Cisco Nexus 7000 Series Command Reference Manual Download Page 576

Page: 576 / 1018

•

icmp

—

Specifies that the rule applies to ICMP traffic only. When you use this keyword, the

icmp-message

argument is available, in addition to the keywords that are available for all valid values of the

protocol

argument.

•

igmp

—

Specifies that the rule applies to IGMP traffic only. When you use this keyword, the

igmp-type

argument is available, in addition to the keywords that are available for all valid values of the

protocol

argument.

•

—

Specifies that the rule applies to all IPv4 traffic.

•

nos

—

Specifies that the rule applies to KA9Q NOS-compatible IP-over-IP tunneling traffic only.

•

ospf

—

Specifies that the rule applies to Open Shortest Path First (OSPF) traffic only.

•

pcp

—

Specifies that the rule applies to payload compression protocol (PCP) traffic only.

•

pim

—

Specifies that the rule applies to protocol-independent multicast (PIM) traffic only.

•

tcp

—

Specifies that the rule applies to TCP traffic only. When you use this keyword, the

flags

and

operator

arguments and the

portgroup

and

established

keywords are available, in addition to the

keywords that are available for all valid values of the

protocol

argument.

•

udp

—

Specifies that the rule applies to UDP traffic only. When you use this keyword, the

operator

argument and the

portgroup

keyword are available, in addition to the keywords that are available for

all valid values of the

protocol

argument.

Source and Destination

You can specify the

source

and

destination

arguments in one of several ways. In each rule, the method you

use to specify one of these arguments does not affect how you specify the other. When you configure a rule,
use the following methods to specify the

source

and

destination

arguments:

•

IP address group object

—

You can use an IPv4 address group object to specify a

source

destination

argument. Use the

object-group ip address

command to create and change IPv4 address group objects.

The syntax is as follows:

addrgroup

address-group-name

The following example shows how to use an IPv4 address object group named lab-gateway-svrs to specify
the

destination

argument:

switch(config-acl)#

permit ip any addrgroup lab-gateway-svrs

•

Address and network wildcard

—

You can use an IPv4 address followed by a network wildcard to specify

a host or a network as a source or destination. The syntax is as follows:

IPv4-address network-wildcard

The following example shows how to specify the

source

argument with the IPv4 address and network wildcard

for the 192.168.67.0 subnet:

switch(config-acl)#

permit tcp 192.168.67.0 0.0.0.255 any

•

Address and variable-length subnet mask

—

You can use an IPv4 address followed by a variable-length

subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:

IPv4-address/prefix-len

Cisco Nexus 7000 Series Security Command Reference

550

P Commands

permit (IPv4)

Summary of Contents for Nexus 7000 Series

Page 1: ...ries Security Command Reference First Published Last Modified Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 3: ...DAP 13 aaa accounting default 15 aaa accounting dot1x 17 aaa authentication cts default group 19 aaa authentication dot1x default group 21 aaa authentication eou default group 23 aaa authentication login ascii authentication 25 aaa authentication login chap enable 26 aaa authentication login console 27 aaa authentication login default 29 aaa authentication login error enable 31 aaa authentication ...

Page 4: ... 56 clear access list counters 58 clear accounting log 60 clear copp statistics 61 clear cts cache 62 clear cts policy 63 capture session 64 cts dot1x 65 class policy map 67 class map type control plane 69 clear aaa local user blocked 71 clear ldap server statistics 72 clear mac access list counters 73 clear port security 75 clear cts role based counters 77 clear dot1x 78 clear eou 79 clear hardwa...

Page 5: ...3 clear port security 115 clear radius server statistics 117 clear ssh hosts 118 clear tacacs server statistics 119 clear user 120 cts l3 spi global 121 cts l3 spi interface 123 crypto ca enroll 125 crypto ca export 127 crypto ca import 129 crypto ca lookup 132 crypto ca remote ldap crl refresh time 134 crypto ca remote ldap server group 135 crypto ca test verify 136 crypto ca trustpoint 137 crypt...

Page 6: ... cts sxp connection peer 173 cts sxp default password 176 cts sxp default source ip 178 cts sxp enable 179 cts sxp listener hold time 180 cts sxp mapping network map 182 cts sxp node id 183 cts sxp reconcile period 185 cts sxp retry period 187 cts sxp speaker hold time 189 C H A P T E R 3 D Commands 191 dot1x max reauth req 193 dot1x max req 195 dot1x pae authenticator 197 dot1x port control 199 d...

Page 7: ...access control list 262 description identity policy 264 description user role 266 destination interface 268 device 270 device role 272 dot1x default 274 dot1x host mode 275 dot1x initialize 277 dot1x mac auth bypass 278 C H A P T E R 4 E Commands 279 encrypt pause frame 280 encryption decrypt type6 282 encryption delete type6 283 enable 284 enable Cert DN match 286 enable secret 288 enable user se...

Page 8: ...5 feature user role feature group 316 feature cts 317 feature dhcp 319 feature dot1x 321 feature eou 322 feature ldap 323 feature mka 325 feature password encryption aes 327 feature port security 328 feature privilege 330 feature scp server 332 feature sftp server 333 feature ssh 334 feature tacacs 335 feature telnet 336 filter 337 fips mode enable 339 fragments 341 C H A P T E R 6 G Commands 343 ...

Page 9: ...ip access class 373 ip access group 375 ip access list 378 ip arp inspection filter 380 ip arp inspection log buffer 382 ip arp inspection trust 384 ip arp inspection validate 385 ip arp inspection vlan 387 ip dhcp packet strict validation 389 ip dhcp redirect response 391 ip dhcp relay 392 ip dhcp relay address 394 ip dhcp relay information option 396 ip dhcp relay information option vpn 398 ip d...

Page 10: ...class 432 ipv6 access class 434 ipv6 access list 436 ipv6 dhcp ldra 438 ipv6 dhcp guard policy 439 ipv6 dhcp ldra interface 440 ipv6 dhcp relay 441 ipv6 dhcp ldra attach policy interface 443 ipv6 dhcp ldra attach policy vlan 445 ipv6 dhcp relay address 446 ipv6 nd raguard attach policy 448 ipv6 nd raguard policy 450 ipv6 neighbor binding 452 ipv6 neighbor binding logging 454 ipv6 neighbor binding ...

Page 11: ...1 M Commands 493 mac access list 494 mac packet classify 496 mac port access group 498 macsec keychain policy 500 macsec policy 502 managed config flag 504 match class map 505 match VLAN access map 507 monitor session 509 C H A P T E R 1 2 N Commands 511 nac enable 512 neq 513 C H A P T E R 1 3 O Commands 515 object group identity policy 516 object group ip address 518 object group ip port 520 obj...

Page 12: ...579 permit vrf 581 platform access list update 583 platform rate limit 585 police policy map 587 policy 590 policy map type control plane 592 preference 593 propagate sgt 594 C H A P T E R 1 5 R Commands 597 radius abort 598 radius commit 599 radius distribute 600 radius server deadtime 601 radius server directed request 603 radius server host 604 radius server key 607 radius server retransmit 609...

Page 13: ...P T E R 1 6 S Commands 639 sak expiry time 640 sap modelist 642 sap pmk 644 send lifetime 646 server 648 service dhcp 650 service policy input 652 set cos 654 set dscp policy map class 656 set precedence policy map class 659 source interface 661 ssh 663 ssh key 665 ssh login attempts 667 ssh server enable 668 ssh6 669 statistics per entry 671 storm control level 673 switchport port security 675 Ci...

Page 14: ...03 show access lists 704 show accounting log 707 show arp access lists 710 show class map type control plane 712 show cli syntax roles network admin 713 show cli syntax roles network operator 715 show copp diff profile 717 show copp profile 719 show copp status 721 show crypto ca certificates 722 show crypto ca certstore 724 show crypto ca crl 725 show crypto ca remote certstore 727 show crypto ca...

Page 15: ...w cts sxp connection 758 show data corruption 759 show dot1x 760 show dot1x all 761 show dot1x interface ethernet 763 show encryption service stat 765 show eou 766 show fips status 768 show hardware access list feature combo 769 show hardware rate limiter 772 show identity policy 776 show identity profile 777 show ip access lists 778 show ip access lists capture session 781 show ip arp inspection ...

Page 16: ...how ipv6 snooping capture policy 821 show ipv6 snooping counters 823 show ipv6 snooping features 825 show ipv6 snooping policies 826 show key chain 828 show ldap search map 830 show ldap server 832 show ldap server groups 833 show ldap server statistics 834 show mac access lists 836 show macsec mka 838 show macsec policy 842 show password secure mode 844 show password strength check 845 show polic...

Page 17: ...ig eou 886 show running config ldap 887 show running config port security 888 show running config radius 889 show running config security 890 show running config tacacs 891 show security system state 892 show software integrity 893 show ssh key 894 show ssh server 895 show startup config aaa 896 show startup config aclmgr 897 show startup config copp 899 show startup config dhcp 901 show startup c...

Page 18: ...how time range 925 show user account 927 show username 928 show users 930 show vlan access list 931 show vlan access map 933 show vlan filter 935 C H A P T E R 1 8 T Commands 937 tacacs abort 938 tacacs commit 939 tacacs distribute 940 tacacs server deadtime 941 tacacs server directed request 943 tacacs server host 945 tacacs server key 948 tacacs server test 950 tacacs server timeout 952 telnet 9...

Page 19: ...username 970 userprofile 975 user pubkey match 977 user switch bind 979 use vrf 981 C H A P T E R 2 0 V Commands 983 vlan access map 984 vlan filter 986 vlan policy deny 988 vrf policy deny 990 Cisco Nexus 7000 Series Security Command Reference xix Contents ...

Page 20: ...Cisco Nexus 7000 Series Security Command Reference xx Contents ...

Page 21: ... requirements we have modified the manner in which we document configuration tasks As a result of this you may find a deviation in the style used to describe these tasks with the newly included sections of the document following the new format The Guidelines and Limitations section contains general guidelines and limitations that are applicable to all the features and the feature specific guidelin...

Page 22: ...A nonquoted set of characters Do not use quotation marks around the string or the string will include the quotation marks string Examples use the following conventions Description Convention Terminal sessions and information the switch displays are in screen font screen font Information you must enter is in boldface screen font boldface screen font Arguments for which you supply values are in ital...

Page 23: ... reader be careful In this situation you might do something that could result in equipment damage or loss of data Caution Cisco Nexus 7000 Series Security Command Reference xxiii Preface Document Conventions ...

Page 24: ...es products release notes list html Install and Upgrade Guides http www cisco com c en us support switches nexus 7000 series switches products installation guides list html Licensing Guide http www cisco com c en us support switches nexus 7000 series switches products licensing information listing html Documentation for Cisco Nexus 7000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders ...

Page 25: ...information on obtaining documentation using the Cisco Bug Search Tool BST submitting a service request and gathering additional information see What s New in Cisco Product Documentation To receive new and revised Cisco technical content directly to your desktop you can subscribe to the What s New in Cisco Product Documentation RSS feed RSS feeds are a free service Cisco Nexus 7000 Series Security...

Page 26: ...Cisco Nexus 7000 Series Security Command Reference xxvi Preface Obtaining Documentation and Submitting a Service Request ...

Page 27: ...aa authentication login chap enable page 26 aaa authentication login console page 27 aaa authentication login default page 29 aaa authentication login error enable page 31 aaa authentication login invalid username log page 32 aaa authentication login mschap enable page 33 aaa authentication login mschapv2 enable page 34 aaa authentication rejected page 35 aaa authorization commands default page 37...

Page 28: ...ation ssh publickey page 45 aaa group server ldap page 47 aaa group server radius page 49 aaa group server tacacs page 50 aaa user default role page 51 Cisco Nexus 7000 Series Security Command Reference 2 A Commands ...

Page 29: ...ber that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to rules sequence number Optional Specifies the exact time and date when the device begins enforcing the permit and deny rules associated with the time range If you do not specify a start time and date the device enforces the permit or deny rules immediately For information...

Page 30: ...format The minimum valid start time and date is 00 00 00 1 January 1970 and the maximum valid start time is 23 59 59 31 December 2037 This command does not require a license Examples This example shows how to create an absolute time rule that begins at 7 00 a m on September 17 2007 and ends at 11 59 59 p m on September 19 2007 switch configure terminal switch config time range conference remote ac...

Page 31: ...accepting the key For information about the values for the start time argument see the Usage Guidelines section start time Optional Specifies the length of the lifetime in seconds The maximum length is 2147483646 seconds approximately 68 years duration duration value Optional Specifies that the key never expires infinite Optional Time of day and date that the device stops accepting the key For inf...

Page 32: ...me is 23 59 59 Dec 31 2037 This command does not require a license Examples This example shows how to create an accept lifetime that begins at midnight on June 13 2008 and ends at 11 59 59 p m on August 12 2008 switch configure terminal switch config key chain glbp keys switch config keychain key 13 switch config keychain key accept lifetime 00 00 00 Jun 13 2008 23 59 59 Sep 12 2008 switch config ...

Page 33: ...ine configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines Because a user can connect to any VTY line you should set identical restrictions on all virtual terminal lines This command does not require a license Examples This example shows how to remove dynamically learned secure MAC addresses from the Ethernet 2 1 interface switch config t switch confi...

Page 34: ...ommand Provides debugging information for port security ip access list Enables port security globally line Shows information about port security show line Cisco Nexus 7000 Series Security Command Reference 8 A Commands access class ...

Page 35: ...vice logs the packets it drops because of the drop keyword log Specifies that the device forwards the packet to its destination port forward Specifies that the device redirects the packet to an interface redirect Specifies the Ethernet interface that the device redirects the packet to ethernet slot port Specifies the port channel interface that the device redirects the packet to The dot separator ...

Page 36: ...h config access map match ip address ip acl 320 switch config access map match mac address mac acl 00e switch config access map action drop switch config access map show vlan access map Vlan access map vlan map 01 10 match ip ip acl 01 match mac mac acl 00f action forward Vlan access map vlan map 01 20 match ip ip acl 320 match mac mac acl 00e action drop Related Commands Description Command Speci...

Page 37: ... was introduced 4 0 1 Usage Guidelines Use ARP ACLs to filter ARP traffic when you cannot use DCHP snooping No ARP ACLs are defined by default When you use the arp access list command the device enters ARP access list configuration mode where you can use the ARP deny and permit commands to configure rules for the ACL If the ACL specified does not exist the device creates it when you enter this com...

Page 38: ...ARP ACL deny ARP Applies an ARP ACL to a VLAN ip arp inspection filter Configures a permit rule in an ARP ACL permit ARP Displays all ARP ACLs or a specific ARP ACL show arp access lists Cisco Nexus 7000 Series Security Command Reference 12 A Commands arp access list ...

Page 39: ...Optional Specifies the user password You can enter up to 63 alphanumeric characters password attribute password Command Default Bind method using first search and then bind Command Modes LDAP server group configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to configure LDAP aut...

Page 40: ...onfigures the LDAP server as a member of the LDAP server group server Displays the LDAP server group configuration show ldap server groups Cisco Nexus 7000 Series Security Command Reference 14 A Commands authentication LDAP ...

Page 41: ...nting local Command Default local Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines The group group list methods refer to a set of previously defined servers Use the radius server host and tacacs server host commands to configure the host servers Use the aaa group server command to create a named group of servers Use the show...

Page 42: ...ands Description Command Configures AAA RADIUS server groups aaa group server Configures RADIUS servers radius server host Displays AAA accounting status information show aaa accounting Displays AAA server group information show aaa groups Configures TACACS servers tacacs server host Cisco Nexus 7000 Series Security Command Reference 16 A Commands aaa accounting default ...

Page 43: ...atabase for accounting local Command Default local Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines The group group list methods refer to a set of previously defined RADIUS servers Use the radius server host command to configure the host servers Use the aaa group server command to create a named group of servers Use the show...

Page 44: ... accounting dot1x default group group list Related Commands Description Command Configures AAA RADIUS server groups aaa group server radius Configures RADIUS servers radius server host Displays AAA accounting status information show aaa accounting Displays AAA server group information show aaa groups Cisco Nexus 7000 Series Security Command Reference 18 A Commands aaa accounting dot1x ...

Page 45: ...ory Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command The group list refers to a set of previously defined RADIUS servers Use the radius server host command to configure the host servers Use the aaa group server command to create a named group of servers Use the show aaa groups comman...

Page 46: ...isco TrustSec feature feature cts Configures RADIUS servers radius server host Displays the AAA authentication configuration show aaa authentication Displays the AAA server groups show aaa groups Cisco Nexus 7000 Series Security Command Reference 20 A Commands aaa authentication cts default group ...

Page 47: ...is command was introduced 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X The group list refers to a set of previously defined RADIUS servers Use the radius server host command to configure the host servers Use the aaa group server command to create a named group of servers Use the show aaa groups command to display the RADIUS server groups on the device I...

Page 48: ...ault group Dot1xGroup Related Commands Description Command Enables 802 1X feature dot1x Configures RADIUS servers radius server host Displays the AAA authentication configuration show aaa authentication Displays the AAA server groups show aaa groups Cisco Nexus 7000 Series Security Command Reference 22 A Commands aaa authentication dot1x default group ...

Page 49: ...oduced 4 0 1 Usage Guidelines Before configuring EAPoUDP default authentication methods you must enable EAPoUDP using the feature eou command The group list refers to a set of previously defined RADIUS servers Use the radius server host command to configure the host servers Use the aaa group server command to create a named group of servers Use the show aaa groups command to display the RADIUS ser...

Page 50: ...default group EoUGroup Related Commands Description Command Enables EAPoUDP feature eou Configures RADIUS servers radius server host Displays the AAA authentication configuration show aaa authentication Displays the AAA server groups show aaa groups Cisco Nexus 7000 Series Security Command Reference 24 A Commands aaa authentication eou default group ...

Page 51: ...age Guidelines Only the TACACS protocol supports this feature This command does not require a license Examples This example shows how to enable ASCII authentication for passwords on TACACS servers switch configure terminal switch config aaa authentication login ascii authentication This example shows how to disable ASCII authentication for passwords on TACACS servers switch configure terminal swit...

Page 52: ...ase This command was introduced 5 0 2 Usage Guidelines You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX OS device This command does not require a license Examples This example shows how to enable CHAP authentication switch configure terminal switch config aaa authentication login chap enable This example shows how to disable CHAP authentication switch configure terminal switch ...

Page 53: ...NX OS device forcing you to perform a password recovery in order to gain access To prevent being locked out of the device we recommend disabling fallback to local authentication for only the default login or the console login not both Note fallback error local Specifies to use a server group for authentication group Space separated list of server groups The list can include the following radius fo...

Page 54: ...n can fail If you specify the none method alone or after the group method the authentication always succeeds The command operates only in the default VDC VDC 1 This command does not require a license Examples This example shows how to configure the AAA authentication console login methods switch configure terminal switch config aaa authentication login console group radius This example shows how t...

Page 55: ...device forcing you to perform a password recovery in order to gain access To prevent being locked out of the device we recommend disabling fallback to local authentication for only the default login or the console login not both Note fallback error local Specifies a server group list to be used for authentication group Space separated list of server groups that can include the following radius for...

Page 56: ... they fail the authentication fails If you specify the none method alone or after the group method the authentication always succeeds This command does not require a license Examples This example shows how to configure the AAA authentication default login method switch configure terminal switch config aaa authentication login default group radius This example shows how to revert to the default AAA...

Page 57: ...ge is displayed on the user s terminal if you have enabled the displaying of login failure messages Remote AAA servers unreachable local authentication done Remote AAA servers unreachable local authentication failed This command does not require a license Examples This example shows how to enable the display of AAA authentication failure messages to the console switch configure terminal switch con...

Page 58: ...idelines The above command will cause the username to be included in authentication failed messages for all failure reasons This is irrespective of whether the username is valid or not since under some conditions the switch cannot determine a username s validity This applies to both local and remote authentication This command does not require a license Examples This example shows how to include t...

Page 59: ...elease This command was introduced 4 0 1 Usage Guidelines You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX OS device This command does not require a license Examples This example shows how to enable MSCHAP authentication switch configure terminal switch config aaa authentication login mschap enable This example shows how to disable MSCHAP authentication switch configure termina...

Page 60: ... Release This command was introduced 4 1 2 Usage Guidelines You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX OS device This command does not require a license Examples This example shows how to enable MSCHAP V2 authentication switch configure terminal switch config aaa authentication login mschapv2 enable This example shows how to disable MSCHAP V2 authentication switch configu...

Page 61: ...es Global configuration Command History Modification Release This command was introduced 7 3 0 D1 1 Usage Guidelines This feature is applicable only for local users Examples The following example shows how to configure the login parameters to block a user for 300 seconds when 5 login attempts fail within a period of 60 seconds switch configure terminal swtich config aaa authentication rejected 5 i...

Page 62: ...Cisco Nexus 7000 Series Security Command Reference 36 A Commands aaa authentication rejected ...

Page 63: ...des Global configuration Command History Modification Release The none keyword was deprecated 5 0 2 This command was introduced 4 2 1 Usage Guidelines To use this command you must enable the TACACS feature using the feature tacacs command The group tacacs and group group list methods refer to a set of previously defined TACACS servers Use the tacacs server host command to configure the host server...

Page 64: ...his example shows how to configure the default AAA authorization methods for EXEC commands switch configure terminal switch config aaa authorization commands default group TacGroup local Per command authorization will disable RBAC for all users Proceed y n If you press Enter at the confirmation prompt the default response is n Note This example shows how to revert to the default AAA authorization ...

Page 65: ...ocal Command Modes Global configuration Command History Modification Release The none keyword was deprecated 5 0 2 This command was introduced 4 2 1 Usage Guidelines To use this command you must enable the TACACS feature using the feature tacacs command The group tacacs and group group list methods refer to a set of previously defined TACACS servers Use the tacacs server host command to configure ...

Page 66: ...e user Note This command does not require a license Examples This example shows how to configure the default AAA authorization methods for configuration commands switch configure terminal switch config aaa authorization config commands default group TacGroup local This example shows how to revert to the default AAA authorization methods for configuration commands switch configure terminal switch c...

Page 67: ...lease This command was introduced 4 0 1 Usage Guidelines To use the aaa authorization cts default group command you must enable the Cisco TrustSec feature using the feature cts command The group list refers to a set of previously defined RADIUS servers Use the radius server host command to configure the host servers Use the aaa group server command to create a named group of servers Use the show a...

Page 68: ...Cisco TrustSec feature feature cts Displays the AAA authorization configuration show aaa authorization Displays the AAA server groups show aaa groups Cisco Nexus 7000 Series Security Command Reference 42 A Commands aaa authorization cts default group ...

Page 69: ...d Modes Global configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable the TACACS feature using the feature tacacs command or the LDAP feature using the feature ldap command The group tacacs group ldap and group group list methods refer to a set of previously defined TACACS and LDAP servers Use the tacacs server host...

Page 70: ...AA authorization method for LDAP servers switch configure terminal switch config aaa authorization ssh certificate default group LDAPServer1 LDAPServer2 Related Commands Description Command Configures LDAP or local authorization with the SSH public key as the default AAA authorization method for LDAP servers aaa authorization ssh publickey Enables the LDAP feature feature ldap Enables the TACACS f...

Page 71: ...l Command Default Local Command Modes Global configuration Supported User Roles network admin vdc admin Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable the LDAP feature using the feature ldap command The group ldap and group group list methods refer to a set of previously defined LDAP servers Use the ldap server host comma...

Page 72: ...default AAA authorization method for LDAP servers switch configure terminal switch config aaa authorization ssh publickey default group LDAPServer1 LDAPServer2 Related Commands Description Command Configures LDAP or local authorization with certificate authentication as the default AAA authorization method for LDAP servers aaa authorization ssh certificate Enables the LDAP feature feature ldap Dis...

Page 73: ...es Global configuration Supported User Roles network admin vdc admin Command History Modification Release This command was introduced 5 0 2 Usage Guidelines You must use the feature ldap command before you configure LDAP This command does not require a license Examples This example shows how to create an LDAP server group and enter LDAP server configuration mode switch configure terminal switch co...

Page 74: ...Related Commands Description Command Enables LDAP feature ldap Displays server group information show aaa groups Cisco Nexus 7000 Series Security Command Reference 48 A Commands aaa group server ldap ...

Page 75: ...obal configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to create a RADIUS server group and enter RADIUS server configuration mode switch configure terminal switch config aaa group server radius RadServer switch config radius This example shows how to delete a RADIUS server gr...

Page 76: ...elease This command was introduced 4 0 1 Usage Guidelines You must use the feature tacacs command before you configure TACACS This command does not require a license Examples This example shows how to create a TACACS server group and enter TACACS server configuration mode switch configure terminal switch config aaa group server tacacs TacServer switch config radius This example shows how to delete...

Page 77: ...needed For the default VDC the default role is network operator For nondefault VDCs the default VDC is vdc operator When you disable the AAA default user role feature remote users who do not have a user role cannot log in to the device This command does not require a license Examples This example shows how to enable default user roles for AAA authentication of remote users switch configure termina...

Page 78: ...Cisco Nexus 7000 Series Security Command Reference 52 A Commands aaa user default role ...

Page 79: ...page 71 clear ldap server statistics page 72 clear mac access list counters page 73 clear port security page 75 clear cts role based counters page 77 clear dot1x page 78 clear eou page 79 clear hardware rate limiter page 81 clear ip arp inspection log page 84 clear ip access list counters page 85 clear ip arp inspection statistics vlan page 87 clear ip device tracking page 89 clear ip dhcp relay s...

Page 80: ...tics page 117 clear ssh hosts page 118 clear tacacs server statistics page 119 clear user page 120 cts l3 spi global page 121 cts l3 spi interface page 123 crypto ca enroll page 125 crypto ca export page 127 crypto ca import page 129 crypto ca lookup page 132 crypto ca remote ldap crl refresh time page 134 crypto ca remote ldap server group page 135 crypto ca test verify page 136 crypto ca trustpo...

Page 81: ...nt page 165 cts role based monitor page 167 cts role based policy priority static page 169 cts role based sgt page 170 cts sxp allow default route sgt page 172 cts sxp connection peer page 173 cts sxp default password page 176 cts sxp default source ip page 178 cts sxp enable page 179 cts sxp listener hold time page 180 cts sxp mapping network map page 182 cts sxp node id page 183 cts sxp reconcil...

Page 82: ...on method AES encryption algorithm that uses Extended Packet Numbering XPN of 64 bits and 128 bit encryption GCM AES XPN 128 Specifies the GCM encryption method AES encryption algorithm that uses Extended Packet Numbering XPN of 64 bits and 256 bit encryption GCM AES XPN 256 1 Command Default The default cipher suite chosen for encryption is GCM AES XPN 256 Command Modes MACsec policy configuratio...

Page 83: ...ing key key Creates a keychain or enters the configuration mode of an existing keychain key chain keychain name Configures a MACsec keychain policy macsec keychain policy Configures a MACsec policy macsec policy Displays the configuration of the specified keychain show key chain Displays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays t...

Page 84: ...g IPv6 ACL counters 4 1 2 This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear counters for all IPv4 IPv6 and MAC ACLs switch clear access list counters switch This example shows how to clear counters for an IPv4 ACL named acl ipv4 01 switch clear access list counters acl ipv4 01 switch Related Commands Description Comm...

Page 85: ...ars counters for VACLs clear vlan access list counters Displays information about one or all IPv4 IPv6 and MAC ACLs show access lists Cisco Nexus 7000 Series Security Command Reference 59 C Commands clear access list counters ...

Page 86: ...tion Release The logflash keyword was added 5 0 2 This command was introduced 4 0 1 Usage Guidelines The clear accounting log command operates only in the default virtual device context VDC 1 This command does not require a license Examples This example shows how to clear the accounting log switch clear accounting log Related Commands Description Command Displays the accounting log contents show a...

Page 87: ...nd was introduced 4 0 1 Usage Guidelines You can use this command only in the default virtual device context VDC This command does not require a license Examples This example shows how to specify a control plane class map and enter class map configuration mode switch clear copp statistics Related Commands Description Command Displays the CoPP statistics for interfaces show policy map interface con...

Page 88: ...lease This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to clear the Cisco TrustSec authentication and authorization cache switch clear cts cache Related Commands Description Command Enables the Cisco TrustSec feature feat...

Page 89: ...gt value Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to clear all the Cisco TrustSec SGACL policies on the device switch clear ...

Page 90: ...This command was introduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to configure an ACL capture session configuration switch configure terminal switch config ip access list abc1234 switch config acl capture session 7 switch config acl Related Commands Description Command Creates an access list ip access list Configures an ACL capture session m...

Page 91: ...command you must enable and disable the interface using the shutdown no shutdown command sequence for the configuration to take effect This command requires the Advanced Services license Examples This example shows how to enable Cisco TrustSec authentication on an interface switch configure terminal switch config interface ethernet 2 3 switch config if cts dot1x switch config if cts dot1x exit swi...

Page 92: ...Advanced Services license Examples This example shows how to configure Layer 3 Cisco TrustSec global mapping for an SPI and subnet switch config t switch config cts l3 spi 3 10 10 1 1 23 This example shows how to remove Layer 3 global mapping for a subnet switch config t switch config no cts l3 spi 10 10 1 1 23 Related Commands Description Command Enables the Cisco TrustSec feature feature cts Dis...

Page 93: ...efault None Command Modes Policy map configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You can use this command only in the default virtual device context VDC This command does not require a license Examples This example shows how to configure a class map for a control plane policy map switch configure terminal switch config policy map type contr...

Page 94: ... policy map and enters policy map configuration mode policy map type control plane Displays configuration information for control plane policy maps show policy map type control plane Cisco Nexus 7000 Series Security Command Reference 68 C Commands class policy map ...

Page 95: ...64 characters class map name Command Default match any Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You cannot use match all match any or class default as names for control plane class maps You can use this command only in the default virtual device context VDC This command does not require a license Examples This exampl...

Page 96: ...mands Description Command Displays control plane policy map configuration information show class map type control plane Cisco Nexus 7000 Series Security Command Reference 70 C Commands class map type control plane ...

Page 97: ...fication Release This command was introduced 7 3 0 D1 1 Usage Guidelines None Examples The following example shows how to clear all the blocked users switch clear aaa local user blocked all Related Commands Description Command Configures the login block per user aaa authentication rejected Displays the AAA authentication configuration show aaa authentication Displays the blocked local users show a...

Page 98: ...aracters host name Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to clear the statistics for an LDAP server switch clear ldap server statistics 10 10 1 1 Related Commands Description Command Enables LDAP feature ldap Specifies the IPv...

Page 99: ...0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear counters for all MAC ACLs switch clear mac access list counters switch This example shows how to clear counters for a MAC ACL named acl mac 0060 switch clear mac access list counters acl ipv4 0060 switch Related Commands Description Command Clears counters for IPv4 IPv6 and MAC ACLs clear access l...

Page 100: ...formation about one or all IPv4 IPv6 and MAC ACLs show access lists Displays information about one or all MAC ACLs show mac access lists Cisco Nexus 7000 Series Security Command Reference 74 C Commands clear mac access list counters ...

Page 101: ... clear interface Specifies the Ethernet interface of the dynamically learned secure MAC addresses that you want to clear ethernet slot port Optional Specifies the VLAN of the secure MAC addresses to be cleared Valid VLAN IDs are from 1 to 4096 vlan vlan id Specifies the port channel interface of the dynamically learned secure MAC addresses that you want to clear port channel channel number Specifi...

Page 102: ...face ethernet 2 1 This example shows how to remove the dynamically learned secure MAC address 0019 D2D0 00AE switch configure terminal switch config clear port security dynamic address 0019 D2D0 00AE Related Commands Description Command Provides debugging information for port security debug port security Enables port security globally feature port security Shows information about port security sho...

Page 103: ...odification Release This command was introduced 5 0 2 Usage Guidelines This command requires the Advanced Services license Examples This example shows how to clear the RBACL statistics switch clear cts role based counters Related Commands Description Command Enables the RBACL statistics cts role based counters enable Displays the configuration status of RBACL statistics and lists statistics for al...

Page 104: ...command was introduced 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to clear all 802 1X authenticator instances switch clear dot1x all This example shows how to clear the 802 1X authenticator instances for an interface switch clear dot1x interface ethernet 1 1 Related Commands Descr...

Page 105: ...nticated using EAPoUDP eap Specifies sessions authenticated using statically configured exception lists static Specifies an interface interface ethernet slot port Specifies an IPv4 address in the A B C D format ip address ipv4 address Specifies a MAC address mac address mac address Specifies a posture token name posturetoken type Command Default None Command Modes Any command mode Command History ...

Page 106: ... example shows how to clear the EAPoUDP sessions for an IP address switch clear eou ip address 10 10 1 1 This example shows how to clear the EAPoUDP sessions for a MAC address switch clear eou mac address 0019 076c dac4 This example shows how to the EAPoUDP sessions with a posture token type of checkup switch clear eou posturetoken healthy Related Commands Description Command Enables EAPoUDP featu...

Page 107: ...er 2 multicast snooping packets mcast snooping Clears rate limit statistics for Layer 2 port security packets port security Clears rate limit statistics for Layer 2 storm control packets storm control Clears rate limit statistics for Layer 2 control packets over the VPC low queue vpc low Specifies Layer 3 packet rate limits layer 3 Clears rate limit statistics for Layer 3 control packets control C...

Page 108: ...mmand does not require a license Examples This example shows how to clear all the rate limit statistics switch clear hardware rate limiter all This example shows how to clear the rate limit statistics for access list log packets switch clear hardware rate limiter access list log This example shows how to clear the rate limit statistics for Layer 2 storm control packets switch clear hardware rate l...

Page 109: ...s switch clear hardware rate limiter receive Related Commands Description Command Configures rate limits hardware rate limiter Displays rate limit information show hardware rate limiter Cisco Nexus 7000 Series Security Command Reference 83 C Commands clear hardware rate limiter ...

Page 110: ...age Guidelines This command does not require a license Examples This example shows how to clear the DAI logging buffer switch clear ip arp inspection log switch Related Commands Description Command Configures the DAI logging buffer size ip arp inspection log buffer Displays the DAI configuration status show ip arp inspection Displays the DAI log configuration show ip arp inspection log Displays th...

Page 111: ...4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear counters for all IPv4 ACLs switch clear ip access list counters switch This example shows how to clear counters for an IP ACL named acl ipv4 101 switch clear ip access list counters acl ipv4 101 switch Related Commands Description Command Clears counters for IPv4 IPv6 and MAC ACLs clear access l...

Page 112: ...nformation about one or all IPv4 IPv6 and MAC ACLs show access lists Displays information about one or all IPv4 ACLs show ip access lists Cisco Nexus 7000 Series Security Command Reference 86 C Commands clear ip access list counters ...

Page 113: ...ode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear the DAI statistics for VLAN 2 switch clear ip arp inspection statistics vlan 2 switch This example shows how to clear the DAI statistics for VLANs 5 through 12 switch clear ip arp inspection statistics vlan 5 12 switch This exa...

Page 114: ... inspection log buffer Displays the DAI configuration status show ip arp inspection Displays DAI status for a specified list of VLANs show ip arp inspection vlan Cisco Nexus 7000 Series Security Command Reference 88 C Commands clear ip arp inspection statistics vlan ...

