Segment Security

Overview of MSS-Group

The system supports grouping hosts and networks into segments based on their prefixes. The MSS-Group feature (also referred to as Segment Security) allows policies to be applied to segments rather than interfaces or subnets.

Policies define inter-segment and intra-segment rules; for example:

  • Segment A is allowed to communicate with segment B.
  • Hosts in segment B are not allowed to communicate with each other.

By default, the system drops traffic directed to a segment, so an explicit forward policy is required before any communication is allowed. The two directions of traffic are handled independently: to allow traffic between two segments, you must configure a forward policy under each of the two segments.

Configuring MSS-Group

To configure MSS-Group (Segment Security) to control groups of IPv4 or IPv6 addresses (called “segments”): define one or more match lists, create segments from those match lists, create policies governing traffic to individual segments, set the default policy for all segments, and enable the MSS-Group feature. Up to 60 segments can be defined across all VRFs. Traffic to and from VLANs with no SVI configured is treated as belonging to the default VRF and is subject to the policies defined in the default VRF. The feature does not require routing to be enabled on the switch, even though the configuration mode name starts with the word “router.”


Define Match Lists

Use the match-list input command to define an IPv4 or IPv6 subnet list. Each match list must contain only one type of prefix, IPv4 or IPv6. It cannot contain a mixture. Each match list name of a given type must be unique, but an IPv4 match list and an IPv6 match list can have the same name.



  • The following commands define two IPv4 match lists named camera-prefixes and admin-prefixes and two IPv6 match lists also named camera-prefixes and admin-prefixes, and they add a total of seven prefixes.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4
    switch(config-match-list-prefix-ipv4-camera-prefixes)# exit
    switch(config)# match-list input prefix-ipv6 camera-prefixes
    switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2001:0:9d38:6ab8::/64
    switch(config-match-list-prefix-ipv6-camera-prefixes)# match prefix-ipv6 2002:0:9d38:6ab8::3/128
    switch(config-match-list-prefix-ipv6-camera-prefixes)# exit
    switch(config)# match-list input prefix-ipv4 admin-prefixes
    switch(config-match-list-prefix-ipv4-admin-prefixes)# match prefix-ipv4
    switch(config-match-list-prefix-ipv4-admin-prefixes)# exit
    switch(config)# match-list input prefix-ipv6 admin-prefixes
    switch(config-match-list-prefix-ipv6-admin-prefixes)# match prefix-ipv6 2003:0:9d38:6ab8::/64
    switch(config-match-list-prefix-ipv6-admin-prefixes)# exit


Define Segments using Match Lists

Use the segment command to define a segment. A segment contains one or two match lists, one of type IPv4 and the other of type IPv6.



  • The following commands define segments using the match lists configured above.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment camera
    switch(config-router-seg-sec-vrf-segment-camera)# definition
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 camera-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 camera-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# exit
    switch(config-router-seg-sec-vrf-segment-camera)# exit
    switch(config-router-seg-sec-vrf-default)# segment secure-admin
    switch(config-router-seg-sec-vrf-segment-secure-admin)# definition
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# exit
    switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
    switch(config-router-seg-sec-vrf-default)# exit
    switch(config-router-seg-sec)# exit


Define Policies Between Segments

Use the policies command to drop or forward traffic to a segment from specific other segments (or from the segment itself). Two built-in policies are available: policy-forward-all, which forwards traffic between segments, and policy-drop-all, which drops it. When no policy is configured for a source segment, the default policy applies; the default is policy-drop-all unless it is changed with the no segment policy policy-drop-all default command.



  • The following commands allow bidirectional traffic between the two segments defined earlier. Policies are defined per destination segment, so each segment's policies block names the other segment as the source; configuring only one of the two blocks allows traffic in one direction only.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment camera
    switch(config-router-seg-sec-vrf-segment-camera)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from secure-admin policy policy-forward-all
    switch(config-router-seg-sec-vrf-segment-policies)# exit
    switch(config-router-seg-sec-vrf-segment-camera)# exit
    switch(config-router-seg-sec-vrf-default)# segment secure-admin
    switch(config-router-seg-sec-vrf-segment-secure-admin)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-forward-all
    switch(config-router-seg-sec-vrf-segment-policies)# exit
    switch(config-router-seg-sec-vrf-segment-secure-admin)# exit
    switch(config-router-seg-sec-vrf-default)# exit
    switch(config-router-seg-sec)# exit


Enable MSS-Group

MSS-Group is disabled by default. Use the no shutdown command to enable it and the shutdown command to disable it.


  • The following commands enable MSS-Group.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# no shutdown
    switch(config-router-seg-sec)# exit


  • The following commands disable MSS-Group.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# shutdown
    switch(config-router-seg-sec)# exit


Configuring Default Forward/Drop Behavior

When MSS-Group is first enabled, all traffic to nodes in a segment is dropped unless explicitly allowed by a policy-forward-all policy, as shown earlier. This includes traffic between nodes within the same segment. Use the no segment policy policy-drop-all default command to change the default policy to forward, which allows intra-segment traffic as well as traffic between segments that have no explicit policy.


  • The following commands allow all traffic within each segment as well as between segments.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# no segment policy policy-drop-all default
    switch(config-router-seg-sec)# exit


You can modify the policy for each segment more granularly with the policies command.


  • The following commands prevent nodes in the camera segment from communicating with each other.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment camera
    switch(config-router-seg-sec-vrf-segment-camera)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from camera policy policy-drop-all
    switch(config-router-seg-sec-vrf-segment-policies)# exit
    switch(config-router-seg-sec-vrf-segment-camera)# exit
    switch(config-router-seg-sec-vrf-default)# exit
    switch(config-router-seg-sec)# exit
    switch(config)# exit
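
The procedure above defines segments, policies and the VRF-wide default; the following Python model is an added example for this page (not Arista code and not run on a switch) that reproduces the decision rules the text states, so a planned configuration can be checked offline before it is typed in. It assumes: constructed IPv4 prefixes in documentation ranges and a constructed switch IP; the page's IPv6 prefixes; and, because the page does not say how traffic to a destination outside every segment is treated, such traffic is reported as "unpoliced" rather than given a verdict.

```python
"""Decision model for MSS-Group policies.

Added example for this page, not Arista code: it does not talk to a switch.
It reproduces the rules stated in the text so that a planned configuration
can be checked offline before it is typed in:
  - policies are evaluated per destination segment and per direction;
  - a 'from <src> policy <p>' entry under the destination segment wins;
  - otherwise the VRF-wide default applies: policy-drop-all, or
    policy-forward-all after 'no segment policy policy-drop-all default';
  - traffic to or from a switch-owned IP is always allowed.
Assumptions: the IPv4 prefixes, the switch IP and the outside host are
constructed; traffic whose destination is in no segment is reported as
'unpoliced', because the page does not say how it is treated.
"""
import ipaddress

DROP, FORWARD, UNPOLICED = "policy-drop-all", "policy-forward-all", "unpoliced"


class SegmentSecurityVrf:
    def __init__(self, switch_ips=(), drop_by_default=True):
        self.segments = {}                      # segment name -> [ip_network, ...]
        self.policies = {}                      # (dest segment, source segment) -> policy
        self.switch_ips = {ipaddress.ip_address(a) for a in switch_ips}
        self.drop_by_default = drop_by_default  # False after 'no segment policy policy-drop-all default'

    def segment(self, name, *prefixes):
        """'segment <name>' / 'definition' / 'match prefix-ipv4|ipv6 <list>' (lists flattened)."""
        self.segments[name] = [ipaddress.ip_network(p) for p in prefixes]

    def policy(self, dest, src, policy):
        """'segment <dest>' / 'policies' / 'from <src> policy <policy>'."""
        if policy not in (DROP, FORWARD):       # only the two built-in policies exist
            raise ValueError(policy)
        self.policies[(dest, src)] = policy

    def segment_of(self, addr):
        ip = ipaddress.ip_address(addr)
        for name, nets in self.segments.items():
            if any(ip in n for n in nets):
                return name
        return None                             # not a member of any segment

    def decide(self, src_addr, dst_addr):
        src_ip, dst_ip = ipaddress.ip_address(src_addr), ipaddress.ip_address(dst_addr)
        if src_ip in self.switch_ips or dst_ip in self.switch_ips:
            return FORWARD                      # switch-owned IPs bypass MSS-Group
        dst = self.segment_of(dst_ip)
        if dst is None:
            return UNPOLICED                    # assumption, see module docstring
        src = self.segment_of(src_ip)
        if src is not None and (dst, src) in self.policies:
            return self.policies[(dst, src)]    # explicit 'from' entry on the destination segment
        return DROP if self.drop_by_default else FORWARD


def page_example(bidirectional=True, allow_intra_by_default=False, isolate_cameras=False):
    """The camera / secure-admin setup from the text (IPv6 prefixes are the
    page's; IPv4 prefixes are constructed from documentation ranges)."""
    vrf = SegmentSecurityVrf(switch_ips=["192.0.2.1"], drop_by_default=not allow_intra_by_default)
    vrf.segment("camera", "192.0.2.0/24", "2001:0:9d38:6ab8::/64", "2002:0:9d38:6ab8::3/128")
    vrf.segment("secure-admin", "198.51.100.0/24", "2003:0:9d38:6ab8::/64")
    vrf.policy("camera", "secure-admin", FORWARD)      # under 'segment camera' / 'policies'
    if bidirectional:
        vrf.policy("secure-admin", "camera", FORWARD)  # under 'segment secure-admin' / 'policies'
    if isolate_cameras:
        vrf.policy("camera", "camera", DROP)           # 'from camera policy policy-drop-all'
    return vrf


if __name__ == "__main__":
    one_way = page_example(bidirectional=False)
    print("admin -> camera :", one_way.decide("198.51.100.10", "192.0.2.20"))   # policy-forward-all
    print("camera -> admin :", one_way.decide("192.0.2.20", "198.51.100.10"))   # policy-drop-all: reverse entry missing
    print("camera -> camera:", one_way.decide("192.0.2.20", "192.0.2.21"))      # policy-drop-all: default
    open_intra = page_example(allow_intra_by_default=True, isolate_cameras=True)
    print("camera -> camera:", open_intra.decide("192.0.2.20", "192.0.2.21"))   # policy-drop-all: explicit override
    print("admin -> admin  :", open_intra.decide("198.51.100.10", "198.51.100.11"))  # policy-forward-all: new default
```

The one_way case is the mistake that is easiest to make with this feature: a single `from secure-admin policy policy-forward-all` under the camera segment lets the admin hosts reach the cameras, but the cameras' replies toward the admin segment fall through to the default drop until the mirror entry exists under secure-admin.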


Segment Security Considerations

  • Multicast and Link-Local prefixes are not supported.


  • Expect traffic disruption during prefix and policy configuration. The system does not support atomicity during segment and prefix configuration.


  • MSS-Group and URPF feature interaction is not supported. If both features are configured (misconfiguration), the platform gives URPF higher priority and removes any existing segment configurations from the hardware.


  • The system periodically retries prefix entries that fail to install in hardware (due to insufficient resources) until resources become available and the system successfully installs the prefixes. However, this retry mechanism does not apply to policy entries. If a policy entry fails, you must remove it, free up hardware resources, and re-enable the MSS-Group feature.


  • You cannot configure custom policies; you must choose one of the two built-in policies, policy-drop-all and policy-forward-all.


  • A given prefix can be part of only a single segment in a VRF. Configuring the same prefix in more than one segment leads to undefined traffic forwarding behavior.


  • You cannot configure the same prefix in both MSS-Group and MSS-L3 configurations.


  • You can perform SSU with MSS-Group configured, but the configuration will not allow for hitless traffic flows.


  • DHCP discovery packets with a broadcast destination IP of will only match the prefix.


  • All traffic sourced from or destined to switch-owned IPs is allowed regardless of MSS-Group configuration.


  • Enabling MSS-Group halves the LPM table capacity because the feature requires both a source and a destination IP lookup. The host table already performs source and destination lookups by default, so host table capacity is unchanged.
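
Several of the considerations above (no multicast or link-local prefixes, one prefix per segment within a VRF, at most 60 segments across all VRFs, one prefix type per match list) are constraints the CLI does not necessarily reject but that produce undefined forwarding or unprogrammed entries. The following linter is an added example for this page, not Arista code: it checks a configuration model built from the match-list and segment definition blocks before anything is typed into the switch. The IPv6 prefixes are the page's; the IPv4 prefixes and the "guest" segment are constructed so that each check fires once.

```python
"""Offline linter for the MSS-Group constraints listed on this page.
Added example, not Arista code: it checks a configuration model, not a
running switch.  The IPv6 prefixes are the page's; the IPv4 prefixes and
the 'guest' segment are constructed to trigger findings."""
import ipaddress

MAX_SEGMENTS = 60                      # limit stated on the page, across all VRFs
VERSION = {"prefix-ipv4": 4, "prefix-ipv6": 6}


def lint(match_lists, vrfs):
    """match_lists: {type: {name: [prefix, ...]}}           ('match-list input' blocks)
    vrfs:        {vrf: {segment: {type: match-list name}}} ('segment ... definition' blocks)
    Returns a list of finding strings; an empty list means no violation found."""
    findings = []

    # 1. Each match list holds only prefixes of its declared type, and none of
    #    them is multicast or link-local (unsupported by the feature).
    for kind, lists in match_lists.items():
        for name, prefixes in lists.items():
            for p in prefixes:
                net = ipaddress.ip_network(p)
                if net.version != VERSION[kind]:
                    findings.append(f"{kind} {name}: {p} is not IPv{VERSION[kind]}")
                if net.is_multicast or net.is_link_local:
                    findings.append(f"{kind} {name}: {p} is multicast or link-local (unsupported)")

    # 2. At most 60 segments across all VRFs.
    total = sum(len(segs) for segs in vrfs.values())
    if total > MAX_SEGMENTS:
        findings.append(f"{total} segments configured; the limit is {MAX_SEGMENTS} across all VRFs")

    # 3. Within a VRF, a prefix may belong to one segment only, and every
    #    referenced match list must exist with the referenced type.
    for vrf, segs in vrfs.items():
        owner = {}                                   # network -> first segment that claimed it
        for seg, refs in segs.items():
            for kind, name in refs.items():
                prefixes = match_lists.get(kind, {}).get(name)
                if prefixes is None:
                    findings.append(f"vrf {vrf} segment {seg}: match list {kind} {name} does not exist")
                    continue
                for p in prefixes:
                    net = ipaddress.ip_network(p)
                    if net in owner and owner[net] != seg:
                        findings.append(f"vrf {vrf}: {p} is in both {owner[net]} and {seg} (undefined forwarding)")
                    owner.setdefault(net, seg)
    return findings


# Constructed configuration: the page's camera / secure-admin segments plus a
# deliberately broken 'guest' segment (duplicate prefix, multicast entry,
# IPv6 entry in an IPv4 list, missing IPv6 match list).
MATCH_LISTS = {
    "prefix-ipv4": {
        "camera-prefixes": ["192.0.2.0/24", "192.0.2.200/32"],
        "admin-prefixes": ["198.51.100.0/24"],
        "guest-prefixes": ["192.0.2.0/24", "224.0.0.0/4", "2001:db8::/32"],
    },
    "prefix-ipv6": {
        "camera-prefixes": ["2001:0:9d38:6ab8::/64", "2002:0:9d38:6ab8::3/128"],
        "admin-prefixes": ["2003:0:9d38:6ab8::/64"],
    },
}
VRFS = {
    "default": {
        "camera": {"prefix-ipv4": "camera-prefixes", "prefix-ipv6": "camera-prefixes"},
        "secure-admin": {"prefix-ipv4": "admin-prefixes", "prefix-ipv6": "admin-prefixes"},
        "guest": {"prefix-ipv4": "guest-prefixes", "prefix-ipv6": "guest-prefixes"},
    },
}

if __name__ == "__main__":
    for finding in lint(MATCH_LISTS, VRFS):
        print(finding)
```

Run it before committing a change: an empty result means none of the page's stated constraints is violated by the model, which is the best that can be checked without the hardware summary output.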


Show Commands

The show commands available to examine the configuration and status of MSS-Group include:

  • show segment-security [vrf <vrf-name>][segment <seg-name>]
    switch# show segment-security
    VRF : default
      Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
      secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all


  • show match-list {prefix-ipv4 | prefix-ipv6}[<list-name>]
    switch# show match-list prefix-ipv4 
    Name            Prefix          
    --------------- --------------- 
    switch# show match-list prefix-ipv6
    Name            Prefix
    --------------- -----------------------
    admin-prefixes  2003:0:9d38:6ab8::/64
    camera-prefixes 2001:0:9d38:6ab8::/64


  • show segment-security hardware summary [vrf <vrf-name>][segment<seg-name>]

    This command shows the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.

    switch# show segment-security hardware summary
    VRF: default
    Segment              Hardware ID     Prefixes   Programmed
    -------------------- --------------- ---------- ---------------
    camera               63              5          5
    secure-admin         62              2          2


  • show segment-security hardware detail [vrf <vrf-name>][segment<seg-name>]

    This command shows the hardware ID assigned to each segment, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).

    switch# show segment-security hardware detail
    VRF: default
    Segment              Hardware ID     Prefixes                                Adj Index
    -------------------- --------------- --------------------------------------- ---------------
    camera               63                             1
                                         2001:0:9d38:6ab8::/64                   2
                                         2002:0:9d38:6ab8::3/128                 2
    secure-admin         62                                1
                                         2003:0:9d38:6ab8::/64                   2


  • show segment-security hardware routes [vrf<vrf-name>][segment<seg-name>]

    Because MSS-Group prefixes use the L3 hardware tables, they can overlap with FIB routes, so each prefix is assigned a route type. There are three possible classifications for a prefix:

    1. The prefix does not overlap with a FIB route. This prefix has route type 'S'.

    2. The prefix is also configured in the FIB. If a segment prefix is identical to a FIB prefix, it is given the route type 'S,F'.

    3. The prefix overlaps with a FIB entry but there is no exact match in the FIB. This prefix has the route type 'F'.

    The following command shows the route types for prefixes in hardware.
    switch# show segment-security hardware routes 
    Codes: S - Segment prefix
           F - FIB route
           S,F - Segment prefix which is also present in FIB
    VRF: default
    Segment              Hardware ID     Routes                                  Route Type
    -------------------- --------------- --------------------------------------- ----------
    camera               63                             S
                                         2001:0:9d38:6ab8::/64                   S
                                         2002:0:9d38:6ab8::3/128                 S
    secure-admin         62                                S
                                         2003:0:9d38:6ab8::/64                   S


  • show segment-security hardware counters[vrf<vrf-name>]

    This command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies.

    switch# show segment-security hardware counters
    VRF: default
    Policy               Hit        Drop
    -------------------- ---------- ----------
    policy-forward-all   13         0

    Dest Segment         Source Segment       Policy               Hit        Drop
    -------------------- -------------------- -------------------- ---------- ----------
    camera               *                    n/a                  0          3
    camera               camera                                    6          6
    camera               secure-admin                              4          0
    secure-admin         *                    n/a                  0          12
    secure-admin         camera                                    9          0


  • clear segment-security hardware counters

    This command clears the Hit and Drop counters for each policy, setting them to 0.

    switch# clear segment-security hardware counters
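
The counters above are the only feature-level signal that traffic is being silently dropped, and the rows with a source of "*" are the ones worth watching: drops there mean traffic reached a segment from a source that has no explicit policy, which is either a missing policy or a source that should not be talking to that segment. The parser and triage pass below are an added example for this page, not Arista code. SAMPLE is the command output shown on this page, pasted in as constructed input so the block runs offline; the parser assumes only the whitespace-separated layout shown there.

```python
"""Parse 'show segment-security hardware counters' output and triage the
drop counters.  Added example for this page, not Arista code.  SAMPLE is the
command output shown on this page, pasted in as constructed input; the parser
assumes the whitespace-separated layout shown there and nothing else."""

SAMPLE = """\
VRF: site_b
Policy               Hit        Drop
-------------------- ---------- ----------
policy-drop-all      6          6
policy-forward-all   13         0

Dest Segment         Source Segment       Policy               Hit        Drop
-------------------- -------------------- -------------------- ---------- ----------
camera               *                    n/a                  0          3
camera               camera                                    6          6
camera               secure-admin                              4          0
secure-admin         *                    n/a                  0          12
secure-admin         camera                                    9          0
"""


def parse_counters(text):
    """Returns {vrf: {"policies": {policy: (hit, drop)},
                      "pairs": [(dest, src, policy, hit, drop), ...]}}.
    A pair row with source '*' is the segment's default policy; its Policy
    column reads 'n/a'.  Rows for configured policies print a blank Policy
    column, so they have four tokens instead of five."""
    result, vrf, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("---"):
            continue
        if line.startswith("VRF:"):
            vrf = line.split(":", 1)[1].strip()
            result[vrf] = {"policies": {}, "pairs": []}
            continue
        if line.startswith("Policy "):          # header of the per-policy summary table
            section = "policies"
            continue
        if line.startswith("Dest Segment"):     # header of the per-segment-pair table
            section = "pairs"
            continue
        tokens = line.split()
        hit, drop = int(tokens[-2]), int(tokens[-1])
        if section == "policies":
            result[vrf]["policies"][tokens[0]] = (hit, drop)
        elif section == "pairs":
            policy = tokens[2] if len(tokens) == 5 else ""
            result[vrf]["pairs"].append((tokens[0], tokens[1], policy, hit, drop))
    return result


def triage(parsed):
    """One finding per non-zero drop counter, distinguishing drops by the
    segment's default policy (no explicit 'from' entry for the source) from
    drops by a configured policy-drop-all entry."""
    findings = []
    for vrf, data in parsed.items():
        for dest, src, _policy, _hit, drop in data["pairs"]:
            if drop == 0:
                continue
            if src == "*":
                findings.append(f"vrf {vrf}: {drop} packets to segment {dest} from sources "
                                f"without an explicit policy were dropped by the default policy")
            else:
                findings.append(f"vrf {vrf}: {drop} packets from {src} to {dest} "
                                f"dropped by a configured policy-drop-all")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_counters(SAMPLE)):
        print(finding)
```

Because the counters are cumulative, run clear segment-security hardware counters, wait a fixed interval, and then parse the output; a steadily rising default-policy drop count for a segment after the policies are believed complete is the symptom of the missing-reverse-policy mistake described under Define Policies Between Segments.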

Segment Security Commands


Global Configuration Commands

Match-List Input Configuration Commands
Router Segment-Security VRF Configuration Commands
Router Segment-Security VRF Segment Configuration Commands
Router Segment-Security VRF Segment Policies Configuration Commands

Router Segment-Security VRF Segment Definition Configuration Commands

Segment-Security Clear and Show Commands

clear segment-security hardware counters

The clear segment-security hardware counters command clears the MSS-Group (segment security) Hit and Drop counters: the per-policy totals and the hits and drops for each segment's policies. All MSS-Group counters are set to 0.


Command Mode

Privileged EXEC


Command Syntax

clear segment-security hardware counters



  • This command clears all counters for MSS-Group.
    switch# clear segment-security hardware counters

definition (segment)

The definition command enters Router Segment-Security VRF Segment Definition Configuration mode. This is not a group change mode. Changes are applied to running-config immediately. The exit command does not affect the configuration.

The no definition and default definition commands clear the segment definitions from running-config.


Command Mode

Router Segment-Security VRF Segment Configuration


Command Syntax


definition

no definition

default definition


Commands Available in Router Segment-Security VRF Segment Definition Configuration Mode

match (segment definition)


  • These commands enter Router Segment-Security VRF Segment Definition mode for the segment "admin".
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment admin
    switch(config-router-seg-sec-vrf-segment-admin)# definition

from (segment policies)

The from command adds a policy to a segment in order to filter traffic from a specified segment (the same segment or a different segment). The policy can be either policy-drop-all or policy-forward-all. The default is policy-drop-all. Therefore, for a segment to allow traffic among its own members, it requires a policy-forward-all policy for itself. You can add any number of policies.

The no from and default from commands clear the segment policy from the running-config.


Command Mode

Router Segment-Security VRF Segment Policies Configuration


Command Syntax

from segment_name policy policy_type

no from segment_name [policy policy_type]

default from segment_name [policy policy_type]



  • policy_type The type of policy. The possible values are "policy-drop-all" and "policy-forward-all". The default is "policy-drop-all".
  • segment_name The name of the segment to filter. This can be the segment currently being configured, to give you control over traffic within the segment.


Related Command

segment policy policy-drop-all default



  • These commands add three policies to the segment admin. One policy allows traffic within the admin segment itself. The second policy drops all traffic from segment seg1. The third policy forwards all traffic from seg2.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment admin
    switch(config-router-seg-sec-vrf-segment-admin)# policies
    switch(config-router-seg-sec-vrf-segment-policies)# from admin policy policy-forward-all
    switch(config-router-seg-sec-vrf-segment-policies)# from seg1 policy policy-drop-all
    switch(config-router-seg-sec-vrf-segment-policies)# from seg2 policy policy-forward-all

match-list input

The match-list input command enters Match List Configuration mode for the specified match list, creating one if it does not exist. The commands in this mode apply changes to running-config immediately. The exit command is not needed to save the changes to the configuration.

The no match-list input and default match-list input commands remove the specified match list from running-config.


Command Mode

Global Configuration Mode


Command Syntax

match-list input {prefix-ipv4|prefix-ipv6} match_list_name

no match-list input {prefix-ipv4|prefix-ipv6} match_list_name

default match-list input {prefix-ipv4|prefix-ipv6} match_list_name


  • prefix-ipv4 This match list has IPv4 prefixes only.
  • prefix-ipv6 This match list has IPv6 prefixes only.
  • match_list_name The name of the match-list to add to. If it does not exist it will be created.


  • The following command creates an IPv4 match list called camera-prefixes and enters Match List Configuration mode.
    switch(config)# match-list input prefix-ipv4 camera-prefixes


  • The following command removes the IPv4 match list camera-prefixes from running-config.
    switch(config)# no match-list input prefix-ipv4 camera-prefixes

match (match-list input)

The match command adds an entry to a match list. Each entry in a given match list must be of the same type, either IPv4 or IPv6. This command updates running-config immediately. It is not necessary to use the exit command to save changes.

The no match and default match commands remove the specified match list entry from the match list in running-config.


Command Mode

Match List input Configuration Mode

Command Syntax

match {prefix-ipv4|prefix-ipv6} ip_address_prefix

no match {prefix-ipv4|prefix-ipv6} ip_address_prefix

default match {prefix-ipv4|prefix-ipv6} ip_address_prefix


  • prefix-ipv4 This prefix is IPv4. You cannot mix prefix types in a single match list.
  • prefix-ipv6 This prefix is IPv6. You cannot mix prefix types in a single match list.
  • ip_address_prefix The prefix to add. For IPv4, it is of the form A.B.C.D/E. For IPv6, it is of the form A:B:C:D:E:F:G:H/I.


  • The following commands add two IPv4 entries to the match list camera-prefixes.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4
    switch(config-match-list-prefix-ipv4-camera-prefixes)# match prefix-ipv4


  • The following command removes one entry from the camera-prefixes match list.
    switch(config)# match-list input prefix-ipv4 camera-prefixes
    switch(config-match-list-prefix-ipv4-camera-prefixes)# no match prefix-ipv4

match (segment definition)

The match command adds a match list to a segment definition. The match list cannot contain both IPv4 and IPv6 prefixes. One match list of each type can be added. The segment definition is updated in running-config immediately.

The no match command removes the specified match list from the segment definition in running-config.

The default match command removes the specified match list from the segment definition in running-config.


Command Mode

Router Segment-Security VRF Segment Definition Configuration


Command Syntax

match {prefix-ipv4|prefix-ipv6} match_list_name

no match {prefix-ipv4|prefix-ipv6} match_list_name

default match {prefix-ipv4|prefix-ipv6} match_list_name



  • prefix-ipv4 The match list contains IPv4 prefixes.
  • prefix-ipv6 The match list contains IPv6 prefixes.
  • match_list_name The name of the match list.



  • These commands add two match lists to the segment admin, an IPv4 match list named admin-prefixes and an IPv6 match list also named admin-prefixes.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment admin
    switch(config-router-seg-sec-vrf-segment-admin)# definition
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv4 admin-prefixes
    switch(config-router-seg-sec-vrf-segment-def)# match prefix-ipv6 admin-prefixes


policies (segment)

The policies command places the switch in Router Segment Security VRF Segment Policies Configuration mode. In this mode, the command from creates a policy for the segment. A segment can contain multiple policies.

The no policies command clears the segment policies from running-config.

The default policies command clears the segment policies from running-config.


Command Mode

Router Segment-Security VRF Segment Configuration


Command Syntax


policies

no policies

default policies



  • This command places the switch in Router Segment-Security VRF Segment Policies configuration mode for the segment admin.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment admin
    switch(config-router-seg-sec-vrf-segment-admin)# policies

router segment-security

The router segment-security command enters Router Segment-Security Configuration Mode. This mode is required to enable or disable MSS-Group (segment security), and to enter the Router Segment-Security VRF configuration mode to create segments from match lists and to configure MSS-Group.

The no router segment-security command removes the MSS-Group configuration from running-config.

The default router segment-security command removes the MSS-Group configuration from running-config.


Command Mode

Global Configuration Mode


Command Syntax

router segment-security

no router segment-security

default router segment-security


Commands Available In Router Segment-Security Configuration Mode





  • The following command enters Router Segment-Security configuration Mode.
    switch(config)# router segment-security


  • The following command disables MSS-Group and removes the MSS-Group configuration from the running-config.
    switch(config)# no router segment-security


segment

The segment command enters Router Segment-Security VRF Segment Configuration mode, creating a segment if one does not exist. The commands in this mode apply changes to running-config immediately. The exit command does not affect the configuration.

The no segment command and the default segment command clear the segment from running-config.


Command Mode

Router Segment-Security VRF Configuration


Command Syntax

segment segment_name

no segment segment_name

default segment segment_name



  • segment_name The name of the segment.


Commands Available in Router Segment-Security VRF Segment Configuration Mode



  • The following command creates a new segment called admin and enters Segment Configuration mode.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# vrf default
    switch(config-router-seg-sec-vrf-default)# segment admin

segment policy policy-drop-all default

The segment policy policy-drop-all default command configures the switch to drop all traffic to all segments. This is the default.

The no segment policy policy-drop-all default command changes the default so that segments forward traffic not covered by an explicit policy. This is one way to allow traffic within a segment; the other is an explicit from entry with policy-forward-all naming the segment itself.

The default segment policy policy-drop-all default command restores the default, so that all traffic to all segments is dropped.


Command Mode

Router Segment-Security Configuration


Command Syntax

segment policy policy-drop-all default

no segment policy policy-drop-all default

default segment policy policy-drop-all default



  • This command removes the policy-drop-all policy from the general segment security configuration.
    switch(config)# router segment-security
    switch(config-router-seg-sec)# no segment policy policy-drop-all default


show match-list

The show match-list command displays match lists of type IPv4 or IPv6.


Command Mode

Privileged EXEC


Command Syntax

show match-list {prefix-ipv4 | prefix-ipv6} [list-name]


  • prefix-ipv4 IPv4 prefix list.
  • prefix-ipv6 IPv6 prefix list.
  • list-name match list name.


  • The following command displays all the IPv4 match lists and their contents.
    switch# show match-list prefix-ipv4 
    Name            Prefix          
    --------------- --------------- 


  • The following command displays the contents of the IPv6 match list camera-prefixes.
    switch# show match-list prefix-ipv6 camera-prefixes
    Name            Prefix
    --------------- -----------------------
    camera-prefixes 2001:0:9d38:6ab8::/64

show segment-security


The show segment-security command shows the status and configuration of MSS-Group (segment security).


Command Mode

Privileged EXEC


Command Syntax

show segment-security [{[vrf vrf_name] [segment seg_name] | application [application_name] | policy [policy_name] | segment segment_name | sessions [vrf vrf_name] | status [vrf vrf_name] [segment seg_name]}]


  • vrf Show information for a particular VRF. By default, all VRFs are shown.
    • vrf_name VRF name to show. The default VRF instance is named "default".


  • segment Show information for a particular segment. By default, all segments are shown.
    • segment_name The name of the segment to show.


  • application Show status and configuration for applications. By default, no application information is shown.
    • application_name The name of the application to show. If this is omitted, all applications are shown.
  • policy Show information about policies.
    • policy_name  The name of the policy to show. If this is omitted, all policies are shown.


  • sessions Show information about sessions.
    • vrf Show session information about a particular VRF.
      • vrf_name The VRF for which to show session information. The default VRF is named "default".


  • status Show status information.



If both the vrf and segment parameters are specified, the vrf parameter must precede the segment parameter. Command syntax such as show segment-security segment seg_name vrf vrf_name is not valid.


  • This command displays the MSS-Group configuration for all VRF instances and all segments.
    switch# show segment-security
    VRF : default
      Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
      secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all


  • This command shows the MSS-Group configuration for the default VRF instance only.
    switch# show segment-security vrf default
    VRF : default
      Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all
      secure-admin            admin-prefixes  admin-prefixes  camera       policy-forward-all


  • This command shows the MSS-Group configuration for the camera segment.
    switch# show segment-security segment camera
    VRF : default
      Segment      Interfaces Prefix IPv4     Prefix IPv6     From Segment Policy             
      ------------ ---------- --------------- --------------- ------------ ------------------
      camera                  camera-prefixes camera-prefixes secure-admin policy-forward-all


  • This command shows information for all applications.
    switch# show segment-security applications
    application: app-match-all
       protocol: all



  • This command shows information for the policy policy-drop-all.
    switch# show segment-security policy policy-drop-all
    policy: policy-drop-all [readonly]
       10 application app-match-all action drop stateless

show segment-security hardware counters

The show segment-security hardware counters command displays the counters for policies in each segment, including the default policies. For each policy configured between two segments, the Hit counter shows all hits, whether the packets were dropped or forwarded. The Drop counter shows which of those hits were dropped. There are also lines for the default policy of each segment, and the Drop counter includes packets which do not match a configured policy but are dropped by these default policies. To clear the Hit and Drop counters for each policy, setting them to 0, use the clear segment-security hardware counters command.


Command Mode

Privileged EXEC


Command Syntax

show segment-security hardware counters [vrf vrf_name]


  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The VRF to show. To show the default VRF, specify "default".



  • This command displays the policy and counters for policies configured for all segments in VRF site_b.
    switch# show segment-security hardware counters vrf site_b
    VRF: site_b
    Policy               Hit        Drop
    -------------------- ---------- ----------
    policy-drop-all      6          6
    policy-forward-all   13         0

    Dest Segment         Source Segment       Policy               Hit        Drop
    -------------------- -------------------- -------------------- ---------- ----------
    camera               *                    n/a                  0          3
    camera               camera                                    6          6
    camera               secure-admin                              4          0
    secure-admin         *                    n/a                  0          12
    secure-admin         camera                                    9          0

show segment-security hardware detail

The show segment-security hardware detail command displays the hardware ID allocated to each segment, the prefixes programmed in hardware for each segment, and the adjacency index used by each prefix (as determined from L3 hardware tables).


Command Mode

Privileged EXEC


Command Syntax

show segment-security hardware detail [vrf vrf_name][segment seg_name]


  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
  • segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
  • seg_name The name of the segment to show details for.



If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware detail segment segment_name vrf vrf_name is not valid.



This command displays the hardware IDs allocated to each segment in vrf site_a, the prefixes in each segment, and the adjacency index for each prefix (as determined from L3 hardware tables).
switch# show segment-security hardware detail vrf site_a
VRF: site_a
Segment        Hardware ID     Prefixes                 Adj Index
-------------- --------------- ------------------------ ---------------
camera         63                                       1
                               2001:0:9d38:6ab8::/64    2
                               2002:0:9d38:6ab8::3/128  2
secure-admin   62                                       1
                               2003:0:9d38:6ab8::/64    2

show segment-security hardware routes

The show segment-security hardware routes command displays the route and type for each programmed prefix in hardware. Since MSS-Group prefixes use L3 hardware tables, the prefixes can overlap with FIB routes, so each prefix is assigned a route type. There are three possible classifications for a prefix:
  1. The prefix does not overlap with an FIB route. This prefix has route type S.
  2. The prefix is also configured in the FIB. If a segment prefix is identical to an FIB prefix, it is given the route type S,F.
  3. The prefix overlaps with an FIB entry but there is no exact match in the FIB. This prefix has the route type F.


Command Mode

Privileged EXEC


Command Syntax

show segment-security hardware routes [vrf vrf_name][segment seg_name]


  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
  • segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
  • seg_name The name of the segment to show details for.



If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware routes segment segment_name vrf vrf_name is not valid.



This command displays the route and type for programmed prefixes in hardware for the VRF named site_a and the segment camera.
switch# show segment-security hardware routes vrf site_a segment camera 
Codes: S - Segment prefix
       F - FIB route
       S,F - Segment prefix which is also present in FIB

VRF: site_a
Segment       Hardware ID   Routes                     Route Type
------------- ------------- -------------------------- ----------
camera        63                                       S
                            2001:0:9d38:6ab8::/64      S
                            2002:0:9d38:6ab8::3/128    S
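The three route types described above are easier to reason about as a function. The following Python is an added example, not EOS code, that applies the page's three cases to a list of segment prefixes and a list of FIB routes: an exact match is S,F, a prefix that contains or is contained by a FIB route is F, and anything else is S. The IPv6 prefixes in the data come from the page's example; the IPv4 prefixes and the FIB contents are constructed. It is an assumption that "overlaps" means one prefix contains the other within the same address family.

```python
import ipaddress

# Constructed data (not from the page's switch). The 2001:/2002: prefixes are the
# page's example; the rest are assumed to exercise each route type.
SEGMENT_PREFIXES = [
    "2001:0:9d38:6ab8::/64",
    "2002:0:9d38:6ab8::3/128",
    "10.1.2.0/24",
    "192.168.0.0/16",
    "172.16.0.0/12",
]
FIB_ROUTES = [
    "2001:0:9d38:6ab8::/64",  # exact match for a segment prefix -> S,F
    "10.0.0.0/8",             # covers 10.1.2.0/24 -> F
    "192.168.1.0/24",         # inside 192.168.0.0/16 -> F
    "2003:0:9d38:6ab8::/64",  # no relation to any segment prefix
]


def route_type(prefix: str, fib) -> str:
    """Classify one segment prefix against the FIB using the page's three cases."""
    p = ipaddress.ip_network(prefix, strict=False)
    nets = [ipaddress.ip_network(f, strict=False) for f in fib]
    if any(p == f for f in nets):
        return "S,F"  # identical prefix is also in the FIB
    # Assumption: "overlaps" means either prefix contains the other. subnet_of()
    # raises on mixed address families, so the version is checked first.
    if any(f.version == p.version and (p.subnet_of(f) or f.subnet_of(p)) for f in nets):
        return "F"    # shares address space with a FIB entry, no exact match
    return "S"        # segment-only prefix


def route_table(prefixes, fib):
    """Return {prefix: type}, the content of the Routes / Route Type columns."""
    return {p: route_type(p, fib) for p in prefixes}
```

Run over a copy of the FIB taken from the same VRF, this lets you predict what the command should print before you look, and a prefix that the command reports as F when you expected S (or the reverse) is a sign that a route was added or withdrawn in the segment's address space since the policy was designed.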

show segment-security hardware summary

The show segment-security hardware summary command displays the hardware ID, number of prefixes, and number of successfully programmed prefixes for each VRF and segment specified. By default, all VRFs and segments are shown.


Command Mode

Privileged EXEC


Command Syntax

show segment-security hardware summary [vrf vrf_name][segment seg_name]


  • vrf Show details for a specific VRF. If this parameter is omitted, details for all VRFs are shown.
  • vrf_name The name of the VRF to show details for. To show details for the default VRF, you must specify "default".
  • segment Show details for a specific segment. If this parameter is omitted, details for all segments are shown.
  • seg_name The name of the segment to show details for.



If both vrf and segment parameters are specified, the vrf parameter must come first. The command syntax show segment-security hardware summary segment segment_name vrf vrf_name is not valid.



This command displays the hardware ID allocated to each configured segment, the number of prefixes configured, and the number of prefixes successfully programmed in hardware for all VRFs and all segments.
switch# show segment-security hardware summary

VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2
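The Prefixes and Programmed columns are worth comparing automatically, because a segment whose programmed count is below its configured count has addresses that the hardware does not associate with that segment, and that should be treated as a potential enforcement gap until explained. The following Python is an added example, not EOS code: it parses the summary output for all VRF blocks and lists every segment with unprogrammed prefixes. The default VRF block of the sample is the page's example output; the site_a block, with one prefix that failed to program, is constructed.

```python
# Constructed sample output for 'show segment-security hardware summary'. The
# default VRF block is the page's example; the site_a block is assumed, with a
# segment whose programmed count is short by one.
SAMPLE_SUMMARY = """\
VRF: default
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
camera               63              5          5
secure-admin         62              2          2

VRF: site_a
Segment              Hardware ID     Prefixes   Programmed
-------------------- --------------- ---------- ---------------
iot                  61              4          3
"""


def parse_summary(text: str):
    """Yield (vrf, segment, hardware_id, prefixes, programmed) for each segment row."""
    vrf = None
    for line in text.splitlines():
        if line.startswith("VRF:"):
            vrf = line.split(":", 1)[1].strip()
            continue
        parts = line.split()
        # Data rows are exactly four fields ending in three integers; the header
        # ("Hardware ID" splits into two words) and the ruler line do not match.
        if len(parts) != 4 or not all(p.isdigit() for p in parts[1:]):
            continue
        seg, hw, prefixes, programmed = parts
        yield vrf, seg, int(hw), int(prefixes), int(programmed)


def unprogrammed(text: str):
    """Segments whose programmed count is below the configured prefix count."""
    return [(vrf, seg, prefixes, programmed)
            for vrf, seg, _, prefixes, programmed in parse_summary(text)
            if programmed < prefixes]


def segments_per_vrf(text: str):
    """Count configured segments in each VRF, e.g. to watch the platform's segment limit."""
    counts = {}
    for vrf, _seg, _hw, _p, _prog in parse_summary(text):
        counts[vrf] = counts.get(vrf, 0) + 1
    return counts
```

Pair this with the show segment-security hardware detail output for the flagged segment to see which prefix is missing its hardware entry.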

shutdown (router segment-security)

The shutdown command disables MSS-Group (segment security) on the switch. This is the default, so configured segments and policies take effect only after the feature is enabled. The no shutdown command enables MSS-Group. The default shutdown command restores the default setting, which is shutdown.


Command Mode

Router Segment-Security Configuration


Command Syntax

shutdown

no shutdown

default shutdown



This command enables MSS-Group in the switch.
switch(config)# router segment-security
switch(config-router-seg-sec)# no shutdown

vrf (router segment-security)

The vrf command enters Router Segment-Security VRF Configuration mode, creating a VRF instance if necessary, to create and configure MSS-Group segments.


Command Mode

Router Segment-Security Configuration


Command Syntax

vrf vrf_instance



vrf_instance The name of the VRF instance. To configure MSS-Group for the default VRF instance, specify "default".


Commands Available in Router Segment-Security VRF Configuration Mode




The following command enters Router Segment-Security VRF Configuration mode for the default VRF instance.
switch(config)# router segment-security
switch(config-router-seg-sec)# vrf default