2048 rules are used.

Samples:
  bstnA# show nfs-access-list
displays a summary of all access lists. See Figure 19.2 for sample output.
  bstnA# show nfs-access-list eastcoast
displays detailed information for this access list, including the permit and deny rules for the associated subnet(s) and/or netgroups. See Figure 19.3 for sample output.
  bstnA# show nfs-access-list eastcoast resolve-netgroups
displays the same list with every NIS netgroup expanded into its resolved hosts.
Figure 19.2 Sample Output: show nfs-access-list
bstnA# show nfs-access-list
Figure 19.3 Sample Output: show nfs-access-list eastcoast
bstnA# show nfs-access-list eastcoast
bstnA# show nfs-access-list eastcoast resolve-netgroups
show nis domain

show nis domain [domain-name]
  domain-name (optional; 1-256 characters) is the NIS domain you want to view. If you omit this, the output displays a summary of all NIS domains configured on the switch.

The summary form of the show nis domain command displays the following information:
  NIS Domain is the name of the NIS domain. Use the nis domain command to configure a new NIS domain or change an existing one.
  Last Update is the date and time that the ARX last updated its internal NIS database. This occurs when each NIS domain is first configured, and whenever someone issues the nis update command.
  Status summarizes the results of the most-recent NIS update. This is Success, Updating, or Failed.
  Servers are the NIS servers for this NIS domain. You can use the ip address (gbl-nis-dom) command to identify more servers that support this domain. This shows the order in which the servers are used; if the first server fails, the switch tries the second, and so on.

The detailed form adds the following fields:
  Last Successful Update is the date and time of the last NIS update that ended with a Success status.
  Netgroups is the number of netgroups defined for this NIS domain.
  Netgroup Resolution Errors is the number of netgroup entries that the switch failed to parse. These are typically malformed lines in the NIS server's netgroup configuration file.
  Hosts is the number of hosts found in all the netgroups.
  Hosts Resolved is the number of hosts that were successfully resolved to IP addresses. These are DNS resolutions, made by an external DNS server; use show ip domain to see the DNS server(s) used by this switch. If this number is lower than the number for Hosts, above, some hosts were not resolved.

Samples:
  bstnA# show nis domain
displays a list of all configured NIS domains. See Figure 19.5 for sample output.
  bstnA# show nis domain wwmed.com
displays detailed information for the wwmed.com NIS domain. Figure 19.6 shows sample output.
Figure 19.5 Sample Output: show nis domain (all)
bstnA# show nis domain
Figure 19.6 Sample Output: show nis domain wwmed.com
bstnA# show nis domain wwmed.com
show nis netgroup

show nis netgroup domain [netgroup]
  domain (1-256 characters) is the NIS domain you want to view.
  netgroup (optional; 1-1024 characters) specifies a single netgroup. If you enter this, the command shows all hosts in the netgroup.

The summary form of the show nis netgroup command displays an alphabetical list of all netgroups defined for the domain. The ARX finds these at the back-end NIS servers; use show nis domain for a list of NIS servers. The detailed form of the command shows a table with one row for each host found in the netgroup. The Hostname is the name found in the netgroup, and the IP Address is the address resolved by the local DNS server. Use show ip domain for a list of local DNS servers.

Samples:
  bstnA# show nis netgroup wwmed.com
displays a list of all netgroups in the wwmed.com domain. See Figure 19.7 for sample output.
  bstnA# show nis netgroup wwmed.com medtechs
shows every host in the medtechs netgroup. Figure 19.8 shows sample output.
Figure 19.7 Sample Output: show nis netgroup wwmed.com
bstnA# show nis netgroup wwmed.com
bstnA# show nis netgroup wwmed.com medtechs