Page 115: ...e Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear all the IP device tracking information switch clear ip device tracking all This example shows how to clear the IP device tracking information for an interface switch clear ip device tracking interfa...

Page 116: ...Description Command Enables IP device tracking ip device tracking Displays IP device tracking information show ip device tracking Cisco Nexus 7000 Series Security Command Reference 90 C Commands clear ip device tracking ...

Page 117: ...e Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 6 2 2 Usage Guidelines This command does not require a license Examples This example shows how to clear the global DHCP relay statistics switch clear ip dhcp relay statistics Related Commands Description Command Enables the DHCP relay agent ip dhcp relay Displays the DHCP relay st...

Page 118: ...ment in dotted hexadecimal format mac address mac address Specifies the IPv4 address of the binding database entry to be cleared Enter the ip address argument in dotted decimal format ip ip address Optional Specifies the Ethernet interface of the binding database entry to be cleared interface ethernet slot port Optional Number of the Ethernet interface subinterface The dot separator is required be...

Page 119: ...CP snooping binding database switch clear ip dhcp snooping binding vlan 23 mac 0060 3aeb 54f0 ip 10 34 54 9 interface ethernet 2 11 switch Related Commands Description Command Globally enables DHCP snooping on the device ip dhcp snooping Displays general information about DHCP snooping show ip dhcp snooping Displays IP MAC address bindings including the static IP source entries show ip dhcp snoopi...

Page 120: ... 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to clear counters for all IPv6 ACLs switch clear ipv6 access list counters switch This example shows how to clear counters for an IPv6 ACL named acl ipv6 3A switch clear ipv6 access list counters acl ipv6 3A switch Related Commands Description Command Clears counters for IPv4 IPv6 and MAC ACLs clear acc...

Page 121: ...ormation about one or all IPv4 IPv6 and MAC ACLs show access lists Displays information about one or all IPv6 ACLs show ipv6 access lists Cisco Nexus 7000 Series Security Command Reference 95 C Commands clear ipv6 access list counters ...

Page 122: ...Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 6 2 2 Usage Guidelines This command does not require a license Examples This example shows how to clear the global DHCPv6 relay statistics switch clear ipv6 dhcp relay statistics Related Commands Description Command Enables the DHCPv6 relay agent ipv6 dhcp relay Displays the DHCPv6 ...

Page 123: ...iguration mode Command History Modification Release This command was introduced 7 3 0 D1 1 Usage Guidelines To use this command you must enable the DHCP feature and LDRA feature Examples This example shows how to clear the LDRA related statistics switch clear ipv6 dhcp ldra statistics Related Commands Description Command Displays the configuration details of LDRA show ipv6 dhcp ldra Cisco Nexus 70...

Page 124: ...ed 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear counters for all VACLs switch clear vlan access list counters switch This example shows how to clear counters for a VACL named vlan map 101 switch clear vlan access list counters vlan map 101 switch Related Commands Description Command Clears counters for IPv4 IPv6 and MAC ACLs clear access l...

Page 125: ...information about one or all IPv4 IPv6 and MAC ACLs show access lists Displays information about one or all VACLs show vlan access map Cisco Nexus 7000 Series Security Command Reference 99 C Commands clear vlan access list counters ...

Page 126: ...ured for MKA encryption Command Modes MACsec policy configuration config macsec policy Command History Modification Release This command was introduced 8 2 1 Usage Guidelines To use this command you should enable the MKA feature first Examples This example shows how to set the confidentiality offset switch configure terminal switch config macsec policy p1 switch config macsec policy conf offset CO...

Page 127: ...acsec policy Displays the configuration of the specified keychain show key chain Displays the details of MKA show macsec mka Displays all the MACSec policies in the system show macsec policy Displays the status of MKA show run mka Cisco Nexus 7000 Series Security Command Reference 101 C Commands conf offset ...

Page 128: ...ffix Prefix or suffix string The suffix or prefix can be any alphanumeric string up to 20 characters string Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 5 2 1 Usage Guidelines When you use the copp copy profile command CoPP renames all class maps and policy maps with the specified prefix or suffix This command does not require...

Page 129: ... NX OS device copp profile Displays the CoPP status including the last configuration operation and its status show copp status Displays the CoPP configuration in the running configuration show running config copp Cisco Nexus 7000 Series Security Command Reference 103 C Commands copp copy profile ...

Page 130: ...st use the setup utility to change or reapply the default CoPP policy You can access the setup utility using the setup command Beginning with Cisco NX OS Release 5 2 the CoPP best practice policy is read only If you want to modify its configuration you must clone it using the copp clone profile command Cloned policies are treated as user configurations When you use in service software downgrade IS...

Page 131: ...config no copp profile moderate switch config Related Commands Description Command Creates a copy of the CoPP best practice policy copp copy profile Displays the details of the CoPP best practice policy show copp profile Displays the CoPP status including the last configuration operation and its status show copp status Displays the CoPP configuration in the running configuration show running confi...

Page 132: ...ted name for the LDAP search map The name is alphanumeric case sensitive and has a maximum of 128 characters base DN base DN name Command Default None Command Modes Lightweight Directory Access Protocol LDAP search map configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not require a licens...

Page 133: ...iption Command Enables LDAP feature ldap Configures an LDAP search map ldap search map Displays the configured LDAP search maps show ldap search map Cisco Nexus 7000 Series Security Command Reference 107 C Commands CRLLookup ...

Page 134: ...y configure certificate authority support for the device First create the trustpoint using the crypto ca trustpoint command using the CA certificate fingerprint published by the CA You must compare the certificate fingerprint displayed during authentication with the one published by the CA and accept the CA certificate only if it matches If the CA to authenticate is a subordinate CA it is not self...

Page 135: ...1MDMyMjQ2MzdaFw0wNzA1MDMyMjU1MTdaMIGQMSAwHgYJKoZIhvcN AQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUth cm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4wDAYDVQQKEwVDaXNjbzETMBEG A1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBhcm5hIENBMFwwDQYJKoZIhvcN AQEBBQADSwAwSAJBAMW 7b3 DXJPANBsIHHzluNccNM87ypyzwuoSNZXOMpeRXXI OzyBAgiXT2ASFuUOwQ1iDM8rO 41jf8RxvYKvysCAwEAAaOBvzCBvDALBgNVHQ8E BAMCAcYwDwYDVR0TAQH B...

Page 136: ...onfiguration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running config startup config command The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration Otherwise if you do not save the trustpoint in the startup config...

Page 137: ...Command Configures trustpoint revocation check methods revocation check Displays configured certificate revocation lists CRL show crypto ca crl Cisco Nexus 7000 Series Security Command Reference 111 C Commands crypto ca crl request ...

Page 138: ...racters host name Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to clear the statistics for an LDAP server switch clear ldap server statistics 10 10 1 1 Related Commands Description Command Enables LDAP feature ldap Specifies the IPv4...

Page 139: ...0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear counters for all MAC ACLs switch clear mac access list counters switch This example shows how to clear counters for a MAC ACL named acl mac 0060 switch clear mac access list counters acl ipv4 0060 switch Related Commands Description Command Clears counters for IPv4 IPv6 and MAC ACLs clear access l...

Page 140: ...formation about one or all IPv4 IPv6 and MAC ACLs show access lists Displays information about one or all MAC ACLs show mac access lists Cisco Nexus 7000 Series Security Command Reference 114 C Commands clear mac access list counters ...

Page 141: ...clear interface Specifies the Ethernet interface of the dynamically learned secure MAC addresses that you want to clear ethernet slot port Optional Specifies the VLAN of the secure MAC addresses to be cleared Valid VLAN IDs are from 1 to 4096 vlan vlan id Specifies the port channel interface of the dynamically learned secure MAC addresses that you want to clear port channel channel number Specifie...

Page 142: ...face ethernet 2 1 This example shows how to remove the dynamically learned secure MAC address 0019 D2D0 00AE switch configure terminal switch config clear port security dynamic address 0019 D2D0 00AE Related Commands Description Command Provides debugging information for port security debug port security Enables port security globally feature port security Shows information about port security sho...

Page 143: ... RADIUS server host The name is case sensitive server name Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 2 1 Usage Guidelines This command does not require a license Examples This example shows how to clear statistics for a RADIUS server switch clear radius server statistics 10 10 1 1 Related Commands Description Command Disp...

Page 144: ...ault None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to clear all SSH host sessions and the known host file switch clear ssh hosts Related Commands Description Command Enables the SSH server ssh server enable Cisco Nexus 7000 Series Security Command Re...

Page 145: ... TACACS server host The name is case sensitive server name Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 2 1 Usage Guidelines This command does not require a license Examples This example shows how to clear statistics for a TACACS server switch clear tacacs server statistics 10 10 1 1 Related Commands Description Command Disp...

Page 146: ...cation Release This command was introduced 4 0 1 Usage Guidelines Use the show users command to display the current user sessions on the device This command does not require a license Examples This example shows how to clear all SSH host sessions switch clear user user1 Related Commands Description Command Displays the user session information show users Cisco Nexus 7000 Series Security Command Re...

Page 147: ... introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command You can use only IPv4 addressing with Cisco TrustSec This command requires the Advanced Services license Examples This example shows how to configure Layer 3 Cisco TrustSec global mapping for an SPI and subnet switch config t switch config cts l3 spi 3 10 10 1 1 23 This e...

Page 148: ...Description Command Displays the Layer 3 Cisco TrustSec mapping for SPI values to IPv4 subnets show cts l3 mapping Cisco Nexus 7000 Series Security Command Reference 122 C Commands cts l3 spi global ...

Page 149: ...ust enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to enable Layer 3 Cisco TrustSec for an interface switch config t switch config interface ethernet 2 3 switch config if cts l3 spi 3 10 10 1 1 23 This example shows how to disable Layer 3 Cisco TrustSec for an interface switch config t switch confi...

Page 150: ...Description Command Displays the Layer 3 Cisco TrustSec configuration on the interfaces show cts l3 interface Cisco Nexus 7000 Series Security Command Reference 124 C Commands cts l3 spi interface ...

Page 151: ...ntity certificate from each of your trustpoints that correspond to authenticated CAs The certificate signing request CSR generated is per the Public Key Cryptography Standards PKCS 10 standard and is displayed in the PEM format You then cut and paste the certificate and submit it to the corresponding CA through an e mail or on the CA website The CA administrator issues the certificate and makes it...

Page 152: ...VeMXZSiLJ4JgTzKWdxbLDkTTysnjuCXGvjb wj0hEhv y51T9y P2NJJ8ornqShrvFZgC7ysN PyMwKcgzhbVpj rargZvHtGJ91XTq4WoVkSCzXv8S VqyH0vEvAgMBAAGgTzAVBgkqhkiG9w0BCQcxCBMGbmJ2MTIzMDYGCSqGSIb3DQEJ DjEpMCcwJQYDVR0RAQH BBswGYIRVmVnYXMtMS5jaXNjby5jb22HBKwWH6IwDQYJ KoZIhvcNAQEEBQADgYEAkT60KER6Qo8nj0sDXZVHSfJZh6K6JtDz3Gkd99GlFWgt PftrNcWUE pw6HayfQl2T3ecgNwel2d15133YBF2bktExiI6Ul88nTOjglXMjja8 8a23bNDpNsM8rklwA6hWkrVL...

Page 153: ...ported file The passwords is alphanumeric case sensitive and has maximum of 64 characters pkcs 12 password Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 1 2 Usage Guidelines You can export the identity certificate with the associated RSA key pair and CA certificate or certificate chain to a PKCS 12 format file for backup ...

Page 154: ...nd associated RSA key pair and CA certificate chain to a trustpoint crypto ca import trustpoint label pkcs12 Generates an RSA key pair crypto key generate rsa Configures and associates the RSA key pair details to a trustpoint rsakeypair Displays any RSA public key configurations show crypto key mypubkey rsa Cisco Nexus 7000 Series Security Command Reference 128 C Commands crypto ca export ...

Page 155: ...y Modification Release This command was introduced 4 1 2 Usage Guidelines Use the certificate keyword to import by cut and paste means the identity certificate obtained from the CA corresponding to the enrollment request generated earlier in the trustpoint and submitted to the CA Use the pkcs12 source file url pkcs12 password keyword and argumen t to import the complete identity information which ...

Page 156: ...AFCco8kaDG6wjTEVNjskYUBoLFmxxoYGW pIGTMIGQMSAwHgYJKoZIhvcNAQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UE BhMCSU4xEjAQBgNVBAgTCUthcm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4w DAYDVQQKEwVDaXNjbzETMBEGA1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBh cm5hIENBghAFYNKJrLQZlE9JEiWMrRl6MGsGA1UdHwRkMGIwLqAsoCqGKGh0dHA6 Ly9zc2UtMDgvQ2VydEVucm9sbC9BcGFybmElMjBDQS5jcmwwMKAuoCyGKmZpbGU6 Ly9cXHNzZS0wOFxDZXJ0RW5yb2xsXEFwYXJuYSUyM...

Page 157: ...Cisco Nexus 7000 Series Security Command Reference 131 C Commands crypto ca import ...

Page 158: ...ration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines If you plan to configure a remote cert store you must set up an LDAP server in a remote device and make sure that the CA certificates that are used for authentication are loaded to the Active Directory This command does not require a license Examples This example shows how to specify the remote cert stor...

Page 159: ...municating with LDAP crypto ca remote ldap server group Displays the configured cert store show crypto ca certstore Displays the remote cert store configuration show crypto ca remote certstore Cisco Nexus 7000 Series Security Command Reference 133 C Commands crypto ca lookup ...

Page 160: ...s command was introduced 5 0 2 Usage Guidelines To use this command you must configure a remote cert store and the LDAP server group This command does not require a license Examples This example shows how to configure the refresh time to update the CRL from the remote cert store switch config crypto ca remote ldap crl refresh time 10 Related Commands Description Command Specifies the cert store to...

Page 161: ...ntroduced 5 0 2 Usage Guidelines To use this command you must configure a remote cert store This command does not require a license Examples This example shows how to configure the LDAP server group to be used while communicating with LDAP switch config crypto ca remote ldap server group group1 Related Commands Description Command Specifies the cert store to be used for certificate authentication ...

Page 162: ...in the PEM format by using the trusted CAs configured and by consulting the certificate revocation list CRL if needed as indicated by the revocation checking configuration This command does not require a license Examples This example shows how to verify a certificate file switch config crypto ca test verify bootflash id1 pem verify status oode 0 verify error msg The verify status code value of 0 i...

Page 163: ...o NX OS device can have many trustpoints and all applications on the device can trust a peer certificate issued by any of the trustpoint CAs A trustpoint is not restricted to a specific application The Cisco NX OS device can optionally enroll with a trustpoint CA to get an indemnity certificate for itself You do not need to designate one or more trustpoints to an application Any application should...

Page 164: ...d enter trustpoint configuration mode switch configure terminal switch config crypto ca trustpoint admin ca switch config trustpoint This example shows how to remove the trustpoint CA switch configure terminal switch config no crypto ca trustpoint admin ca Related Commands Description Command Authenticates the certificate of the certificate authority crypto ca authenticate Generates a certificate ...

Page 165: ...ult mapping filter which is already configured You can enter up to 64 alphanumeric characters If you do not use the default map you can specify one or two filter maps for authorization map name1 map name2 Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must create a filter map Th...

Page 166: ...atemap mapname Configures one or more certificate mapping filters within the filter map filter Displays the mapping filters configured for SSH authentication show crypto ssh auth map Cisco Nexus 7000 Series Security Command Reference 140 C Commands crypto cert ssh authorize ...

Page 167: ...troduced 5 0 2 Usage Guidelines To use this command you must configure a cert store for certificate authentication This command does not require a license Examples This example shows how to create a new filter map switch config crypto certificatemap mapname filtermap1 Related Commands Description Command Configures one or more certificate mapping filters within the filter map filter Displays the c...

Page 168: ... command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to enable Cisco TrustSec authentication and authorization caching switch config t switch config cts cache enable This example shows how to disable Cisco TrustSec authentication and authorization caching switch config t switch config n...

Page 169: ...dentifier Clear text password Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command The Cisco TrustSec device identifier name must be unique in your Cisco TrustSec network cloud This command requires the Advanced Services license Examples...

Page 170: ...Description Command Displays the Cisco TrustSec credentials information show cts credentials Cisco Nexus 7000 Series Security Command Reference 144 C Commands cts device id ...

Page 171: ...ge Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command You can use only IPv4 addressing with Cisco TrustSec This command requires the Advanced Services license Examples This example shows how to configure mapping for a Cisco TrustSec SGT switch configure terminal switch config cts role based sgt map 10 10 1 1 3 switch config rbacl This example sh...

Page 172: ...Cisco Nexus 7000 Series Security Command Reference 146 C Commands cts role based sgt map ...

Page 173: ... the tag argument to accept decimal values 6 2 2 This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to configure the Cisco TrustSec SGT for the device switch configure terminal switch config cts sgt 0x3 Related Commands Des...

Page 174: ... introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command You can use only IPv4 addressing with Cisco TrustSec This command requires the Advanced Services license Examples This example shows how to configure Layer 3 Cisco TrustSec global mapping for an SPI and subnet switch config t switch config cts l3 spi 3 10 10 1 1 23 This e...

Page 175: ...Description Command Displays the Layer 3 Cisco TrustSec mapping for SPI values to IPv4 subnets show cts l3 mapping Cisco Nexus 7000 Series Security Command Reference 149 C Commands cts l3 spi global ...

Page 176: ...ust enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to enable Layer 3 Cisco TrustSec for an interface switch config t switch config interface ethernet 2 3 switch config if cts l3 spi 3 10 10 1 1 23 This example shows how to disable Layer 3 Cisco TrustSec for an interface switch config t switch confi...

Page 177: ...Description Command Displays the Layer 3 Cisco TrustSec configuration on the interfaces show cts l3 interface Cisco Nexus 7000 Series Security Command Reference 151 C Commands cts l3 spi interface ...

Page 178: ...ust enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to enable Layer 3 Cisco TrustSec for an interface switch config t switch config interface ethernet 2 3 switch config if cts l3 spi 3 10 10 1 1 23 This example shows how to disable Layer 3 Cisco TrustSec for an interface switch config t switch confi...

Page 179: ...Description Command Displays the Layer 3 Cisco TrustSec configuration on the interfaces show cts l3 interface Cisco Nexus 7000 Series Security Command Reference 153 C Commands cts l3 spi interface ...

Page 180: ...ace using the shutdown no shutdown command sequence for the configuration to take effect This command requires the Advanced Services license Examples This example shows how to enter Cisco TrustSec manual configuration mode for an interface switch configure terminal switch config interface etherent 2 4 switch config if cts manual switch config if cts manual This example shows how to remove the Cisc...

Page 181: ...Description Command Displays Cisco TrustSec configuration information for interfaces show cts interface Cisco Nexus 7000 Series Security Command Reference 155 C Commands cts manual ...

Page 182: ...es To use this command you must enable the Cisco TrustSec feature using the feature cts command Ensure that you are using the Cisco Identity Services Engine ISE Release 1 0 or later releases Examples This example shows how to refresh the Cisco TrustSec environment data downloaded from the AAA server switch cts refresh environment data Related Commands Description Command Enables the Cisco TrustSec...

Page 183: ... command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to enter Cisco TrustSec manual configuration mode for an interface switch cts refresh role based policy Related Commands Description Command Enables the Cisco TrustSec feature ...

Page 184: ... Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to rekey an interface for Cisco TrustSec switch cts rekey ethernet 2 3 Related Commands Description Command Enables the Cisco TrustSec feature feature cts Displays Cisco TrustSec configuration information ...

Page 185: ...troduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to create a Cisco TrustSec SGACL and enter role based access list configuration mode switch configure terminal switch config cts role based access list MySGACL switch config rbacl This exampl...

Page 186: ...Cisco Nexus 7000 Series Security Command Reference 160 C Commands cts role based access list ...

Page 187: ... enable RBACL statistics each policy requires one entry in the If you do not have enough space remaining in the an error message appears and you cannot enable the statistics When you modify an RBACL policy statistics for the previously assigned access control entry ACE are displayed and the newly assigned ACE statistics are initialized to 0 RBACL statistics are lost only when the Cisco NX OS devic...

Page 188: ... counters are reset to 0 clear cts role based counters Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies show cts role based counters Cisco Nexus 7000 Series Security Command Reference 162 C Commands cts role based counters enable ...

Page 189: ...ature using the feature cts command To view the detailed ACLLOGS you need to enable logging ip access list detailed after enabling cts role based detailed logging Note Examples This example shows how to configure RBACL ace level permission and monitor logging switch configure terminal switch config cts role based detailed logging This example shows how to disable RBACL ace level permission and mon...

Page 190: ...Cisco Nexus 7000 Series Security Command Reference 164 C Commands cts role based detailed logging ...

Page 191: ...guration VRF configuration Interface configuration Command History Modification Release Added the support for disabling SGACL policy enforcement on L3 interfaces and L3 port channels 8 0 1 This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This e...

Page 192: ...rface port channel 100 switch config if no cts role based enforcement switch config if exit This example shows how to disable Cisco TrustSec SGACL enforcement switch configure terminal switch config no cts role based enforcement Related Commands Description Command Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SGACL policy enforcement configuration show cts role based ...

Page 193: ...ACL monitor mode enable Specifies the range for the SGT and DGT that needs to be monitored permission Specifies any SGT sgt Specifies the Specifies the destination SGT dgt Specifies an unknown SGT unknown Specifies the IPv4 protocol version ipv4 Specifies the IPv6 protocol version ipv6 Command Default Disabled Command Modes Global configurationVRF configuration Command History Modification Release...

Page 194: ...ble monitoring permissions for all source groups to all destination groups switch configure terminal switch config no cts role based monitor all Related Commands Description Command Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SGACL policy enforcement configuration show cts role based enable Cisco Nexus 7000 Series Security Command Reference 168 C Commands cts role ba...

Page 195: ...se This command was introduced 8 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command Examples This example shows how to set higher install priority for ISE configured SGACLs switch configure terminal switch config no cts role based policy priority static Related Commands Description Command Enables the Cisco TrustSec feature feature cts...

Page 196: ...he destination SGT dgt Destination SGT value The range is 0 to 65533 dgt value Specifies the name for the SGACL access list list name Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command You must configure the SGACL ...

Page 197: ...ch config no cts role based sgt 3 sgt 10 Related Commands Description Command Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SGT mapping for an SGACL show cts role based policy Cisco Nexus 7000 Series Security Command Reference 171 C Commands cts role based sgt ...

Page 198: ... 1 Usage Guidelines To use this command you must enable the Cisco TrustSec SXP feature using the cts sxp enable command Examples This example shows how to expand the network limit switch configure terminal switch config cts sxp allow default route sgt This example shows how to disable the network limit switch configure terminal switch config no cts sxp allow default route sgt Related Commands Desc...

Page 199: ...al Specifies the IPv4 address of the source device source src ipv4 addr Specifies the password option to use for the SXP authentication password Specifies that SXP should use the default SXP password for the peer connection default Specifies that SXP should not use a password none Specifies the password that SXP should use for this peer connection required Clear text password The password is alpha...

Page 200: ...d The hold time keyword and minimum time and maximum time arguments were added 8 0 1 Added the 7 option to allow encrypted passwords 4 1 3 This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command You can use only IPv4 addressing with Cisco TrustSec If you do not specify a source IPv4 address you must configure a...

Page 201: ...peer 10 20 2 2 password default mode local speaker hold time 500 Related Commands Description Command Configures the default SXP password for the device cts sxp default password Configures the default SXP source IPv4 address for the device cts sxp default source ip Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SXP peer connection information show cts sxp connection Cis...

Page 202: ... Command Default None Command Modes Global configuration Command History Modification Release Added the 7 option to allow encrypted passwords 4 1 3 This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to configure the default...

Page 203: ...iption Command Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SXP configuration information show cts sxp Cisco Nexus 7000 Series Security Command Reference 177 C Commands cts sxp default password ...

Page 204: ... command you must enable the Cisco TrustSec feature using the feature cts command You can use only IPv4 addressing with Cisco TrustSec This command requires the Advanced Services license Examples This example shows how to configure the default SXP source IP address for the device switch configure terminal switch config cts sxp default source ip 10 10 3 3 This example shows how to remove the defaul...

Page 205: ...4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to enable SXP switch configure terminal switch config cts sxp enable This example shows how to disable SXP switch configure terminal switch config no cts sxp enable Related Commands Description Comman...

Page 206: ...the hold time period in order to provide more predictable and timely detection of connection loss Hold time can be configured globally on a network device This global configuration will apply the configuration to all SXP connections configured on the device You may configure a hold time period locally on a listener device or a default of 90 seconds to 180 seconds is used A value of 0xFFFF 0xFFFF i...

Page 207: ...00 seconds and a maximum of 500 seconds switch configure terminal switch config cts sxp listener hold time 300 500 Related Commands Description Command Enables Cisco TrustSec SXP on a device cts sxp enable Configures the hold time of a speaker device in an SXPv4 network cts sxp speaker hold time Displays the status of all Cisco TrustSec SXP configurations show cts sxp Cisco Nexus 7000 Series Secur...

Page 208: ... was introduced 7 3 0 D1 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature by using the feature cts command Examples This example shows how to expand the network limit switch configure terminal switch config cts sxp mapping network map 64 This example shows how to disable the network limit switch configure terminal switch config no cts sxp mapping network map 64 Rel...

Page 209: ... An SXP node ID is used to identify the individual devices within the network The node ID is a four octet integer that can be configured by the user If it is not configured by the user SXP picks a node ID itself using the highest IPv4 address in the default VRF domain in the same manner that EIGRP generates its node ID The node ID has to be unique in the network that SXP connections traverse to en...

Page 210: ...id 172 16 1 3 Related Commands Description Command Enables CTS SXP on a device cts sxp enable Displays the status of all CTS SXP configurations show cts sxp Cisco Nexus 7000 Series Security Command Reference 184 C Commands cts sxp node id ...

Page 211: ... down timer starts If the peer reconnects before the internal hold down timer expires the SXP reconcile period timer starts While the SXP reconcile period timer is active the Cisco NX OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries Setting the SXP reconcile period to 0 seconds disables the timer and causes all entries from the previous c...

Page 212: ...n Command Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SXP configuration information show cts sxp connection Cisco Nexus 7000 Series Security Command Reference 186 C Commands cts sxp reconcile period ...

Page 213: ...ts command The SXP retry period determines how often the Cisco NX OS software retries an SXP connection When an SXP connection is not successfully set up the Cisco NX OS software makes a new attempt to set up the connection after the SXP retry period timer expires Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted Note This command requires the Advanced Serv...

Page 214: ...on Command Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec SXP peer connection information show cts sxp connection Cisco Nexus 7000 Series Security Command Reference 188 C Commands cts sxp retry period ...

Page 215: ...e a hold time period locally on a speaker device or a default of 120 seconds is used This is the shortest period of time a speaker is willing to send keepalive messages for keeping the connection active Any shorter hold time period would require a faster keepalive rate than the rate the speaker is ready to support A value of 0xFFFF indicates that the keepalive mechanism is not used The hold time n...

Page 216: ...ime 300 Related Commands Description Command Enables Cisco TrustSec SXP on a device cts sxp enable Configures the hold time of a listener device in an SXPv4 network cts sxp listener hold time Displays the status of all Cisco TrustSec SXP configurations show cts sxp Cisco Nexus 7000 Series Security Command Reference 190 C Commands cts sxp speaker hold time ...

Page 217: ...timeout quiet period page 206 dot1x timeout ratelimit period page 208 dot1x timeout re authperiod page 210 dot1x timeout server timeout page 212 dot1x timeout supp timeout page 214 dot1x timeout tx period page 216 deadtime page 218 delete ca certificate page 220 delete certificate page 221 delete crl page 223 deny ARP page 224 deny IPv4 page 228 deny IPv6 page 243 deny MAC page 259 deny role based...

Page 218: ...stination interface page 268 device page 270 device role page 272 dot1x default page 274 dot1x host mode page 275 dot1x initialize page 277 dot1x mac auth bypass page 278 Cisco Nexus 7000 Series Security Command Reference 192 D Commands ...

Page 219: ...nd was introduced 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to change the maximum number of reauthorization request retries for an interface switch configure terminal switch config interface ethernet 1 1 switch config if dot1x max reauth req 3 This example shows how to revert to ...

Page 220: ...Description Command Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 194 D Commands dot1x max reauth req ...

Page 221: ...ory Modification Release This command was introduced 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to change the maximum number of request retries for the global 802 1X configuration switch configure terminal switch config dot1x max req 3 This example shows how to revert to the defau...

Page 222: ...switch configure terminal switch config interface ethernet 1 1 switch config if no dot1x max req Related Commands Description Command Enables the 802 1X feature feature dot1x Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 196 D Commands dot1x max req ...

Page 223: ...ccess entity PAE instance An authenticator PAE is a protocol entity that supports authentication on the interface When you disable 802 1X on the interface the Cisco NX OS software does not automatically clear the authenticator PAE instances You can explicitly remove the authenticator PAE from the interface and then reapply it as needed This command does not require a license Examples This example ...

Page 224: ...Description Command Displays 802 1X feature status information for an interface show dot1x interface Cisco Nexus 7000 Series Security Command Reference 198 D Commands dot1x pae authenticator ...

Page 225: ...Command Default force authorized Command Modes Interface configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to change the 802 1X authentication action performed on an interface switch configure terminal switch ...

Page 226: ...escription Command Enables the 802 1X feature feature dot1x Displays 802 1X information for an interface show dot1x interface ethernet Cisco Nexus 7000 Series Security Command Reference 200 D Commands dot1x port control ...

Page 227: ...ature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to enable RADIUS accounting for 802 1X authentication switch configure terminal switch config dot1x radius accounting This example shows how to disable RADIUS accounting for 802 1X authentication switch configure terminal switch config no dot1x radius accounting Related Commands ...

Page 228: ...ge Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to reauthenticate 802 1X supplicants manually switch dot1x re authentication This example shows how to reauthenticate the 802 1X supplicant on an interface manually switch dot1x re authentication interface ethernet 2 1 Related Commands Description...

Page 229: ...and configures periodic reauthentication for all supplicants on the Cisco NX OS device In interface configuration mode this command configures periodic reauthentication only for supplicants on the interface This command does not require a license Examples This example shows how to enable periodic reauthentication of 802 1X supplicants switch configure terminal switch config dot1x re authentication...

Page 230: ...nfig interface ethernet 2 1 switch config if no dot1x re authentication Related Commands Description Command Enables the 802 1X feature feature dot1x Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 204 D Commands dot1x re authentication global configuration and interface configuration ...

Page 231: ...auth control command does not delete the 802 1X configuration You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to disable 802 1X authentication switch configure terminal switch config no dot1x system auth control This example shows how to enable 802 1X authentication switch configure terminal switch config do...

Page 232: ...uiet period timeout is the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant You must use the feature dot1x command before you configure 802 1X You should change the default value only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication server...

Page 233: ... shows how to revert to the default 802 1X quiet period timeout for an interface switch configure terminal switch config interface ethernet 1 1 switch config if no dot1x timeout quiet period Related Commands Description Command Enables the 802 1X feature feature dot1x Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 207 D Commands dot1x timeout quie...

Page 234: ...ve successfully authenticated This value overrides the global quiet period timeout You must use the feature dot1x command before you configure 802 1X You should change the default value only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers Note This command does not require a license Examples This examp...

Page 235: ...tion Command Enables the 802 1X feature feature dot1x Displays 802 1X information for an interface show dot1x interface ethernet Cisco Nexus 7000 Series Security Command Reference 209 D Commands dot1x timeout ratelimit period ...

Page 236: ...02 1X reauthentication timeout period is the number of seconds between reauthentication attempts You must use the feature dot1x command before you configure 802 1X You should change the default value only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers Note This command does not require a license Examp...

Page 237: ...Commands Description Command Enables the 802 1X feature feature dot1x Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 211 D Commands dot1x timeout re authperiod ...

Page 238: ...tion server This value overrides the global reauthentication period timeout You must use the feature dot1x command before you configure 802 1X You should change the default value only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers Note This command does not require a license Examples This example show...

Page 239: ...ption Command Enables the 802 1X feature feature dot1x Displays 802 1X information for an interface show dot1x interface ethernet Cisco Nexus 7000 Series Security Command Reference 213 D Commands dot1x timeout server timeout ...

Page 240: ...uest frame before the Cisco NX OS device retransmits the frame You must use the feature dot1x command before you configure 802 1X You should change the default value only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers Note This command does not require a license Examples This example shows how to conf...

Page 241: ...iption Command Enables the 802 1X feature feature dot1x Displays 802 1X information for an interface show dot1x interface ethernet Cisco Nexus 7000 Series Security Command Reference 215 D Commands dot1x timeout supp timeout ...

Page 242: ...riod is the number of seconds that the Cisco NX OS device waits for a response to an EAP request identity frame from the supplicant before retransmitting the request You must use the feature dot1x command before you configure 802 1X You should change the default value only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and auth...

Page 243: ...le shows how to revert to the default 802 1X transmission period timeout for an interface switch configure terminal switch config interface ethernet 1 1 switch config if no dot1x timeout tx period Related Commands Description Command Enables the 802 1X feature feature dot1x Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 217 D Commands dot1x timeou...

Page 244: ...ommand before you configure TACACS This command does not require a license Examples This example shows how to set the dead time interval to 2 minutes for a RADIUS server group switch configure terminal switch config aaa group server radius RadServer switch config radius deadtime 2 This example shows how to set the dead time interval to 5 minutes for a TACACS server group switch configure terminal ...

Page 245: ...ver radius server host Displays RADIUS server group information show radius server groups Displays TACACS server group information show tacacs server groups Enables TACACS feature tacacs Configures a TACACS server tacacs server host Cisco Nexus 7000 Series Security Command Reference 219 D Commands deadtime ...

Page 246: ...CA certificate may be necessary when you no longer want to trust the CA because the CA is compromised or the CA certificate has expired The trustpoint configuration certificates and key pair configurations are persistent only after saving to the startup configuration Deletions become persistent only after you save the running configuration to the startup configuration Enter the copy running config...

Page 247: ...tificate present or is the last identity certificate in a chain You can use the optional force keyword to remove the certificate The trustpoint configuration certificates and key pair configurations are persistent only after saving to the startup configuration Deletions become persistent only after you save the running configuration to the startup configuration Enter the copy running config startu...

Page 248: ...Description Command Deletes the certificate authority certificate delete ca certificate Deletes the CRL from the trustpoint delete crl Cisco Nexus 7000 Series Security Command Reference 222 D Commands delete certificate ...

Page 249: ...was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to delete the CRL from the trustpoint switch configure terminal switch config crypto ca trustpoint admin ca switch config trustpoint delete crl Related Commands Description Command Deletes the certificate authority certificate delete ca certificate Deletes the identity certificate delete c...

Page 250: ...sender IP sender IP mask mac any host sender MAC sender MAC sender MAC mask log no deny response ip any host sender IP sender IP sender IP mask any host target IP target IP target IP mask mac any host sender MAC sender MAC sender MAC mask any host target MAC target MAC target MAC mask log Syntax Description Optional Sequence number of the deny command which causes the device to insert the command ...

Page 251: ...ackets only when the sender MAC address in the packet matches the value of the sender MAC argument Valid values for the sender MAC argument are MAC addresses in dotted hexadecimal format host sender MAC Optional MAC address and mask for the set of MAC addresses that the sender MAC address in the packet can match The sender MAC and sender MAC mask argument must be given in dotted hexadecimal format...

