THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS,
INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH
THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS.

CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT
LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks

Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2018 Cisco Systems, Inc. All rights reserved.

Summary of Contents for Nexus 3600 NX-OS

Page 1: ...guration Guide Release 7 x First Published 2017 09 27 Last Modified 2018 02 27 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ...2 Overview 3 Authentication Authorization and Accounting 3 RADIUS and TACACS Security Protocols 4 SSH and Telnet 4 SSH and Telnet 5 IP ACLs 5 C H A P T E R 3 Configuring AAA 7 Information About AAA 7 AAA Security Services 7 Benefits of Using AAA 8 Remote AAA Services 8 AAA Server Groups 8 AAA Service Configuration Options 9 Authentication and Authorization Process for User Logins 10 Prerequisites ...

Page 4: ...for Login Parameters 22 Restricting Sessions Per User Per User Per Login 23 Enabling the Password Prompt for User Name 24 Configuring Share Key Value for using RADIUS TACACS 24 Monitoring and Clearing the Local AAA Accounting Log 25 Verifying the AAA Configuration 25 Configuration Examples for AAA 26 Default AAA Settings 26 C H A P T E R 4 Configuring RADIUS 29 Information About RADIUS 29 RADIUS N...

Page 5: ...ult Settings for RADIUS 44 Feature History for RADIUS 44 C H A P T E R 5 Configuring TACACS 45 Information About Configuring TACACS 45 TACACS Advantages 45 User Login with TACACS 46 Default TACACS Server Encryption Type and Preshared Key 46 TACACS Server Monitoring 47 Prerequisites for TACACS 47 Guidelines and Limitations for TACACS 48 Configuring TACACS 48 TACACS Server Configuration Process 48 E...

Page 6: ... User Accounts 62 Specifying the SSH Public Keys in Open SSH Format 62 Specifying the SSH Public Keys in IETF SECSH Format 63 Specifying the SSH Public Keys in PEM Formatted Public Key Certificate Form 63 Configuring the SSH Source Interface 64 Starting SSH Sessions to Remote Devices 65 Clearing SSH Hosts 65 Disabling the SSH Server 65 Deleting SSH Server Keys 66 Clearing SSH Sessions 66 Configura...

Page 7: ...nits 78 ACL TCAM Regions 78 Licensing Requirements for ACLs 79 Prerequisites for ACLs 79 Guidelines and Limitations for ACLs 80 Default ACL Settings 80 ACL Logging 81 Configuring IP ACLs 81 Creating an IP ACL 81 Configuring IPv4 ACL Logging 82 Changing an IP ACL 84 Removing an IP ACL 85 Changing Sequence Numbers in an IP ACL 86 Applying an IP ACL to mgmt0 86 Applying an IP ACL as a Port ACL 87 App...

Page 8: ...ocess 102 Global Statistics 102 Licensing Requirements for Unicast RPF 103 Guidelines and Limitations for Unicast RPF 103 Default Settings for Unicast RPF 104 Configuring Unicast RPF 104 Configuration Examples for Unicast RPF 106 Verifying the Unicast RPF Configuration 106 Additional References for Unicast RPF 107 C H A P T E R 9 Configuring Control Plane Policing 109 About CoPP 109 Control Plane ...

Page 9: ...a Control Plane Class Map 127 Configuring a Control Plane Policy Map 129 Configuring the Control Plane Service Policy 131 Configuring the CoPP Scale Factor Per Line Card 132 Changing or Reapplying the Default CoPP Policy 133 Copying the CoPP Best Practice Policy 134 Verifying the CoPP Configuration 135 Displaying the CoPP Configuration Status 137 Monitoring CoPP 137 Clearing the CoPP Statistics 13...

Page 10: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x x Contents ...

Page 11: ...t Conventions Command descriptions use the following conventions Description Convention Bold text indicates the commands and keywords that you enter literally as shown bold Italic text indicates arguments for which the user supplies the values Italic Square brackets enclose an optional element keyword or argument x Square brackets enclosing keywords or arguments separated by a vertical bar indicat...

Page 12: ...kets Default responses to system prompts are in square brackets An exclamation point or a pound sign at the beginning of a line of code indicates a comment line Obtaining Documentation and Submitting a Service Request For information on obtaining documentation using the Cisco Bug Search Tool BST submitting a service request and gathering additional information see What s New in Cisco Product Docum...

Page 13: ... documentation set is available at the following URL http www cisco com c en us support switches nexus 3000 series switches tsd products support series home html Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x xiii Preface Related Documentation for Cisco Nexus 3600 Platform Switches ...

Page 14: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x xiv Preface Related Documentation for Cisco Nexus 3600 Platform Switches ...

Page 15: ...Description Feature About System ACLs on page 89 7 0 3 F3 4 Added support for configuring system ACLs System ACLs Configuring IP ACLs on page 75 7 0 3 F3 1 Added support for Access Control Lists ACLs Access Control Lists Configuring AAA on page 7 7 0 3 F3 1 Added support for Authentication Authorization and Accounting AAA Authentication Authorization and Accounting Configuring SSH and Telnet on pa...

Page 16: ... 101 7 0 3 F3 1 Added support for unicast RPF Unicast RPF Configuring Control Plane Policing on page 109 7 0 3 F3 1 Added support for CoPP Control Plane Policing CoPP Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 2 New and Changed Information New and Changed Information ...

Page 17: ...at you select encryption Authentication is the way a user is identified prior to being allowed access to the network and network services You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces Authorization Provides the method for remote access control including one time authorization or authorization for each service p...

Page 18: ...and send authentication requests to a central RADIUS server that contains all user authentication and network service access information. TACACS+: A security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNI...

Page 19: ...ce to the other Telnet can accept either an IP address or a domain name as the remote device address IP ACLs IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the Layer 3 header of packets Each rule specifies a set of conditions that a packet must satisfy to match the rule When the Cisco NX OS software determines that an IP ACL applies to a packet it...

Page 20: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 6 Overview IP ACLs ...

Page 21: ...The Cisco Nexus device supports the Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+) protocols. Based on the user ID and password that you provide, the switches perform local authentication or authorization using the local database, or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for...

Page 22: ...ocal AAA services: User password lists for each switch in the fabric are easier to manage. AAA servers are already deployed widely across enterprises and can be easily used for AAA services. The accounting log for all switches in the fabric can be centrally managed. User attributes for each switch in the fabric are easier to manage than using the local databases on the switches. AAA Server Groups: You c...

Page 23: ...RADIUS or TACACS+ server groups for authentication. Local: Uses the local username and password database for authentication. None: Uses only the username. If the method is for all RADIUS servers instead of a specific server group, the Cisco Nexus device chooses the RADIUS server from the global pool of configured RADIUS servers in the order of configuration. Servers from this global pool are the servers t...

Page 24: ...is tried, and so on, until the remote server responds to the authentication request. If all AAA servers in the server group fail to respond, the servers in the next server group are tried. If all configured methods fail to respond, the local database is used for authentication. If a Cisco Nexus device successfully authenticates you through a remote AAA server, the following conditions apply: If the AAA server protoc...

Page 25: ...tes for Remote AAA: Remote AAA servers have the following prerequisites: At least one RADIUS or TACACS+ server must be IP reachable. The Cisco Nexus device is configured as a client of the AAA servers. The preshared secret key is configured on the Cisco Nexus device and on the remote AAA servers. The remote server responds to AAA requests from the Cisco Nexus device. Cisco Nexus 3600 NX-OS Security Confi...

Page 26: ...ng: Global pool of RADIUS servers; Named subset of RADIUS or TACACS+ servers; Local database on the Cisco Nexus device; Username only (none). The default method is local. The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius-server host command to configure the host servers. Use the aaa group server radius comman...

Page 27: ...nfigured methods fail to respond. Step 3: Exits global configuration mode. switch(config)# exit. Step 4 (Optional): Displays the configuration of the console login authentication methods. switch# show aaa authentication. Step 5 (Optional): Copies the running configuration to the startup configuration. switch# copy running-config startup-config. This example shows how to configure authentication methods for the cons...

Page 28: ...configuration of the default login authentication methods. switch# show aaa authentication. Step 4 (Optional): Copies the running configuration to the startup configuration. switch# copy running-config startup-config. Step 5. Enabling Login Authentication Failure Messages: When you log in, the login is processed by the local user database if the remote AAA servers do not respond. If you have enabled the displa...

Page 29: ...or user admin from 172.22.00.00. When logging level authpriv is 6, additional Linux kernel authentication messages appear along with the previous message. If these additional messages need to be ignored, the authpriv value should be set to 3. Note: Logs all successful authentication messages to the configured syslog server. With this configuration, the following syslog message appears after the successful...

Page 30: ...nd all configuration mode commands. The authorization methods include the following: Group: TACACS+ server group. Local: Local role-based authorization. None: No authorization is performed. The default method is Local. Note: There is no authorization on the console session. Before You Begin: You must enable TACACS+ before configuring AAA command authorization. Procedure: Step 1: Enters global co...

Page 31: ...based on the user's local role. switch(config)# aaa authorization config-commands default group tac1 local. The following example shows how to authorize configuration mode commands with TACACS+ server group tac1. If the server is reachable, the command is allowed or not allowed based on the server response. If there is an error reaching the server, allow the command regardless of the local role: switch# aaa ...

Page 32: ...e. Step 1: Enters global configuration mode. switch# configure terminal. Step 2: Enables MS-CHAP authentication. The default is disabled. switch(config)# aaa authentication login mschap enable. Step 3: Exits configuration mode. switch(config)# exit. Step 4 (Optional): Displays the MS-CHAP configuration. switch# show aaa authentication login mschap. Step 5 (Optional): Copies the running configuration to the star...

Page 33: ...gure terminal. Step 2: Configures the default accounting method. One or more server group names can be specified in a space-separated list. switch(config)# aaa accounting default {group group-list | local}. The group-list argument consists of a space-delimited list of group names. The group names are the following: radius: Uses the global pool of RADIUS servers for accounting. named-group: Uses a named sub...
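The AAA method lists described on the preceding pages (login authentication, command authorization, accounting) are only useful once they are assembled into one configuration. The following is an added example, not text from the guide: a complete NX-OS 7.x AAA configuration backed by a TACACS+ server group, with the console kept on local authentication so an administrator can still log in when the AAA servers are down. It also stands in for the TACACS+ chapter's server-host and server-group tasks. The server addresses, the group name TacServer1, the type-7 shared secret and the test credentials are assumptions; the commands are the ones this guide documents. TACACS+ is enabled first because the guide requires it before any command-authorization configuration.

```text
switch# configure terminal
! TACACS+ must be enabled before tacacs-server or AAA command-authorization commands are accepted.
switch(config)# feature tacacs+
! Server hosts. The shared secret is given in type-7 form so the clear text never enters the configuration
! (see "Configuring Share Key Value"). The value shown is illustrative.
switch(config)# tacacs-server host 10.10.1.1 key 7 "fewhg"
switch(config)# tacacs-server host 10.10.1.2 key 7 "fewhg"
switch(config)# tacacs-server timeout 5
! Named server group. The group deadtime overrides the global value; reach the servers over the management VRF.
switch(config)# aaa group server tacacs+ TacServer1
switch(config-tacacs+)# server 10.10.1.1
switch(config-tacacs+)# server 10.10.1.2
switch(config-tacacs+)# deadtime 5
switch(config-tacacs+)# use-vrf management
switch(config-tacacs+)# source-interface mgmt 0
switch(config-tacacs+)# exit
! Login authentication: the TACACS+ group first; the local database is consulted only when no server responds.
! A REJECT from a reachable server is final, so "local" does not become a bypass for a revoked account.
switch(config)# aaa authentication login default group TacServer1 local
! Keep the console on local authentication (command authorization is never applied to the console anyway).
switch(config)# aaa authentication login console local
! Tell the user why a login failed (servers unreachable versus credentials rejected).
switch(config)# aaa authentication login error-enable
! Command authorization: ask the TACACS+ group; fall back to the user's local role on a server error.
switch(config)# aaa authorization config-commands default group TacServer1 local
switch(config)# aaa authorization commands default group TacServer1 local
! Send accounting records to the same group.
switch(config)# aaa accounting default group TacServer1
switch(config)# exit
! Verify, and exercise a live server with an assumed test account, before saving.
switch# show aaa authentication
switch# show aaa authorization
switch# show aaa accounting
switch# show tacacs-server groups
switch# test aaa group TacServer1 user1 Ur2Gd2BH
switch# copy running-config startup-config
```

The ordering matters operationally: configure and test the server group before changing the default login method, and change the console method last, otherwise a typo in the server configuration locks every remote session out while the console still depends on a server that cannot be reached.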

Page 34: ...ation results. This authorization information is specified through VSAs. VSA Format: The following VSA protocol options are supported by the Cisco Nexus device: Shell: Used in access-accept packets to provide user profile information. Accounting: Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks. The following attributes are supported by the Cisco...

Page 35: ...Configuration Examples for Login Parameters; Restricting Sessions Per User Per Login; Enabling the Password Prompt for User Name; Configuring Share Key Value for using RADIUS/TACACS+. Configuring Login Parameters: Use this task to configure your Cisco NX-OS device for login parameters that help detect suspected DoS attacks and slow down dictionary attacks. All login parameters are disabled by d...

Page 36: ...ters. Step 5: show login failures. Example: Switch# show login failures. Displays information related only to failed login attempts. Configuration Examples for Login Parameters. Setting Login Parameters Example: The following example shows how to configure your switch to enter a 100-second quiet period if 15 failed login attempts are exceeded within 100 seconds; all login requests are denied during the quiet...

Page 37: ...at no information is presently logged. Switch# show login failures: No logged failed login attempts with the device. Restricting Sessions Per User Per Login: Use this task to restrict the maximum sessions per user. Procedure: Step 1: Enters global configuration mode. configure terminal. Example: Switch# configure terminal. Step 2: Restricts the maximum sessions per user. The range is ...

Page 38: ...ing RADIUS/TACACS+. The shared secret you configure for remote authentication and accounting must be hidden. For the radius-server key and tacacs-server key commands, a separate command that generates an encrypted shared secret can be used. Procedure: Step 1: Enters global configuration mode. configure terminal. Example: Switch# configure terminal. Step 2: Configures RADIUS and TACACS+ shared secre...
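The three tasks above (login parameters, sessions per user, hidden shared key) as one added example, not the guide's own text. It shows the quiet period described in the Login Parameters example, a per-user session cap, and the type-7 encoded shared secret that keeps the RADIUS/TACACS+ key out of the clear-text configuration. The thresholds and the encoded secret are illustrative assumptions.

```text
! Login parameters: after 15 failed attempts within 100 seconds, refuse every login for 100 seconds.
! This is the quiet-period behaviour described under "Setting Login Parameters Example".
switch# configure terminal
switch(config)# login block-for 100 attempts 15 within 100
! Allow at most one concurrent session per user account.
switch(config)# user max-logins 1
switch(config)# exit
! Inspect the failed-attempt table; empty output means nothing has been logged yet.
switch# show login failures
switch# show running-config all | include max-login

! Shared secret: do not type the clear-text key into radius-server key or tacacs-server key.
! Generate the type-7 encoding first (the command prompts for the plaintext and prints the encoded string),
! then paste that string, in quotes, with key type 7. "fewhg" below stands for the printed value.
switch# generate type7_encrypted_secret
switch# configure terminal
switch(config)# radius-server key 7 "fewhg"
switch(config)# tacacs-server key 7 "fewhg"
switch(config)# exit
! The keys now appear only in encoded form:
switch# show running-config radius
switch# show running-config tacacs+
```

Two caveats a practitioner should keep in mind. The quiet period applies to all login requests, so an attacker who can reach the management address can keep the switch in quiet mode; keep console access available for that case. Type-7 encoding is an obfuscation, not encryption: anyone who can read the running configuration can recover the secret, so the configuration itself must be handled as sensitive data and the secret should be unique per device or device group.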

Page 39: ...utput. The range is from 0 to 250000 bytes. You can also specify a start time for the log output. Step 2 (Optional): Clears the accounting log contents. switch# clear accounting log. Verifying the AAA Configuration: To display AAA configuration information, perform one of the following tasks: show aaa accounting: Displays the AAA accounting configuration. show aaa authentication: Displays AAA authentication information. show...

Page 40: ...running-config aaa all. show running-config all | include max-login: Displays the maximum number of login sessions allowed per user. show startup-config aaa: Displays the AAA configuration in the startup configuration. show userpassphrase {length | max-length | min-length}: Displays the minimum and maximum length of the user password. Configuration Examples for AAA: The following example shows how to configure AAA: swit...

Page 41: ...od. Login authentication failure messages: Disabled. MSCHAP authentication: Disabled. Default accounting method: local. Accounting log display length: 250 KB. Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x, 27, Configuring AAA, Default AAA Settings ...

Page 42: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 28 Configuring AAA Default AAA Settings ...

Page 43: ...Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on the Cisco Nexus device and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information. RADIUS Network Environments: RADIUS can be implemented in a variety of net...

Page 44: ...to log in and authenticate to a Cisco Nexus device using RADIUS, the following process occurs: 1. The user is prompted for and enters a username and password. 2. The username and the password, hidden using the RADIUS shared secret, are sent over the network to the RADIUS server. 3. The user receives one of the following responses from the RADIUS server: ACCEPT: The user is authenticated. REJECT: The user is not authenticated and is prompted...

Page 45: ...live servers and dead servers are different and can be configured by the user. Note: The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server. Vendor-Specific Attributes: The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The I...

Page 46: ...DIUS accounting protocol. This attribute is sent only in the VSA portion of the Accounting-Request frames from the RADIUS client on the switch. It can be used only with the accounting protocol data units (PDUs). Prerequisites for RADIUS: RADIUS has the following prerequisites: You must obtain IPv4 or IPv6 addresses or hostnames for the RADIUS servers. You must obtain preshared keys from the RADIUS servers. En...

Page 47: ...onfiguring Periodic RADIUS Server Monitoring, on page 40. Configuring RADIUS Server Hosts: You must configure the IPv4 or IPv6 address or the hostname for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers. Procedure: Step 1: Enters global configuration mode. switch# co...

Page 48: ...ured. Step 3: Exits configuration mode. switch(config)# exit. Step 4 (Optional): Displays the RADIUS server configuration. switch# show radius-server. Note: The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys. Step 5 (Optional): Saves the change persistently through reboots and restarts by copying the running configuratio...

Page 49: ...ted form in the running configuration. Use the show running-config command to display the encrypted preshared keys. Step 5 (Optional): Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration. switch# copy running-config startup-config. This example shows how to configure RADIUS preshared keys: switch# configure terminal; switch(config)#...

Page 50: ...ad time value. Step 5 (Optional): Assigns a source interface for a specific RADIUS server group. switch(config-radius)# source-interface interface. Note: The supported interface types are management and VLAN. Use the source-interface command to override the global source interface assigned by the ip radius source-interface command. Step 6: Exits configuration mode. switch(config-radius)# exit. Optional: Displ...

Page 51: ...nterface interface. Step 2: interface can be the management or the VLAN interface. Step 3: Exits configuration mode. switch(config)# exit. Step 4 (Optional): Displays the RADIUS server configuration information. switch# show radius-server. Step 5 (Optional): Copies the running configuration to the startup configuration. switch# copy running-config startup-config. This example shows how to configure the mgmt 0 interfa...

Page 52: ...retry count and timeout interval for all RADIUS servers. By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus device waits for responses from RADIUS servers before declaring a timeout failure. Procedure: Com...

Page 53: ...P port numbers where RADIUS accounting and authentication messages should be sent. Procedure: Step 1: Enters global configuration mode. switch# configure terminal. Step 2 (Optional): Specifies a UDP port to use for RADIUS accounting messages. The default UDP port for accounting is 1813 (1812 is the default for authentication). switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} acct-port udp-port. The range is from 0 to 6...

Page 54: ...figuring Periodic RADIUS Server Monitoring: You can monitor the availability of RADIUS servers. These parameters include the username and password to use for the server and an idle timer. The idle timer specifies the interval during which a RADIUS server receives no requests before the switch sends out a test packet. You can configure this option to test servers periodically. For security reasons, we re...

Page 55: ...g. Step 6. This example shows how to configure RADIUS server host 10.10.1.1 with a username user1 and password Ur2Gd2BH, and with an idle timer of 3 minutes and a deadtime of 5 minutes: switch# configure terminal; switch(config)# radius-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3; switch(config)# radius-server deadtime 5; switch(config)# exit; switch# copy running-config startup-config...

Page 56: ...g)# exit; switch# copy running-config startup-config. Manually Monitoring RADIUS Servers or Groups. Procedure: Step 1: Sends a test message to a RADIUS server to confirm availability. switch# test aaa server radius {ipv4-address | ipv6-address | server-name} [vrf vrf-name] username password. Sends a ...
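The RADIUS tasks on the preceding pages (server hosts and keys, UDP ports, retransmit and timeout, periodic monitoring with a test user, dead time, source interface, and the manual test) combined into one added configuration example. It is not from the guide; the addresses 10.10.1.1 and 10.10.1.2, the group name RadServer, the monitoring account probe-user and the secret are assumptions. The idle timer defaults to 0 (monitoring off), so the test username must be set explicitly, and, as the guide recommends, it should not be an account that exists on the RADIUS server.

```text
switch# configure terminal
! Two RADIUS servers. The secret is type 7 (illustrative value); roles default to authentication and accounting.
switch(config)# radius-server host 10.10.1.1 key 7 "fewhg" authentication accounting
switch(config)# radius-server host 10.10.1.2 key 7 "fewhg" authentication accounting
! Explicit UDP ports (defaults are 1812 for authentication and 1813 for accounting).
switch(config)# radius-server host 10.10.1.1 auth-port 1812 acct-port 1813
switch(config)# radius-server host 10.10.1.2 auth-port 1812 acct-port 1813
! Retry each server three times (default 1, maximum 5), waiting 5 seconds per attempt, before declaring a timeout.
switch(config)# radius-server retransmit 3
switch(config)# radius-server timeout 5
! Periodic monitoring: probe each server with a throwaway account after 3 idle minutes.
! probe-user does not exist on the server; a REJECT still proves the server is alive, and a compromised
! test password cannot be used to log in anywhere.
switch(config)# radius-server host 10.10.1.1 test username probe-user password Ur2Gd2BH idle-time 3
switch(config)# radius-server host 10.10.1.2 test username probe-user password Ur2Gd2BH idle-time 3
! Mark an unresponsive server dead for 5 minutes so logins skip it instead of waiting for it to time out.
switch(config)# radius-server deadtime 5
! Named group for the AAA method lists; send requests from mgmt 0 in the management VRF.
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
switch(config-radius)# server 10.10.1.2
switch(config-radius)# use-vrf management
switch(config-radius)# source-interface mgmt 0
switch(config-radius)# exit
switch(config)# aaa authentication login default group RadServer local
switch(config)# exit
! Verify, and exercise one server on demand, before saving.
switch# show radius-server
switch# show radius-server groups
switch# test aaa server radius 10.10.1.1 vrf management probe-user Ur2Gd2BH
switch# show radius-server statistics 10.10.1.1
switch# copy running-config startup-config
```

With deadtime 0 (the default) a dead server is retried on every login, and with retransmit 3 and timeout 5 each login then waits 15 seconds per server before the next method is tried; the deadtime setting is what keeps that delay from being paid on every session.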

Page 57: ...s the RADIUS statistics. switch# show radius-server statistics {hostname | ipv4-address | ipv6-address}. Step 1. Clearing RADIUS Server Statistics: You can clear the statistics that the Cisco NX-OS device maintains for RADIUS server activity. Before You Begin: Configure RADIUS servers on the Cisco NX-OS device. Procedure: Step 1 (Optional): Displays the RADIUS server statistics on the Cisco NX...

Page 58: ...efault settings for RADIUS parameters. Table 6: Default RADIUS Parameters. Server roles: Authentication and accounting. Dead timer interval: 0 minutes. Retransmission count: 1. Retransmission timer interval: 5 seconds. Idle timer interval: 0 minutes. Periodic server monitoring username: test. Periodic server monitoring password: test. Feature History for RADIUS. Table 7: Feature History for RADIUS...

Page 59: ...ation, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service is associated with its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon. The TACACS+ client/server protocol...

Page 60: ...device receives an ERROR response, the switch tries to use an alternative method for authenticating the user. The user also undergoes an additional authorization phase if authorization has been enabled on the Cisco Nexus device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization. 3. If TACACS+ authorization is required, the Cisco Nexus device again cont...

Page 61: ...ACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus device displays an error message that a failure is taking place before it can impact performance. The following figure shows the different TACACS+ server states. Figure 3: TACACS+ Server States. The monitoring intervals for alive servers and dead servers are different and can be...

Page 62: ...f needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods (Configuring TACACS+ Server Groups, on page 51). Step 5: If needed, configure periodic TACACS+ server monitoring (Configuring Periodic TACACS+ Server Monitoring, on page 54). Enabling TACACS+: By default, the TACACS+ feature is disabled on the Cisco Nexus device. You can enable the TACACS+ feature to ac...

Page 63: ...TACACS+ server hosts, you should do the following: Enable TACACS+ (see Enabling TACACS+, on page 48, for more information). Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers. Procedure: Step 1: Enters global configuration mode. switch# configure terminal. Step 2: Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server. switch(config)# tacacs-server host {ipv...

Page 64: ...t is clear text. The maximum length is 63 characters. Example: switch(config)# tacacs-server key 7 "fewhg". By default, no secret key is configured. Note: If you already configured a shared secret using the generate type7_encrypted_secret command, enter it in quotation marks as shown in the second example. Step 3: Exits configuration mode. switch(config)# exit. Step 4 (Optional): Displays the TACACS+ server configuration. swit...

Page 65: ...me. The default is 0 minutes. The range is from 0 through 1440. switch(config)# tacacs-server deadtime minutes. Step 3. Note: If the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value. Step 4 (Optional): Assigns a source interface for a specific TACACS+ server group. switch(config-tacacs+)# source-interface interface. The supported interface type...

Page 66: ...ip tacacs source-interface interface. Example: switch(config)# ip tacacs source-interface mgmt 0. Step 2: ...device. The source interface can be the management or the VLAN interface. Step 3: Exits configuration mode. exit. Example: switch(config)# exit; switch#. Step 4 (Optional): Displays the TACACS+ server configuration information. show tacacs-server. Example: switch# show tacacs-server. Optional: Copies the running configu...

Page 67: ...from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from a TACACS+ server before declaring a timeout failure. Procedure: Step 1: Enters global configuration mode. switch# configure terminal. Step 2: Exits configuration mode. switch(config)# exit. Optional: Displays the TACACS+ server configuration. switch# show ...

Page 68: ...val in which a TACACS+ server receives no requests before the Cisco Nexus device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time-only test. Note: To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database. The test idle timer specifies the interval in which a TACACS+ se...

Page 69: ...me interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus device waits, after declaring a TACACS+ server dead, before sending out a test packet to determine if the server is now alive. When the dead-time interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-time interval per group. See Configurin...

Page 70: ...wing example shows how to manually issue a test message: switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH; switch# test aaa group TacGroup user2 As3He3CI. Disabling TACACS+: You can disable TACACS+. Caution: When you disable TACACS+, all related configurations are automatically discarded. Procedure: Step 1: Enters global configuration mode. switch# configure terminal. Step 2: Disables TACAC...

Page 71: ...tacacs+ status [pending | pending-diff]. show running-config tacacs+ [all]: Displays the TACACS+ configuration in the running configuration. show startup-config tacacs+: Displays the TACACS+ configuration in the startup configuration. show tacacs-server [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]: Displays all configured TACACS+ server parameters. Configuration Examples for TACACS+: T...

Page 72: ...g aaa group server tacacs+ TacServer1; switch(config-tacacs+)# server 1.1.1.1; switch(config-tacacs+)# server 1.1.1.2. Default Settings for TACACS+: The following table lists the default settings for TACACS+ parameters. Table 8: Default TACACS+ Parameters. TACACS+: Disabled. Dead time interval: 0 minutes. Timeout interval: 5 seconds. Idle timer interval: 0 minutes. Periodic server monitoring username: test...

Page 73: ...feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus device. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus device interoperates with publicly and commercially available SSH clients. The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored usernames and passwords. SSH Client: The SSH cli...

Page 74: ...tion Using Digital Certificates: SSH authentication on Cisco NX-OS devices provides X.509 digital certificate support for host authentication. An X.509 digital certificate is a data item that ensures the origin and integrity of a message. It contains encryption keys for secured communications and is signed by a trusted certification authority (CA) to verify the identity of the presenter. The X.509 digital...

Page 75: ...024 bits. Procedure: Step 1: Enters global configuration mode. switch# configure terminal. Step 2: Generates the SSH server key. switch(config)# ssh key {dsa [force] | rsa [bits [force]]}. The bits argument is the number of bits used to generate the key. The range is from 768 to 2048 and the default value is 1024. Use the force keyword to replace an existing key. Step 3: Exits global configuration mode...

Page 76: ... Format You can specify the SSH public keys in SSH format for user accounts Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Configures the SSH public key in SSH format switch config username username sshkey ssh key Step 2 Exits global configuration mode switch config exit Step 3 Optional Displays the user account configuration switch show user ...

Page 77: ...format switch config username username sshkey file filename Step 3 Exits global configuration mode switch config exit Step 4 Optional Displays the user account configuration switch show user account Step 5 Optional Copies the running configuration to the startup configuration switch copy running config startup config Step 6 The following example shows how to specify the SSH public key in the IETF ...

Page 78: ...ertificate form switch copy tftp 10 10 1 1 cert pem bootflash cert pem switch configure terminal switch show user account switch copy running config startup config Configuring the SSH Source Interface You can configure SSH to use a specific interface Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Configures the source interface for all SSH pac...

Page 79: ...4 address or a hostname switch ssh hostname username hostname vrf vrf name Step 1 Clearing SSH Hosts When you download a file from a server using SCP or SFTP you establish a trusted SSH relationship with that server Procedure Purpose Command or Action Clears the SSH host sessions switch clear ssh hosts Step 1 Disabling the SSH Server By default the SSH server is enabled on the Cisco Nexus device P...

Page 80: ... global configuration move switch configure terminal Step 1 Disables the SSH server switch config no feature ssh Step 2 Deletes the SSH server key switch config no ssh key dsa rsa Step 3 The default is to delete all the SSH keys Exits global configuration mode switch config exit Step 4 Optional Displays the SSH server configuration switch show ssh key Step 5 Optional Copies the running configurati...

Page 81: ... This step should not be required because the SSH server is enabled by default Note Step 3 Display the SSH server key switch config show ssh key rsa Keys generated Fri May 8 22 09 47 2009 ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZ cTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv DQBsDQH6rZt0KR 2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5 Ninn0Mc bitc...

Page 82: ... id password 0 5 password Step 2 maximum length of 28 characters Valid characters are Example switch config username jsmith password 4Ty18Rnt uppercase letters A through Z lowercase letters a through z numbers 0 through 9 hyphen period underscore _ plus sign and equal sign The at symbol is supported in remote usernames but not in local usernames Usernames must begin with an underscore _ which is s...

Page 83: ... trustpoint The CRL file is a snapshot of the list of crypto ca crl request trustpoint bootflash static crl crl Step 6 revoked certificates by the trustpoint This static CRL list Example switch config crypto ca crl request winca bootflash crllist crl is manually copied to the device from the Certification Authority CA Static CRL is the only supported revocation check method Note Optional Displays ...

Page 84: ...IJ06KL07MN notBefore Jun 29 12 36 26 2016 GMT notAfter Jun 29 12 46 23 2021 GMT SHA1 Fingerprint 47 29 E3 00 C1 C1 47 F2 56 8B AC B2 1C 64 48 FC F4 8D 53 AF purposes sslserver sslclient show crypto ca crl tp1 Trustpoint tp1 CRL Certificate Revocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer CN SecDevCA Last Update Aug 8 20 03 15 2016 GMT Next Update Aug 16 08 23 15 2...

Page 85: ...you can reenable it Procedure Purpose Command or Action Reenables the Telnet server switch config no feature telnet Step 1 Configuring the Telnet Source Interface You can configure Telnet to use a specific interface Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Configures the source interface for all Telnet packets The following list contains...

Page 86: ...ain the username on the remote device Enable the Telnet server on the Cisco Nexus device Enable the Telnet server on the remote device Procedure Purpose Command or Action Creates a Telnet session to a remote device The hostname argument can be an IPv4 address an IPv6 address or a device name switch telnet hostname Step 1 The following example shows how to start a Telnet session to connect to a rem...

Page 87: ... and user account configuration in the running configuration The all keyword displays the default values for the SSH and user accounts switch show running config security all Displays the SSH server configuration switch show ssh server Displays user account information switch show user account Displays the users logged into the device switch show users Displays the configured certificate chain and...

Page 88: ...eters Enabled SSH server RSA key generated with 1024 bits SSH server key 1024 RSA key bits for generation Enabled Telnet server Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 74 Configuring SSH and Telnet Default Settings for SSH ...

Page 89: ...of rules that you can use to filter traffic Each rule specifies a set of conditions that a packet must satisfy to match the rule When the switch determines that an ACL applies to a packet it tests the packet against the conditions of all rules The first match determines whether the packet is permitted or denied If there is no match the switch applies the applicable default rule The switch continue...

Page 90: ...et port channel subinterfaces Management interfaces Switched Virtual Interfaces SVIs Router ACL IPv4 ACLs IPv6 ACLs VTYs VTY ACL Application Order When the device processes a packet it determines the forwarding path of the packet The path determines which ACLs that the device applies to the traffic The device applies the ACLs in the following order 1 Port ACL 2 Ingress Router ACL Rules You can cre...

Page 91: ...owing implicit rule deny ipv6 any any All MAC ACLs include the following implicit rule deny any any protocol This implicit rule ensures that the device denies the unmatched traffic regardless of the protocol specified in the Layer 2 header of the traffic Additional Filtering Options You can identify traffic by using additional options IPv4 ACLs support the following additional filtering options La...

Page 92: ...gical Operators and Logical Operation Units IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers The Cisco Nexus device stores operator operand couples in registers called logical operation units LOUs to perform operations greater than less than not equal to and range on the TCP and UDP ports specified in an IP ACL ACL TCAM Regions You can change t...

Page 93: ... racl 1024 IPv6 RACL ipv6 racl 640 IPv4 L3 QoS l3qos 256 IPv6 L3 QoS ipv6 l3qos 96 SPAN span 128 Ingress COPP copp 1024 Redirect v4 2048 Redirect v6 Licensing Requirements for ACLs The following table shows the licensing requirements for this feature License Requirement Product No license is required to use ACLs Cisco NX OS Prerequisites for ACLs IP ACLs have the following prerequisites Cisco Nexu...

Page 94: ...ion This is especially useful for ACLs that include more than about 1000 rules You can configure any number of ACLs as long as TCAM space is available Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting IPv4 packets that have IP options additional IP packet header fields following the destination address field When you apply an ACL that uses time ranges ...

Page 95: ... can be up to 64 characters switch config ip ipv6 access list name Step 2 Creates the IP ACL and enters IP ACL configuration mode The name argument can be up to 64 characters switch config ip access list name Step 3 Creates a rule in the IP ACL You can create many rules The sequence number argument can be a whole number between 1 and 4294967295 switch config acl sequence number permit deny protoco...

Page 96: ...xample switch configure terminal switch config Step 1 Creates an IPv4 ACL and enters IP ACL configuration mode The name argument can be up to 64 characters ip access list name Example switch config ip access list logging test switch config acl Step 2 Creates an ACL rule that permits or denies IPv4 traffic matching its conditions To enable the system to generate permit deny ip source address destin...

Page 97: ... ip access list cache entries number of flows Example switch config logging ip access list cache entries 8001 Step 9 If the specified number of packets is logged before the expiry of the alert interval the system generates a syslog message logging ip access list cache threshold threshold Example switch config logging ip access list cache threshold 490 Step 10 Enables the ACL name the sequence numb...

Page 98: ...es than the current sequence numbering allows you can use the resequence command to reassign sequence numbers Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Enters IP ACL configuration mode for the ACL that you specify by name switch config ip ipv6 ip access list name Step 2 Enters IP ACL configuration mode for the ACL that you specify by name...

Page 99: ...currently applied Removing an ACL does not affect the configuration of interfaces where you have applied the ACL Instead the switch considers the removed ACL to be empty Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Removes the IP ACL that you specified by name from the running configuration switch config no ip ipv6 access list name Step 2 Re...

Page 100: ...L that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction ip access group access list in out Example...

Page 101: ...ters global configuration mode switch configure terminal Step 1 Enters interface configuration mode for the specified interface switch config interface ethernet chassis slot port port channel channel number Step 2 Optional Displays the ACL configuration switch show running config Step 3 Optional Copies the running configuration to the startup configuration switch copy running config startup config...

Page 102: ... switch config if ip access group access list in switch config if ipv6 traffic filter access list in Optional Displays the ACL configuration switch config if show running config aclmgr Step 4 Optional Copies the running configuration to the startup configuration switch config if copy running config startup config Step 5 Verifying the ACL Logging Configuration To display ACL logging configuration i...

Page 103: ... in the running configuration including the IP ACL configuration and the interfaces where you have applied IP ACLs This command displays the user configured ACLs in the running configuration The all option displays both the default CoPP configured and the user configured ACLs in the startup configuration Note switch show running config aclmgr all About System ACLs Beginning with Cisco NX OS Releas...

Page 104: ...v4 ACL on the device See Creating an IP ACL on page 81 for more information Procedure Purpose Command or Action Enters the configuration mode config t Step 1 Configures the system ACL system acl Step 2 Applies a Layer 2 PACL to the interface Only inbound filtering is supported with port ACLs You can apply one port ACL to an interface ip port access group pacl name in Step 3 Configuration and Show ...

Page 105: ...8 1 1 32 100 100 100 100 32 switch sh ip access lists test summary IPV4 ACL test Total ACEs Configured 12279 Configured on interfaces Active on interfaces ingress ingress switch To validate PACL IPv4 ifacl TCAM region size use the show hardware access list tcam region command switch show hardware access list tcam region WARNING The output shows NFE tcam region info Please refer to show hardware ac...

Page 106: ... aclqos commands show tech support aclmgr show tech support aclqos Configuring ACL Logging Configuring the ACL Logging Cache Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Sets the maximum number of log entries cached in the software The range is from 0 to 1000000 entries The default value is 8000 entries switch config logging ip access list c...

Page 107: ...onfigure the ACL logging cache Configure the ACL log match level Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Specifies the Ethernet interface switch config interface ethernet slot port Step 2 Attaches an ACL with a log to the specified interface ACL logging is enabled when the ACL is applied to the interface on the hardware switch config if...

Page 108: ... config startup config Step 3 The following example shows how to apply the log match level for entries to be logged in the ACL log switch configure terminal switch config acllog match log level 3 switch config copy running config startup config Clearing Log Files You can clear messages in the log file and the NVRAM Procedure Purpose Command or Action Clears the access control list ACL cache switch...

Page 109: ...ult CoPP configured and the user configured ACLs in the startup configuration Note switch show startup config aclmgr all Displays the access control list ACL log file in the running configuration switch show running config acllog Displays the access control list ACL log file in the running configuration including the IP ACL configuration and the interfaces where you have applied IP ACLs This comma...

Page 110: ... switch config show hardware access list tcam region Example switch config show hardware access list tcam region Step 4 Copies the running configuration to the startup configuration switch config reload Example switch config reload Step 5 The new size values are effective only upon the next reload after saving the copy running config to startup config Note The following example shows how to change...

Page 111: ...h switch config reload Step 4 The following example shows how to revert to the default RACL TCAM region sizes switch config no hardware profile tcam region racl 256 SUCCESS New tcam size will be applicable only at boot time You need to copy run start and reload switch config copy running configur startup config switch config reload WARNING This command will reboot the system Do you want to continu...

Page 112: ...ass ozi2 in switch config line no access class ozi3 out switch config Step 4 Exits line configuration mode switch config line exit Example switch config line exit switch Step 5 Optional Displays the running configuration of the ACLs on the switch switch show running config aclmgr Example switch show running config aclmgr Step 6 Optional Copies the running configuration to the startup configuration...

Page 113: ...show running config aclmgr Time Fri Aug 27 22 01 09 2010 version 5 0 2 N1 1 ip access list ozi 10 deny ip 172 18 217 82 32 any 20 permit ip any any ip access list ozi2 10 permit ip 10 55 144 118 32 any 20 permit ip 172 18 217 79 32 any 30 permit ip 172 18 217 82 32 any 40 permit ip 172 18 217 92 32 any line vty access class ozi in access class ozi2 out The following example shows how to configure ...

Page 114: ...itch configure terminal Enter configuration commands one per line End with CNTL Z switch config line vty switch config line no access class ozi2 in switch config line no ip access class ozi2 in switch config line exit switch ...

Page 115: ...tackers to thwart efforts to locate or filter the attacks Unicast RPF deflects attacks by forwarding only the packets that have source addresses that are valid and consistent with the IP routing table When you enable Unicast RPF on an interface the examines all ingress packets received on that interface to ensure that the source address and source interface appear in the routing table and match th...

Page 116: ...t the upstream end of a connection You can use Unicast RPF for downstream networks even if the downstream network has other connections to the Internet Be careful when using optional BGP attributes such as weight and local preference because an attacker can modify the best path back to the source address Modification would affect the operation of Unicast RPF Caution When a packet is received at th...

Page 117: ...twork The more entities that deploy uRPF across Internet intranet and extranet resources means that the better the chances are of mitigating large scale network disruptions throughout the Internet community and the better the chances are of tracing the source of an attack uRPF will not inspect IP packets that are encapsulated in tunnels such as generic routing encapsulation GRE tunnels You must co...

Page 118: ...raffic Check on Source IP Address uRPF Configuration MPLS Encap VPN ECMP IP ECMP IP Unipath IPv6 IPv4 Allow Allow Allow Disable Disable uRPF loose uRPF loose uRPF loose Loose Loose uRPF loose uRPF loose uRPF strict Strict Strict Default Settings for Unicast RPF This table lists the default settings for Unicast RPF parameters Table 14 Default Unicast RPF Parameter Settings Default Parameters Disabl...

Page 119: ... interface configuration mode interface ethernet slot port Example switch config interface ethernet 2 3 switch config if Step 2 Configures unicast RPF on the interface for both IPv4 and IPv6 ip ipv6 verify unicast source reachable via any Step 3 Example switch config if ip verify unicast source reachable via any You must configure unicast RPF on each interface since it is disabled by default The c...

Page 120: ...ast RPF for IPv4 IPv6 packets interface Ethernet2 3 ip address 172 23 231 240 23 ip verify unicast source reachable via any interface Ethernet2 3 ipv6 address 2001 0DB8 c18 1 3 64 ipv6 verify unicast source reachable via any The following examples shows how to configure strict Unicast RPF for IPv4 IPv6 packets interface Ethernet2 2 ip address 172 23 231 240 23 ip verify unicast source reachable vi...

Page 121: ...face and verifies if the unicast RPF is enabled or disabled show ip interface ethernet slot port Displays the IP configuration in the startup configuration show startup config ip Additional References for Unicast RPF This section includes additional information related to implementing unicast RPF Related Documents Document Title Related Topic Cisco Nexus 3600 Series NX OS Label Switching Configura...

Page 123: ... ensures network stability reachability and packet delivery This feature allows a policy map to be applied to the control plane This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non management port A common attack vector for network devices is the denial of service DoS attack where excessive traffic is directed at the device interfaces The Cisc...

Page 124: ...he control plane at a very high rate forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic Examples of DoS attacks include Internet Control Message Protocol ICMP echo requests IP fragments TCP SYN flooding These attacks can impact the device performance and have the following negative effects Reduced ser...

Page 125: ... The following exceptions are possible from line cards and fabric modules match exception mtu failure Redirected packets Packets that are redirected to the supervisor module Glean packets If a Layer 2 MAC address for a destination IP address is not present in the FIB the supervisor module receives the packet and sends an ARP request to the host All of these different packets could be maliciously u...

Page 126: ... Nexus 9000 Series NX OS Quality of Service Configuration Guide Dynamic and Static CoPP ACLs CoPP access control lists ACLs are classified as either dynamic or static Cisco Nexus 9300 and 9500 Series and 3164Q 31128PQ 3232C and 3264Q switches use only dynamic CoPP ACLs Cisco Nexus 9200 Series switches use both dynamic and static CoPP ACLs Dynamic CoPP ACLs work only for Forwarding Information Base...

Page 127: ... is applied This option is removed starting with Cisco NX OS Release 7 0 3 I2 1 For previous releases Cisco does not recommend using the Skip option because it will impact the control plane of the network If you do not select an option or choose not to execute the setup utility the software applies strict policing We recommend that you start with the strict policy and later modify the CoPP policie...

Page 128: ...s the following configuration class map type control plane match any copp system p class important match access group name copp system p acl hsrp match access group name copp system p acl vrrp match access group name copp system p acl hsrp6 match access group name copp system p acl vrrp6 match access group name copp system p acl mac lldp The copp system class l2 default class has the following con...

Page 129: ... system p acl mld The copp system class multicast router class has the following configuration class map type control plane match any copp system p class multicast router match access group name copp system p acl pim match access group name copp system p acl msdp match access group name copp system p acl pim6 match access group name copp system p acl pim reg match access group name copp system p a...

Page 130: ...lice cir 36000 kbps bc 1280000 bytes conform transmit violate drop class copp system p class important set cos 6 police cir 2500 kbps bc 1280000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2600 kbps bc 128000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 10000 kbps bc 32000 bytes conform transmi...

Page 131: ...copp system p class important set cos 6 police cir 3000 pps bc 128 packets conform transmit violate drop class copp system p class multicast router set cos 6 police cir 3000 pps bc 128 packets conform transmit violate drop class copp system p class management set cos 2 police cir 3000 pps bc 32 packets conform transmit violate drop class copp system p class multicast host set cos 1 police cir 2000...

Page 132: ...mit violate drop class copp system p class important set cos 6 police cir 2500 kbps bc 1920000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2600 kbps bc 192000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 10000 kbps bc 48000 bytes conform transmit violate drop class copp system p class multicast...

Page 133: ...ps bc 192 packets conform transmit violate drop class copp system p class multicast router set cos 6 police cir 3000 pps bc 192 packets conform transmit violate drop class copp system p class management set cos 2 police cir 3000 pps bc 48 packets conform transmit violate drop class copp system p class multicast host set cos 1 police cir 2000 pps bc 192 packets conform transmit violate drop class c...

Page 134: ...000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2600 kbps bc 256000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 10000 kbps bc 64000 bytes conform transmit violate drop class copp system p class multicast host set cos 1 police cir 1000 kbps bc 256000 bytes conform transmit violate drop class co...

Page 135: ...icast router set cos 6 police cir 3000 pps bc 256 packets conform transmit violate drop class copp system p class management set cos 2 police cir 3000 pps bc 64 packets conform transmit violate drop class copp system p class multicast host set cos 1 police cir 2000 pps bc 256 packets conform transmit violate drop class copp system p class l3mc data set cos 1 police cir 3000 pps bc 32 packets confo...

Page 136: ...ss multicast router set cos 6 police cir 370 kbps bc 128000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 2500 kbps bc 128000 bytes conform transmit violate drop class copp system p class multicast host set cos 2 police cir 300 kbps bc 128000 bytes conform transmit violate drop class copp system p class l3mc data set cos 1 police cir 600 kbps bc 3200...

Page 137: ...s copp system p class multicast host set cos 2 police cir 1000 pps bc 128 packets conform transmit violate drop class copp system p class l3mc data set cos 1 police cir 1200 pps bc 32 packets conform transmit violate drop class copp system p class normal set cos 1 police cir 750 pps bc 32 packets conform transmit violate drop class copp system p class ndp set cos 1 police cir 750 pps bc 32 packets...

Page 138: ...class map command A traffic class is used to classify traffic This example shows how to create a new class map called copp sample class class map type control plane copp sample class Step 2 Create a traffic policy using the policy map command A traffic policy policy map contains a traffic class and one or more CoPP features that will be applied to the traffic class The CoPP features in the traffic...

Page 139: ...ps is put into the last class the default class Monitor the drops in this class and investigate if these drops are based on traffic that you do not want or the result of a feature that was not configured and you need to add All broadcast traffic is sent through CoPP logic in order to determine which packets for example ARP and DHCP need to be redirected through an access control list ACL to the ro...

Page 140: ...f 10 kbps the rate is rounded down For example the switch will use 50 kbps if a rate of 55 kbps is configured The show policy map type control plane command shows the user configured rate See Verifying the CoPP Configuration on page 135 for more information For Cisco Nexus 9200 Series switches ip icmp redirect ipv6 icmp redirect ip icmp unreachable ipv6 icmp unreachable and mtu failure use the sam...

Page 141: ...onfigure CoPP Configuring a Control Plane Class Map You must configure control plane class maps for control plane policies You can classify traffic by matching packets based on existing ACLs The permit and deny ACL keywords are ignored in the matching You can configure policies for IP version 4 IPv4 and IP version 6 IPv6 packets Before You Begin Ensure that you have configured the IP ACLs if you w...

Page 142: ...h config cmap match exception ip icmp redirect Step 4 Optional Specifies matching for IPv4 or IPv6 ICMP unreachable exception packets match exception ip ipv6 icmp unreachable Example switch config cmap match exception ip icmp unreachable Step 5 Optional Specifies matching for IPv4 or IPv6 option exception packets match exception ip ipv6 option Example switch config cmap match exception ip option S...

Page 143: ...terminal Example switch configure terminal switch config Step 1 Specifies a control plane policy map and enters policy map configuration mode The policy map name can have a maximum of 64 characters and is case sensitive policy map type control plane policy map name Example switch config policy map type control plane ClassMapA switch config pmap Step 2 Specifies a control plane class map name or th...

Page 144: ...es The conform transmit action transmits the packet You can specify the BC and conform action for the same CIR Note Optional Specifies the threshold value for dropped packets and generates a syslog if the drop count exceeds the logging drop threshold drop count level syslog level Example switch config pmap c logging drop threshold 100 Step 5 configured threshold The range for the drop count argume...

Page 145: ... y 2013 Nov 13 23 16 46 switch ACLQOS SLOT24 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT23 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT21 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT25 5 ACLQOS_NON_ATOMIC Non atom...

Page 146: ...plane configuration mode exit Example switch config cp exit switch config Step 4 Optional Displays the CoPP configuration show running config copp all Example switch config show running config copp Step 5 Optional Copies the running configuration to the startup configuration copy running config startup config Example switch config copy running config startup config Step 6 Related Topics Configurin...

Page 147: ... programmed in the particular module To revert to the default scale factor value of 1 00 use the no scale factor value module multiple module range command or explicitly set the default scale factor value to 1 00 using the scale factor 1 module multiple module range command Optional Displays the applied scale factor values when a CoPP policy is applied show policy map interface control plane Examp...

Page 148: ...p Example switch config show running config copp Step 3 Related Topics Changing or Reapplying the Default CoPP Policy Using the Setup Utility on page 139 Copying the CoPP Best Practice Policy The CoPP best practice policy is read only If you want to modify its configuration you must copy it Procedure Purpose Command or Action Creates a copy of the CoPP best practice policy copp copy profile strict...

Page 149: ... maps and drops per policy or class map It also displays the scale factor values when a CoPP policy is applied When the scale factor value is the default 1 00 it is not displayed The scale factor changes the CIR and BC values internally on each module but the display shows the configured CIR and BC values only The actual applied value on a module is the scale factor multiplied by the configured va...

Page 150: ...erate lenient dense show copp diff profile Displays the details of the CoPP best practice policy along with the classes and policer values show copp profile strict moderate lenient dense Displays the user configured access control lists ACLs in the running configuration The all option displays both the default CoPP configured and user configured ACLs in the running configuration show running confi...

Page 151: ... interface control plane Step 1 Statistics are specified in terms of OutPackets packets admitted to the control plane and DropPackets packets dropped because of rate limiting This example shows how to monitor CoPP switch show policy map interface control plane Control Plane Service policy input copp system p policy strict class map copp system p class critical match any set cos 7 police cir 19000 ...

Page 152: ... 0 24 ip access list copp system p acl msdp permit tcp any any eq 639 mac access list copp system p acl arp permit any any 0x0806 ip access list copp system p acl tacas permit udp any any eq 49 ip access list copp system p acl ntp permit udp any 10 0 1 1 23 eq 123 ip access list copp system p acl icmp permit icmp any any class map type control plane match any copp system p class critical match acc...

Page 153: ...y will guide you through the basic configuration of the system Setup configures only enough connectivity for management of the system Note setup is mainly used for configuring the system initially when no configuration is present So setup always assumes system defaults and not the current system configuration values Press Enter at anytime to skip a dialog Use ctrl c at anytime to skip the remainin...

Page 154: ...t server enable no system default switchport system default switchport shutdown policy map type control plane copp system p policy Would you like to edit the configuration yes no n CR Use this configuration and save it yes no y y switch Additional References for CoPP This section provides additional information related to implementing CoPP Related Documents Document Title Related Topic Cisco NX OS...