Page 252: ...es ARP packets only when the target MAC address in the packet matches the value of the target MAC argument You can specify host target MAC only when you use the response keyword Valid values for the target MAC argument are MAC addresses in dotted hexadecimal format host target MAC Optional MAC address and mask for the set of MAC addresses that the target MAC address in the packet can match You can...

Page 253: ... message This command does not require a license Examples This example shows how to enter ARP access list configuration mode for an ARP ACL named arp acl 01 and add a rule that denies ARP request messages that contain a sender IP address that is within the 10 32 143 0 subnet switch conf t switch config arp access list arp acl 01 switch config arp acl deny request ip 10 32 143 0 255 255 255 0 mac a...

Page 254: ...number deny igmp source destination igmp message dscp dscp precedence precedence fragments log time range time range name packet length operator packet length packet length Internet Protocol v4 sequence number deny ip source destination dscp dscp precedence precedence fragments log time range time range name packet length operator packet length packet length Transmission Control Protocol sequence ...

Page 255: ...e Use the resequence command to reassign sequence numbers to rules sequence number Name or number of the protocol of packets that the rule matches For details about the methods that you can use to specify this argument see Protocol in the Usage Guidelines section protocol Source IPv4 addresses that the rule matches For details about the methods that you can use to specify this argument see Source ...

Page 256: ...dscp dscp Cisco Nexus 7000 Series Security Command Reference 230 D Commands deny IPv4 ...

Page 257: ...13 AF class 1 high drop probability 001110 af21 AF class 2 low drop probability 010010 af22 AF class 2 medium drop probability 010100 af23 AF class 2 high drop probability 010110 af31 AF class 3 low drop probability 011010 af32 AF class 3 medium drop probability 011100 af33 AF class 3 high drop probability 011110 af41 AF class 4 low drop probability 100010 af42 AF class 4 medium drop probability 1...

Page 258: ...110 network Precedence 7 111 priority Precedence 1 001 routine Precedence 0 000 precedence precedence Optional Specifies that the rule matches only those packets that are noninitial fragments You cannot specify this keyword in the same rule that you specify Layer 4 options such as a TCP port number because the information that the devices requires to evaluate those options is contained only in ini...

Page 259: ...ype argument are an integer from 0 to 255 If the ICMP message type supports message codes you can use the icmp code argument to specify the code that the rule matches For more information about ICMP message types and codes see http www iana org assignments icmp parameters icmp type icmp code IGMP only Optional IGMP message type that the rule matches The igmp message argument can be the IGMP messag...

Page 260: ...than and not equal to the port argument lt Matches only if the port in the packet is less than and not equal to the port argument neq Matches only if the port in the packet is not equal to the port argument range Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument operator port...

Page 261: ...q Matches only if the packet length in bytes is equal to the packet length argument gt Matches only if the packet length in bytes is greater than the packet length argument lt Matches only if the packet length in bytes is less than the packet length argument neq Matches only if the packet length in bytes is not equal to the packet length argument range Requires two packet length arguments and matc...

Page 262: ... of the protocol If you want the rule to apply to all IPv4 traffic use the ip keyword The protocol keyword that you specify affects the additional keywords and arguments that are available Unless otherwise specified only the other keywords that apply to all IPv4 protocols are available Those keywords include the following dscp fragments log packet length precedence time range Valid protocol number...

Page 263: ...rd the operator argument and the portgroup keyword are available in addition to the keywords that are available for all valid values of the protocol argument Source and Destination You can specify the source and destination arguments in one of several ways In each rule the method that you use to specify one of these arguments does not affect how you specify the other argument When you configure a ...

Page 264: ...ddress You can use the any keyword to specify that a source or destination is any IPv4 address For examples of the use of the any keyword see the examples in this section Each example shows how to specify a source or destination by using the any keyword ICMP Message Types The icmp message argument can be one of the following keywords administratively prohibited Administratively prohibited alternat...

Page 265: ... unreachable Protocol unreachable reassembly timeout Reassembly timeout redirect All redirects router advertisement Router discovery advertisements router solicitation Router discovery solicitations source quench Source quenches source route failed Source route failed time exceeded All time exceeded messages timestamp reply Time stamp replies timestamp request Time stamp requests traceroute Tracer...

Page 266: ...otocol 119 pim auto rp PIM Auto RP 496 pop2 Post Office Protocol v2 19 pop3 Post Office Protocol v3 11 smtp Simple Mail Transport Protocol 25 sunrpc Sun Remote Procedure Call 111 tacacs TAC Access Control System 49 talk Talk 517 telnet Telnet 23 time Time 37 uucp UNIX to UNIX Copy Program 54 whois WHOIS NICNAME 43 www World Wide Web HTTP 80 UDP Port Names When you specify the protocol argument as ...

Page 267: ...pc Sun Remote Procedure Call 111 syslog System Logger 514 tacacs TAC Access Control System 49 talk Talk 517 tftp Trivial File Transfer Protocol 69 time Time 37 who Who service rwho 513 xdmcp X Display Manager Control Protocol 177 Examples This example shows how to configure an IPv4 ACL named acl lab 01 with rules that deny all TCP and UDP traffic from the 10 23 0 0 and 192 168 37 0 networks to the...

Page 268: ...itch config acl permit ip any any Related Commands Description Command Configures how an IP ACL processes noninitial fragments fragments Configures an IPv4 ACL ip access list Configures an IPv4 address object group object group ip address Configures an IP port object group object group ip port Configures a permit rule in an IPv4 ACL permit IPv4 Configures a remark in an IPv4 ACL remark Displays al...

Page 269: ...bel flow label value fragments log time range time range name packet length operator packet length packet length Stream Control Transmission Protocol sequence number no deny sctp source operator port port portgroup portgroup destination operator port port portgroup portgroup dscp dscp flow label flow label value fragments log time range time range name packet length operator packet length packet l...

Page 270: ...any integer between 1 and 4294967295 By default the first rule in an ACL has a sequence number of 10 If you do not specify a sequence number the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to rules sequence number Cisco Nexus 7000 Series Security Co...

Page 271: ...protocol Cisco Nexus 7000 Series Security Command Reference 245 D Commands deny IPv6 ...

Page 272: ... apply to all IPv6 protocols are available pcp Specifies that the rule applies to Payload Compression Protocol PCP traffic only When you use this keyword only the other keywords and arguments that apply to all IPv6 protocols are available sctp Specifies that the rule applies to Stream Control Transmission Protocol SCTP traffic only When you use this keyword the operator argument and the portgroup ...

Page 273: ... Source and Destination in the Usage Guidelines section source Destination IPv6 addresses that the rule matches For details about the methods that you can use to specify this argument see Source and Destination in the Usage Guidelines section destination Cisco Nexus 7000 Series Security Command Reference 247 D Commands deny IPv6 ...

Page 274: ...dscp dscp Cisco Nexus 7000 Series Security Command Reference 248 D Commands deny IPv6 ...

Page 275: ... class 1 high drop probability 001110 af21 AF class 2 low drop probability 010010 af22 AF class 2 medium drop probability 010100 af23 AF class 2 high drop probability 010110 af31 AF class 3 low drop probability 011010 af32 AF class 3 medium drop probability 011100 af33 AF class 3 high drop probability 011110 af41 AF class 4 low drop probability 100010 af42 AF class 4 medium drop probability 100100...

Page 276: ...on that the devices requires to evaluate those options is contained only in initial fragments fragments Optional Specifies that the device generates an informational logging message about each packet that matches the rule The message includes the following information ACL name Whether the packet was permitted or denied Whether the protocol was TCP UDP ICMP or a number Source and destination addres...

Page 277: ...nt can be the name or the number of a TCP or UDP port Valid numbers are integers from 0 to 65535 For listings of valid port names see TCP Port Names and UDP Port Names in the Usage Guidelines section A second port argument is required only when the operator argument is a range The operator argument must be one of the following keywords eq Matches only if the port in the packet is equal to the port...

Page 278: ...the object group ip port command to create and change IP port group objects portgroup portgroup TCP only Optional Specifies that the rule matches only packets that belong to an established TCP connection The device considers TCP packets with the ACK or RST bits set to belong to an established connection established TCP only Optional Rule matches only packets that have specific TCP control bit flag...

Page 279: ...r less than the second packet length argument packet lengthoperatorpacket length packet length Command Default None Command Modes IPv6 ACL configuration Command History Modification Release This command was introduced 4 1 2 Usage Guidelines A newly created IPv6 ACL contains no rules When the device applies an IPv6 ACL to a packet it evaluates the packet with every rule in the ACL The device enforc...

Page 280: ...to specify a host as a source or destination The syntax is as follows host IPv6 address This syntax is equivalent to IPv6 address 128 The following example shows how to specify the source argument with the host keyword and the 2001 0db8 85a3 08d3 1319 8a2e 0370 7344 IPv6 address switch config acl deny icmp host 2001 0db8 85a3 08d3 1319 8a2e 0370 7344 any Any address You can use the any keyword to ...

Page 281: ...sequence number reset router advertisement Neighbor discovery router advertisements router renumbering All router renumbering router solicitation Neighbor discovery router solicitations time exceeded All time exceeded messages unreachable All unreachable TCP Port Names When you specify the protocol argument as tcp the port argument can be a TCP port number which is an integer from 0 to 65535 It ca...

Page 282: ...opy Program 54 whois WHOIS NICNAME 43 www World Wide Web HTTP 80 UDP Port Names When you specify the protocol argument as udp the port argument can be a UDP port number which is an integer from 0 to 65535 It can also be one of the following keywords biff Biff mail notification comsat 512 bootpc Bootstrap Protocol BOOTP client 68 bootps Bootstrap Protocol BOOTP server 67 discard Discard 9 dnsix DNS...

Page 283: ...st acl lab13 ipv6 switch config ipv6 acl deny tcp 2001 0db8 85a3 48 2001 0db8 be03 2112 64 switch config ipv6 acl deny udp 2001 0db8 85a3 48 2001 0db8 be03 2112 64 switch config ipv6 acl deny tcp 2001 0db8 69f2 48 2001 0db8 be03 2112 64 switch config ipv6 acl deny udp 2001 0db8 69f2 48 2001 0db8 be03 2112 64 This example shows how to configure an IPv6 ACL named ipv6 eng to marketing with a rule th...

Page 284: ...res a remark in an ACL remark Displays all IPv6 ACLs or one IPv6 ACL show ipv6 access list Enables collection of statistics for each entry in an ACL statistics per entry Configures a time range time range Cisco Nexus 7000 Series Security Command Reference 258 D Commands deny IPv6 ...

Page 285: ...a sequence number that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to rules sequence number Source MAC addresses that the rule matches For details about the methods that you can use to specify this argument see Source and Destination in the Usage Guidelines section source Destination MAC addresses that the rule matches For de...

Page 286: ...es not require a license Source and Destination You can specify the source and destination arguments in one of two ways In each rule the method that you use to specify one of these arguments does not affect how you specify the other argument When you configure a rule use the following methods to specify the source and destination arguments Address and mask You can use a MAC address followed by a m...

Page 287: ...es echo VINES Echo 0x0baf Examples This example shows how to configure a MAC ACL named mac ip filter with rules that permit any non IPv4 traffic between two groups of MAC addresses switch configure terminal switch config mac access list mac ip filter switch config mac acl deny 00c0 4f00 0000 0000 00ff ffff 0060 3e00 0000 0000 00ff ffff ip switch config mac acl permit any any Related Commands Descr...

Page 288: ... Management Protocol IGMP traffic igmp Specifies IP traffic ip Specifies TCP traffic tcp Specifies User Datagram Protocol UDP traffic udp Specifies the source port number src Specifies the destination port number dst Specifies equal to the port number eq Specifies greater than the port number gt Specifies less than the port number lt Specifies not equal to the port number neq Port number for TCP o...

Page 289: ...the logging level of CTS manager syslogs to 5 This command requires the Advanced Services license Examples This example shows how to add a deny action to an SGACL and enable RBACL logging switch configure terminal switch config cts role based access list MySGACL switch config rbacl deny icmp log This example shows how to remove a deny action from an SGACL switch configure terminal switch config ct...

Page 290: ...require a license Examples This example shows how to configure the description for an identity policy switch configure terminal switch config identity policy AdminPolicy switch config id policy description Administrator identity policy This example shows how to remove the description from an identity policy switch configure terminal switch config identity policy AdminPolicy switch config id policy...

Page 291: ...Cisco Nexus 7000 Series Security Command Reference 265 D Commands description identity policy ...

Page 292: ...spaces in the user role description text This command does not require a license Examples This example shows how to configure the description for a user role switch configure terminal switch config role name MyRole switch config role description User role for my user account This example shows how to remove the description from a user role switch configure terminal switch config role name MyRole s...

Page 293: ...Cisco Nexus 7000 Series Security Command Reference 267 D Commands description user role ...

Page 294: ...upport ingress forwarding and ingress MAC learning If a destination interface is configured with these options the monitor keeps the ACL capture session down Use the show monitor session all command to see if ingress forwarding and MAC learning are enabled You can use the no switchport monitor command to disable ingress forwarding and MAC learning on the interface Note The source port of the packe...

Page 295: ...h config acl capture destination interface ethernet 5 5 Related Commands Description Command Configures an ACL capture session monitor session session type acl capture Cisco Nexus 7000 Series Security Command Reference 269 D Commands destination interface ...

Page 296: ...sing the policy authenticate Specifies to not allow authentication of the device using the policy not authenticate Specifies the IPv4 address for the supplicant device in the A B C D format ip address ipv4 address Optional IPv4 subnet mask for the IPv4 address subnet mask Specifies the MAC address for the supplicant device in the XXXX XXXX XXXX format mac address mac address Optional Mask for the ...

Page 297: ...a device from the EAPoUDP identity profile switch configure terminal switch config identity profile eapoupd switch config id policy no device authenticate 10 10 2 2 255 255 255 245 policy UserPolicy Related Commands Description Command Creates or specifies an identity policy and enters identity policy configuration mode identity policy Displays identity policy information show identity policy Cisc...

Page 298: ...messages are blocked If the device role is enabled using the router keyword all messages router solicitation RS router advertisement RA or redirect are allowed on this port When the router or monitor keyword is used the multicast RS messages are bridged on the port regardless of whether limited broadcast is enabled However the monitor keyword does not allow inbound RA or redirect messages When the...

Page 299: ...Cisco Nexus 7000 Series Security Command Reference 273 D Commands device role ...

Page 300: ...mand before you configure 802 1X This command does not require a license Examples This example shows how to set the global 802 1X parameters to the default switch configure terminal switch config dot1x default This example shows how to set the interface 802 1X parameters to the default switch configure terminal switch config interface ethernet 2 1 switch config if dot1x default Related Commands De...

Page 301: ...History Modification Release This command was introduced 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to allow 802 1X authentication of multiple supplicants on an interface switch configure terminal switch config interface ethernet 2 1 switch config if dot1x host mode multi host Thi...

Page 302: ...Description Command Displays all 802 1X information show dot1x all Cisco Nexus 7000 Series Security Command Reference 276 D Commands dot1x host mode ...

Page 303: ...e Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to initialize 802 1X authentication for supplicants on the Cisco NX OS device switch dot1x initialize This example shows how to initialize 802 1X authentication for supplicants on an interface switch dot1x initialize interface ethernet 2 1 Related ...

Page 304: ... 4 0 1 Usage Guidelines You must use the feature dot1x command before you configure 802 1X This command does not require a license Examples This example shows how to enable MAC address authentication bypass switch configure terminal switch config interface ethernet 1 1 switch config if dot1x mac auth bypass This example shows how to disable MAC address authentication bypass switch configure termin...

Page 305: ...yption re encrypt obfuscated page 292 enrollment terminal page 293 eou allow clientless page 294 eou default page 295 eou initialize page 296 eou logging page 298 eou max retry page 300 eou port page 302 eou ratelimit page 303 eou revalidate EXEC page 305 eou revalidate global configuration and interface configuration page 307 eou timeout page 309 eq page 312 Cisco Nexus 7000 Series Security Comma...

Page 306: ...ommand the pause frames are sent as unencypted When you enter the encrypt pause frame command pause frames are sent encrypted over the Cisco TrustSec link You cannot enable Cisco TrustSec on interfaces in half duplex mode Use the show interface command to determine if an interface is configured for half duplex mode F1 Series modules F2 Series modules F2e Series modules and the N7K M132XP 12 L modu...

Page 307: ...ds Description Command Enables Cisco TrustSec authentication on an interface and enters Cisco TrustSec 802 1X configuration mode cts dot1x Enters Cisco TrustSec manual configuration mode for an interface cts manual Displays the Cisco TrustSec configuration information for interfaces show cts interface Cisco Nexus 7000 Series Security Command Reference 281 E Commands encrypt pause frame ...

Page 308: ...oduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to convert type6 encrypted passwords back to their original state switch encryption decrypt type6 Please enter current Master Key Related Commands Description Command Converts the existing obfuscated passwords to type6 encrypted passwords encryption re encrypt obfuscated Configures the master key ...

Page 309: ... 2 1 Usage Guidelines This command does not require a license Examples This example shows how to delete strongly encrypted passwords switch configure terminal encryption delete type6 Please enter current Master Key switch config Related Commands Description Command Converts the existing obfuscated passwords to type 6 encrypted passwords encryption re encrypt obfuscated Configures the master key fo...

Page 310: ...s for command authorization on TACACS servers using the feature privilege command This command does not require a license Examples This example shows how to enable the user to move to a higher privilege level after being prompted for a secret password switch enable 15 Related Commands Description Command Enables a secret password for a specific privilege level enable secret priv lvl Enables the cu...

Page 311: ...Description Command Enables a user to use privilege levels for authorization username user id priv lvl Cisco Nexus 7000 Series Security Command Reference 285 E Commands enable ...

Page 312: ...xample shows how to enable LDAP users to login only if the user profile lists the subject DN of the user certificate as authorized for login switch configure terminal switch config aaa group server ldap LDAPServer1 switch config ldap server 10 10 2 2 switch config ldap enable Cert DN match switch config ldap Related Commands Description Command Creates an LDAP server group and enters the LDAP serv...

Page 313: ...Cisco Nexus 7000 Series Security Command Reference 287 E Commands enable Cert DN match ...

Page 314: ...longs The range is from 1 to 15 priv lvl priv lvl Adds or removes all privilege level secrets all Command Default Disabled Command Modes Global configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable the cumulative privilege of roles for command authorization on TACACS servers using the feature privilege command This...

Page 315: ... cumulative privilege of roles for command authorization on TACACS servers feature privilege Displays the current privilege level username and status of cumulative privilege support show privilege Enables a user to use privilege levels for authorization username user id priv lvl Cisco Nexus 7000 Series Security Command Reference 289 E Commands enable secret ...

Page 316: ...ication only if the username is listed as a member of this configured group in the LDAP server This command does not require a license Examples This example shows how to enable group validation for an LDAP server group switch configure terminal switch config aaa group server ldap LDAPServer1 switch config ldap server 10 10 2 2 switch config ldap enable user server group switch config ldap Related ...

Page 317: ...igures the LDAP server as a member of the LDAP server group server Displays the LDAP server group configuration show ldap server groups Cisco Nexus 7000 Series Security Command Reference 291 E Commands enable user server group ...

Page 318: ... encryption re encrypt obfuscated command the encrypted secrets such as plain or weakly encrypted passwords are converted to type 6 encryption if the encryption service is enabled with a master key This command does not require a license Examples This example shows how to convert the existing obfuscated passwords to type 6 encrypted passwords switch encryption re encrypt obfuscated Related Command...

Page 319: ...nd History Modification Release This command was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to configure trustpoint enrollment through the switch console switch configure terminal switch config crypto ca trustpoint admin ca switch config trustpoint enrollment terminal This example shows how to discard a trustpoint enrollment through th...

Page 320: ... Modification Release This command was introduced 4 0 1 Usage Guidelines You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to allow EAPoUDP posture validation of clientless endpoint devices switch config t switch config eou allow clientless This example shows how to prevent EAPoUDP posture validation of clientl...

Page 321: ...sage Guidelines You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to change the global EAPoUDP configuration to the default switch config t switch config eou default This example shows how to change the EAPoUDP configuration for an interface to the default switch config t switch config interface ethernet 1 1 sw...

Page 322: ...ation clientless Specifies sessions authenticated using EAPoUDP eap Specifies sessions authenticated using statically configured exception lists static Initializes the EAPoUDP sessions for a specific interface interface ethernet slot port Initializes the EAPoUDP sessions for a specific IPv4 address ip address ipv4 address Initializes the EAPoUDP sessions for a specific MAC address mac address mac ...

Page 323: ...or an interface switch eou initialize interface ethernet 1 1 This example shows how to initialize the EAPoUDP sessions for an IP address switch eou initialize ip address 10 10 1 1 This example shows how to initialize all the EAPoUDP sessions for a MAC address switch eou initialize mac address 0019 076c dac4 This example shows how to initialize all the EAPoUDP sessions for a posture token switch eo...

Page 324: ... logging on an interface overrides the global setting You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to enable global EAPoUDP logging switch config t switch config eou logging This example shows how to disable global EAPoUDP logging switch config t switch config no eou logging This example shows how to enabl...

Page 325: ...Related Commands Description Command Enables EAPoUDP feature eou Displays EAPoUDP information show eou Cisco Nexus 7000 Series Security Command Reference 299 E Commands eou logging ...

Page 326: ... introduced 4 0 1 Usage Guidelines The maximum retries for an interface takes precedence over the globally configured value You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to change the global maximum number of EAPoUDP retry attempts switch config t switch config eou max retry 2 This example shows how to reve...

Page 327: ...r an interface switch config t switch config interface ethernet 1 1 switch config if no eou max retry Related Commands Description Command Enables EAPoUDP feature eou Displays EAPoUDP information show eou Cisco Nexus 7000 Series Security Command Reference 301 E Commands eou max retry ...

Page 328: ...dification Release This command was introduced 4 0 1 Usage Guidelines You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to change the UDP port number for EAPoUDP switch config t switch config eou port 21856 This example shows how to revert to the default UDP port number for EAPoUDP switch config t switch config...

Page 329: ...Modification Release This command was introduced 4 0 1 Usage Guidelines Setting the EAPoUDP rate limit to zero 0 allows no simultaneous posture validation sessions The EAPoUDP rate limit for an interface overrides the globally EAPoUDP rate limit setting You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to chang...

Page 330: ... 30 This example shows how to revert to the default maximum number of simultaneous EAPoUDP posture validation sessions for an interface switch config t switch config interface ethernet 1 1 switch config if no eou ratelimit Related Commands Description Command Enables EAPoUDP feature eou Displays EAPoUDP information show eou Cisco Nexus 7000 Series Security Command Reference 304 E Commands eou rate...

Page 331: ...tion clientless Specifies sessions authenticated using EAPoUDP eap Specifies sessions authenticated using statically configured exception lists static Revalidates the EAPoUDP sessions for a specific interface interface ethernet slot port Revalidates the EAPoUDP sessions for a specific IPv4 address ip address ipv4 address Revalidates the EAPoUDP sessions for a specific MAC address mac address mac a...

Page 332: ... sessions switch eou revalidate authentication static This example shows how to revalidate all the EAPoUDP sessions switch eou revalidate interface ethernet 1 1 This example shows how to revalidate all the EAPoUDP sessions switch eou revalidate ip address 10 10 1 1 This example shows how to revalidate all the EAPoUDP sessions switch eou revalidate mac address 0019 076c dac4 This example shows how ...

Page 333: ... overrides the global setting for automatic revalidation The Cisco NX OS software supports an eou revalidate command in EXEC configuration mode To use an EXEC level eou revalidate command in global configuration mode include the required keywords Note You must use the feature eou command before you configure EAPoUDP This command does not require a license Examples This example shows how to disable...

Page 334: ...revalidate Related Commands Description Command Enables EAPoUDP feature eou Configures the timeout interval for EAPoUDP automatic periodic validation eou timeout Displays EAPoUDP information show eou Cisco Nexus 7000 Series Security Command Reference 308 E Commands eou revalidate global configuration and interface configuration ...

Page 335: ...nds hold period seconds Specifies the retransmit timeout interval The range is from 1 to 60 seconds retransmit seconds Specifies the period automatic revalidation timeout interval The range is from 5 to 86400 seconds revalidation seconds Specifies the status query timeout interval The range is from 10 to 1800 seconds status query seconds Command Default Global AAA timeout interval 60 seconds 1 min...

Page 336: ...s example shows how to change the global retransmit timeout interval switch config t switch config eou timeout retransmit 5 This example shows how to change the retransmit timeout interval for an interface switch config t switch config interface ethernet 1 1 switch config if eou timeout retransmit 4 This example shows how to change the global revalidation timeout interval switch config t switch co...

Page 337: ...Enables EAPoUDP feature eou Enables periodic automatic revalidation of endpoint devices eou revalidate global configuration Displays EAPoUDP information show eou Cisco Nexus 7000 Series Security Command Reference 311 E Commands eou timeout ...

Page 338: ...number that this group member matches Valid port numbers are from 0 to 65535 port number Command Default None Command Modes IP port object group configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines IP port object groups are not directional Whether an eq command matches a source or destination port or whether it applies to inbound or outbound traffic...

Page 339: ...ber in an IP port object group lt Specifies a not equal to group member in an IP port object group neq Configures an IP port object group object group ip port Specifies a port range group member in an IP port object group range Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 313 E Commands eq ...

Page 340: ...Cisco Nexus 7000 Series Security Command Reference 314 E Commands eq ...

Page 341: ... feature mka page 325 feature password encryption aes page 327 feature port security page 328 feature privilege page 330 feature scp server page 332 feature sftp server page 333 feature ssh page 334 feature tacacs page 335 feature telnet page 336 filter page 337 fips mode enable page 339 fragments page 341 Cisco Nexus 7000 Series Security Command Reference 315 ...

Page 342: ... valid feature names to use in this command This command does not require a license Examples This example shows add features to a user role feature group switch configure terminal switch config role feature group name SecGroup switch config role featuregrp feature aaa switch config role featuregrp feature radius switch config role featuregrp feature tacacs This example shows how to remove a featur...

Page 343: ...cts command even without having any license installed The Cisco TrustSec feature does not have a license grace period You must install the Advanced Services license to configure this feature Note This command requires the Advanced Services license Examples This example shows how to enable the Cisco TrustSec feature switch configure terminal switch config feature cts This example shows how to disab...

Page 344: ...Cisco Nexus 7000 Series Security Command Reference 318 F Commands feature cts ...

Page 345: ... the DHCP snooping feature commands related to DCHP snooping are unavailable Dynamic ARP inspection and IP Source Guard depend upon the DHCP snooping feature If you disable the DHCP snooping feature the device discards all configuration related to DHCP snooping configuration including the following features DHCP snooping DHCP relay DAI IP Source Guard If you want to turn off DHCP snooping and pres...

Page 346: ...y enables DHCP snooping on the device ip dhcp snooping Enables or disables the DHCP relay agent service dhcp Displays general information about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 320 F Commands feature dhcp ...

Page 347: ... command before you configure 802 1X If you disable the 802 1X feature all 802 1X configuration is lost If you want to disable 802 1X authentication use the no dot1x system auth control command Note This command does not require a license Examples This example shows how to enable 802 1X switch configure terminal switch config feature dot1x This example shows how to disable 802 1X switch configure ...

Page 348: ... Usage Guidelines You must use the feature eou command before you configure EAPoUDP When you disable EAPoUDP the Cisco NX OS software removes the EAPoUDP configuration Note This command does not require a license Examples This example shows how to enable EAPoUDP switch configure terminal switch config feature eou This example shows how to disable EAPoUDP switch configure terminal switch config no ...

Page 349: ...e you configure LDAP When you disable LDAP the Cisco NX OS software removes the LDAP configuration Note This command does not require a license Examples This example shows how to enable LDAP switch configure terminal switch config feature ldap This example shows how to disable LDAP switch configure terminal switch config no feature ldap Related Commands Description Command Displays the LDAP config...

Page 350: ...Cisco Nexus 7000 Series Security Command Reference 324 F Commands feature ldap ...

Page 351: ...ch configure terminal switch config feature mka This example shows how to disable the MKA feature switch configure terminal switch config no feature mka Related Commands Description Command Configures the cipher suite for encrypting traffic with MACsec cipher suite Configures the confidentiality offset for MKA encryption conf offset Creates a key or enters the configuration mode of an existing key...

Page 352: ...res the MACsec policy macsec policy Sets an expiry time for a force SAK rekey sak expiry time time Displays the configuration of the specified keychain show key chain Displays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays the status of MKA show run mka Cisco Nexus 7000 Series Security Command Reference 326 F Commands feature mka ...

Page 353: ... feature without a master key but encryption starts only when a master key is present in the system To configure a master key use the key config key command This command does not require a license Examples This example shows how to enable the AES password encryption feature switch configure terminal switch config feature password encryption aes switch config This example shows how to disable the A...

Page 354: ...g this command This command does not require a license Enabling Port Security If you enable port security globally all other commands related to port security become available If you are reenabling port security no port security configuration is restored from the last time that port security was enabled Disabling Port Security If you disable port security globally all port security configuration i...

Page 355: ...rt security Provides debugging information for port security debug port security Shows information about port security show port security Enables port security on a Layer 2 interface switchport port security Cisco Nexus 7000 Series Security Command Reference 329 F Commands feature port security ...

Page 356: ... lower level privilege roles Examples This example shows how to enable the cumulative privilege of roles switch configure terminal switch config feature privilege This example shows how to disable the cumulative privilege of roles switch configure terminal switch config no feature privilege 2010 Feb 12 12 52 06 switch FEATURE MGR 2 FM_AUTOCKPT_IN_PROGRESS AutoCheckpoint system fm privilege s creat...

Page 357: ...ilege level username and status of cumulative privilege support show privilege Enables a user to use privilege levels for authorization username username priv lvl Cisco Nexus 7000 Series Security Command Reference 331 F Commands feature privilege ...

Page 358: ...an execute an SCP command on the remote device to copy the files to or from the Cisco NX OS device The arcfour and blowfish cipher options are not supported for the SCP server This command does not require a license Examples This example shows how to enable the SCP server on the Cisco NX OS device switch configure terminal switch config feature scp server switch config This example shows how to di...

Page 359: ...s After you enable the SFTP server you can execute an SFTP command on the remote device to copy the files to or from the Cisco NX OS device This command does not require a license Examples This example shows how to enable the SFTP server on the Cisco NX OS device switch configure terminal switch config feature sftp server switch config This example shows how to disable the SFTP server on the Cisco...

Page 360: ...d 4 1 2 Usage Guidelines The Cisco NX OS software supports SSH version 2 This command does not require a license Examples This example shows how to enable the SSH server switch configure terminal switch config feature ssh This example shows how to disable the SSH server switch configure terminal switch config no feature ssh XML interface to system may become unavailable since ssh is disabled Relat...

Page 361: ... You must use the feature tacacs command before you configure TACACS When you disable TACACS the Cisco NX OS software removes the TACACS configuration Note This command does not require a license Examples This example shows how to enable TACACS switch configure terminal switch config feature tacacs This example shows how to disable TACACS switch configure terminal switch config no feature tacacs R...

Page 362: ...server enable command 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to enable the Telnet server switch configure terminal switch config feature telnet This example shows how to disable the Telnet server switch configure terminal switch config no feature telnet XML interface to system may become unavailable since ssh is disabled Related Commands Desc...

Page 363: ...ertificate as a subject alternative name For example username e mail ID Optional Specifies the user principal name as an alternate name altname upn Principal name that must be present in the certificate as a subject alternative name For example username without domain hostname user principal name Command Default None Command Modes Certificate mapping filter configuration Command History Modificati...

Page 364: ... crypto certificatemap mapname filtermap1 switch config certmap filter filter altname email jsmith acme com Related Commands Description Command Creates a filter map crypto certificatemap mapname Displays the certificate mapping filters show crypto certificatemap Cisco Nexus 7000 Series Security Command Reference 338 F Commands filter ...

Page 365: ... only Disable SNMPv1 and v2 Any existing user accounts on the device that have been configured for SNMPv3 should be configured only with SHA for authentication and AES 3DES for privacy Delete all SSH server RSA1 key pairs Enable HMAC SHA1 message integrity checking MIC for use during the Cisco TrustSec Security Association Protocol SAP negotiation To do so enter the sap hash algorithm HMAC SHA 1 c...

Page 366: ...sabled Related Commands Description Command Displays the status of Federal Information Processing Standard FIPS mode show fips status Cisco Nexus 7000 Series Security Command Reference 340 F Commands fips mode enable ...

Page 367: ...idelines The fragments command allows you to simplify the configuration of an IP ACL when you want to permit or deny noninitial fragments that do not match an explicit permit or deny command in the ACL Instead of controlling noninitial fragment handling by using many permit or deny commands that specify the fragments keyword you can use the fragments command instead When a device applies to traffi...

Page 368: ... permit all 10 permit tcp 10 0 0 0 8 172 28 254 254 24 eq tacacs 20 permit tcp 10 0 0 0 8 172 28 254 154 24 eq tacacs 30 permit tcp 10 0 0 0 8 172 28 254 54 24 eq tacacs Related Commands Description Command Configures a deny rule in an IPv4 ACL deny IPv4 Configures a deny rule in an IPv6 ACL deny IPv6 Configures a permit rule in an IPv4 ACL permit IPv4 Configures a permit rule in an IPv6 ACL permi...

Page 369: ...G Commands gt page 344 Cisco Nexus 7000 Series Security Command Reference 343 ...

Page 370: ...up sequence number Port number that traffic matching this group member exceeds The port number argument can be a whole number between 0 and 65535 port number Command Default None Command Modes IP port object group configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines IP port object groups are not directional Whether a gt command matches a source or d...

Page 371: ...er in an IP port object group lt Specifies a not equal to group member in an IP port object group neq Configures an IP port object group object group ip port Specifies a port range group member in an IP port object group range Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 345 G Commands gt ...

Page 372: ...Cisco Nexus 7000 Series Security Command Reference 346 G Commands gt ...

Page 373: ... 349 hardware access list resource feature bank mapping page 351 hardware access list resource pooling page 352 hardware access list update page 354 hardware rate limiter page 356 hop limit page 360 host IPv4 page 362 host IPv6 page 365 Cisco Nexus 7000 Series Security Command Reference 347 ...

Page 374: ...uced 6 1 3 Usage Guidelines This command does not require a license Deny ace feature is not supported on F1 module Note This example shows how to enable deny ace feature switch configure terminal switch config hardware access list allow deny ace switch config This example shows how to disable deny ace feature switch configure terminal switch config no hardware access list allow deny ace switch con...

Page 375: ...eature and is not supported for the management interface or for control packets originating in the supervisor It is also not supported for software ACLs such as SNMP community ACLs and virtual teletype VTY ACLs Enabling ACL capture disables ACL logging for all VDCs and the rate limiter for ACL logging Only one ACL capture session can be active at any given time in the system across VDCs This comma...

Page 376: ...scription Command Configures how a supervisor module updates an I O module with changes to an ACL hardware access list update Cisco Nexus 7000 Series Security Command Reference 350 H Commands hardware access list capture ...

Page 377: ...ication Release This command was introduced 6 2 2 Usage Guidelines This command is available only in the default virtual device context VDC but applies to all VDCs F1 Series modules do not support ACL TCAM bank mapping Resource pooling and ACL TCAM bank mapping cannot be enabled at the same time Examples This example shows how to enable ACL TCAM bank mapping for feature groups and classes switch c...

Page 378: ...the vlan vlan mode that allows you to configure two VLAN features on a destination per direction vlan vlan Specifies the I O module s The slot number list argument allows you to specify modules by the slot number that they occupy You can specify a single I O module a range of slot numbers or comma separated slot numbers and ranges module number Specifies all the modules Note that the PORT VLAN and...

Page 379: ...for all modules in a 10 slot chassis excluding supervisor slots 5 and 6 switch configure terminal switch config hardware access list resource pooling module 1 4 7 10 When a new module is inserted bank chaining is enabled automatically for that module without you having to remember to enter the command This example shows how to enable VLAN VLAN mode for the module 3 switch configure terminal switch...

Page 380: ...ist update command 4 1 2 Usage Guidelines In Cisco NX OS Release 4 1 4 and later releases the hardware access list update command is available in the default VDC only and affects all VDCs By default when a supervisor module of a Cisco Nexus 7000 Series device updates an I O module with changes to an ACL it performs an atomic ACL update An atomic update does not disrupt traffic that the updated ACL...

Page 381: ...how vdc current vdc command Note This example shows how to disable atomic ACL updates switch configure terminal switch config no hardware access list update atomic This example shows how to permit affected traffic during a nonatomic ACL update switch configure terminal switch config hardware access list update default result permit This example shows how to revert to the atomic update method switc...

Page 382: ... packets disable module modulemodule port start end f1 rl 1 packets disable module module port start end rl 2 packets disable module module port start end rl 3 packets disable module module port start end rl 4 packets disable module module port start end rl 5 packets disable module module port start end layer 2 l2pt packets disable module module port start end mcast snooping packets disable module...

Page 383: ...disabled port security Specifies broadcast multicast and unknown unicast storm control packets The default is disabled storm control Specifies Layer 2 control packets over the virtual port channel vPC low queue It synchronizes control plane communication between vPC peer switches that are of a lower priority and protects the control plane when a vPC peer switch misbehaves or excessive traffic occu...

Page 384: ... Command Default See the Syntax Description for the default rate limits Default rate limits for the F1 Series modules RL 1 4500 packets per second RL 2 1000 packets per second RL 3 1000 packets per second RL 4 100 packets per second RL 5 1500 packets per second Command Modes Global configuration Command History Modification Release Added the portgroup multiplier keyword and the multiplier paramete...

Page 385: ...pps This command does not require a license Examples This example shows how to configure a rate limit for control packets switch configure terminal switch config hardware rate limiter layer 3 control 20000 This example shows how to revert to the default rate limit for control packets switch configure terminal switch config no hardware rate limiter layer 3 control This example shows how to configur...

Page 386: ...an prevent an attacker from setting a low hop count limit value on the hosts to block them from generating traffic to remote destinations that is beyond their default router If the advertised hop count limit value is unspecified which is the same as setting a value of 0 the packet is dropped Configuring the maximum limit keyword and argument enables verification that the advertised hop count limit...

Page 387: ...d Commands Description Command Defines the RA guard policy name and enters RA guard policy configuration mode ipv6 nd raguard policy Cisco Nexus 7000 Series Security Command Reference 361 H Commands hop limit ...

Page 388: ...t group sequence number Specifies that the group member is a single IPv4 address Enter IPv4 address in dotted decimal format host IPv4 address IPv4 address and network wildcard Enter IPv4 address and network wildcard in dotted decimal format Use network wildcard to specify which bits of IPv4 address are the network portion of the address as follows switch config ipaddr ogroup 10 23 176 0 0 0 0 255...

Page 389: ...hat you use to specify a single IPv4 address the device shows the host IP address form of the group member when you use the show object group command This command does not require a license Examples This example shows how to configure an IPv4 address object group named ipv4 addr group 13 with two group members that are specific IPv4 addresses and one group member that is the 10 23 176 0 subnet 10 ...

Page 390: ...Description Command Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 364 H Commands host IPv4 ...

Page 391: ...eater than the largest sequence number in the current object group sequence number Specifies that the group member is a single IPv6 address Enter IPv6 address in colon separated hexadecimal format host IPv6 address IPv6 address and a variable length subnet mask EnterIPv6 address in colon separated hexadecimal format Use network prefix to specify how many bits of IPv6 address are the network portio...

Page 392: ...bject group named ipv6 addr group A7 with two group members that are specific IPv6 addresses and one group member that is the 2001 db8 0 3ab7 subnet 10 121 57 234 32 switch configure terminal switch config object group ipv6 address ipv6 addr group A7 switch config ipv6addr ogroup host 2001 db8 0 3ab0 1 switch config ipv6addr ogroup 2001 db8 0 3ab0 2 128 switch config ipv6addr ogroup 2001 db8 0 3ab...

Page 393: ...an page 387 ip dhcp packet strict validation page 389 ip dhcp redirect response page 391 ip dhcp relay page 392 ip dhcp relay address page 394 ip dhcp relay information option page 396 ip dhcp relay information option vpn page 398 ip dhcp relay subnet broadcast page 400 ip dhcp relay sub option type cisco page 402 ip dhcp smart relay page 404 ip dhcp smart relay global page 406 ip dhcp snooping pa...

Page 394: ...e 434 ipv6 access list page 436 ipv6 dhcp ldra page 438 ipv6 dhcp guard policy page 439 ipv6 dhcp ldra interface page 440 ipv6 dhcp relay page 441 ipv6 dhcp ldra attach policy interface page 443 ipv6 dhcp ldra attach policy vlan page 445 ipv6 dhcp relay address page 446 ipv6 nd raguard attach policy page 448 ipv6 nd raguard policy page 450 ipv6 neighbor binding page 452 ipv6 neighbor binding loggi...

Page 395: ...figuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to create an identity policy and enter identity policy configuration mode switch configure terminal switch config identity policy AdminPolicy switch config id policy This example shows how to remove an identity policy switch conf...

Page 396: ...on Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to create the EAPoUDP identity profile and enter identity profile configuration mode switch configure terminal switch config identity profile eapoudp switch config id policy This example shows how to remove the EAPoUDP identity profile c...

Page 397: ...role interface policy configuration mode This command does not require a license Examples This example shows how to enter user role interface policy configuration mode for a user role switch configure terminal switch config role name MyRole switch config role interface policy deny switch config role interface This example shows how to revert to the default interface policy for a user role switch c...

Page 398: ...Cisco Nexus 7000 Series Security Command Reference 372 I Commands interface policy deny ...

Page 399: ... Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 5 1 1 Usage Guidelines The VTY ACL feature restricts all traffic for all VTY lines You cannot specify different traffic restrictions for different VTY lines Any router ACL can be configured as a VTY ACL This command does not require a license Examples This example shows how to ...

Page 400: ...lass vtyacl out switch config line Related Commands Description Command Configures an IPv4 ACL ip access list Shows either a specific IPv4 ACL or all IPv4 ACLs show ip access lists Shows the running configuration of all interfaces or of a specific interface show running config interface Cisco Nexus 7000 Series Security Command Reference 374 I Commands ip access class ...

Page 401: ...outbound traffic out Command Default None Command Modes Interface configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines By default no IPv4 ACLs are applied to an interface You can use the ip access group command to apply an IPv4 ACL as a router ACL to the following interface types VLAN interfaces You must enable VLAN interfaces globally before you ca...

Page 402: ...o an interface the device checks the ACL If the first matching rule permits the packet the device sends the packet to its destination If the first matching rule denies the packet the device drops the packet and returns an ICMP host unreachable message If you delete the specified ACL from the device without removing the ACL from an interface the deleted ACL does not affect traffic on the interface ...

Page 403: ...cription Command Shows the running configuration of all interfaces or of a specific interface show running config interface Cisco Nexus 7000 Series Security Command Reference 377 I Commands ip access group ...

Page 404: ...ou enter this command Use the ip access group command to apply the ACL to an interface as a router ACL Use the ip port access group command to apply the ACL to an interface as a port ACL Every IPv4 ACL has the following implicit rule as its last rule deny ip any any This implicit rule ensures that the device denies unmatched IP traffic Unlike IPv6 ACLs IPv4 ACLs do not include additional implicit ...

Page 405: ...n IPv4 ACL deny IPv4 Applies an IPv4 ACL to an interface as a router ACL ip access group Applies an IPv4 ACL to an interface as a port ACL ip port access group Configures a permit rule in an IPv4 ACL permit IPv4 Displays all IPv4 ACLs or a specific IPv4 ACL show ip access lists Enables collection of statistics for each entry in an ACL statistics per entry Cisco Nexus 7000 Series Security Command R...

Page 406: ...r comma separated IDs and ranges see the Examples section Valid VLAN IDs are from 1 to 4096 vlan vlan list Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to apply an ARP ACL named arp acl 01 to VLANs 15 and 37 through 48 switch con...

Page 407: ... DAI configuration status show ip arp inspection Displays DHCP snooping configuration including the DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 381 I Commands ip arp inspection filter ...

Page 408: ...a range of 0 to 1024 entries logs number Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines By default the DAI logging buffer size is 32 messages This command does not require a license Examples This example shows how to configure the DAI logging buffer size switch configure terminal switch config ip arp i...

Page 409: ...ear ip arp inspection log Displays the DAI configuration status show ip arp inspection Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 383 I Commands ip arp inspection log buffer ...

Page 410: ...can configure only Layer 2 Ethernet interfaces as trusted ARP interfaces This command does not require a license Examples This example shows how to configure a Layer 2 interface as a trusted ARP interface switch configure terminal switch config interface ethernet 2 1 switch config if ip arp inspection trust switch config if Related Commands Description Command Displays the Dynamic ARP Inspection D...

Page 411: ...ice classifies packets with different MAC addresses as invalid and drops them dst mac Optional Enables validation of the ARP body for invalid and unexpected IP addresses Addresses include 0 0 0 0 255 255 255 255 and all IP multicast addresses The device checks the sender IP addresses in all ARP requests and responses and checks the target IP addresses only in ARP responses ip Optional Enables vali...

Page 412: ...itional DAI validation switch configure terminal switch config ip arp inspection validate src mac dst mac ip switch config Related Commands Description Command Displays the DAI configuration status show ip arp inspection Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 386 I Commands ip arp inspection valid...

Page 413: ... see the Examples section Valid VLAN IDs are from 1 to 4096 vlan list Optional Enables DAI logging for the VLANs specified all Logs all packets that match DHCP bindings none Does not log DHCP bindings packets Use this option to disable logging permit Logs DHCP binding permitted packets logging Enables logging based on DHCP binding matches dhcp bindings Enables logging of packets permitted by a DHC...

Page 414: ...tion vlan 13 15 17 23 switch config Related Commands Description Command Enables additional DAI validation ip arp inspection validate Displays the DAI configuration status show ip arp inspection Displays DAI status for a specified list of VLANs show ip arp inspection vlan Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Comm...

Page 415: ...and Strict validation of DHCP packets checks that the DHCP options field in DCHP packets is valid including the magic cookie value in the first four bytes of the options field When strict validation of DHCP packets is enabled the device drops DHCP packets that fail validation Examples This example shows how to enable the strict validation of DHCP packets switch configure terminal switch config ip ...

Page 416: ...ion about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 390 I Commands ip dhcp packet strict validation ...

Page 417: ...edirect response feature is supported only on the Cisco M3 Series modules To use this command you must enable the DHCP feature using the feature dhcp command You can configure the ip dhcp redirect response command on any SVI or L3 interfaces Examples This example shows how to configure DHCP redirect response feature switch configure terminal switch config interface Ethernet 2 1 switch config if ip...

Page 418: ...y enable DHCP snooping switch configure terminal switch config ip dhcp relay switch config Related Commands Description Command Enables the DHCP snooping feature on the device feature dhcp Configures an IP address of a DHCP server on an interface ip dhcp relay address Enables the insertion and removal of option 82 information from DHCP packets forwarded by the DHCP relay agent ip dhcp relay inform...

Page 419: ...cp snooping Displays general information about DHCP snooping show ip dhcp snooping Displays the DHCP snooping configuration including the IP source guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 393 I Commands ip dhcp relay ...

Page 420: ...use vrf vrf name option 5 0 2 Up to four ip dhcp relay address commands can be added to the configuration of a Layer 3 Ethernet interface or subinterface 4 0 3 This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the DHCP snooping feature see the feature dhcp command You can configure up to four DHCP server IP addresses on Layer 3 Ethernet interfaces and subinterf...

Page 421: ...ace port channel 7 switch config if ip dhcp relay address 10 132 7 120 switch config if Related Commands Description Command Enables or disables the DHCP relay agent ip dhcp relay Enables the insertion and removal of option 82 information from DHCP packets forwarded by the DHCP relay agent ip dhcp relay information option Enables VRF support for the DHCP relay agent ip dhcp relay information optio...

Page 422: ...0 1 Usage Guidelines To use this command you must enable the DHCP snooping feature see the feature dhcp command This command does not require a license Examples This example shows how to enable the DHCP relay agent to insert and remove option 82 information to and from packets it forwards switch configure terminal switch config ip dhcp relay information option switch config Related Commands Descri...

Page 423: ... 82 information for DHCP packets forwarded without the use of the DHCP relay agent ip dhcp snooping information option Displays the DHCP snooping configuration including the IP source guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 397 I Commands ip dhcp relay information option ...

Page 424: ...s in multiple VRFs you can conserve IP addresses by using a single IP address pool rather than one for each VRF If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information and the address of the DCHP server belongs to a network on an interface that is a member of a different VRF the device inserts Option 82 information in the request and forward...

Page 425: ...isables the DHCP relay agent ip dhcp relay Configures the IP address of a DHCP server on an interface ip dhcp relay address Enables the insertion and removal of option 82 information from DHCP packets forwarded by the DHCP relay agent ip dhcp relay information option Enables DHCP to use Cisco proprietary numbers 150 152 and 151 when filling the link selection server ID override and VRF name VPN ID...

Page 426: ...CP smart relay and DHCP subnet broadcast support DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled In a vPC environment with DHCP smart relay enabled the subnet of the primary and secondary addresses of an interface should be the same on both Cisco NX OS devices This command does not require a license Examples Th...

Page 427: ...nds Description Command Enables the DHCP feature on the device feature dhcp Enable the DHCP relay agent ip dhcp relay Cisco Nexus 7000 Series Security Command Reference 401 I Commands ip dhcp relay subnet broadcast ...

Page 428: ...ry Modification Release This command was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to enable DHCP to use Cisco proprietary numbers 150 152 and 151 when filling the link selection server ID override and VRF name VPN ID relay agent option 82 suboptions switch configure terminal switch config ip dhcp relay sub option type cisco switch co...

Page 429: ... Displays general information about DHCP snooping show ip dhcp snooping Displays the DHCP snooping configuration including the IP source guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 403 I Commands ip dhcp relay sub option type cisco ...

Page 430: ... subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled You must configure a helper address on the interface in order to use DHCP smart relay and DHCP subnet broadcast support DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled A maximum of 10 000 clients can u...

Page 431: ...ethernet 7 2 switch config if no ip dhcp smart relay switch config if Related Commands Description Command Enables the DHCP smart relay globally on the Cisco NX OS device ip dhcp smart relay global Enable the DHCP relay agent ip dhcp relay Cisco Nexus 7000 Series Security Command Reference 405 I Commands ip dhcp smart relay ...

Page 432: ...mand DHCP smart relay and DHCP subnet broadcast support are limited to the first 100 IP addresses of the interface on which they are enabled You must configure a helper address on the interface in order to use DHCP smart relay and DHCP subnet broadcast support A maximum of 10 000 clients can use DHCP smart relay at any given time In a vPC environment with DHCP smart relay enabled the subnet of the...

Page 433: ...ch config Related Commands Description Command Enables DHCP smart relay on a Layer 3 interface ip dhcp smart relay Enable the DHCP relay agent ip dhcp relay Cisco Nexus 7000 Series Security Command Reference 407 I Commands ip dhcp smart relay global ...

Page 434: ...he feature dhcp command The device preserves DHCP snooping configuration when you disable DHCP snooping with the no ip dhcp snooping command This command does not require a license Examples This example shows how to globally enable DHCP snooping switch configure terminal switch config ip dhcp snooping switch config Related Commands Description Command Enables the DHCP snooping feature on the devic...

Page 435: ...DHCP snooping on the specified VLANs ip dhcp snooping vlan Displays general information about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 409 I Commands ip dhcp snooping ...

Page 436: ...e Guidelines To use this command you must enable the DHCP snooping feature see the feature dhcp command This command does not require a license Examples This example shows how to globally enable DHCP snooping switch configure terminal switch config ip dhcp snooping information option switch config Related Commands Description Command Enables the insertion and removal of option 82 information from ...

Page 437: ...on about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 411 I Commands ip dhcp snooping information option ...

Page 438: ... 1 Usage Guidelines To use this command you must enable the DHCP snooping feature see the feature dhcp command You can configure DHCP trust on the following types of interfaces Layer 3 Ethernet interfaces and subinterfaces Layer 2 Ethernet interfaces Private VLAN interfaces This command does not require a license Examples This example shows how to configure an interface as a trusted source of DHCP...

Page 439: ... verification as part of DHCP snooping ip dhcp snooping verify mac address Enables DHCP snooping on the specified VLANs ip dhcp snooping vlan Displays general information about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 413 I Commands ip dhcp snooping tr...

Page 440: ...the feature dhcp command If the device receives a packet on an untrusted interface and the source MAC address and the DHCP client address do not match address verification causes the device to drop the packet This command does not require a license Examples This example shows how to enable DHCP snooping MAC address verification switch configure terminal switch config ip dhcp snooping verify mac ad...

Page 441: ...ing on the specified VLANs ip dhcp snooping vlan Displays general information about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 415 I Commands ip dhcp snooping verify mac address ...

Page 442: ...odes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the DHCP snooping feature see the feature dhcp command This command does not require a license Examples This example shows how to enable DHCP snooping on VLANs 100 200 and 250 through 252 switch configure terminal switch config ip dhcp snooping vlan ...

Page 443: ...fication as part of DHCP snooping ip dhcp snooping verify mac address Displays general information about DHCP snooping show ip dhcp snooping Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 417 I Commands ip dhcp snooping vlan ...

Page 444: ...lines To use this command you must enable the DHCP feature by using the feature dhcp command Examples This example shows how to enable the UDP relay feature switch configure terminal switch config ip forward protocol udp This example shows how to disable the UDP relay feature switch configure terminal switch config no ip forward protocol udp Related Commands Description Command Enables the UDP rel...

Page 445: ...se This command was introduced 4 0 1 Usage Guidelines By default no IPv4 ACLs are applied to an interface You can use the ip port access group command to apply an IPv4 ACL as a port ACL to the following interface types Layer 2 Ethernet interfaces Layer 2 Ethernet port channel interfaces You can also use the ip port access group command to apply an IPv4 ACL as a port ACL to the following interface ...

Page 446: ...oup command on the interface This command does not require a license Examples This example shows how to apply an IPv4 ACL named ip acl 01 to Ethernet interface 2 1 as a port ACL switch configure terminal switch config interface ethernet 2 1 switch config if ip port access group ip acl 01 in This example shows how to remove an IPv4 ACL named ip acl 01 from Ethernet interface 2 1 switch configure te...

Page 447: ... mac packet classify Displays all ACLs show access lists Shows either a specific IPv4 ACL or all IPv4 ACLs show ip access lists Shows the running configuration of all interfaces or of a specific interface show running config interface Enables collection of statistics for each entry in an ACL statistics per entry Cisco Nexus 7000 Series Security Command Reference 421 I Commands ip port access group...

Page 448: ... History Modification Release This command was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to configure the global source interface for RADIUS server groups switch configure terminal switch config ip radius source interface mgmt 0 This example shows how to remove the global source interface for RADIUS server groups switch configure term...

Page 449: ...adecimal format MAC address Specifies the VLAN associated with the IP source entry vlan vlan id Specifies the Layer 2 Ethernet interface associated with the static IP entry interface ethernetslot port Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines By default there are no static IP source entries This c...

Page 450: ...ip verify source dhcp snooping vlan Displays IP to MAC address bindings show ip verify source Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 424 I Commands ip source binding ...

Page 451: ...ed 4 1 2 Usage Guidelines You must use the feature tacacs command before you configure TACACS This command does not require a license Examples This example shows how to configure the global source interface for TACACS server groups switch configure terminal switch config ip tacacs source interface mgmt 0 This example shows how to remove the global source interface for TACACS server groups switch c...

Page 452: ...e this command you must configure an object group by using the object group udp relay ip address command Examples This example shows how to associate an object group with an L3 interface switch config interface ethernet e0 0 switch config if ip udp relay addrgroup udprelay1 This example shows how to disassociate the object group switch config if no ip udp relay addrgroup udprelay1 Related Commands...

Page 453: ...ch configure terminal switch config feature dhcp switch config ip forward protocol udp switch config object group udp relay ip address udprelay1 switch config udp ogroup host 20 1 2 2 switch config udp ogroup 30 1 1 1 255 255 255 0 switch config udp ogroup 40 1 1 1 24 switch config udp ogroup exit switch config interface ethernet e0 0 switch config if ip udp relay addrgroup udprelay1 switch config...

Page 454: ...Cisco Nexus 7000 Series Security Command Reference 428 I Commands ip udp relay subnet broadcast ...

Page 455: ...elease This command was introduced 4 0 1 Usage Guidelines By default IP Source Guard is not enabled on any interface This command does not require a license Examples This example shows how to enable IP Source Guard on an interface switch configure terminal switch config interface ethernet 2 1 switch config if ip verify source dhcp snooping vlan switch config if Related Commands Description Command...

Page 456: ...s interface Strict Unicast RPF mode A strict mode check is successful when the following matches occur Unicast RPF finds a match in the Forwarding Information Base FIB for the packet source address The ingress interface through which the packet is received matches one of the Unicast RPF interfaces in the FIB match If these checks fail the packet is discarded You can use this type of Unicast RPF ch...

Page 457: ...le via rx Related Commands Description Command Displays the IP related information for an interface show ip interface ethernet Displays the interface configuration in the running configuration show running config interface ethernet Displays the IP configuration in the running configuration show running config ip Displays the interface configuration in the startup configuration show startup config ...

Page 458: ...es the outgoing packets out Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 5 1 1 Usage Guidelines The VTY ACL feature restricts all traffic for all VTY lines You cannot specify different traffic restrictions for different VTY lines Any router ACL can be configured as a VTY ACL This command does not require a license Examples...

Page 459: ...ass vtyacl1 in switch config line Related Commands Description Command Configures an IPv6 ACL ip6 access list Shows either a specific IPv6 ACL or all IPv4 ACLs show ip6 access lists Shows the running configuration of all interfaces or of a specific interface show running config interface Cisco Nexus 7000 Series Security Command Reference 433 I Commands ipv6 access class ...

Page 460: ... applies the ACL to outbound traffic out Command Default None Command Modes Line configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to remove dynamically learned secure MAC addresses from the Ethernet 2 1 interface switch configure terminal switch config line vty switch config...

Page 461: ...Description Command Shows all IPv6 ACLs or a specific IPv6 ACL show ipv6 access list Cisco Nexus 7000 Series Security Command Reference 435 I Commands ipv6 access class ...

Page 462: ...command Use the ipv6 traffic filter command to apply the ACL to an interface as a router ACL Use the ipv6 port traffic filter command to apply the ACL to an interface as a port ACL Every IPv6 ACL has the following implicit rules as its last rules permit icmp any any nd na permit icmp any any nd ns permit icmp any any router advertisement permit icmp any any router solicitation deny ipv6 any any Un...

Page 463: ...ACL named ipv6 acl 01 switch configure terminal switch config ipv6 access list ipv6 acl 01 switch config acl Related Commands Description Command Configures a deny rule in an IPv6 ACL deny IPv6 Applies an IPv6 ACL to an interface as a port ACL ipv6 port traffic filter Applies an IPv6 ACL to an interface as a router ACL ipv6 traffic filter Configures a permit rule in an IPv6 ACL permit IPv6 Display...

Page 464: ...ed 7 3 0 D1 1 Usage Guidelines To use this command you must enable the DHCP feature by using the feature dhcp command Examples This example shows how to enable the LDRA feature switch configure terminal switch config feature dhcp switch config ipv6 dhcp ldra This example shows how to disable the LDRA feature switch config no ipv6 dhcp ldra Related Commands Description Command Displays the configur...

Page 465: ...y Modification Release This command was introduced 8 0 1 Usage Guidelines This command allows you to enter DHCPv6 guard configuration mode DHCPv6 guard policies can be used to block reply and advertisement messages that come from unauthorized DHCP servers and relay agents that forward DHCP packets from servers to clients Client messages or messages sent by relay agents from clients to servers are ...

Page 466: ...s server facing server facing Command Default Disabled Command Modes Interface configuration Command History Modification Release This command was introduced 7 3 0 D1 1 Usage Guidelines To use this command you must enable the LDRA feature by using the ipv6 dhcp ldra command Examples This example shows how to enable the LDRA feature on the specified interface switch config ipv6 dhcp ldra switch con...

Page 467: ...onfiguration Command History Modification Release This command was introduced 6 2 2 Usage Guidelines You can use the ipv6 dhcp relay option vpn command to relay DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF The ipv6 dhcp relay option type cisco command causes the DHCPv6 relay agent to insert virtual subnet selection VSS details as part of the vendor s...

Page 468: ... how to enable VRF support for the DHCPv6 relay agent switch config ipv6 dhcp relay option vpn This example shows how to enable the DHCPv6 relay agent using option type Cisco switch config ipv6 dhcp relay option type cisco This example shows how to configure the source interface for the DHCPv6 relay switch config ipv6 dhcp relay option source interface ethernet 25 Related Commands Description Comm...

Page 469: ...s server facing server facing Command Default Disabled Command Modes Interface configuration Command History Modification Release This command was introduced 7 3 0 D1 1 Usage Guidelines To use this command you must enable the LDRA feature by using the ipv6 dhcp ldra command Examples This example shows how to enable the LDRA feature on the specified interface switch config ipv6 dhcp ldra switch con...

Page 470: ...Cisco Nexus 7000 Series Security Command Reference 444 I Commands ipv6 dhcp ldra attach policy interface ...

Page 471: ...nd Default Disabled Command Modes Global configuration Command History Modification Release This command was introduced 7 3 0 D1 1 Usage Guidelines To use this command you must enable the LDRA feature by using the ipv6 dhcp ldra command Examples This example shows how to enable the LDRA feature on the specified interface switch config ipv6 dhcp ldra switch config ipv6 dhcp ldra attach policy vlan ...

Page 472: ...mmand Default None Command Modes Interface configuration Command History Modification Release This command was introduced 6 2 2 Usage Guidelines The ipv6 dhcp relay address command configures an IPv6 address for a DHCPv6 server to which the relay agent forwards BOOTREQUEST packets received on the configured interface Use the use vrf option to specify the VRF name of the server if it is in a differ...

Page 473: ...1 switch config if ipv6 dhcp relay address FF02 1 FF0E 8C6C interface vlan 25 Related Commands Description Command Enables or disables the DHCPv6 relay agent ipv6 dhcp relay Displays the DHCPv6 relay configuration show ipv6 dhcp relay Displays the DHCPv6 relay statistics show ipv6 dhcp relay statistics Cisco Nexus 7000 Series Security Command Reference 447 I Commands ipv6 dhcp relay address ...

Page 474: ...none Removes the specified VLAN from RA guard inspection remove ND traffic from all VLANs on the port is inspected all Optional A specific VLAN on the interface More than one VLAN can be specified vlan1 vlan2 vlan3 The range of available VLAN numbers is from 1 through 4094 vlan Command Default An IPv6 RA guard policy is not configured Command Modes Interface configuration config if Command History...

Page 475: ... two VLAN numbers the lesser one first separated by a dash Do not enter any spaces between comma separated vlan parameters or in dash specified ranges for example vlan 1 100 200 300 400 Examples In the following example the IPv6 RA guard feature is applied on GigabitEthernet interface 0 0 switch config interface GigabitEthernet 0 0 switch config if ipv6 nd raguard attach policy Cisco Nexus 7000 Se...

Page 476: ...ard policy command to configure RA guard globally on a router Once the device is in ND inspection policy configuration mode you can use any of the following commands device role limit address count sec level minimum trusted port validate source mac After IPv6 RA guard is configured globally you can use the ipv6 nd raguard attach policy command to enable IPv6 RA guard on a specific interface Exampl...

Page 477: ...he number of IPv6 addresses allowed to be used on the port limit address count Specifies the minimum security level parameter value when CGA options are used sec level minimum Configures a port to become a trusted port trusted port Checks the source MAC address against the link layer address validate source mac Cisco Nexus 7000 Series Security Command Reference 451 I Commands ipv6 nd raguard polic...

Page 478: ...me in seconds a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable The default is 24 hours 86 400 seconds stale lifetime value Optional The maximum time in seconds an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable The default is 24 hours ...

Page 479: ...ime configuration Examples The following example shows how to change the reachable lifetime for binding entries to 100 seconds switch config ipv6 neighbor binding reachable entries 100 Related Commands Description Command Tracks entries in the binding table ipv6 neighbor tracking Overrides the default tracking policy on a port tracking Cisco Nexus 7000 Series Security Command Reference 453 I Comma...

Page 480: ... binding table events An entry is inserted into the binding table A binding table entry was updated A binding table entry was deleted from the binding table A binding table entry was not inserted into the binding table possibly because of a collision with an existing entry or because the maximum number of entries has been reached Examples The following example shows how to enable binding table eve...

Page 481: ...isabled Command Modes Global configuration config Command History Modification Release This command was introduced 8 0 1 Usage Guidelines The ipv6 neighbor binding max entries command is used to control the content of the binding table This command specifies the maximum number of entries that are allowed to be inserted in the binding table cache Once this limit is reached new entries are refused a...

Page 482: ...d Adds a static entry to the binding table database ipv6 neighbor binding vlan Tracks entries in the binding table ipv6 neighbor tracking Cisco Nexus 7000 Series Security Command Reference 456 I Commands ipv6 neighbor binding max entries ...

Page 483: ...y the optional retry interval keyword or every 300 seconds which is the default retry interval using the neighbor unreachability detection NUD mechanism used for directly tracking neighbor reachability Reachability can also be established indirectly by using Neighbor Discovery Protocol NDP inspection up to the VERIFY_MAX_RETRIES value the default is 10 seconds When there is no response entries are...

Page 484: ... Commands Description Command Changes the defaults of neighbor binding entries in a binding table ipv6 neighbor binding Cisco Nexus 7000 Series Security Command Reference 458 I Commands ipv6 neighbor tracking ...

Page 485: ...ory Modification Release This command was introduced 4 1 2 Usage Guidelines By default no IPv6 ACLs are applied to an interface You can use the ipv6 port traffic filter command to apply an IPv6 ACL as a port ACL to the following interface types Layer 2 Ethernet interfaces Layer 2 Ethernet port channel interfaces You can also use the ipv6 port traffic filter command to apply an IPv6 ACL as a port A...

Page 486: ...n a Layer 2 interface you cannot use the ipv6 port traffic filter command on the interface This command does not require a license Examples This example shows how to apply an IPv6 ACL named ipv6 acl L2 to Ethernet interface 1 3 switch configure terminal switch config interface ethernet 1 3 switch config if ipv6 port traffic filter ipv6 acl L2 in This example shows how to remove an IPv6 ACL named i...

Page 487: ...2 interface mac packet classify Displays all ACLs show access lists Shows either a specific IPv6 ACL or all IPv6 ACLs show ipv6 access lists Shows the running configuration of all interfaces or of a specific interface show running config interface Cisco Nexus 7000 Series Security Command Reference 461 I Commands ipv6 port traffic filter ...

Page 488: ...ation config ipv6 snooping Command History Modification Release This command was introduced 8 0 1 Usage Guidelines Once a policy has been identified or configured it is applied on a target using the ipv6 snooping attach policy command This command is applied on any target which varies depending on the platform Examples of targets depending on the platform used include device ports switchports Laye...

Page 489: ... traffic out Command Default None Command Modes Interface configuration Command History Modification Release This command was introduced 4 1 2 Usage Guidelines By default no IPv6 ACLs are applied to an interface You can use the ipv6 traffic filter command to apply an IPv6 ACL as a router ACL to the following interface types VLAN interfaces You must enable VLAN interfaces globally before you can co...

Page 490: ...e device checks the ACL If the first matching rule permits the packet the device continues to process the packet If the first matching rule denies the packet the device drops the packet and returns an ICMP host unreachable message If you delete the specified ACL from the device without removing the ACL from an interface the deleted ACL does not affect traffic on the interface This command does not...

Page 491: ...K Commands key page 466 key chain page 468 key config key page 470 key octet string page 472 key server priority page 474 key string page 476 Cisco Nexus 7000 Series Security Command Reference 465 ...

Page 492: ...uration config macseckeychain Command History Modification Release This command was modified Support for the MACsec keychain configuration mode was added 8 2 1 This command was introduced 4 0 1 Usage Guidelines A new key contains no key strings This command does not require a license To use this command in MACsec keychain configuration mode you should enable the MKA feature first Examples This exa...

Page 493: ...ychain name Configures the text for a MACsec key key octet string Configures the preference for a device to serve as the key server for MKA encryption key server priority Configures the shared secret text for a specific key key string Configures the MACsec keychain policy macsec keychain policy Configures the MACsec policy macsec policy Configures a send lifetime for a key send lifetime Displays k...

Page 494: ...es a keychain if it does not already exist A new keychain contains no keys Note that removing a keychain also removes the keys that are a part of this keychain Before you remove a keychain ensure that no feature is using it If a feature is configured to use a keychain that you remove that feature is likely to fail to communicate with other devices This command does not require a license To configu...

Page 495: ...n key server priority Configures a key string key string Configures the MACsec keychain policy macsec keychain policy Configures the MACsec policy macsec policy Configures a send lifetime for a key send lifetime Displays the keychain configuration show key chain Displays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays the status of MKA ...

Page 496: ...d was introduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to configure the master key for type 6 encryption switch key config key ascii New Master Key Retype Master Key This example shows how to delete the master key and stop type 6 encryption switch no key config key ascii Warning deletion of master key will stop further type 6 encryption Do y...

Page 497: ...Cisco Nexus 7000 Series Security Command Reference 471 K Commands key config key ...

Page 498: ...hen you are entering a text string based on the encrypted output of the show key chain command that you run on another Cisco NX OS device 7 Text of the key octet string The text is alphanumeric case sensitive and can have up to 64 characters The text can have up to 130 characters for encryption type 7 Note key octet string Specifies the Cipher based Message Authentication Code CMAC algorithm for a...

Page 499: ...6789aabbcc cryptographic algorithm AES_128_CMAC switch config macseckeychain macseckey Related Commands Description Command Enables the MKA feature feature mka Creates a key or enters the configuration mode of an existing key key Creates a keychain or enters the configuration mode of an existing keychain key chain keychain name Configures the MACsec keychain policy macsec keychain policy Configure...

Page 500: ...sec policy Command History Modification Release This command was introduced 8 2 1 Usage Guidelines To use this command enable the MKA feature Examples This example shows how to set the key server priority switch configure terminal switch config macsec policy p1 switch config macsec policy key server priority 9 Related Commands Description Command Enables the MKA feature feature mka Creates a key o...

Page 501: ...uration of the specified keychain show key chain Displays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays the status of MKA show run mka Cisco Nexus 7000 Series Security Command Reference 475 K Commands key server priority ...

Page 502: ... another Cisco NX OS device encryption type Text of the key string up to 63 case sensitive alphanumeric characters The value of the first 2 digits of a type 7 key string configured by using the key string 7 text string command has to be between 0 and 15 For example you can configure 07372b557e2c1a as the key string value in which case the sum value of the first 2 digits will be 7 But you cannot co...

Page 503: ...13 switch configure terminal switch config key chain glbp keys switch config keychain key 13 switch config keychain key key string 7 071a33595c1d0c1702170203163e3e21213c20361a021f11 switch config keychain key Related Commands Description Command Configures an accept lifetime for a key accept lifetime Configures a key key Configures a keychain key chain Configures a send lifetime for a key send lif...

Page 504: ...Cisco Nexus 7000 Series Security Command Reference 478 K Commands key string ...

Page 505: ... deadtime page 480 ldap server host page 481 ldap server port page 484 ldap server timeout page 485 ldap search map page 486 logging drop threshold page 488 It page 490 Cisco Nexus 7000 Series Security Command Reference 479 ...

Page 506: ...rvers The range is from 1 to 60 minutes minutes Command Default 0 minutes Command Modes Global configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP When the dead time interval is 0 minutes LDAP servers are not marked as dead even if they are not responding This command does not require a license Examples This...

Page 507: ...4 address Server IPv6 address in the X X X X format ipv6 address Server name The name is alphanumeric case sensitive and has a maximum of 256 characters host name Optional Ensures the integrity and confidentiality of the transferred data by causing the LDAP client to establish a Secure Sockets Layer SSL session before sending the bind or search request enable ssl Optional Specifies the TCP port to...

Page 508: ...ou plan to enable the SSL protocol make sure that the LDAP server certificate is manually configured on the Cisco NX OS device By default when you configure an LDAP server IP address or hostname on the Cisco NX OS device the LDAP server is added to the default LDAP server group You can also add the LDAP server to another LDAP server group The timeout interval value specified for an LDAP server ove...

Page 509: ...Related Commands Description Command Enables LDAP feature ldap Displays the LDAP server configuration show ldap server Cisco Nexus 7000 Series Security Command Reference 483 L Commands ldap server host ...

Page 510: ... port Command Default TCP port 389 Command Modes Global configuration Command History Modification Release This command was deprecated 5 2 1 This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not require a license Examples This example shows how to configure a global TCP port for LDAP messages switch configure terminal switch config ldap s...

Page 511: ... servers The range is from 1 to 60 seconds seconds Command Default 5 seconds Command Modes Global configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not require a license Examples This example shows how to configure the global timeout interval for LDAP servers switch configure terminal swi...

Page 512: ...guration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not require a license Examples This example shows how to configure an LDAP search map switch configure terminal switch config ldap search map map1 Related Commands Description Command Enables LDAP feature ldap Displays the configured LDAP searc...

Page 513: ...res the attribute name search filter and base DN for the public key match search operation in order to send a search query to the LDAP server user pubkey match Configures the attribute name search filter and base DN for the user switchgroup search operation in order to send a search query to the LDAP server user switch bind Configures the attribute name search filter and base DN for the user profi...

Page 514: ... that you have configured the IP ACLs if you want to use ACE hit counters in the class maps This command does not require a license Examples This example shows how to configure the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold in a policy map for CoPP switch configure terminal switch config policy map type control plane ClassMapA switc...

Page 515: ... Description Command Configures a control plane policy map and enters policy map configuration mode policy map type control plane Cisco Nexus 7000 Series Security Command Reference 489 L Commands logging drop threshold ...

Page 516: ... group sequence number Port number that traffic matching this group member does not exceed or equal Valid values are from 0 to 65535 port number Command Default None Command Modes IP port object group configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines IP port object groups are not directional Whether a lt command matches a source or destination po...

Page 517: ...ber in an IP port object group gt Specifies a not equal to group member in an IP port object group neq Configures an IP port object group object group ip port Specifies a port range group member in an IP port object group range Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 491 L Commands It ...

Page 518: ...Cisco Nexus 7000 Series Security Command Reference 492 L Commands It ...

Page 519: ...age 496 mac port access group page 498 macsec keychain policy page 500 macsec policy page 502 managed config flag page 504 match class map page 505 match VLAN access map page 507 monitor session page 509 Cisco Nexus 7000 Series Security Command Reference 493 ...

Page 520: ...mac access list command the device enters MAC access list configuration mode where you can use the MAC deny and permit commands to configure rules for the ACL If the ACL specified does not exist the device creates it when you enter this command Use the mac port access group command to apply the ACL to an interface Every MAC ACL has the following implicit rule as its last rule deny any any protocol...

Page 521: ...mmands Description Command Configures a deny rule in a MAC ACL deny MAC Applies a MAC ACL to an interface mac port access group Configures a permit rule in a MAC ACL permit MAC Displays all MAC ACLs or a specific MAC ACL show mac access lists Enables collection of statistics for each entry in an ACL statistics per entry Cisco Nexus 7000 Series Security Command Reference 495 M Commands mac access l...

Page 522: ...on the interface When MAC packet classification is disabled on a Layer 2 interface a MAC ACL that is on the interface applies only to non IP traffic entering the interface Also you can apply an IP port ACL on the interface To configure an interface as a Layer 2 interface use the switchport command Examples This example shows how to configure an Ethernet interface to operate as a Layer 2 interface ...

Page 523: ...ket classification is enable d on this port switch config if Related Commands Description Command Applies a IPv4 ACL to an interface as a port ACL ip port access group Applies a IPv6 ACL to an interface as a port ACL ipv6 port traffic filter Configures an interface to operate as a Layer 2 interface switchport Cisco Nexus 7000 Series Security Command Reference 497 M Commands mac packet classify ...

Page 524: ...ed MAC ACLs apply to all traffic You can use the mac port access group command to apply a MAC ACL as a port ACL to the following interface types Layer 2 interfaces Layer 2 Ethernet port channel interfaces You can also apply a MAC ACL as a VLAN ACL For more information see the match VLAN access map command The device applies MAC ACLs only to inbound traffic When the device applies a MAC ACL the dev...

Page 525: ...1 switch configure terminal switch config interface ethernet 2 1 switch config if no mac port access group mac acl 01 in Related Commands Description Command Configures a MAC ACL mac access list Displays all ACLs show access lists Shows either a specific MAC ACL or all MAC ACLs show mac access lists Shows the running configuration of all interfaces or of a specific interface show running config in...

Page 526: ...uration config if Command History Modification Release This command was introduced 8 2 1 Usage Guidelines To use this command you should enable the MKA feature first Examples This example shows how to apply a MACsec policy on an interface switch configure terminal switch config interface ethernet 11 31 switch config if macsec keychain k3 policy p1 This example shows how to apply a MACsec policy on...

Page 527: ... MACsec policy macsec policy Displays the configuration of the specified keychain show key chain Displays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays the status of MKA show run mka Cisco Nexus 7000 Series Security Command Reference 501 M Commands macsec keychain policy ...

Page 528: ... 8 2 1 Usage Guidelines To use this command you should enable the MKA feature first Examples This example shows how to configure a MACsec policy switch configure terminal switch config macsec policy p1 Related Commands Description Command Enables the MKA feature feature mka Creates a key or enters the configuration mode of an existing key key Creates a keychain or enters the configuration mode of ...

Page 529: ...lays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays the status of MKA show run mka Cisco Nexus 7000 Series Security Command Reference 503 M Commands macsec policy ...

Page 530: ...the advertised managed address configuration parameter or M flag This flag could be set by an attacker to force hosts to obtain addresses through a DHCPv6 server that may not be trustworthy Examples The following example shows how the command defines a router advertisement RA guard policy name as raguard1 places the router in RA guard policy configuration mode and enables M flag verification switc...

Page 531: ... or MAC access control list access group name access list Matches exception packets exception Optional Matches IPv4 exception packets ip Optional Matches IPv6 exception packets ipv6 Optional Matches IPv4 Unicast Reverse Path Forwarding Unicast RPF packets unicast rpf failure Matches IPv4 or IPv6 ICMP packets icmp Matches IPv4 or IPv6 ICMP redirect packets redirect Matches IPv4 or IPv6 ICMP unreach...

Page 532: ... configure terminal switch config class map type control plane ClassMapA switch config pmap match exception ip icmp redirect switch config pmap match redirect arp inspect This example shows how to remove a criteria for a control plane class map switch configure terminal switch config class map type control plane ClassMapA switch config pmap no match exception ip icmp redirect Related Commands Desc...

Page 533: ... was added 4 1 2 This command was introduced 4 0 1 Usage Guidelines You can specify one or more match commands per entry in a VLAN access map By default the device classifies traffic and applies IPv4 ACLs to IPv4 traffic IPv6 ACLs to IPv6 traffic and MAC ACLs to all other traffic This command does not require a license Examples This example shows how to create a VLAN access map named vlan map 01 a...

Page 534: ...tch mac mac acl 00e action drop Related Commands Description Command Specifies an action for traffic filtering in a VLAN access map action Displays all VLAN access maps or a VLAN access map show vlan access map Displays information about how a VLAN access map is applied show vlan filter Configures a VLAN access map vlan access map Applies a VLAN access map to one or more VLANs vlan filter Cisco Ne...

Page 535: ... Release This command was introduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to configure an ACL capture session switch configure terminal switch config monitor session 5 type acl capture switch config acl capture Related Commands Description Command Enables access control list ACL capture on all virtual device contexts VDCs access list captur...

Page 536: ...Cisco Nexus 7000 Series Security Command Reference 510 M Commands monitor session ...

Page 537: ...N Commands nac enable page 512 neq page 513 Cisco Nexus 7000 Series Security Command Reference 511 ...

Page 538: ...the nac enable command You can enable EAPoUDP only on an access mode interface This command does not require a license Examples This example shows how to enable NAC on an interface switch configure terminal switch config interface ethernet 1 1 switch config if switchport switch config if switchport mode access switch config if nac enable This example shows how to disable NAC on an interface switch...

Page 539: ... 0 to 65535 port number Command Default None Command Modes IP port object group configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines A not equal to group member matches port numbers that are not equal to the port number specified in the entry IP port object groups are not directional Whether an neq command matches a source or destination port or whe...

Page 540: ...ember in an IP port object group gt Specifies a less than group member in an IP port object group lt Configures an IP port object group object group ip port Specifies a port range group member in an IP port object group range Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 514 N Commands neq ...

Page 541: ...licy page 516 object group ip address page 518 object group ip port page 520 object group ipv6 address page 522 object group udp relay ip address page 524 other config flag page 525 Cisco Nexus 7000 Series Security Command Reference 515 ...

Page 542: ...This command does not require a license Examples This example shows how to configure an ACL for an identity policy switch configure terminal switch config identity policy AdminPolicy switch config id policy object group This example shows how to remove an ACL from an identity policy switch configure terminal switch config identity policy AdminPolicy switch config id policy no object group Related ...

Page 543: ...Cisco Nexus 7000 Series Security Command Reference 517 O Commands object group identity policy ...

Page 544: ...ot directional Whether group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv4 ACL This command does not require a license Examples This example shows how to configure an IPv4 address object group named ipv4 addr group 13 with two group members that are specific IPv4 addresses and one...

Page 545: ...Description Command Configures a group member for an IPv4 address object group host IPv4 Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 519 O Commands object group ip address ...

Page 546: ...t groups in permit and deny commands for IPv4 and IPv6 access control lists ACLs IP port object groups are not directional Whether group members match a source or destination port or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an ACL This command does not require a license Examples This example shows how to configure an IP port object...

Page 547: ...port object group gt Specifies a less than group member in an IP port object group lt Specifies a not equal to group member in an IP port object group neq Specifies a port range group member in an IP port object group range Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 521 O Commands object group ip port ...

Page 548: ...ther group members match a source or destination address or whether an object group applies to inbound or outbound traffic depends upon how you use the object group in an IPv6 ACL This command does not require a license Examples This example shows how to configure an IPv6 address object group named ipv6 addr group A7 with two group members that are specific IPv6 addresses and one group member that...

Page 549: ...escription Command Configures a group member for an IPv6 address object group host IPv6 Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 523 O Commands object group ipv6 address ...

Page 550: ...was introduced 7 3 0 D1 1 Usage Guidelines To use this command you must enable the UDP relay feature by using the ip forward protocol udp command You can create up to 4096 object groups Examples This example shows how to configure the object group switch configure terminal switch config ip forward protocol udp switch config object group udp relay ip address udprelay1 This example shows how to dele...

Page 551: ...rameter or O flag This flag could be set by an attacker to force hosts to retrieve other configuration information through a Dynamic Host Configuration Protocol for IPv6 DHCPv6 server that may not be trustworthy Examples The following example shows how the command defines a router advertisement RA guard policy name as raguard1 places the router in RA guard policy configuration mode and enables O f...

Page 552: ...Cisco Nexus 7000 Series Security Command Reference 526 O Commands other config flag ...

Page 553: ...rmit MAC page 572 permit role based access control list page 575 permit interface page 577 permit vlan page 579 permit vrf page 581 platform access list update page 583 platform rate limit page 585 police policy map page 587 policy page 590 policy map type control plane page 592 preference page 593 propagate sgt page 594 Cisco Nexus 7000 Series Security Command Reference 527 ...

Page 554: ...odification Release This command was introduced 6 1 4 Usage Guidelines This command does not require a license Examples This example shows how to enable secure mode for changing password switch configure terminal switch config password secure mode This example shows how to disable secure mode for changing password switch configure terminal switch config no password secure mode Related Commands Des...

Page 555: ... OS software only allows you to create strong passwords The characteristics for strong passwords include the following At least eight characters long Does not contain many consecutive characters such as abcd Does not contain many repeating characters such as aaabbb Does not contain dictionary words Does not contain proper names Contains both uppercase and lowercase characters Contains numbers The ...

Page 556: ...w to disable password strength checking switch configure terminal switch config no password strength check Related Commands Description Command Enables password strength checking show password strength check Displays security feature configuration in the running configuration show running config security Cisco Nexus 7000 Series Security Command Reference 530 P Commands password strength check ...

Page 557: ...tween 1 and 4294967295 By default the first rule in a time range has a sequence number of 10 If you do not specify a sequence number the device adds the rule to the end of the time range and assigns a sequence number that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to rules sequence number Day of the week that the range begin...

Page 558: ... as the following monday thursday friday daily All days of the week weekdays Monday through Friday weekend Saturday through Sunday list of weekdays Command Default to Command Modes Time range configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to create a time range named weeke...

Page 559: ... switch configure terminal switch config time range mwf evening switch config time range periodic monday wednesday friday 18 00 00 to 22 00 00 Related Commands Description Command Configures an absolute time range rule absolute Configures a time range that you can use in IPv4 and IPv6 ACLs time range Cisco Nexus 7000 Series Security Command Reference 533 P Commands periodic ...

Page 560: ...l Specifies Cisco s GRE tunneling gre Optional Specifies Internet Control Message Protocol icmp Optional Specifies Internet Group Management Protocol igmp Optional Specifies any IP protocol ip Optional Specifies KA9Q NOS compatible IP over IP tunneling nos Optional Specifies OSPF routing protocol ospf Optional Specifies Payload Compression Protocol pcp Optional Specifies protocol independent multi...

Page 561: ...session for the ACEs capture session Session ID The range is from 1 to 48 session Command Default None Command Modes ACL configuration mode Command History Modification Release This command was introduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to enable a capture session for the access control entries ACEs of the access control list switch co...

Page 562: ... Description Command Applies an ACL with capture session ACEs to the interface ip access group name in Creates an access list ip access list Cisco Nexus 7000 Series Security Command Reference 536 P Commands permit ACL ...

Page 563: ...ponse ip any host sender IP sender IP sender IP mask any host target IP target IP target IP mask mac any host sender MAC sender MAC sender MAC mask any host target MAC target MAC target MAC mask log Syntax Description Optional Sequence number of the permit command which causes the device to insert the command in that numbered position in the access list Sequence numbers maintain the order of rules...

Page 564: ...er MAC address in the packet can match The sender MAC and sender MAC mask argument must be in dotted hexadecimal format Specifying ffff ffff ffff as the sender MAC mask argument is the equivalent of using the host keyword sender MAC sender MAC mask Optional Specifies that the device logs ARP packets that match the rule log Optional Specifies that the rule applies only to packets containing ARP req...

Page 565: ... use the response keyword The target MAC and target MAC mask argument must be in dotted hexadecimal format Specifying ffff ffff ffff as the target MAC mask argument is the equivalent of using the host keyword target MAC target MAC mask Command Default ip Command Modes ARP ACL configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines A newly created ARP A...

Page 566: ...nfigure terminal switch config arp access list arp acl 01 switch config arp acl permit request ip 10 32 143 0 255 255 255 0 mac any Related Commands Description Command Configures a deny rule in an ARP ACL deny ARP Configures an ARP ACL arp access list Applies an ARP ACL to a VLAN ip arp inspection filter Configures a remark in an ACL remark Displays all ARP ACLs or one ARP ACL show arp access lis...

Page 567: ...l sequence number permit igmp source destination igmp message dscp dscp precedence precedence fragments log time range time range name packet length operator packet length packet length Internet Protocol v4 sequence number permit ip source destination dscp dscp precedence precedence fragments log time range time range name packet length operator packet length packet length Transmission Control Pro...

Page 568: ...e Use the resequence command to reassign sequence numbers to rules sequence number Name or number of the protocol of packets that the rule matches For details about the methods that you can use to specify this argument see Protocol in the Usage Guidelines section protocol Source IPv4 addresses that the rule matches For details about the methods that you can use to specify this argument see Source ...

Page 569: ...dscp dscp Cisco Nexus 7000 Series Security Command Reference 543 P Commands permit IPv4 ...

Page 570: ...3 AF class 1 high drop probability 001110 af21 AF class 2 low drop probability 010010 af22 AF class 2 medium drop probability 010100 af23 AF class 2 high drop probability 010110 af31 AF class 3 low drop probability 011010 af32 AF class 3 medium drop probability 011100 af33 AF class 3 high drop probability 011110 af41 AF class 4 low drop probability 100010 af42 AF class 4 medium drop probability 10...

Page 571: ...twork Precedence 7 111 priority Precedence 1 001 routine Precedence 0 000 precedence precedence Optional Specifies that the rule matches only those packets that are noninitial fragments You cannot specify this keyword in the same rule that you specify Layer 4 options such as a TCP port number because the information that the devices requires to evaluate those options is contained only in initial f...

Page 572: ...pports message codes you can use the icmp code argument to specify the code that the rule matches For more information about ICMP message types and codes see http www iana org assignments icmp parameters icmp type icmp code IGMP only Optional IGMP message type that the rule matches The igmp message argument can be the IGMP message number which is an integer from 0 to 15 It can also be one of the f...

Page 573: ...an and not equal to the port argument lt Matches only if the port in the packet is less than and not equal to the port argument neq Matches only if the port in the packet is not equal to the port argument range Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument operator port p...

Page 574: ...Matches only if the packet length in bytes is equal to the packet length argument gt Matches only if the packet length in bytes is greater than the packet length argument lt Matches only if the packet length in bytes is less than the packet length argument neq Matches only if the packet length in bytes is not equal to the packet length argument range Requires two packet length arguments and matche...

Page 575: ...of the protocol If you want the rule to apply to all IPv4 traffic use the ip keyword The protocol keyword that you specify affects the additional keywords and arguments that are available Unless otherwise specified only the other keywords that apply to all IPv4 protocols are available Those keywords include the following dscp fragments log packet length precedence time range Valid protocol numbers...

Page 576: ...able for all valid values of the protocol argument Source and Destination You can specify the source and destination arguments in one of several ways In each rule the method you use to specify one of these arguments does not affect how you specify the other When you configure a rule use the following methods to specify the source and destination arguments IP address group object You can use an IPv...

Page 577: ... example shows how to specify a source or destination by using the any keyword ICMP Message Types The icmp message argument can be one of the following keywords administratively prohibited Administratively prohibited alternate address Alternate address conversion error Datagram conversion dod host prohibited Host prohibited dod net prohibited Net prohibited echo Echo ping echo reply Echo reply gen...

Page 578: ...nt Router discovery advertisements router solicitation Router discovery solicitations source quench Source quenches source route failed Source route failed time exceeded All time exceeded messages timestamp reply Timestamp replies timestamp request Timestamp requests traceroute Traceroute ttl exceeded TTL exceeded unreachable All unreachables TCP Port Names When you specify the protocol argument a...

Page 579: ...il Transport Protocol 25 sunrpc Sun Remote Procedure Call 111 tacacs TAC Access Control System 49 talk Talk 517 telnet Telnet 23 time Time 37 uucp UNIX to UNIX Copy Program 54 whois WHOIS NICNAME 43 www World Wide Web HTTP 80 UDP Port Names When you specify the protocol argument as udp the port argument can be a UDP port number which is an integer from 0 to 65535 It can also be one of the followin...

Page 580: ...to configure an IPv4 ACL named acl lab 01 with rules permitting all TCP and UDP traffic from the 10 23 0 0 and 192 168 37 0 networks to the 10 176 0 0 network switch configure terminal switch config ip access list acl lab 01 switch config acl permit tcp 10 23 0 0 16 10 176 0 0 16 switch config acl permit udp 10 23 0 0 16 10 176 0 0 16 switch config acl permit tcp 192 168 37 0 16 10 176 0 0 16 swit...

Page 581: ...bject group ip address Configures an IP port object group object group ip port Configures a remark in an ACL remark Displays all IPv4 ACLs or one IPv4 ACL show ip access list Enables collection of statistics for each entry in an ACL statistics per entry Configures a time range time range Cisco Nexus 7000 Series Security Command Reference 555 P Commands permit IPv4 ...

Page 582: ... label flow label value fragments log time range time range name packet length operator packet length packet length Stream Control Transmission Protocol sequence number no permit sctp source operator port port portgroup portgroup destination operator port port portgroup portgroup dscp dscp flow label flow label value fragments log time range time range name packet length operator packet length pac...

Page 583: ...any integer between 1 and 4294967295 By default the first rule in an ACL has a sequence number of 10 If you do not specify a sequence number the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to rules sequence number Cisco Nexus 7000 Series Security Co...

Page 584: ...protocol Cisco Nexus 7000 Series Security Command Reference 558 P Commands permit IPv6 ...

Page 585: ...apply to all IPv6 protocols are available pcp Specifies that the rule applies to Payload Compression Protocol PCP traffic only When you use this keyword only the other keywords and arguments that apply to all IPv6 protocols are available sctp Specifies that the rule applies to Stream Control Transmission Protocol SCTP traffic only When you use this keyword the operator argument and the portgroup k...

Page 586: ...Source and Destination in the Usage Guidelines section source Destination IPv6 addresses that the rule matches For details about the methods that you can use to specify this argument see Source and Destination in the Usage Guidelines section destination Cisco Nexus 7000 Series Security Command Reference 560 P Commands permit IPv6 ...

Page 587: ...dscp dscp Cisco Nexus 7000 Series Security Command Reference 561 P Commands permit IPv6 ...

Page 588: ...class 1 high drop probability 001110 af21 AF class 2 low drop probability 010010 af22 AF class 2 medium drop probability 010100 af23 AF class 2 high drop probability 010110 af31 AF class 3 low drop probability 011010 af32 AF class 3 medium drop probability 011100 af33 AF class 3 high drop probability 011110 af41 AF class 4 low drop probability 100010 af42 AF class 4 medium drop probability 100100 ...

Page 589: ... because the information that the devices requires to evaluate those options is contained only in initial fragments fragments Optional Specifies that the device generates an informational logging message about each packet that matches the rule The message includes the following information Whether the protocol was TCP UDP ICMP or a number protocol Source and destination addresses Source and destin...

Page 590: ...t can be the name or the number of a TCP or UDP port Valid numbers are integers from 0 to 65535 For listings of valid port names see TCP Port Names and UDP Port Names in the Usage Guidelines section A second port argument is required only when the operator argument is a range The operator argument must be one of the following keywords eq Matches only if the port in the packet is equal to the port ...

Page 591: ...he object group ip port command to create and change IP port group objects portgroup portgroup TCP only Optional Specifies that the rule matches only packets that belong to an established TCP connection The device considers TCP packets with the ACK or RST bits set to belong to an established connection established TCP only Optional Rule matches only packets that have specific TCP control bit flags...

Page 592: ... less than the second packet length argument packet lengthoperatorpacket length packet length Command Default None Command Modes IPv6 ACL configuration Command History Modification Release This command was introduced 4 1 2 Usage Guidelines A newly created IPv6 ACL contains no rules When the device applies an IPv6 ACL to a packet it evaluates the packet with every rule in the ACL The device enforce...

Page 593: ...st IPv6 address This syntax is equivalent to IPv6 address 128 The following example shows how to specify the source argument with the host keyword and the 2001 0db8 85a3 08d3 1319 8a2e 0370 7344 IPv6 address switch config acl permit icmp host 2001 0db8 85a3 08d3 1319 8a2e 0370 7344 any Any address You can use the any keyword to specify that a source or destination is any IPv6 address For examples ...

Page 594: ... renumbering router solicitation Neighbor discovery router solicitations time exceeded All time exceeded messages unreachable All unreachable TCP Port Names When you specify the protocol argument as tcp the port argument can be a TCP port number which is an integer from 0 to 65535 It can also be one of the following keywords bgp Border Gateway Protocol 179 chargen Character generator 19 cmd Remote...

Page 595: ...t as udp the port argument can be a UDP port number which is an integer from 0 to 65535 It can also be one of the following keywords biff Biff mail notification comsat 512 bootpc Bootstrap Protocol BOOTP client 68 bootps Bootstrap Protocol BOOTP server 67 discard Discard 9 dnsix DNSIX security protocol auditing 195 domain Domain Name Service DNS 53 echo Echo 7 isakmp Internet Security Association ...

Page 596: ...8 be03 2112 64 switch config ipv6 acl permit tcp 2001 0db8 69f2 48 2001 0db8 be03 2112 64 switch config ipv6 acl permit udp 2001 0db8 69f2 48 2001 0db8 be03 2112 64 This example shows how to configure an IPv6 ACL named ipv6 eng to marketing with a rule that permits all IPv6 traffic from an IPv6 address object group named eng_ipv6 to an IPv6 address object group named marketing_group switch configu...

Page 597: ...iption Command Enables collection of statistics for each entry in an ACL statistics per entry Configures a time range time range Cisco Nexus 7000 Series Security Command Reference 571 P Commands permit IPv6 ...

Page 598: ...uence number that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to rules sequence number Source MAC addresses that the rule matches For details about the methods that you can use to specify this argument see Source and Destination in the Usage Guidelines section source Destination MAC addresses that the rule matches For details...

Page 599: ...does not require a license Source and Destination You can specify the source and destination arguments in one of two ways In each rule the method you use to specify one of these arguments does not affect how you specify the other When you configure a rule use the following methods to specify the source and destination arguments Address and mask You can use a MAC address followed by a mask to speci...

Page 600: ...dump DEC MOP dump 0x6001 vines echo VINES Echo 0x0baf Examples This example shows how to configure a MAC ACL named mac filter with a rule that permits traffic between two groups of MAC addresses switch configure terminal switch config mac access list mac filter switch config mac acl permit 00c0 4f00 0000 0000 00ff ffff 0060 3e00 0000 0000 00ff ffff Related Commands Description Command Configures a...

Page 601: ...p Specifies IP traffic ip Specifies TCP traffic tcp Specifies User Datagram Protocol UDP traffic udp Specifies the source port number src Specifies the destination port number dst Specifies equal to the port number eq Specifies greater than the port number gt Specifies less than the port number lt Specifies not equal to the port number neq Port number for TCP or UDP The range is from 0 to 65535 po...

Page 602: ...d Services license Examples This example shows how to add a permit action to an SGACL and enable RBACL logging switch configure terminal switch config cts role based access list MySGACL switch config rbacl permit icmp log This example shows how to remove a permit action from an SGACL switch configure terminal switch config cts role based access list MySGACL switch config rbacl no permit icmp log R...

Page 603: ...o all interfaces except for those that you allow with the permit interface command This command does not require a license Examples This example shows how to permit a range of interfaces for a user role interface policy switch configure terminal switch config role name MyRole switch config role interface policy deny switch config role interface permit interface ethernet 2 1 8 This example shows ho...

Page 604: ...mmands Description Command Enters interface policy configuration mode for a user role interface policy deny Creates or specifies a user role and enters user role configuration mode role name Displays user role information show role Cisco Nexus 7000 Series Security Command Reference 578 P Commands permit interface ...

Page 605: ...deny command denies a user role access to all VLANs except for those that you allow with the permit vlan command This command does not require a license Examples This example shows how to permit a VLAN identifier for a user role VLAN policy switch configure terminal switch config role name MyRole switch config role vlan policy deny switch config role vlan permit vlan 8 This example shows how to pe...

Page 606: ...ame MyRole switch config role vlan policy deny switch config role vlan no permit vlan 2 Related Commands Description Command Enters VLAN policy configuration mode for a user role vlan policy deny Creates or specifies a user role and enters user role configuration mode role name Displays user role information show role Cisco Nexus 7000 Series Security Command Reference 580 P Commands permit vlan ...

Page 607: ...ermit vrf command You can repeat this command to allow more than on VRF name for the user role This command does not require a license Examples This example shows how to permit a VRF name for a user role VRF policy switch configure terminal switch config role name MyRole switch config role vrf policy deny switch config role vrf permit vrf management This example shows how to permit a VRF name from...

Page 608: ...on Command Creates or specifies a user role and enters user role configuration mode role name Displays user role information show role Cisco Nexus 7000 Series Security Command Reference 582 P Commands permit vrf ...

Page 609: ...s By default a Cisco NX OS device performs atomic ACL updates which do not disrupt traffic that the updated ACL applies to however atomic updates require that the I O modules that receive the updates have enough available resources to store each of the updated entries in the affected ACL After the update occurs the additional resources used for the update are freed If the I O module lacks the requ...

Page 610: ...m access list update default result permit This example shows how to revert to the atomic update method switch configure terminal switch config no platform access list update default result permit switch config platform access list update atomic Related Commands Description Command Displays the running configuration including the default configuration show running config all Cisco Nexus 7000 Serie...

Page 611: ... is 30000 packets per second copy Specifies Layer 2 packets rate limits layer 2 Specifies port security packets The default is disabled port security Specifies storm control packets The default is disabled storm control Specifies Layer 3 packets layer 3 Specifies Layer 3 control packets The default rate is 10000 packets per second control Specifies Layer 3 glean packets The default rate is 100 pac...

Page 612: ... with the rate limiter command 4 1 2 Added the port security keyword 4 0 3 This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to configure a rate limit for control packets switch configure terminal switch config platform rate limit layer 3 control 20000 This example shows how to revert to the default rate limit for control pac...

Page 613: ...ir cir rate bps gbps kbps mbps pps conform drop set cos transmit cos value set dscp transmit dscp value set prec transmit prec valu e transmit exceed drop set dscp dscp table cir markdown map transmit violate drop set dscp dscp table pir markdown map transmit no police cir cir rate bps gbps kbps mbps pps pir pir rate bps gbps kbps mbps pps be extended burst size bytes kbytes mbytes ms packets us S...

Page 614: ...e point DSCP value for IPv4 and IPv6 packets The range is from 0 to 63 set dscp transmit dscp value Specifies the precedence value for IPv4 and IPv6 packets The range is from 0 to 7 set prec transmit prec value Specifies the transmit action transmit Configures an action when the traffic exceeds the specified rates and bursts exceed Flags the packet on the CIR markdown map set dscp dscp table cir m...

Page 615: ...onfig pmap class ClassMapA switch config pmap c police cir 2000 kbps This example shows how to delete a control plane policy map switch configure terminal switch config policy map type control plane PolicyMapA switch config pmap class ClassMapA switch config pmap c no police 2000 kbps Related Commands Description Command Specifies a control plane class map for a control plane policy map and enters...

Page 616: ... The sgt value is either a decimal value or a hexadecimal value in the format 0xhhhh The decimal range is from 2 to 65519 and the hexadecimal range is from 0x2 to 0xffef sgt value Optional Specifies that the traffic coming on the interface with the SGT should not have its tag overridden trusted Command Default None Command Modes Cisco TrustSec manual configuration Command History Modification Rele...

Page 617: ...al exit switch config if shutdown switch config if no shutdown This example shows how to manually configure a static Cisco TrustSec policy on an interface switch configure terminal switch config interface ethernet 2 4 switch config if cts manual switch config if cts manual policy static sgt 0x100 switch config if cts manual exit switch config if shutdown switch config if no shutdown This example s...

Page 618: ...ation Release This command was introduced 4 0 1 Usage Guidelines You can use this command only in the default VDC This command does not require a license Examples This example shows how to specify a control plane policy map and enter policy map configuration mode switch configure terminal switch config policy map type control plane PolicyMapA switch config pmap This example shows how to delete a c...

Page 619: ...nfig dhcp guard Command History Modification Release This command was introduced 8 0 1 Usage Guidelines This command enables verification that the advertised preference is not greater than the maximum specified limit or less than the minimum specified limit Examples The following example defines an DHCPv6 guard policy name as policy1 places the router in DHCPv6 guard configuration mode and enables...

Page 620: ...o TrustSec feature using the feature cts command After using this command you must enable and disable the interface using the shutdown no shutdown command sequence for the configuration to take effect Use the no propagate sgt l2 control command to enable SGT tagging exemption for L2 control packets This exemption ensures that the L2 control protocols are transmitted without any SGT tags from the C...

Page 621: ...tch config if cts manual switch config if cts manual no propagate sgt l2 control This example displays the error message when you enable SGT tagging exemption for the L2 protocols on non supported modules switch configure terminal switch config interface ethernet 7 2 switch config if cts manual switch config if cts manual no propagate sgt l2 control ERROR no propagate sgt l2 control is not allowed...

Page 622: ...Cisco Nexus 7000 Series Security Command Reference 596 P Commands propagate sgt ...

Page 623: ...609 radius server test page 610 radius server timeout page 612 range page 613 rate limit cpu direction page 615 remark page 617 replay protection page 619 resequence page 621 revocation check page 623 role abort page 625 role commit page 626 role distribute page 627 role feature group name page 628 role name page 630 router preference maximum page 632 rsakeypair page 634 rule page 636 Cisco Nexus ...

Page 624: ...fication Release This command was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to discard a RADIUS Cisco Fabric Services distribution session in progress switch configure terminal switch config radius abort Related Commands Description Command Displays the RADIUS Cisco Fabric Services distribution status and other details show radius Cis...

Page 625: ...istribute command CFS does not distribute the RADIUS server group configurations periodic RADIUS server testing configurations or server and global keys The keys are unique to the Cisco NX OS device and are not shared with other Cisco NX OS devices This command does not require a license Examples This example shows how to initiate distribution of a RADIUS configuration to the switches in the fabri...

Page 626: ...ions periodic RADIUS server testing configurations or server and global keys The keys are unique to the Cisco NX OS device and are not shared with other Cisco NX OS devices This command does not require a license Examples This example shows how to enable RADIUS fabric distribution switch configure terminal switch config radius distribute This example shows how to disable RADIUS fabric distribution...

Page 627: ...minutes before the Cisco NX OS device checks a RADIUS server that was previously unresponsive The default idle timer value is 0 minutes When the idle time interval is 0 minutes periodic RADIUS server monitoring is not performed Note The command does not require a license Examples This example shows how to configure the global dead time interval for all RADIUS servers to perform periodic monitoring...

Page 628: ...Related Commands Description Command Displays RADIUS server information show radius server Cisco Nexus 7000 Series Security Command Reference 602 R Commands radius server deadtime ...

Page 629: ...fname is the virtual routing and forwarding VRF instance to use and hostname is the name of a configured RADIUS server The username is sent to the RADIUS server for authentication This command does not require a license Examples This example shows how to allow users to send authentication requests to a specific RADIUS serve when logging in switch configure terminal switch config radius server dire...

Page 630: ...pv4 address RADIUS server IPv6 address in the X X X X format ipv6 address Optional Configures the RADIUS server preshared secret key key Optional Configures a preshared key specified in clear text to authenticate communication between the RADIUS client and server This is the default 0 Optional Configures a preshared key specified in encrypted text indicated by 7 to authenticate communication betwe...

Page 631: ...ifies a user password in the test packets The password is alphanumeric case sensitive and has a maximum of 32 characters passwordpassword Specifies a username in the test packets The name is alphanumeric not case sensitive and has a maximum of 32 characters usernamename Specifies the timeout in seconds between retransmissions to the RADIUS server The default is 5 seconds and the range is from 1 to...

Page 632: ...us server host 10 10 2 3 auth port 2003 switch config radius server host 10 10 2 3 acct port 2004 switch config radius server host 10 10 2 3 accounting switch config radius server host radius2 key 0 abcd switch config radius server host radius3 key 7 1234 switch config radius server host 10 10 2 3 test idle time 10 switch config radius server host 10 10 2 3 test username tester switch config radiu...

Page 633: ...thenticate communication between the RADIUS client and server The preshared key can include any printable ASCII characters white spaces are not allowed is case sensitive and has a maximum of 63 characters shared secret Command Default Clear text Command Modes Global configuration Command History Modification Release Added the 5 2 1 This command was introduced 4 0 1 Usage Guidelines You must config...

Page 634: ...tion switch configure terminal switch config radius server key AnyWord switch config radius server key 0 AnyWord switch config radius server key 7 public pac Related Commands Description Command Displays RADIUS server information show radius server Cisco Nexus 7000 Series Security Command Reference 608 R Commands radius server key ...

Page 635: ...ssion Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to configure the number of retransmissions to RADIUS servers switch configure terminal switch config radius server retransmit 3 This example shows how to revert to the default number of retransmissio...

Page 636: ...sword is alphanumeric case sensitive and has a maximum of 32 characters passwordpassword Specifies a username in the test packets The name is alphanumeric not case sensitive and has a maximum of 32 characters To protect network security we recommend that you use a username that is not the same as an existing username in the RADIUS database Note usernamename Command Default Server monitoring Disabl...

Page 637: ... shows how to configure the parameters for global RADIUS server monitoring switch configure terminal switch config radius server test username user1 password Ur2Gd2BH idle time 3 Related Commands Description Command Displays RADIUS server information show radius server Cisco Nexus 7000 Series Security Command Reference 611 R Commands radius server test ...

Page 638: ...Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to configure the timeout interval switch configure terminal switch config radius server timeout 30 This example shows how to revert to the default interval switch configure terminal switch config no radius...

Page 639: ...s Valid values are from 0 to 65535 starting port number Highest port number that this group member matches Valid values are from 0 to 65535 ending port number Command Default None Command Modes IP port object group configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines IP port object groups are not directional Whether a range command matches a source ...

Page 640: ...mber in an IP port object group gt Specifies a less than group member in an IP port object group lt Specifies a not equal to group member in an IP port object group neq Configures an IP port object group object group ip port Displays object groups show object group Cisco Nexus 7000 Series Security Command Reference 614 R Commands range ...

Page 641: ...le The range is from 1 to 100000 packets Specifies the action to be taken when the rate of incoming or outgoing packets exceeds the configured rate limit action Logs a system message when the rate of incoming or outgoing packets exceeds the configured rate limit log Command Default 10000 packets per second Command Modes Global configuration Command History Modification Release This command was int...

Page 642: ...ow to remove the global rate limit configuration switch configure terminal switch config no rate limit cpu direction both pps 10000 action log switch config Related Commands Description Command Displays the inband and outband global rate limit configuration for packets that reach the supervisor module show system internal pktmgr internal control sw rate limit Cisco Nexus 7000 Series Security Comma...

Page 643: ...er of 10 If you do not specify a sequence number the device adds the rule to the end of the ACL and assigns to it a sequence number that is 10 greater than the sequence number of the preceding rule Use the resequence command to reassign sequence numbers to remarks and rules sequence number Text of the remark This argument can be up to 100 alphanumeric case sensitive characters remark Command Defau...

Page 644: ...1 switch config acl 100 remark this ACL denies the marketing department access to the lab switch config acl show access list acl ipv4 01 IP access list acl ipv4 01 100 remark this ACL denies the marketing department access to the lab ciscobox config acl Related Commands Description Command Configures an IPv4 ACL ip access list Configures an IPv6 ACL ipv6 access list Configures a MAC ACL mac access...

Page 645: ... and disable the interface using the shutdown no shutdown command sequence for the configuration to take effect This command requires the Advanced Services license Examples This example shows how to enable data path protect for Cisco TrustSec authentication on an interface switch configure terminal switch config interface ethernet 2 3 switch config if cts dot1x switch config if cts dot1x replay pr...

Page 646: ... 802 1X configuration mode for an interface cts dot1x Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec configuration for interfaces show cts interface Cisco Nexus 7000 Series Security Command Reference 620 R Commands replay protection ...

Page 647: ...e name of the ACL which can be up to 64 alphanumeric case sensitive characters access list access list name Specifies the name of the time range which can be up to 64 alphanumeric case sensitive characters time rangetime range name Sequence number for the first rule in the ACL or time range starting sequence number Number that the device adds to each subsequent sequence number increment Command De...

Page 648: ...ists command to verify sequence numbering before and after the use of the resequence command switch configure terminal switch config show ip access lists ip acl 01 IP access list ip acl 01 7 permit tcp addrgroup lab machines any 10 permit udp addrgroup lab machines any 13 permit icmp addrgroup lab machines any 17 deny igmp any any switch config resequence ip access list ip acl 01 100 10 switch con...

Page 649: ... as an ordered list During peer certificate verification each method is tried in the specified order until one method succeeds by providing the revocation status When you specify none as the method it means that there is no need to check the revocation status and the peer certificate is not revoked If none is the first method that you specify in the method list you cannot specify subsequent method...

Page 650: ...Description Command Displays configured CRLs show crypto ca crl Cisco Nexus 7000 Series Security Command Reference 624 R Commands revocation check ...

Page 651: ...cation Release This command was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to discard a user role Cisco Fabric Services distribution session in progress switch configure terminal switch config role abort Related Commands Description Command Displays the user role Cisco Fabric Services distribution status and other details show role Cis...

Page 652: ...user role configuration to the fabric all switches in the fabric must have distribution enabled using the role distribute command This command does not require a license Examples This example shows how to initiate distribution of a user role configuration to the switches in the fabric switch configure terminal switch config role commit Related Commands Description Command Enables Cisco Fabric Serv...

Page 653: ...ation Release This command was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to enable role fabric distribution switch configure terminal switch config role distribute This example shows how to disable role fabric distribution switch configure terminal switch config no role distribute Related Commands Description Command Displays role Cis...

Page 654: ...uidelines The Cisco NX OS software provides the default user role feature group L3 for Layer 3 features You cannot modify or delete the L3 user role feature group This command does not require a license Examples This example shows how to create a user role feature group and enter user role feature group configuration mode switch configure terminal switch config role feature group name MyGroup swit...

Page 655: ...Description Command Displays the user role feature groups show role feature group Cisco Nexus 7000 Series Security Command Reference 629 R Commands role feature group name ...

Page 656: ...on Release The priv n keyword was added 5 0 2 This command was introduced 4 0 1 Usage Guidelines The Cisco NX OS software provides four default user roles network admin Complete read and write access to the entire Cisco NX OS device only available in the default VDC network operator Complete read access to the entire Cisco NX OS device only available in the default VDC vdc admin Read and write acc...

Page 657: ...h config role name MyRole switch config role This example shows how to remove a user role switch configure terminal switch config no role name MyRole This example shows how to enable privilege level 5 for users switch configure terminal switch config role name priv 5 switch config role Related Commands Description Command Configure rules for a user role or for users of privilege roles rule Display...

Page 658: ...er preference parameter value is lower than or equal to a specified limit You can use this command to give a lower priority to default routers advertised on trunk ports and to give precedence to default routers advertised on access ports The router preference maximum command limit are high medium or low If for example this value is set to medium and the advertised default router preference is set ...

Page 659: ...ds Description Command Defines the RA guard policy name and enters RA guard policy configuration mode ipv6 nd raguard policy Cisco Nexus 7000 Series Security Command Reference 633 R Commands router preference maximum ...

Page 660: ...e RSA key pair with a trustpoint CA even though you can associate the same key pair with many trustpoint CAs This association must occur before you enroll with the CA to obtain an identity certificate If the key pair was previously generated using the crypto key generate command then the key pair size if specified should be the same size as that was used during the generation If the specified key ...

Page 661: ...n RSA key pair from a trustpoint switch config trustpoint no rsakeypair adminid key Related Commands Description Command Requests certificates for the switch s RSA key pair created for the trustpoint CA crypto ca enroll Configures RSA key pair information crypto key generate rsa Displays information about configured RSA key pairs show crypto key mypubkey rsa Cisco Nexus 7000 Series Security Comman...

Page 662: ...ny Permits access to commands or features permit Specifies a command string command command string Specifies read access read Specifies read and write access read write Specifies a read only or read and write rule for an SNMP object identifier OID The range it 1 to 32 elements oid snmp_oid_name Optional Specifies a feature name Use the show role feature command to list the Cisco NX OS feature name...

Page 663: ...w to add rules to a user role switch configure terminal switch config role MyRole switch config role rule 1 deny command clear users switch config role rule 1 permit read write feature group L3 This example shows how to remove rule from a user role switch configure terminal switch config role MyRole switch config role no rule 10 Related Commands Description Command Creates or specifies a user role...

Page 664: ...Cisco Nexus 7000 Series Security Command Reference 638 R Commands rule ...

Page 665: ... 661 ssh page 663 ssh key page 665 ssh login attempts page 667 ssh server enable page 668 ssh6 page 669 statistics per entry page 671 storm control level page 673 switchport port security page 675 switchport port security aging type page 677 switchport port security mac address page 679 switchport port security mac address sticky page 681 switchport port security maximum page 683 switchport port s...

Page 666: ...y Modification Release This command was introduced 8 2 1 Usage Guidelines To use this command you should enable the MKA feature first Examples This example shows how to set the SAK expiry time switch configure terminal switch config macsec policy p1 switch config macsec policy sak expiry time 60 Related Commands Description Command Configures the cipher suite for encrypting traffic with MACsec cip...

Page 667: ...for MKA encryption key server priority Configures the MACsec keychain policy macsec keychain policy Configures the MACsec policy macsec policy Displays the configuration of the specified keychain show key chain Displays the details of MKA show macsec mka Displays all the MACsec policies in the system show macsec policy Displays the status of MKA show run mka Cisco Nexus 7000 Series Security Comman...

Page 668: ...co TrustSec 802 1X configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command After using this command you must enable and disable the interface using the shutdown no shutdown command sequence for the configuration to take effect This command requires the Advanced...

Page 669: ... sap modelist gmac switch config if cts dot1x exit switch config if shutdown switch config if no shutdown Related Commands Description Command Enters Cisco TrustSec 802 1X configuration mode for an interface cts dot1x Enables the Cisco TrustSec feature feature cts Displays the Cisco TrustSec configuration for interfaces show cts interface Cisco Nexus 7000 Series Security Command Reference 643 S Co...

Page 670: ...d in AES encrypted format in the running configuration display encrypt Specifies an encrypted PMK string of 64 bytes 128 hexadecimal characters encrypted encrypted_pmk Specifies that the peer device does not support Cisco TrustSec 802 1X authentication or authorization but does support SAP data path encryption and authentication use dot1x Optional Specifies the SAP operation mode modelist Specifie...

Page 671: ...SAP on an interface switch configure terminal switch config interface ethernet 2 3 switch config if cts manual switch config if cts manual sap pmk fedbaa modelist gmac switch config if cts manual exit switch config if shutdown switch config if no shutdown This example shows how to remove a manual Cisco TrustSec SAP configuration from an interface switch configure terminal switch config interface e...

Page 672: ...h is 2147483646 seconds approximately 68 years duration duration value Optional Specifies that the key never expires infinite Optional Time of day and date that the key becomes inactive For information about valid values for the end time argument see the Usage Guidelines section end time Command Default infinite Command Modes Key configuration Command History Modification Release This command was ...

Page 673: ...8 and ends at 11 59 59 p m on August 12 2008 switch configure terminal switch config key chain glbp keys switch config keychain key 13 switch config keychain key send lifetime 00 00 00 Jun 13 2008 23 59 59 Aug 12 2008 switch config keychain key Related Commands Description Command Configures an accept lifetime for a key accept lifetime Configures a key key Configures a keychain key chain Configure...

Page 674: ...guration Command History Modification Release Support for LDAP server groups was added 5 0 2 This command was introduced 4 0 1 Usage Guidelines You can configure up to 64 servers in a server group Use the aaa group server radius command to enter RADIUS server group configuration mode the aaa group server tacacs command to enter TACACS server group configuration mode or the aaa group server ldap co...

Page 675: ...no server 10 10 2 2 This example shows how to add a server to an LDAP server group switch configure terminal switch config feature ldap switch config aaa group server ldap LdapServer switch config ldap server 10 10 3 3 This example shows how to delete a server from an LDAP server group switch configure terminal switch config feature ldap switch config aaa group server ldap LdapServer switch config...

Page 676: ...nd does not require a license Examples This example shows how to globally enable DHCP snooping switch configure terminal switch config service dhcp switch config Related Commands Description Command Enables the DHCP snooping feature on the device feature dhcp Configures an IP address of a DHCP server on an interface ip dhcp relay address Enables the insertion and removal of option 82 information f...

Page 677: ...Description Command Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 651 S Commands service dhcp ...

Page 678: ...policy map to the control plane To assign a new control plane policy map to the control plane you must remove the old control plane policy map This command does not require a license Examples This example shows how to assign a control plane policy map to the control plane switch configure terminal switch config control plane switch config cp service policy input PolicyMapA This example shows how t...

Page 679: ...scription Command Displays configuration information for control plane policy maps show policy map type control plane Cisco Nexus 7000 Series Security Command Reference 653 S Commands service policy input ...

Page 680: ...mmand was introduced 4 0 1 Usage Guidelines You can use this command only in the default virtual device context VDC This command does not require a license Examples This example shows how to configure the CoS value for a control plane policy map switch configure terminal switch config policy map type control plane PolicyMapA switch config pmap class ClassMapA switch config pmap c set cos 4 This ex...

Page 681: ...p class configuration mode class policy map Specifies a control plane policy map and enters policy map configuration mode policy map type control plane Displays configuration information for control plane policy maps show policy map type control plane Cisco Nexus 7000 Series Security Command Reference 655 S Commands set cos ...

Page 682: ...ifies assured forwarding 11 DSCP 001010 af11 Specifies assured forwarding 12 DSCP 001100 af12 Specifies assured forwarding 13 DSCP 001110 af13 Specifies assured forwarding 21 DSCP 010010 af21 Specifies assured forwarding 22 DSCP 010100 af22 Specifies assured forwarding 23 DSCP 010110 af23 Specifies assured forwarding 31 DSCP 011010 af31 Specifies assured forwarding 32 DSCP 011100 af32 Specifies as...

Page 683: ...use this command only in the default virtual device context VDC This command does not require a license Examples This example shows how to configure the DSCP value for a control plane policy map switch configure terminal switch config policy map type control plane PolicyMapA switch config pmap class ClassMapA switch config pmap c set dscp 4 This example shows how to revert to the default DSCP valu...

Page 684: ...onfiguration mode class policy map Specifies a control plane policy map and enters policy map configuration mode policy map type control plane Displays configuration information for control plane policy maps show policy map type control plane Cisco Nexus 7000 Series Security Command Reference 658 S Commands set dscp policy map class ...

Page 685: ... policy map The range is from 0 to 7 prec value Specifies critical precedence equal to precedence value 5 critical Specifies flash precedence equal to precedence value 3 flash Specifies flash override precedence equal to precedence value 4 flash override Specifies immediate precedence equal to precedence value 2 immediate Specifies internet precedence equal to precedence value 6 internet Specifies...

Page 686: ...he default CoS value for a control plane policy map switch configure terminal switch config policy map type control plane PolicyMapA switch config pmap class ClassMapA switch config pmap c no set precedence critical Related Commands Description Command Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode class policy map Specifies a cont...

Page 687: ...ommand to override the global source interface assigned by the ip radius source interface command or ip tacacs source interface command You must use the feature tacacs command before you configure TACACS This command does not require a license Examples This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip acl 01 switch configure terminal switch config ip radius...

Page 688: ...gured on the Cisco NX OS device ip tacacs source interface Displays the RADIUS server group configuration show radius server groups Displays the TACACS server group configuration show tacacs server groups Cisco Nexus 7000 Series Security Command Reference 662 S Commands source interface ...

Page 689: ...ines The Cisco NX OS software supports SSH version 2 To use IPv6 addressing for an SSH session use the ssh6 command The Cisco NX OS software supports a maximum of 60 concurrent SSH and Telnet sessions If you are planning to create an SSH session to a remote device from the boot mode of a Cisco NX OS device you must obtain the hostname for the remote device enable the SSH server on the remote devic...

Page 690: ... device from the boot mode of the Cisco NX OS device switch boot ssh user1 10 10 1 1 Related Commands Description Command Clears SSH sessions clear ssh session Copies a file from the Cisco NX OS device to a remote device using the Secure Copy Protocol SCP copy scp Enables the SSH server feature ssh Starts an SSH session using IPv6 addressing ssh6 Cisco Nexus 7000 Series Security Command Reference ...

Page 691: ...ey The range is from 1024 to 2048 length Command Default 1024 bit length Command Modes Global configuration Command History Modification Release Removed support for RSA keys less than 1024 bits 5 1 1 This command was introduced 4 0 1 Usage Guidelines The Cisco NX OS software supports SSH version 2 If you want to remove or replace an SSH server key you must first disable the SSH server using the no...

Page 692: ...eleting old dsa key generating dsa key 1024 bits generated dsa key switch config feature ssh This example shows how to remove the DSA SSH server key switch configure terminal switch config no feature ssh XML interface to system may become unavailable since ssh is disabled switch config no ssh key dsa switch config feature ssh This example shows how to remove all SSH server keys switch configure te...

Page 693: ...public key authentication certificate based authentication and password based authentication This command does not require a license If the user exceeds the maximum number of permitted login attempts the session disconnects Examples This example shows how to configure the maximum number of times that a user can attempt to log in to an SSH session switch configure terminal switch config ssh login a...

Page 694: ...ture ssh command 4 1 2 This command was introduced 4 0 1 Usage Guidelines The Cisco NX OS software supports SSH version 2 This command does not require a license Examples This example shows how to enable the SSH server switch configure terminal switch config ssh server enable This example shows how to disable the SSH server switch configure terminal switch config no ssh server enable XML interface...

Page 695: ...nsitive vrfvrf name Command Default Default VRF Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines The Cisco NX OS software supports SSH version 2 To use IPv4 addressing to start an SSH session use the ssh command The Cisco NX OS software supports a maximum of 60 concurrent SSH and Telnet sessions This command does not require a l...

Page 696: ...Description Command Starts an SSH session using IPv4 addressing ssh Enables the SSH server feature ssh Cisco Nexus 7000 Series Security Command Reference 670 S Commands ssh6 ...

Page 697: ...C or VLAN ACL applies to a packet it tests the packet against the conditions of all entries in the ACLs ACL entries are derived from the rules that you configure with the applicable permit and deny commands The first matching rule determines whether the packet is permitted or denied Enter the statistics per entry command to start recording how many packets are permitted or denied by each entry in ...

Page 698: ...st ip acl 101 switch config acl no statistics per entry switch config acl This example shows how to start recording per entry statistics for the ACLs in entry 20 in a VLAN access map named vlan map 01 switch config vlan access map vlan map 01 20 switch config access map statistics per entry switch config access map This example shows how to stop recording per entry statistics for the ACLs in entry...

Page 699: ...and was introduced 4 0 1 Usage Guidelines Enter the storm control level command to enable traffic storm control on the interface configure the traffic storm control level and apply the traffic storm control level to all traffic storm control modes that are enabled on the interface Only one suppression level is shared by all three suppression modes For example if you set the broadcast level to 30 a...

Page 700: ...erminal switch config interface ethernet 1 1 switch config if storm control broadcast level 30 This example shows how to disable the suppression mode for multicast traffic switch configure terminal switch config interface ethernet 1 1 switch config if no storm control multicast level Related Commands Description Command Displays the storm control suppression counters for an interface show interfac...

Page 701: ... security command before you can use the switchport port security command If port security is enabled on any member port of the Layer 2 port channel interface the device does not allow you to disable port security on the port channel interface To do so remove all secure member ports from the port channel interface first After disabling port security on a member port you can add it to the port chan...

Page 702: ...ses switchport port security aging time Configures the aging type for dynamically learned secure MAC addresses switchport port security aging type Configures a static MAC address switchport port security mac address Enables the sticky method for learning secure MAC addresses switchport port security mac address sticky Configures an interface or a VLAN maximum for secured MAC addresses on an interf...

Page 703: ...n the current interface inactivity Command Default absolute Command Modes Interface configuration Command History Modification Release Support for Layer 2 port channel interfaces was added 4 2 1 This command was introduced 4 0 1 Usage Guidelines The default aging type is absolute aging You must enable port security by using the feature port security command before you can use the switchport port s...

Page 704: ...arned secure MAC addresses switchport port security aging time Configures a static MAC address switchport port security mac address Enables the sticky method for learning secure MAC addresses switchport port security mac address sticky Configures an interface or a VLAN maximum for secured MAC addresses on an interface switchport port security maximum Configures the security violation action for an...

Page 705: ...d History Modification Release Support for Layer 2 port channel interfaces was added 4 2 1 This command was introduced 4 0 1 Usage Guidelines There are no default static secure MAC addresses You must enable port security by using the feature port security command before you can use the switchport port security mac address command Before using this command you must use the switchport command to con...

Page 706: ...me Configures the aging type for dynamically learned secure MAC addresses switchport port security aging type Enables the sticky method for learning secure MAC addresses switchport port security mac address sticky Configures an interface or a VLAN maximum for secured MAC addresses on an interface switchport port security maximum Configures the security violation action for an interface switchport ...

Page 707: ...ded 4 2 1 This command was introduced 4 0 1 Usage Guidelines You must enable port security by using the feature port security command before you can use the switchport port security mac address sticky command Before using this command you must use the switchport command to configure the interface to operate as a Layer 2 interface This command does not require a license Examples This example shows ...

Page 708: ...d secure MAC addresses switchport port security aging type Configures a static MAC address switchport port security mac address Configures an interface or a VLAN maximum for secured MAC addresses on an interface switchport port security maximum Configures the security violation action for an interface switchport port security violation Cisco Nexus 7000 Series Security Command Reference 682 S Comma...

Page 709: ... None Command Modes Interface configuration Command History Modification Release Support for Layer 2 port channel interfaces was added 4 2 1 This command was introduced 4 0 1 Usage Guidelines The default interface maximum is one secure MAC address Enabling port security on an interface also enables the default method for learning secure MAC addresses which is the dynamic method To enable the stick...

Page 710: ... the command Examples This example shows how to configure an interface maximum of 10 secure MAC addresses on the Ethernet 2 1 interface switch configure terminal switch config interface ethernet 2 1 switch config if switchport port security maximum 10 switch config if Related Commands Description Command Enables port security globally feature port security Shows information about port security sho...

Page 711: ...dresses Address learning continues until 100 security violations have occurred on the interface Traffic from addresses learned after the first security violation is dropped After 100 security violations occur the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses In addition the device generates an SNMP trap for each security violation restrict Spe...

Page 712: ...nterface Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured After a secure MAC address is configured or learned on one secure port the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation Note When a security vi...

Page 713: ...e protect action switch configure terminal switch config interface ethernet 2 1 switch config if switchport port security violation protect switch config if Related Commands Description Command Enables port security globally feature port security Shows information about port security show port security Enables port security on a Layer 2 interface switchport port security Configures the aging time ...

Page 714: ...Cisco Nexus 7000 Series Security Command Reference 688 S Commands switchport port security violation ...

Page 715: ...ts page 710 show class map type control plane page 712 show cli syntax roles network admin page 713 show cli syntax roles network operator page 715 show copp diff profile page 717 show copp profile page 719 show copp status page 721 show crypto ca certificates page 722 show crypto ca certstore page 724 show crypto ca crl page 725 show crypto ca remote certstore page 727 show crypto ca trustpoints ...

Page 716: ...cts role based policy page 749 show cts role based sgt vlan page 751 show cts role based sgt map page 752 show cts sap pmk page 754 show cts sxp page 755 show cts sxp connection page 758 show data corruption page 759 show dot1x page 760 show dot1x all page 761 show dot1x interface ethernet page 763 show encryption service stat page 765 show eou page 766 show fips status page 768 show hardware acce...

Page 717: ...show ipv6 access lists page 809 show ipv6 dhcp relay page 812 show ipv6 dhcp relay statistics page 813 show ipv6 dhcp ldra page 814 show ipv6 dhcp guard policy page 816 show ipv6 nd raguard policy page 818 show ipv6 neighbor binding page 819 show ipv6 snooping capture policy page 821 show ipv6 snooping counters page 823 show ipv6 snooping features page 825 show ipv6 snooping policies page 826 show...

Page 718: ...f page 871 show role session page 872 show role status page 873 show run mka page 874 show running config aaa page 876 show running config aclmgr page 877 show running config copp page 880 show running config cts page 882 show running config dhcp page 883 show running config dot1x page 885 show running config eou page 886 show running config ldap page 887 show running config port security page 888...

Page 719: ...ow system internal access list feature bank chain map page 910 show system internal access list feature bank class map page 912 show system internal access list globals page 914 show system internal pktmgr internal control sw rate limit page 916 show system internal udp relay database page 917 show tacacs page 919 show tacacs server page 921 show telnet server page 924 show time range page 925 sho...

Page 720: ...mand History Modification Release This command was introduced 4 2 1 Usage Guidelines This command does not require a license If no I O modules are configured with the command the show command has no output Examples This example shows how to display the I O modules that are configured with the command switch show Module 1 enabled Module 3 enabled switch Cisco Nexus 7000 Series Security Command Refe...

Page 721: ...ommand Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the configuration of the accounting log switch show aaa accounting default local Cisco Nexus 7000 Series Security Command Reference 695 Show Commands show aaa accounting ...

Page 722: ...ion login mschap Optional Displays the configuration for MS CHAP V2 authentication login mschapv2 Optional Displays the configuration for ASCII authentication for passwords on TACACS servers login ascii authentication Command Default Displays the console and login authentication methods configuration Command Modes Any command mode Command History Modification Release Added the chap keyword 5 0 2 A...

Page 723: ... authentication login MSCHAP V2 configuration switch show aaa authentication login mschapv2 enabled This example shows how to display the status of the ASCII authentication for passwords feature switch config show aaa authentication login ascii authentication disabled Related Commands Description Command Enables ASCII authentication for passwords on a TACACS server aaa authentication login ascii a...

Page 724: ... methods switch show aaa authorization pki ssh cert local pki ssh pubkey local AAA command authorization default authorization for config commands none cts group radius This example shows how to display the configured authorization methods and defaults switch show aaa authorization all pki ssh cert local pki ssh pubkey local AAA command authorization default authorization for config commands none ...

Page 725: ...Description Command Enables the LDAP feature feature ldap Enables the TACACS feature feature tacacs Cisco Nexus 7000 Series Security Command Reference 699 Show Commands show aaa authorization ...

Page 726: ...Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display AAA group information switch show aaa groups radius TacServer Cisco Nexus 7000 Series Security Command Reference 700 Show Commands show aaa groups ...

Page 727: ...was introduced 7 3 0 D1 1 Usage Guidelines This command does not require a license Examples This example shows how to display the blocked users switch show aaa local user blocked Local user State testuser Watched till 11 34 42 IST Feb 5 2015 Related Commands Description Command Configures the login block per user aaa authentication rejected Clears the blocked users clear aaa local user blocked Cis...

Page 728: ... Release This command was introduced 4 0 3 Usage Guidelines User the aaa user default role command to configure the AAA user default role This command does not require a license Examples This example shows how to display the AAA user default role configuration switch show aaa user default role enabled Related Commands Description Command Enables the AAA user default role aaa user default role Cisc...

Page 729: ...roduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to display the access control list ACL capture configuration switch config show access list status module 5 Non Atomic ACL updates Disabled TCAM Default Result is Deny Resource pooling Disabled switch config Related Commands Description Command Enables access control list ACL capture on all virtu...

Page 730: ...ACL names Support was added for the fragments command 4 2 1 Support for IPv6 ACLs was added 4 1 2 This command was introduced 4 0 1 Usage Guidelines The device shows all ACLs unless you use the access list name argument to specify an ACL If you do not specify an ACL name the device lists ACLs alphabetically by the ACL names The expanded keyword allows you to display the details of object groups us...

Page 731: ...0060 3e00 0000 0000 00ff ffff ip This example shows how to use the show access lists command to display an IPv4 ACL named ipv4 RandD outbound web including per entry statistics for the entries except for the MainLab object group switch show access lists ipv4 RandD outbound web IP access list ipv4 RandD outbound web statistics per entry 1000 permit ahp any any match 732 1005 permit tcp addrgroup Ma...

Page 732: ...ents Configures an IPv4 ACL ip access list Configures an IPv6 ACL ipv6 access list Configures a MAC ACL mac access list Displays all IPv4 ACLs or a specific IPv4 ACL show ip access lists Displays all IPv6 ACLs or a specific IPv6 ACL show ipv6 access lists Displays all MAC ACLs or a specific MAC ACL show mac access lists Cisco Nexus 7000 Series Security Command Reference 706 Show Commands show acce...

Page 733: ... argument is in yyyy format The month is the three letter English abbreviation The day argument range is from 1 to 31 The HH MM SS argument is in the standard 24 hour format start timeyear month day HH MM SS Command Default None Command Modes Any command mode Command History Modification Release Added the last index and start seqnum keyword options 4 2 1 This command was introduced 4 0 1 Usage Gui...

Page 734: ...lay the accounting log starting at 16 00 00 on February 16 2008 switch config show accounting log start time 2008 Feb 16 16 00 00 Sat Feb 16 16 00 18 2008 update dev pts 1_172 28 254 254 admin show logging log file start time 2008 Feb 16 15 59 16 Sat Feb 16 16 00 26 2008 update dev pts 1_172 28 254 254 admin show accounting log start time 2008 Feb 16 12 05 16 Sat Feb 16 16 00 27 2008 update dev pt...

Page 735: ...tdown REDIRECT Fri Mar 15 10 20 03 2013 type update id console0 user Ciscoadmin cmd configure terminal interface Ethernet1 1 no shutdown SUCCESS Related Commands Description Command Clears the accounting log clear accounting log Cisco Nexus 7000 Series Security Command Reference 709 Show Commands show accounting log ...

Page 736: ... require a license Examples This example shows how to use the show arp access lists command to display all ARP ACLs on a device that has two ARP ACLs switch show arp access lists ARP access list arp permit all 10 permit ip any mac any ARP access list arp lab subnet 10 permit request ip 10 32 143 0 255 255 255 0 mac any This example shows how to use the show arp access lists command to display an A...

Page 737: ...Cisco Nexus 7000 Series Security Command Reference 711 Show Commands show arp access lists ...

Page 738: ... display control plane class map information switch show class map type control plane class map type control plane match any copp system class critical match access grp name copp system acl arp match access grp name copp system acl msdp class map type control plane match any copp system class important match access grp name copp system acl gre match access grp name copp system acl tacas class map ...

Page 739: ...bug device_test 5 show debug diagmgr 6 show debug diagclient 7 show debug ntp 8 show debug port_lb 9 show debug copp 10 show debug copp bypass 11 show license usage vdc all detail license feature 12 show system internal license event history 13 show system internal license mem stats detail 14 show system internal loader configuration 15 show system internal bootvar log 16 show system internal cmpp...

Page 740: ...ng config diagnostic all 44 show running config cmp 45 show running config ntp all 46 show running config vdc all all 47 show running config copp all 48 show startup config vdc all 49 show startup config diagnostic all 50 show startup config ntp all 51 show startup config vdc all 52 show startup config copp all 53 show tech support gold 54 show tech support cmp 55 show tech support dcbx 56 show te...

Page 741: ...mpproxy 2 show debug exceptionlog 3 show debug device_test 4 show debug diagmgr 5 show debug diagclient 6 show debug ntp 7 show debug port_lb 8 show debug copp 9 show license usage vdc all detail license feature 10 show system internal license event history 11 show system internal license mem stats detail 12 show system internal loader configuration 13 show system internal bootvar log 14 show syst...

Page 742: ...plays the syntax of the commands that the network admin role can use but the vdc admin role cannot show cli syntax roles network admin Cisco Nexus 7000 Series Security Command Reference 716 Show Commands show cli syntax roles network operator ...

Page 743: ...oduced 5 2 1 Usage Guidelines When you do not include the prior ver option this command displays the difference between two currently applied default CoPP best practice policies such as the currently applied strict and currently applied moderate policies When you include the prior ver option this command displays the difference between a currently applied default CoPP best practice policy and a pr...

Page 744: ...cription Command Displays the details of the CoPP best practice policy along with the classes and policer values show copp profile Cisco Nexus 7000 Series Security Command Reference 718 Show Commands show copp diff profile ...

Page 745: ...along with the classes and policer values switch show copp profile moderate ip access list copp system p acl bgp permit tcp any gt 1024 any eq bgp permit tcp any eq bgp any gt 1024 ipv6 access list copp system p acl bgp6 permit tcp any gt 1024 any eq bgp permit tcp any eq bgp any gt 1024 ip access list copp system p acl cts permit tcp any any eq 64999 permit tcp any eq 64999 any ip access list cop...

Page 746: ...e Displays the difference between the currently applied default CoPP best practice policy and the latest or previous CoPP best practice policy show copp diff profile Displays the CoPP status including the last configuration operation and its status show copp status Displays the CoPP configuration in the running configuration show running config copp Cisco Nexus 7000 Series Security Command Referen...

Page 747: ...Guidelines You can use this command only in the default virtual device context VDC This command does not require a license Examples This example shows how to display the CoPP configuration status information switch show copp status Last Config Operation service policy input copp system policy Last Config Operation Timestamp 21 57 58 UTC Jun 4 2008 Last Config Operation Status Success Policy map at...

Page 748: ...nfigured trustpoint certificates switch show crypto ca certificates Trustpoint admin ca certificate subject CN switch160 issuer C US O cisco CN Aparna CA2 serial 6CDB2D9E000100000006 notBefore Jun 9 10 51 45 2005 GMT notAfter May 3 23 10 36 2006 GMT MD5 Fingerprint 0A 22 DC A3 07 2A 9F 9A C2 2C BA 96 EC D8 0A 95 purposes sslserver sslclient ike CA certificate 0 subject C US O cisco CN Aparna CA2 i...

Page 749: ...mandke cisco com C IN ST Karnataka L Bangalore O Cisco OU netstorage CN Aparna CA serial 0560D289ACB419944F4912258CAD197A notBefore May 3 22 46 37 2005 GMT notAfter May 3 22 55 17 2007 GMT MD5 Fingerprint 65 84 9A 27 D5 71 03 33 9C 12 23 92 38 6F 78 12 purposes sslserver sslclient ike Related Commands Description Command Authenticates the certificate of the CA crypto ca authenticate Displays trust...

Page 750: ...d was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to display the cert store configuration switch show crypto ca certstore Certstore lookup REMOTE Related Commands Description Command Specifies the cert store to be used for certificate authentication crypto ca lookup Displays the remote cert store configuration show crypto ca remote cert...

Page 751: ...vocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer emailAddress rviyyoka cisco com C IN ST Kar L Bangalore O Cisco Systems OU 1 CN cisco blr Last Update Sep 22 07 05 23 2005 GMT Next Update Sep 29 19 25 23 2005 GMT CRL extensions X509v3 Authority Key Identifier keyid CF 72 E1 FE 14 60 14 6E B0 FA 8D 87 18 6B E8 5F 70 69 05 3F 1 3 6 1 4 1 311 21 1 Revoked Certificates ...

Page 752: ...ocation Date Apr 5 10 38 38 2005 GMT Serial Number 436E43A9000000000023 Revocation Date Sep 9 09 01 23 2005 GMT CRL entry extensions X509v3 CRL Reason Code Cessation Of Operation Serial Number 152D3C5E000000000047 Revocation Date Sep 22 07 12 41 2005 GMT Serial Number 1533AD7F000000000048 Revocation Date Sep 22 07 13 11 2005 GMT Serial Number 1F9EB8EA00000000006D Revocation Date Jul 19 09 58 45 20...

Page 753: ...e This command was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to display the remote cert store configuration switch show crypto ca remote certstore Remote Certstore NONE Related Commands Description Command Specifies the cert store to be used for certificate authentication crypto ca lookup Displays the configured cert store show crypto...

Page 754: ...s command does not require a license Examples This example shows how to display configured trustpoints switch show crypto ca trustpoints trustpoint CAname key revokation methods crl Related Commands Description Command Authenticates the certificate of the CA crypto ca authenticate Declares the trustpoint certificate authority that the device should trust crypto ca trustpoint Displays configured tr...

Page 755: ...fication Release This command was introduced 5 0 2 Usage Guidelines This command does not require a license Examples This example shows how to display the certificate mapping filters switch show crypto certificatemap Related Commands Description Command Creates a filter map crypto certificatemap mapname Configures one or more certificate mapping filters within the filter map filter Cisco Nexus 700...

Page 756: ...duced 4 1 2 Usage Guidelines This command does not require a license Examples This example shows how to display RSA public key configurations switch show crypto key mypubkey rsa key label myrsa key size 512 exportable yes Related Commands Description Command Requests certificates for the switch s RSA key pair crypto ca enroll Generate an RSA key pair crypto key generate rsa Configure trustpoint RS...

Page 757: ...Usage Guidelines This command does not require a license Examples This example shows how to display the mapping filters configured for SSH authentication switch show crypto ssh auth map Default Map filtermap1 Related Commands Description Command Creates a filter map crypto certificatemap mapname Configures a certificate mapping filter for the SSH protocol crypto cert ssh authorize Configures one o...

Page 758: ...nable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Cisco TrustSec global configuration switch show cts CTS Global Configuration CTS support enabled CTS device identity Device1 CTS caching support disabled Number of CTS interfaces in DOT1X mode 0 Manual mode 0 Related Commands Description ...

Page 759: ...switch show cts capability interface all CTS capability information for interface s Interface SGT MacSec Comments Eth6 1 Yes Yes cts dot1x and manual configs allowed Eth8 1 Yes Yes cts dot1x and manual configs allowed Eth8 17 Yes Yes cts dot1x and manual configs allowed Eth8 33 Yes Yes cts dot1x and manual configs allowed Eth6 2 Yes Yes cts dot1x and manual configs allowed Eth8 2 Yes Yes cts dot1x...

Page 760: ... dot1x and manual configs allowed Eth8 5 Yes Yes cts dot1x and manual configs allowed Related Commands Description Command Enables the Cisco TrustSec feature feature cts Displays the global Cisco TrustSec configuration show cts Cisco Nexus 7000 Series Security Command Reference 734 Show Commands show cts capability interface ...

Page 761: ...roduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Cisco TrustSec credentials configuration switch show cts credentials CTS password is defined in keystore device id Device1 Related Commands Description Command Enables the Cisco...

Page 762: ...ntials for the device and configured authentication authorization and accounting AAA This command requires the Advanced Services license Examples This example shows how to display the Cisco TrustSec environment data switch show cts environment data CTS Environment Data Current State CTS_ENV_DNLD_ST_ENV_DOWNLOAD_DONE Last Status CTS_ENV_SUCCESS Local Device SGT 0x0002 Transport Type CTS_ENV_TRANSPO...

Page 763: ... TrustSec feature using the feature cts command After using this command you must enable and disable the interface using the shutdown no shutdown command sequence for the configuration to take effect Use the no propagate sgt l2 control command to enable SGT tagging exemption for L2 control packets This exemption ensures that the L2 control protocols are transmitted without any SGT tags from the Ci...

Page 764: ...config if cts manual switch config if cts manual no propagate sgt l2 control This example displays the error message when you enable SGT tagging exemption for the L2 protocols on non supported modules switch configure terminal switch config interface ethernet 7 2 switch config if cts manual switch config if cts manual no propagate sgt l2 control ERROR no propagate sgt l2 control is not allowed on ...

Page 765: ...ase This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Layer 3 Cisco TrustSec configuration for the interfaces switch show cts l3 interface Related Commands Description Command Enables the Cisco TrustSec feat...

Page 766: ...n Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Layer 3 Cisco TrustSec mapping for the device switch show cts l3 mapping Related Commands Description Command Enables the Cisco TrustSec feature fe...

Page 767: ...es license Examples This example shows how to display the Cisco TrustSec global configuration switch show cts pacs PAC Info PAC Type unknown AID 74656d706f72617279 I ID india1 AID Info ACS Info Credential Lifetime Thu Apr 3 00 36 04 2008 PAC Opaque 0002008300020004000974656d706f7261727900060070000101001d 6321a2a55fa81e05cd705c714bea116907503aab89490b07fcbb2bd455b8d873f21b5b6b403eb1d8 125897d93b946...

Page 768: ...mbers are from 1 to 4096 port channel channel number Command Default None Command Modes Any configuration mode Command History Modification Release This command was introduced 8 1 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples The following example displays all interfaces c...

Page 769: ...ion Command Enable SGT propagation on Layer 2 Cisco TrustSec interfaces propagate sgt Enables the Cisco TrustSec feature feature cts Cisco Nexus 7000 Series Security Command Reference 743 Show Commands show cts propagate status ...

Page 770: ...se this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Cisco TrustSec SGACL configuration switch show cts role based access list rbacl test 3 deny ip rbacl test 1 deny ip deny icmp deny tcp src eq 1000 dest eq 2000 deny udp src range 1000 2000 rbacl test 2 permit icm...

Page 771: ...gt value Command Default None Command Modes Any configuration mode Command History Modification Release The command output was updated 8 0 1 This command was introduced 5 0 2 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the configuration st...

Page 772: ...p 0 permit tcp 0 permit ip log 0 sgt any dgt any 0 rbacl Permit IP monitored permit ip 0 Related Commands Description Command Clears the RBACL statistics so that all counters are reset to 0 clear cts role based counters Enables the RBACL statistics cts role based counters enable Cisco Nexus 7000 Series Security Command Reference 746 Show Commands show cts role based counters ...

Page 773: ...ory Modification Release This command was introduced 8 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to verify that SGACL policy enforcement is disabled on interfaces switch show cts role based disabled interface Ethernet4 5 Ethernet4 17 Related Co...

Page 774: ...mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Cisco TrustSec SGACL enforcement status switch show cts role based enable vlan 1 vrf 1 vrf 3 Related Commands Descr...

Page 775: ...t Destination SGT value The range is from 0 to 65535 dgt value Displays the SGACLs configured by using CLI configured Displays the SGACLs downloaded from ISE downloaded Displays the monitored SGACLs monitored Command Default None Command Modes Any configuration mode Command History Modification Release The sgt dgt configured downloaded and monitored keywords were added Additionally the command out...

Page 776: ...l deny_ip Downloaded Monitored deny ip sgt 101 101 dgt 102 102 rbacl rb2 Configured deny eigrp sgt 101 101 dgt 102 102 rbacl ise_rbacl_1_ace Downloaded deny gre Related Commands Description Command Enables the Cisco TrustSec feature feature cts Cisco Nexus 7000 Series Security Command Reference 750 Show Commands show cts role based policy ...

Page 777: ... was introduced 6 2 2 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command does not require a license Examples This example shows how to display the Cisco TrustSec SGT mapping configuration for all VLANs switch show cts role based sgt vlan all Related Commands Description Command Enables the Cisco TrustSec feature feature cts Di...

Page 778: ...d Default None Command Modes Any configuration mode Command History Modification Release The summary sxp peer peer ipv4 addr vlan vlan id and vrf vrf name keywords and arguments were added 6 2 2 This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples ...

Page 779: ...d Related Commands Description Command Enables the Cisco TrustSec feature feature cts Manually configures the Cisco TrustSec SGT mapping to IP addresses cts role based sgt map Cisco Nexus 7000 Series Security Command Reference 753 Show Commands show cts role based sgt map ...

Page 780: ...and Default None Command Modes Any configuration mode Command History Modification Release This command was introduced 6 2 2 Usage Guidelines To use this command you must enable the Cisco TrustSec feature using the feature cts command This command does not require a license Examples This example shows how to display the Cisco TrustSec SAP PMK configuration switch show cts sap pmk interface etherne...

Page 781: ...tual Routing and Forwarding VRF instance name vrf instance name Command Default None Command Modes Any command mode Command History Modification Release The keywords connections sgt map detail and vrf were introduced 8 0 1 The output was modified to include details about the SXPv3 version and network map expansion limit 7 3 0 D1 1 This command was introduced 4 0 1 Examples The following example di...

Page 782: ... 0 0 2 Conn status On Speaker On Listener Conn version 4 Local mode Both Connection inst 1 TCP conn fd 1 Speaker 3 Listener TCP conn password default SXP password Duration since last state change 1 03 38 03 dd hr mm sec 0 00 00 46 dd hr mm sec The following example displays output from a CTS SXP listener with a torn down connection to the SXP speaker Source IP to SGT mappings are held for 120 seco...

Page 783: ...peer connection cts sxp connection peer Configures the Cisco TrustSec SXP default password cts sxp default password Configures the Cisco TrustSec SXP source IPv4 address cts sxp default source ip Enables Cisco TrustSec SXP on a device cts sxp enable Enables logging for IP to SGT binding changes cts sxp log Changes the Cisco TrustSec SXP reconciliation period cts sxp reconciliation Changes the Cisc...

Page 784: ... use this command you must enable the Cisco TrustSec feature using the feature cts command This command requires the Advanced Services license Examples This example shows how to display the Cisco TrustSec Security Group Tag SGT Exchange Protocol SXP connections information switch show cts sxp connection PEER_IP_ADDR VRF PEER_SXP_MODE SELF_SXP_MODE CONNECTION STATE VERSION 30 1 1 3 default listener...

Page 785: ...ORRUPTION DATAINCONSISTENCY Traceback vmtracker libhmm_dll so 0x1b4d0 libhmm so 0x2cf0 libhmm_dll so 0x1ba0a libhmm_dll so 0x1c9e7 libhmm so 0x2f49 0x209d0 libvmtracker so 0x4d586 libvmtracker so 0x9b0c1 libvmtracker so 0x43154 libvmtracker so 0x42c happened 20 times since Mon Feb 15 09 05 20 2016 DATACORRUPTION DATAINCONSISTENCY Traceback hmm 0x40faf 0xbf870 0xc0b4c 0x40292 0xa37fa 0xa9f29 0xc05a...

Page 786: ...oduced 4 0 1 Usage Guidelines You must enable the 802 1X feature by using the feature dot1x command before using this command This command does not require a license Examples This example shows how to display the 802 1X feature status switch show dot1x Sysauthcontrol Enabled Dot1x Protocol Version 2 Related Commands Description Command Enables the 802 1X feature feature dot1x Cisco Nexus 7000 Seri...

Page 787: ...e This command was introduced 4 0 1 Usage Guidelines You must enable the 802 1X feature by using the feature dot1x command before using this command This command does not require a license Examples This example shows how to display all 802 1X feature status and configuration information switch show dot1x all Sysauthcontrol Enabled Dot1x Protocol Version 2 Dot1x Info for Ethernet2 1 PAE AUTHENTICAT...

Page 788: ...Related Commands Description Command Enables the 802 1X feature feature dot1x Cisco Nexus 7000 Series Security Command Reference 762 Show Commands show dot1x all ...

Page 789: ...terface 802 1X configuration Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must enable the 802 1X feature by using the feature dot1x command before using this command This command does not require a license Examples This example shows how to display the 802 1X feature status and configuration information for an Ethernet i...

Page 790: ...2 TxPeriod 30 RateLimitPeriod 0 Related Commands Description Command Enables the 802 1X feature feature dot1x Cisco Nexus 7000 Series Security Command Reference 764 Show Commands show dot1x interface ethernet ...

Page 791: ...command was introduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to display the status of the encryption service switch show encryption service stat Encryption service is enabled Master Encryption Key is configured Type 6 encryption is being used switch Related Commands Description Command Displays the configuration for a specific keychain show ...

Page 792: ...ns authenticated using EAPoUDP eap Specifies sessions statically authenticated using statically configured exception lists static Optional Displays the EAPoUDP sessions for a specific interface interface ethernet slot port Optional Displays the EAPoUDP sessions for a specific IPv4 address ip addressipv4 address Optional Displays the EAPoUDP sessions for a specific MAC address mac addressmac addres...

Page 793: ...information switch show eou authentication eap This example shows how to display 802 1X static authentication information switch show eou interface ethernet 2 1 This example shows how to display 802 1X information for an Ethernet interface switch show eou ip address 10 10 10 1 This example shows how to display 802 1X information for a MAC address switch show eou mac address 0019 076c dac4 This exa...

Page 794: ...None Command Modes Any Command History Modification Release This command was introduced 5 1 1 Usage Guidelines This command does not require a license Examples This example shows how to display the status of FIPS mode switch show fips status FIPS mode is disabled Related Commands Description Command Enables FIPS mode fips mode enable Cisco Nexus 7000 Series Security Command Reference 768 Show Comm...

Page 795: ...ommand Modes Any command mode Command History Modification Release This command was introduced 6 2 10 Usage Guidelines This command does not require a license The following are the features you can enter arp Address Resolution Protocol bfd Bidirectional Forwarding Detection cbts Class Based Tunnel Selection cts_impl_tunnel CTS Implicit Tunnel dhcp Dynamic Host Configuration Protocol erspan_dst Enc...

Page 796: ...d netflow switch show hardware access list input interface feature combo racl pbr_stats wccp qos netflow ______________________________________________________________________________ Feature Rslt Type T0B0 T0B1 T1B0 T1B1 ______________________________________________________________________________ RACL Interface Acl X Netflow Acl X QoS Interface Qos X WCCP Interface Acl X PBR Interface Stats Acl...

Page 797: ..._____________________________________________________ Feature Rslt Type T0B0 T0B1 T1B0 T1B1 ______________________________________________________________________________ PACL Acl X QoS Qos X Related Commands Description Command Configures the device to allow ACL TCAM bank mappings hardware access list resource feature bank mapping Cisco Nexus 7000 Series Security Command Reference 771 Show Comman...

Page 798: ...ate limit statistics for access list log packets access list log Specifies a module number The range is from 1 to 18 modulemodule Specifies rate limit statistics for copy packets copy Specifies the control packets from the F1 modules to the supervisor f1 Specifies the F1 rate limiter 1 rl 1 Specifies the F1 rate limiter 2 rl 2 Specifies the F1 rate limiter 3 rl 3 Specifies the F1 rate limiter 4 rl...

Page 799: ...s for Layer 3 directly connected multicast packets directly connected Specifies rate limit statistics for Layer 3 local group multicast packets local groups Specifies rate limit statistics for Layer 3 reverse path forwarding RPF leak multicast packets rpf leak Specifies rate limit statistics for Layer 3 time to live TTL packets ttl Optional Displays rate limit statistics for receive packets receiv...

Page 800: ...ed 0 Dropped 0 Total 0 layer 3 control Config 10000 Allowed 0 Dropped 0 Total 0 layer 3 glean Config 100 Allowed 0 Dropped 0 Total 0 layer 3 multicast directly connected Config 3000 Allowed 0 Dropped 0 Total 0 layer 3 multicast local groups Config 3000 Allowed 0 Dropped 0 Total 0 layer 3 multicast rpf leak Config 500 Allowed 0 Dropped 0 Total 0 layer 2 storm control Config Disabled access list log...

Page 801: ...ss list log Units for Config packets per second Allowed Dropped Total aggregated since last clear counters Rate Limiter Class Parameters access list log Config 100 Allowed 0 Dropped 0 Total 0 Related Commands Description Command Clears rate limit statistics clear hardware rate limiter Configures rate limits hardware rate limiter Cisco Nexus 7000 Series Security Command Reference 775 Show Commands ...

Page 802: ...y Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display information for all of the identity policies switch show identity policy This example shows how to display information for a specific identity policy switch show identity policy AdminPolicy Related Commands Description Command Configures ident...

Page 803: ...y command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the identity profiles switch show identity profile This example shows how to display the EAPoUDP identity profile configuration switch show identity profile eapoudp Related Commands Description Command Configures E...

Page 804: ...is sorted alphabetically by the ACL names Support was added for the fragments command 4 2 1 This command was introduced 4 0 1 Usage Guidelines The device shows all IPv4 ACLs unless you use the access list name argument to specify an ACL If you do not specify an ACL name the device lists ACLs alphabetically by the ACL names IPv4 address object groups and IP port object groups show only by name unle...

Page 805: ...example shows how to use the show ip access lists command to display an IPv4 ACL named ipv4 RandD outbound web including per entry statistics for the entries except for the MainLab object group switch show ip access lists ipv4 RandD outbound web IP access list ipv4 RandD outbound web statistics per entry fragments deny all 1000 permit ahp any any match 732 1005 permit tcp addrgroup MainLab any eq ...

Page 806: ...agments Configures an IPv4 ACL ip access list Displays all ACLs or a specific ACL show access lists Displays all IPv6 ACLs or a specific IPv6 ACL show ipv6 access lists Displays all MAC ACLs or a specific MAC ACL show mac access lists Starts recording statistics for packets permitted or denied by each entry in an ACL statistics per entry Cisco Nexus 7000 Series Security Command Reference 780 Show ...

Page 807: ...fication Release This command was introduced 5 2 1 Usage Guidelines This command does not require a license Examples This example shows how to display the ACL capture session configuration switch show ip access lists capture session 5 switch Related Commands Description Command Configures an ACL capture session monitor session session type acl capture Configures a destination for ACL capture packe...

Page 808: ...show ip arp inspection Source Mac Validation Enabled Destination Mac Validation Enabled IP Address Validation Enabled Vlan 1 Configuration Enabled Operation State Active ARP Req Forwarded 0 ARP Res Forwarded 0 ARP Req Dropped 0 ARP Res Dropped 0 DHCP Drops 0 DHCP Permits 0 SMAC Fails ARP Req 0 SMAC Fails ARP Res 0 DMAC Fails ARP Res 0 IP Fails ARP Req 0 IP Fails ARP Res 0 Related Commands Descript...

Page 809: ...atistics show ip arp inspection statistics Displays DAI status for a specified list of VLANs show ip arp inspection vlan Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 783 Show Commands show ip arp inspection ...

Page 810: ...ault None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the trust state and the ARP packet rate for a trusted interface switch show ip arp inspection interface ethernet 2 1 Interface Trust State Rate pps Burst Interval Ethernet2 46 Trusted 15 5...

Page 811: ...ics show ip arp inspection statistics Displays DAI status for a specified list of VLANs show ip arp inspection vlan Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 785 Show Commands show ip arp inspection interface ...

Page 812: ...the DAI log configuration switch show ip arp inspection log Syslog Buffer Size 32 Syslog Rate 5 entries per 1 seconds switch Related Commands Description Command Clears the DAI logging buffer clear ip arp inspection log Configures the DAI logging buffer size ip arp inspection log buffer Displays the DAI configuration status show ip arp inspection Displays the trust state and the ARP packet rate fo...

Page 813: ... Supported User Roles network admin network operator vdc admin vdc operator Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the DAI statistics for VLAN 1 switch show ip arp inspection statistics vlan 1 Vlan 1 ARP Req Forwarded 0 ARP Res Forwarded 0 ARP Req Dropped 0 ARP Res Dr...

Page 814: ...s show ip arp inspection Displays the trust state and the ARP packet rate for a specified interface show ip arp inspection interface Displays the DAI log configuration show ip arp inspection log Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 788 Show Commands show ip arp inspection statistics ...

Page 815: ... vlan list Command Default None Command Modes Any command mode Supported User Roles network admin network operator vdc admin vdc operator Command History Modification Release This command was introduced 4 0 1 Examples This example shows how to display DAI status for VLANs 1 and 13 switch show ip arp inspection vlan 1 13 Source Mac Validation Enabled Destination Mac Validation Enabled IP Address Va...

Page 816: ...p inspection vlan Displays the DAI configuration status show ip arp inspection Displays the trust state and the ARP packet rate for a specified interface show ip arp inspection interface Displays DHCP snooping configuration including DAI configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 790 Show Commands show ip arp inspection vlan ...

Page 817: ...lt None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display all IP device tracking information switch show ip device tracking all This example shows how to display the IP device tracking information for an interface switch show ip device tracking eth...

Page 818: ...Related Commands Description Command Configures IP device tracking ip device tracking Cisco Nexus 7000 Series Security Command Reference 792 Show Commands show ip device tracking ...

Page 819: ...nsertion of option 82 is enabled Insertion of VPN suboptions is enabled Helper addresses are configured on the following interfaces Interface Relay Address VRF Name Ethernet1 4 10 10 10 1 red This example shows how to display the DHCP relay status and configured DHCP server addresses In this example the helper address is configured on a bridge domain interface switch show ip dhcp relay DHCP relay ...

Page 820: ...nables the DHCP snooping feature on the device feature dhcp Enables the DHCP relay agent ip dhcp relay Shows DHCP server addresses configured on the device show ip dhcp relay address Cisco Nexus 7000 Series Security Command Reference 794 Show Commands show ip dhcp relay ...

Page 821: ... range of interfaces or comma separated interfaces and ranges see the Examples section list Optional Restricts the output to a DHCP addresses configured on range or set of port channel interfaces and subinterfaces port channel Command Default None Command Modes Any command mode Command History Modification Release Support was added for the interface keyword and for VRF awareness 5 0 2 This command...

Page 822: ...cp relay address interface ethernet 1 2 4 ethernet 1 8 Interface Relay Address VRF Name Ethernet1 2 10 1 1 1 Ethernet1 3 10 1 1 1 red Ethernet1 4 10 1 1 1 red Ethernet1 8 10 1 1 1 red Related Commands Description Command Enables the DHCP snooping feature on the device feature dhcp Enables the DHCP relay agent ip dhcp relay Shows DHCP relay status and server addresses configured on the device show ...

Page 823: ...2 This command was modified An example for DHCP relay statistics information for a Bridge Domain Interface BDI was added 7 2 0 D1 1 Usage Guidelines This command does not require a license Examples This example shows how to display DHCP relay statistics for an interface switch show ip dhcp relay statistics interface bdi 14 Message Type Rx Tx Drops Discover 7 7 0 Offer 0 0 0 Request 0 0 0 Ack 0 0 0...

Page 824: ...Non DHCP Total Packets Received 0 Total Packets Forwarded 0 Related Commands Description Command Enables the DHCP relay agent ip dhcp relay Displays the DHCP configuration show ip dhcp relay Cisco Nexus 7000 Series Security Command Reference 798 Show Commands show ip dhcp relay statistics ...

Page 825: ...ent Total packets dropped The total number of packets containing DHCP messages that were dropped The reasons for dropping the packets are as follows Received from untrusted ports The number of packets containing DHCP messages particularly DHCPOFFER packets received from untrusted ports MAC address check failure Option 82 insertion failure O P Intf unknown Unknown reason Examples This example shows...

Page 826: ...les the DHCP snooping feature on the device feature dhcp Globally enables DHCP snooping on the device ip dhcp snooping Displays IP MAC address bindings including the static IP source entries show ip dhcp snooping binding Displays DHCP snooping statistics show ip dhcp snooping statistics Displays DHCP snooping configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference...

Page 827: ... address that the bindings shown must include Valid entries are in dotted hexadecimal format MAC address Optional Specifies the Ethernet interface that the bindings shown must be associated with interface ethernetslot port Optional Specifies a VLAN ID that the bindings shown must be associated with Valid VLAN IDs are from 1 to 4096 vlan vlan id Optional Limits the output to all dynamic IP MAC addr...

Page 828: ... clear ip dhcp snooping binding Enables the DHCP snooping feature on the device feature dhcp Enables or disables the DHCP relay agent ip dhcp relay Globally enables DHCP snooping on the device ip dhcp snooping Displays general information about DHCP snooping show ip dhcp snooping Displays DHCP snooping statistics show ip dhcp snooping statistics Displays DHCP snooping configuration including IP So...

Page 829: ...he relay agent Total packets dropped The total number of packets containing DHCP messages that were dropped The reasons for dropping the packets are as follows Received from untrusted ports The number of packets containing DHCP messages particularly DHCPOFFER packets received from untrusted ports MAC address check failure Option 82 insertion failure O P Intf unknown Unknown reason Examples This ex...

Page 830: ...eded 0 switch Related Commands Description Command Enables the DHCP snooping feature on the device feature dhcp Globally enables DHCP snooping on the device ip dhcp snooping Enables or disables the DHCP relay agent service dhcp Displays general information about DHCP snooping show ip dhcp snooping Displays IP MAC address bindings including the static IP source entries show ip dhcp snooping binding...

Page 831: ...ommand does not require a license Examples This example shows how to display the details of the UDP relay feature switch show ip udp relay UDP relay service is enabled UDP relay on default UDP ports Default UDP Ports Status Time service port 37 enabled IEN 116 Name Service port 42 enabled TACACS service port 49 enabled Domain Naming System port 53 enabled Trivial File Transfer Protocol port 69 ena...

Page 832: ...scription Command Enables the UDP relay feature ip forward protocol udp Configures the object group object group udp relay ip address Cisco Nexus 7000 Series Security Command Reference 806 Show Commands show ip udp relay ...

Page 833: ...e port channel interface given Valid port channel numbers are from 1 to 4096 port channel channel number Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the IP to MAC address bindings switch show ip verify source switch Relat...

Page 834: ...iption Command Displays DHCP snooping configuration including IP Source Guard configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 808 Show Commands show ip verify source ...

Page 835: ... is sorted alphabetically by the ACL names Support was added for the fragments command 4 2 1 This command was introduced 4 1 2 Usage Guidelines The device shows all IPv6 ACLs unless you use the access list name argument to specify an ACL If you do not specify an ACL name the device lists ACLs alphabetically by the ACL names IPv6 address object groups and IP port object groups show only by name unl...

Page 836: ... how to use the show ipv6 access lists command to display an IPv6 ACL named ipv6 RandD outbound web including per entry statistics for the entries except for the LowerLab object group switch show ipv6 access lists ipv6 RandD outbound web IPv6 access list ipv6 RandD outbound web statistics per entry fragments deny all 1000 permit ahp any any match 732 1005 permit tcp addrgroup LowerLab any eq telne...

Page 837: ...gments Configures an IPv6 ACL ipv6 access list Displays all ACLs or a specific ACL show access lists Displays all IPv4 ACLs or a specific IPv4 ACL show ip access lists Displays all MAC ACLs or a specific MAC ACL show mac access lists Starts recording statistics for packets permitted or denied by each entry in an ACL statistics per entry Cisco Nexus 7000 Series Security Command Reference 811 Show C...

Page 838: ...his command was introduced 6 2 2 Usage Guidelines This command does not require a license Examples This example shows how to display the globally configured DHCPv6 relay status and DHCPv6 server addresses switch show ipv6 dhcp relay DHCPv6 relay service Enabled Insertion of VPN options Disabled Insertion of CISCO options Disabled DHCPv6 Relay is configured on the following interfaces Interface Rel...

Page 839: ...d Default None Command Modes Any command mode Command History Modification Release This command was introduced 6 2 2 Usage Guidelines This command does not require a license Examples This example shows how to display the globally configured DHCPv6 relay statistics switch show ipv6 dhcp relay statistics Related Commands Description Command Enables the DHCPv6 relay agent ipv6 dhcp relay Displays the...

Page 840: ...6 dhcp ldra command Examples This example shows how to enable the LDRA feature on the specified interface switch config ipv6 dhcp ldra switch config show ipv6 dhcp ldra statistics DHCPv6 LDRA client facing statistics Messages received 2 Messages sent 2 Messages discarded 0 Messages Received SOLICIT 1 REQUEST 1 Messages Sent RELAY FORWARD 2 DHCPv6 LDRA server facing statistics Messages received 2 M...

Page 841: ...Cisco Nexus 7000 Series Security Command Reference 815 Show Commands show ipv6 dhcp ldra ...

Page 842: ...played for all policies Examples The following is sample output switch show ipv6 dhcp guard policy Dhcp guard policy default Device Role dhcp client Target Et0 3 Dhcp guard policy test1 Device Role dhcp server Target vlan 0 vlan 1 vlan 2 vlan 3 vlan 4 Max Preference 200 Min Preference 0 Source Address Match Access List acl1 Prefix List Match Prefix List pfxlist1 Dhcp guard policy test2 Device Role...

Page 843: ...Description Field The name of the target The target is either an interface or a VLAN Target Cisco Nexus 7000 Series Security Command Reference 817 Show Commands show ipv6 dhcp guard policy ...

Page 844: ... configuration for a policy named raguard1 and all the interfaces where the policy is applied switch show ipv6 nd raguard policy interface raguard1 Policy raguard1 configuration device role host Policy applied on the following interfaces Et0 0 vlan all Et1 0 vlan all The table below describes the significant fields shown in the display Table 2 show ipv6 nd raguard policy Field Descriptions Descrip...

Page 845: ... The display output can be specified by the specified VLAN interface IPv6 address or MAC address If no keywords or arguments are entered all binding table contents are displayed Examples The following example displays the contents of a binding table switch show ipv6 neighbor binding address DB has 4 entries Codes L Local S Static ND Neighbor Discovery Preflevel prlvl values 1 Not secure 2 MAC and ...

Page 846: ...E N A The table below describes the significant fields shown in the display Table 3 show ipv6 neighbor binding Field Descriptions Description Field Number of entries in the specified database address DB has n entries Cisco Nexus 7000 Series Security Command Reference 820 Show Commands show ipv6 neighbor binding ...

Page 847: ...y Protocol NDP Inspection and Router Advertisement RA Guard features are configured switch show ipv6 snooping capture policy Hardware policy registered on Et0 0 Protocol Protocol value Message Value Action Feature ICMP 58 RS 85 punt RA Guard punt ND Inspection ICMP 58 RA 86 drop RA guard punt ND Inspection ICMP 58 NS 87 punt ND Inspection ICMP 58 NA 88 punt ND Inspection ICMP 58 REDIR 89 drop RA G...

Page 848: ...of message being inspected Message Action to be taken on the packet Action The inspection feature for this information Feature Cisco Nexus 7000 Series Security Command Reference 822 Show Commands show ipv6 snooping capture policy ...

Page 849: ...face and records whether the packet was received sent or dropped If a packet is dropped the reason for the drop and the feature that caused the drop are both also provided Examples The following examples shows information about packets counted on Fast Ethernet interface 4 12 switch show ipv6 snooping counters interface Fa4 12 Received messages on Fa4 12 Protocol Protocol message ICMPv6 RS RA NS NA...

Page 850: ...ocol messages being counted Protocol message Bridged messages from the interface Bridged messages from The messages dropped on the interface Dropped messages on The feature that caused the drop and the type and number of messages dropped Feature message The reason that these messages were dropped RA drop reason Cisco Nexus 7000 Series Security Command Reference 824 Show Commands show ipv6 snooping...

Page 851: ...red on the router Examples The following example shows that both IPv6 NDP inspection and IPv6 RA guard are configured on the router Router show ipv6 snooping features Feature name priority state RA guard 100 READY NDP inspection 20 READY The table below describes the significant fields shown in the display Table 6 show ipv6 snooping features Field Descriptions Description Field The names of the IP...

Page 852: ...ion Release This command was introduced 8 0 1 Usage Guidelines The show ipv6 snooping policies command displays all policies that are configured and lists the interfaces to which they are attached Examples The following example shows information about all policies configured switch show ipv6 snooping policies NDP inspection policies configured Policy Interface Vlan trusted Et0 0 all Et1 0 all untr...

Page 853: ... of the policies configured for a specific feature NDP inspection policies configured Whether the policy is trusted or untrusted Policy The interface to which a policy is attached Interface Cisco Nexus 7000 Series Security Command Reference 827 Show Commands show ipv6 snooping policies ...

Page 854: ...ured 8 2 1 This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the keychain configuration for the glbp key keychain that contains one key key 13 with specific accept and send lifetimes switch show key chain Key Chain glbp keys Key 13 text 7 071a33595c1d0c1702170203163e3e21213c20361a021f11 accept lifetime UTC 00 00 00...

Page 855: ...an accept lifetime for a key accept lifetime Configures a key key Configures a keychain key chain Configures the text for a MACsec key key octet string Configures a key string key string Configures a send lifetime for a key send lifetime Cisco Nexus 7000 Series Security Command Reference 829 Show Commands show key chain ...

Page 856: ...uire a license Examples This example shows how to display information about the configured LDAP attribute maps switch show ldap search map total number of search maps 1 following LDAP search maps are configured SEARCH MAP s0 User Profile BaseDN DN1 Attribute Name map1 Search Filter filter1 Related Commands Description Command Configures the attribute name search filter and base DN for the user pro...

Page 857: ...Description Command Specifies the IPv4 or IPv6 address or hostname for an LDAP server ldap server host Cisco Nexus 7000 Series Security Command Reference 831 Show Commands show ldap search map ...

Page 858: ...5 0 2 Usage Guidelines You must use the feature ldap command before you can display LDAP information This command does not require a license Examples This example shows how to display the LDAP server configuration switch show ldap server timeout 5 port 389 deadtime 0 total number of servers 0 Related Commands Description Command Enables LDAP feature ldap Specifies the IPv4 or IPv6 address or hostn...

Page 859: ...is example shows how to display the LDAP server group configuration switch show ldap server groups total number of groups 1 following LDAP server groups are configured group LDAPgroup1 Use vrf default Mode UnSecure Authentication Search and Bind Bind and Search append with basedn cn userid Authentication Do bind instead of compare Bind and Search compare passwd attribute userPassword Authenticatio...

Page 860: ...ory Modification Release This command was introduced 5 0 2 Usage Guidelines You must use the feature ldap command before you can display LDAP information This command does not require a license Examples This example shows how to display the statistics for an LDAP server switch show ldap server statistics 10 10 1 1 Server is not monitored Authentication Statistics failed transactions 0 sucessfull t...

Page 861: ...Description Command Specifies the IPv4 or IPv6 address or hostname for an LDAP server ldap server host Cisco Nexus 7000 Series Security Command Reference 835 Show Commands show ldap server statistics ...

Page 862: ...ACLs unless you use the access list name argument to specify an ACL If you do not specify an ACL name the device lists ACLs alphabetically by the ACL names The expanded keyword allows you to display the details of object groups used in an ACL rather than only the name of the object groups For more information about object groups see the object group ip address object group ipv6 address and object ...

Page 863: ...lter MAC access list mac lab filter statistics per entry 10 permit 0600 ea5f 22ff 0000 0000 0000 any match 820421 20 permit 0600 050b 3ee3 0000 0000 0000 any match 732 This example shows how to use the show mac access lists command with the summary keyword to display information about a MAC ACL named mac lab filter such as which interfaces the ACL is applied to and active on switch show mac access...

Page 864: ... Ethernet interface ethernet slot port Optional Shows MKA session information session Optional Shows information about the specified Ethernet interface interface ethernet slot port Optional Shows detailed information about MKA details Optional Shows internal detailed information about MKA internal details Optional Shows MKA statistics statistics Optional Shows MKA summary information summary Comma...

Page 865: ...SCI Key Server Priority 7F649D00075CA2B14065F50D 12466 00b0 e135 9c23 0001 4 9 67DF7F5DE06AFC9A2F125914 12464 9c57 adfd 8acb 0001 2 9 57BCB803EB00453525F7382C 12466 9c57 adfd 8acc 0001 1 9 Detailed Status for MKA Session Interface Name Ethernet4 27 Session Status Secured Local Tx SCI 5006 ab91 9f4e 0001 Local Tx SSCI 2 MKA Port Identifier 2 CAK Name CKN 10000000000000000000000000000000000000000000...

Page 866: ...0 SAKs Received 60 SAK Responses Received 0 MKPDU Statistics MKPDUs Transmitted 18676 Distributed SAK 0 MKPDUs Validated Rx 55986 Distributed SAK 60 MKA IDB Statistics MKPDUs Tx Success 19147 MKPDUs Tx Fail 0 MKPDUS Tx Pkt build fail 0 MKPDUS No Tx on intf down 0 MKPDUS No Rx on intf down 0 MKPDUs Rx CA Not found 0 MKPDUs Rx Error 0 MKPDUs Rx Success 55986 MKPDU Failures MKPDU Rx Validation 0 MKPD...

Page 867: ...set for MKA encryption conf offset Enables the MKA feature feature mka Creates a key or enters the configuration mode of an existing key key Creates a keychain or enters the configuration mode of an existing keychain key chain keychain name Configures the text for a MACsec key key octet string Configures the preference for a device to serve as the key server for MKA encryption key server priority ...

Page 868: ...l the MACsec policies switch show macsec policy MACsec Policy Cipher Pri Window Offset Security SAK Rekey time p1 GCM AES XPN 128 9 0 0 must secure 60 system default macsec policy GCM AES XPN 256 16 0 0 must secure pn exhaust This example shows how to display the details of the user defined MACsec policy switch show macsec policy p1 MACsec Policy Cipher Pri Window Offset Security SAK Rekey time p1...

Page 869: ...ey key octet string Configures the preference for a device to serve as the key server for MKA encryption key server priority Configures the MACsec keychain policy macsec keychain policy Configures the MACsec policy macsec policy Sets an expiry time for a force SAK rekey sak expiry time time Displays the configuration of the specified keychain show key chain Displays the details of MKA show macsec ...

Page 870: ...mmand History Modification Release This command was introduced 6 1 4 Usage Guidelines This command does not require a license Examples This example shows how to display the secure mode for changing password switch show password secure mode Password secure mode is enabled Related Commands Description Command Enables password strength checking password strength check Cisco Nexus 7000 Series Security...

Page 871: ...as introduced 4 0 3 Usage Guidelines This command does not require a license Examples This example shows how to display password strength checking status switch show password strength check Password strength check enabled Related Commands Description Command Enables password strength checking password strength check Displays security feature configuration in the running configuration show running ...

Page 872: ... History Modification Release Added the inst all keyword 8 1 1 This command was introduced 6 2 2 Usage Guidelines Use this command to display the policy values with associated class maps and drops per policy or class map It also displays the scale factor values when a CoPP policy is applied When the scale factor value is the default 1 00 it is not displayed The scale factor changes the CIR BC PIR ...

Page 873: ...tch access group name copp system p acl bgp match access group name copp system p acl rip match access group name copp system p acl vpc match access group name copp system p acl bgp6 match access group name copp system p acl lisp match access group name copp system p acl ospf match access group name copp system p acl rip6 match access group name copp system p acl rise match access group name copp ...

Page 874: ...oup name copp system p acl cts match access group name copp system p acl glbp match access group name copp system p acl hsrp match access group name copp system p acl vrrp match access group name copp system p acl wccp match access group name copp system p acl hsrp6 match access group name copp system p acl vrrp6 match access group name copp system p acl opflex match access group name copp system ...

Page 875: ...iption Command Displays the CoPP status including the last configuration operation and its status show copp status Cisco Nexus 7000 Series Security Command Reference 849 Show Commands show policy map interface control plane ...

Page 876: ...e a license Examples This example shows how to display control plane policy map information switch show policy map type control plane policy map type control plane copp system policy class copp system class critical police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop class copp system class important police cir 1000 kbps bc 1500 bytes pir 15...

Page 877: ...ty command to view the status of the port security feature on a device switch show port security Total Secured Mac Addresses in System excluding one mac per port 0 Max Addresses limit in System excluding one mac per port 8192 Secure Port MaxSecureAddr CurrentAddr SecurityViolation Security Action Count Count Count Ethernet1 4 5 1 0 Shutdown switch Related Commands Description Command Enables the p...

Page 878: ...Description Command Configures port security on a Layer 2 interface switchport port security Cisco Nexus 7000 Series Security Command Reference 852 Show Commands show port security ...

Page 879: ...ny command mode Command History Modification Release Support for Layer 2 port channel interfaces was added 4 2 1 This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to use the show port security address command to view information about all MAC addresses secured by port security switch show port security address Total Secured M...

Page 880: ...emaining Age mins 1 00EE 378A ABCE STATIC Ethernet1 4 0 switch Related Commands Description Command Enables the port security feature feature port security Shows the status of the port security feature show port security Shows the port security status for a specific interface show port security interface Configures port security on a Layer 2 interface switchport port security Cisco Nexus 7000 Seri...

Page 881: ...lease Support for Layer 2 port channel interfaces was added 4 2 1 This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to use the show port security interface command to view the status of the port security feature on the Ethernet 1 4 interface switch show port security interface ethernet 1 4 Port Security Enabled Port Status Se...

Page 882: ...atus of the port security feature show port security Shows MAC addresses secured by the port security feature show port security address Configures port security on a Layer 2 interface switchport port security Cisco Nexus 7000 Series Security Command Reference 856 Show Commands show port security interface ...

Page 883: ...e command to view the current privilege level username and status of cumulative privilege support switch show privilege User name admin Current privilege level 1 Feature privilege Enabled switch Related Commands Description Command Enables a user to move to a higher privilege level enable level Enables a secret password for a specific privilege level enable secret priv lvl Enables the cumulative p...

Page 884: ...ation cmds Displays the difference between the active configuration and the pending configuration pending diff Displays the status of the RADIUS CFS session session status Displays the status of the RADIUS CFS status Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Exa...

Page 885: ...tiated after enable last operation enable last operation status success This example shows how to display the pending RADIUS configuration switch show radius pending radius server host 10 10 1 1 key 7 qxz123aaa group server radius aaa private sg This example shows how to display the pending RADIUS configuration commands switch show radius pending cmds radius server host 10 10 1 1 key 7 qxz12345 au...

Page 886: ...quest Optional Displays information about the configured RADIUS server groups groups Optional Displays sorted by name information about the RADIUS servers sorted Optional Displays RADIUS statistics for the RADIUS servers statistics Command Default Displays the global RADIUS server configuration Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Us...

Page 887: ... server groups switch show radius server groups total number of groups 2 following RADIUS server groups are configured group radius server all configured radius servers group RadServer deadtime is 0 vrf is management This example shows how to display information for a specified RADIUS server group switch show radius server groups RadServer group RadServer deadtime is 0 vrf is management This examp...

Page 888: ...ting Statistics failed transactions 0 sucessfull transactions 0 requests sent 0 requests timed out 0 responses with no matching requests 0 responses not processed 0 responses containing errors 0 Related Commands Description Command Displays the RADIUS information in the running configuration file show running config radius Cisco Nexus 7000 Series Security Command Reference 862 Show Commands show r...

Page 889: ...ecific user role switch config show role name MyRole role MyRole description new role vlan policy deny permitted vlan 1 10 interface policy deny permitted interface Ethernet2 1 8 vrf policy permit default This example shows how to display information for all user roles in the default virtual device context VDC switch config show role role network admin description Predefined network admin role has...

Page 890: ...face Ethernet2 1 8 vrf policy permit default This example shows how to display information for all user roles in a nondefault virtual device context VDC switch MyVDC show role role vdc admin description Predefined vdc admin role has access to all commands within a VDC instance Rule Perm Type Scope Entity 1 permit read write role vdc operator description Predefined vdc operator role has access to a...

Page 891: ...mmand was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the user role features switch config show role feature feature aaa feature access list feature arp feature callhome feature cdp feature crypto feature gold feature install feature l3vm feature license feature ping feature platform feature qosmgr feature radius feature sche...

Page 892: ...access list clear mac access list clear arp access list clear vlan access map debug aclmgr feature arp show arp show ip arp config t ip arp clear ip arp debug ip arp debug filter ip arp content deleted This example shows how to display detailed information for a specific user role feature switch config show role feature name dot1x feature dot1x show dot1x config t dot1x dot1x clear dot1x debug dot...

Page 893: ...d was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the user role feature groups switch config show role feature group feature group L3 feature router bgp feature router eigrp feature router isis feature router ospf feature router rip feature group SecGroup feature aaa feature radius feature tacacs This example shows how to dis...

Page 894: ... filter ip ospf debug filter ospfv3 debug ip ospf debug ospfv3 clear ip ospf clear ip ospfv3 config t router ospf config t router ospfv3 feature router rip show rip config t rip rip clear rip debug rip show ip rip show ipv6 rip overload rip debug filter rip clear ip rip clear ipv6 rip config t router rip This example shows how to display information for a specific user role feature group switch co...

Page 895: ...Description Command Configures rules for user roles rule Cisco Nexus 7000 Series Security Command Reference 869 Show Commands show role feature group ...

Page 896: ...elines This command does not require a license Examples This example displays the user role configuration differences for the Cisco Fabric Services session switch show role pending Role test user Description new role Vlan policy permit default Interface policy permit default Vrf policy permit default Rule Perm Type Scope Entity 1 permit read write feature aaa Related Commands Description Command E...

Page 897: ...ntroduced 4 1 2 Usage Guidelines This command does not require a license Examples This example displays the user role configuration differences for the Cisco Fabric Services session switch show role pending Role test user Description new role Vlan policy permit default Interface policy permit default Vrf policy permit default Rule Perm Type Scope Entity 1 permit read write feature aaa Related Comm...

Page 898: ...sage Guidelines This command does not require a license Examples This example displays the user role configuration differences for the Cisco Fabric Services session switch show role session status Last Action Time Stamp Thu Nov 20 12 43 26 2008 Last Action Distribution Enable Last Action Result Success Last Action Failure Reason none Related Commands Description Command Enables Cisco Fabric Servic...

Page 899: ...cation Release This command was introduced 4 1 2 Usage Guidelines This command does not require a license Examples This example displays the user role configuration differences for the Cisco Fabric Services session switch show role status Distribution Enabled Session State Locked Related Commands Description Command Enables Cisco Fabric Services distribution for the user role configuration role di...

Page 900: ...configuration of MKA switch show run mka Command show running config mka Time Wed Apr 19 05 08 01 2017 version 8 2 0 SK 1 feature mka macsec policy p1 cipher suite GCM AES XPN 128 key server priority 9 security policy must secure sak expiry time 60 Related Commands Description Command Configures the cipher suite for encrypting traffic with MACsec cipher suite Configures the confidentiality offset ...

Page 901: ...ey server for MKA encryption key server priority Configures the MACsec keychain policy macsec keychain policy Configures the MACsec policy macsec policy Sets an expiry time for a force SAK rekey sak expiry time time Displays the configuration of the specified keychain show key chain Displays all the MACsec policies in the system show macsec policy Cisco Nexus 7000 Series Security Command Reference...

Page 902: ...red and default information all Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the configured AAA information in the running configuration switch show running config aaa version 4 0 1 Cisco Nexus 7000 Series Security Command...

Page 903: ...ing configuration switch show running config aclmgr all Command show running config aclmgr all Time Wed May 25 08 03 46 2011 version 5 2 1 ip access list acl1 ip access list cisco123 copp acl bgp 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ipv6 access list cisco123 copp acl bgp6 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ip access list c...

Page 904: ...0x8843 mac access list cisco123 copp acl mac dot1x 10 permit any 0180 c200 0003 0000 0000 0000 0x888e mac access list cisco123 copp acl mac fabricpath isis 10 permit any 0180 c200 0015 0000 0000 0000 20 permit any 0180 c200 0014 0000 0000 0000 mac access list cisco123 copp acl mac flow control 10 permit any 0180 c200 0001 0000 0000 0000 0x8808 mac access list cisco123 copp acl mac gold 10 permit a...

Page 905: ...Description Command Displays the CoPP configuration in the startup configuration show startup config copp Cisco Nexus 7000 Series Security Command Reference 879 Show Commands show running config aclmgr ...

Page 906: ...critical match access group name copp system acl arp match access group name copp system acl msdp class map type control plane match any copp system class important match access group name copp system acl gre match access group name copp system acl tacas class map type control plane match any copp system class normal match access group name copp system acl icmp match redirect dhcp snoop match redi...

Page 907: ...s class map type control plane match any copp system class normal match access group name copp system acl icmp match redirect dhcp snoop match redirect arp inspect match exception ip option match exception ip icmp redirect match exception ip icmp unreachable policy map type control plane copp system policy class copp system class critical police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 by...

Page 908: ... Services license Examples This example shows how to display the Cisco TrustSec configuration in the running configuration switch show running config cts version 4 0 1 feature cts cts role based enforcement cts role based sgt map 10 10 1 1 10 cts role based access list MySGACL permit icmp cts role based sgt 65535 dgt 65535 access list MySGACL cts sxp enable cts sxp connection peer 10 10 3 3 source...

Page 909: ...ing the feature dhcp command This command does not require a license Examples This example shows how to display the DHCP snooping configuration switch show running config dhcp version 4 0 1 feature dhcp interface Ethernet2 46 ip verify source dhcp snooping vlan ip arp inspection trust ip dhcp snooping ip arp inspection validate src mac dst mac ip ip source binding 10 3 2 2 0f00 60b3 2333 vlan 13 i...

Page 910: ...mand Enables the DHCP snooping feature on the device feature dhcp Globally enables DHCP snooping on the device ip dhcp snooping Enables or disables the DHCP relay agent service dhcp Displays general information about DHCP snooping show ip dhcp snooping Displays IP MAC address bindings including the static IP source entries show ip dhcp snooping binding Cisco Nexus 7000 Series Security Command Refe...

Page 911: ...y command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must enable the 802 1X feature by using the feature dot1x command before using this command This command does not require a license Examples This example shows how to display the configured 802 1X information in the running configuration switch show running config dot1x version 4 0 1 Cisco Ne...

Page 912: ...and Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must enable the EAPoUDP feature by using the feature eou command before using this command This command does not require a license Examples This example shows how to display the configured EAPoUDP information in the running configuration switch show running co...

Page 913: ...y command mode Command History Modification Release This command was introduced 5 0 2 Usage Guidelines You must use the feature ldap command before you can display LDAP information This command does not require a license Examples This example shows how to display LDAP information in the running configuration switch show running config ldap Related Commands Description Command Displays LDAP informa...

Page 914: ...command was introduced 4 0 3 Usage Guidelines This command does not require a license Examples This example shows how to display information for port security in the running configuration switch show running port security version 4 0 3 feature port security logging level port security 5 interface Ethernet2 3 switchport port security Related Commands Description Command Displays port security infor...

Page 915: ...e Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display information for RADIUS in the running configuration switch show running config radius Related Commands Description Command Displays RADIUS information show radius server Cisco Nexus 7000 Series Se...

Page 916: ...as introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display user account SSH server and Telnet server information in the running configuration switch show running config security version 5 1 1 username admin password 5 1 7Jwq LDM XF0M UWeT43DmtjZy8VP91 role network admin username adminbackup password 5 1 Oip C5Ci oOdx7oJSlBCFpNRmQK4na rol...

Page 917: ...d History Modification Release This command was introduced 4 0 1 Usage Guidelines You must use the feature tacacs command before you can display TACACS information This command does not require a license Examples This example shows how to display TACACS information in the running configuration switch show running config tacacs Related Commands Description Command Displays TACACS information show t...

Page 918: ...dification Release This command was introduced 8 0 1 Usage Guidelines None Examples This example shows how to display the status of system related security features switch show security system state XSPACE Non Executable stack Yes Non Executable heap Yes Non Writable text Yes ASLR ASLR enabled Yes CVE offset2lib Patch Present Randomization entropy Good OSC Version 1 0 0 SafeC Version 3 0 1 Cisco N...

Page 919: ...sage Guidelines None Examples This example shows how to display the hash digest entries switch show software integrity index 0 index pcr template hash template name algorithm filedata hash filename hint 1 10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima ng sha1 0000000000000000000000000000000000000000 boot_aggregate 2 10 1cb9d1e2795a75857f70d6a23cb77e4843467617 ima ng sha256 850c63f1b32f19b2dcde9fa...

Page 920: ...t require a license Examples This example shows how to display the SSH server key switch show ssh key rsa Keys generated Wed Aug 11 11 45 14 2010 ssh rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDypfN6FSHZDbFPWEoz7sgWCamhfoqjqYNoZMvySSb4 056LhWZ75D90KPo G XTo7QAyQMpLJSkwKcRkidgD4lwJaDd Ic Sl5SJ3i0jyM61Bwvi 8 J3JoIdft AvgH47GT5BdDD6hM7aUHq efSQSq8pGyDAR4Cw6UdY9HNAWoTw bitcount 1024 fingerprint cd 8d e3 0c 2a ...

Page 921: ...nd Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the SSH server status switch show ssh server ssh is enabled version 2 enabled Related Commands Description Command Enables the SSH server feature ssh Cisco Nexus 7000 Series Security Command Reference 89...

Page 922: ...as no arguments or keywords Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the AAA information in the startup configuration switch show startup config aaa version 4 0 1 Cisco Nexus 7000 Series Security Command Reference 896 ...

Page 923: ...up config saved at Mon May 23 05 44 16 2011 version 5 2 1 ip access list acl1 ip access list copp system p acl bgp 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ipv6 access list copp system p acl bgp6 10 permit tcp any gt 1024 any eq bgp 20 permit tcp any eq bgp any gt 1024 ip access list copp system p acl cts 10 permit tcp any any eq 64999 20 permit tcp any eq 64999 an...

Page 924: ...ermit icmp any any mld reduction ip access list copp system p acl igmp 10 permit igmp any 224 0 0 0 3 mac access list copp system p acl mac cdp udld vtp 10 permit any 0100 0ccc cccc 0000 0000 0000 mac access list copp system p acl mac cfsoe 10 permit any 0180 c200 000e 0000 0000 0000 0x8843 mac access list copp system p acl mac dot1x 10 permit any 0180 c200 0003 0000 0000 0000 0x888e mac access li...

Page 925: ...acl arp match access group name copp system acl msdp class map type control plane match any copp system class important match access group name copp system acl gre match access group name copp system acl tacas class map type control plane match any copp system class normal match access group name copp system acl icmp match redirect dhcp snoop match redirect arp inspect match exception ip option ma...

Page 926: ...ss default police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop policy map type control plane x class class default police cir 0 bps bc 0 bytes conform drop violate drop Cisco Nexus 7000 Series Security Command Reference 900 Show Commands show startup config copp ...

Page 927: ...Examples This example shows how to display the DHCP snooping configuration in the startup configuration switch show startup config dhcp version 4 0 1 feature dhcp interface Ethernet2 46 ip verify source dhcp snooping vlan ip arp inspection trust ip dhcp snooping ip arp inspection validate src mac dst mac ip ip source binding 10 3 2 2 0f00 60b3 2333 vlan 13 interface Ethernet2 46 ip source binding ...

Page 928: ...Description Command Shows DHCP snooping configuration in the running configuration show running config dhcp Cisco Nexus 7000 Series Security Command Reference 902 Show Commands show startup config dhcp ...

Page 929: ...mmand mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must enable the 802 1X feature by using the feature dot1x command before using this command This command does not require a license Examples This example shows how to display the 802 1X information in the startup configuration switch show startup config dot1x version 4 0 1 Cisco Nexus 7000 Series...

Page 930: ...Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must enable the EAPoUDP feature by using the feature eou command before using this command This command does not require a license Examples This example shows how to display the EAPoUDP information in the startup configuration switch show startup config eou versio...

Page 931: ... command before you can display LDAP information This command does not require a license Examples This example shows how to display the LDAP information in the startup configuration switch show startup config ldap Command show startup config ldap Time Wed Feb 17 13 02 31 2010 Startup config saved at Wed Feb 17 10 32 23 2010 version 5 0 2 feature ldap aaa group server ldap LDAPgroup1 no ldap search...

Page 932: ...command was introduced 4 0 3 Usage Guidelines This command does not require a license Examples This example shows how to display information for port security in the startup configuration switch show startup port security version 4 0 3 feature port security logging level port security 5 interface Ethernet2 3 switchport port security Related Commands Description Command Displays port security infor...

Page 933: ...ywords Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the RADIUS information in the startup configuration switch show startup config radius version 4 0 1 Cisco Nexus 7000 Series Security Command Reference 907 Show Commands s...

Page 934: ...idelines This command does not require a license Examples This example shows how to display the user account SSH server and Telnet server information in the startup configuration switch show startup config security version 5 1 1 username admin password 5 1 7Jwq LDM XF0M UWeT43DmtjZy8VP91 role network admin username adminbackup password 5 1 Oip C5Ci oOdx7oJSlBCFpNRmQK4na role network operator usern...

Page 935: ...ywords Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the TACACS information in the startup configuration switch show startup config tacacs version 4 0 1 Cisco Nexus 7000 Series Security Command Reference 909 Show Commands s...

Page 936: ...ress modules egress Optional Displays the module modulemodule Displays the mapping output for PORT VLAN TCAM bank chaining mode for an interface interface Displays the mapping output for PORT VLAN TCAM bank chaining mode for a VLAN vlan Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 7 3 0 D1 1 The vlan and interface keywords wer...

Page 937: ...n vlan ingress _________________________________________________________________________ Feature Rslt Type T0B0 T0B1 T1B0 T1B1 _________________________________________________________________________ QoS Qos X X RACL Acl X X PBR Acl X X VACL Acl X X DHCP Acl X X DHCP_FHS Acl X X DHCP_LDRA Acl X X ARP Acl X X Netflow Acl X X Netflow SVI Acl X X Netflow Sampler Acc X X Netflow Sampler SVI Acc X X S...

Page 938: ...Any command mode Command History Modification Release This command was introduced 6 2 2 Usage Guidelines This command does not require a license Examples This example shows how to display the feature group and class combination tables for ingress module 4 switch config show system internal access list feature bank class map ingress module 4 Feature Class Definition 0 CLASS_QOS QoS 1 CLASS_INBAND T...

Page 939: ... Enables ACL TCAM bank mapping for feature groups and classes hardware access list resource feature bank mapping Cisco Nexus 7000 Series Security Command Reference 913 Show Commands show system internal access list feature bank class map ...

Page 940: ...NABLED Default ACL DENY Bank Chaining VLAN VLAN Seq Feat Model NO_DENY_ACE_SUPPORT This pltfm supports seq feat model Bank Class Model DISABLED This pltfm supports bank class model Fabric path DNL DISABLED Seq Feat Model NO_DENY_ACE_SUPPORT This pltfm supports seq feat model L4 proto CAM extend DISABLED This pltfm supports L4 proto CAM extend MPLS Topmost As Pipe Mode DISABLED This pltfm supports ...

Page 941: ... supports mpls topmost as pipe mode LOU Threshold Value 5 Related Commands Description Command Enables ACL TCAM bank mapping for feature groups and classes hardware access list resource feature bank mapping Cisco Nexus 7000 Series Security Command Reference 915 Show Commands show system internal access list globals ...

Page 942: ...as introduced 5 1 1 Usage Guidelines This command does not require a license Examples This example shows how to display the inband and outband global rate limit configuration for packets that reach the supervisor module switch show system internal pktmgr internal control sw rate limit inband pps global threshold 12500 outband pps global threshold 15500 switch Related Commands Description Command C...

Page 943: ... of the UDP relay feature switch show system internal udp relay database UDP Relay enabled Yes Relay enabled on the following UDP Ports Sr No UDP Port Default Port 1 37 Yes 2 42 Yes 3 49 Yes 4 53 Yes 5 69 Yes 6 137 Yes 7 138 Yes Object Groups information Object Group Name iHello No of Relay Addresses 3 1 IP Addr 2 6 8 12 Netmask 255 255 255 255 2 IP Addr 9 8 7 6 Netmask 255 255 255 255 3 IP Addr 2...

Page 944: ...ands Description Command Enables the UDP relay feature ip forward protocol udp Configures the object group object group udp relay ip address Cisco Nexus 7000 Series Security Command Reference 918 Show Commands show system internal udp relay database ...

Page 945: ...ation and the pending configuration pending diff Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the TACACS CFS status switch show tacacs distribution status distribution enabled session ongoing no session db does not exist m...

Page 946: ... TACACS configuration commands switch show tacacs pending cmds tacacs server host 10 10 2 2 key 7 qxz12345 port 49 This example shows how to display the differences between the pending TACACS configuration and the current TACACS configuration switch show tacacs pending diff tacacs server host 10 10 2 2 Cisco Nexus 7000 Series Security Command Reference 920 Show Commands show tacacs ...

Page 947: ...out the configured TACACS server groups groups Optional Displays sorted by name information about the TACACS servers sorted Optional Displays TACACS statistics for the TACACS servers statistics Command Default Displays the global TACACS server configuration Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines TACACS preshared keys a...

Page 948: ... following TACACS server groups are configured group TacServer server 10 10 2 2 on port 49 deadtime is 0 vrf is vrf3 This example shows how to display information for a specified TACACS server group switch show tacacs server groups TacServer group TacServer server 10 10 2 2 on port 49 deadtime is 0 vrf is vrf3 This example shows how to display sorted information for all TACACS servers switch show ...

Page 949: ...s containing errors 0 Accounting Statistics failed transactions 0 sucessfull transactions 0 requests sent 0 requests timed out 0 responses with no matching requests 0 responses not processed 0 responses containing errors 0 Related Commands Description Command Displays the TACACS information in the running configuration file show running config tacacs Cisco Nexus 7000 Series Security Command Refere...

Page 950: ...es Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display the Telnet server status switch show telnet server telnet service enabled Related Commands Description Command Enables the Telnet server telnet server enable Cisco Nexus 7000 Series Security Command Reference ...

Page 951: ...me range is active which means that the current system time on the device falls within the configured time range This command does not require a license Examples This example shows how to use the show time range command without specifying a time range name on a device that has two time ranges configured where one of the time ranges is inactive and the other is active switch config time range show ...

Page 952: ...mit IPv6 Configures a permit rule for a MAC ACL permit MAC Displays all IPv6 ACLs or a specific IPv6 ACL show ipv6 access lists Displays all ACLs or a specific ACL show access lists Cisco Nexus 7000 Series Security Command Reference 926 Show Commands show time range ...

Page 953: ...shows how to display information for user accounts in the default virtual device context VDC switch show user account user admin this user account has no expiry date roles network admin user adminbackup this user account has no expiry date roles network operator This example shows how to display information for user accounts in a nondefault VDC switch MyVDC show user account user admin this user a...

Page 954: ...nse For security reasons this command does not show the private key Examples This example shows how to display the public key for the specified user switch show username admin keypair rsa Keys generated Mon Feb 15 08 10 45 2010 ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0 rIeMgXwv004lt hwOoyqIKbFGl1tmkFNm tozuazfL 4dH asAXZoJePDdiO1ILBGfrQgzyS5u3prXuXfgnWkTu0 4WlD0DF EPdsd3NNzNbpPFzNDVylPDyDfR X5SfVICioE...

Page 955: ...rates the SSH public and private keys and stores them in the home directory of the Cisco NX OS device for the specified user username username keypair generate Cisco Nexus 7000 Series Security Command Reference 929 Show Commands show username ...

Page 956: ...cense Examples This example shows how to display user session information in the default virtual device context VDC switch show users NAME LINE TIME IDLE PID COMMENT admin pts 1 Mar 17 15 18 5477 172 28 254 254 admin pts 9 Mar 19 11 19 23101 10 82 234 56 This example shows how to display information for user accounts in a nondefault VDC switch MyVDC show users admin pts 10 Mar 19 12 54 30965 10 82...

Page 957: ...e a license Examples This example shows how to use the show vlan access list command to display the contents of the ACL that the VLAN access map named vacl 01 is configured to use switch show vlan access list vacl 01 IP access list ipv4acl 5 deny ip 10 1 1 1 32 any 10 permit ip any any Related Commands Description Command Configures an VLAN access map vlan access map Displays all ACLs or a specifi...

Page 958: ...Description Command Displays all VLAN access maps or a specific VLAN access map show vlan access map Cisco Nexus 7000 Series Security Command Reference 932 Show Commands show vlan access list ...

Page 959: ...o specify an access map If you do not specify an access map name the device lists VLAN access maps alphabetically by access map name For each VLAN access map displayed the device shows the access map name the ACL specified by the match command and the action specified by the action command Use the show vlan filter command to see which VLANs have a VLAN access map applied to them This command does ...

Page 960: ...CL for traffic filtering in a VLAN access map match Displays information about how a VLAN access map is applied show vlan filter Configures a VLAN access map vlan access map Applies a VLAN access map to one or more VLANs vlan filter Cisco Nexus 7000 Series Security Command Reference 934 Show Commands show vlan access map ...

Page 961: ...se the access map keyword and specify an access map or you use the vlan keyword and specify a VLAN ID Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to display all VLAN access map information on a device that has only one VLAN access map applied austin vla...

Page 962: ...cess maps or a VLAN access map show vlan access map Configures a VLAN access map vlan access map Applies a VLAN access map to one or more VLANs vlan filter Cisco Nexus 7000 Series Security Command Reference 936 Show Commands show vlan filter ...

Page 963: ... 943 tacacs server host page 945 tacacs server key page 948 tacacs server test page 950 tacacs server timeout page 952 telnet page 953 telnet server enable page 955 telnet6 page 956 terminal verify only page 958 test aaa authorization command type page 960 time range page 962 trustedCert page 964 Cisco Nexus 7000 Series Security Command Reference 937 ...

Page 964: ...elines To use this command TACACS must be enabled using the feature tacacs command This command does not require a license Examples This example shows how to discard a TACACS CFS distribution session in progress switch configure terminal switch config tacacs abort Related Commands Description Command Enables TACACS feature tacacs Displays TACACS CFS distribution status and other details show tacac...

Page 965: ... must have distribution enabled using the tacacs distribute command CFS does not distribute the TACACS server group configurations periodic TACACS server testing configurations or server and global keys The keys are unique to the Cisco NX OS device and are not shared with other Cisco NX OS devices This command does not require a license Examples This example shows how to apply a TACACS configurati...

Page 966: ...led using the feature tacacs command CFS does not distribute the TACACS server group configurations periodic TACACS server testing configurations or server and global keys The keys are unique to the Cisco NX OS device and are not shared with other Cisco NX OS devices This command does not require a license Examples This example shows how to enable TACACS fabric distribution switch configure termin...

Page 967: ...individual TACACS server is greater than zero 0 that value takes precedence over the value set for the server group When the dead time interval is 0 minutes TACACS server monitoring is not performed unless the TACACS server is part of a server group and the dead time interval for the group is greater than 0 minutes You must use the feature tacacs command before you configure TACACS This command do...

Page 968: ...dead time interval for monitoring a nonresponsive TACACS server deadtime Displays TACACS server information show tacacs server Enables TACACS feature tacacs Cisco Nexus 7000 Series Security Command Reference 942 T Commands tacacs server deadtime ...

Page 969: ...ostname during login where vrfname is the virtual routing and forwarding VRF name to use and hostname is the name of a configured TACACS server The username is sent to the server name for authentication If you enable the directed request option the Cisco NX OS device uses only the RADIUS method for authentication and not the default local method Note This command does not require a license Example...

Page 970: ...n Command Displays a directed request TACACS server configuration show tacacs server directed request Enables TACACS feature tacacs Cisco Nexus 7000 Series Security Command Reference 944 T Commands tacacs server directed request ...

Page 971: ... X X X X format ipv6 address Optional Configures the TACACS server s shared secret key key Optional Configures a preshared key specified in cleartext indicated by 0 to authenticate communication between the TACACS client and server This is the default 0 Optional Configures a preshared key specified in encrypted text indicated by 7 to authenticate communication between the TACACS client and server ...

Page 972: ...Command History Modification Release The single connection keyword was added 6 2 2 This command was introduced 4 0 1 Usage Guidelines You must use the feature tacacs command before you configure TACACS When the idle time interval is 0 minutes periodic TACACS server monitoring is not performed This command does not require a license Examples This example shows how to configure TACACS server host pa...

Page 973: ...lated Commands Description Command Displays TACACS server information show tacacs server Enables TACACS feature tacacs Cisco Nexus 7000 Series Security Command Reference 947 T Commands tacacs server host ...

Page 974: ...ate communication between the TACACS client and server The preshared key is alphanumeric case sensitive and has a maximum of 63 characters shared secret Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You must configure the TACACS preshared key to authenticate the device to the TACACS server The length ...

Page 975: ...fig tacacs server key AnyWord switch config tacacs server key 0 AnyWord switch config tacacs server key 7 public Related Commands Description Command Displays TACACS server information show tacacs server Enables TACACS feature tacacs Cisco Nexus 7000 Series Security Command Reference 949 T Commands tacacs server key ...

Page 976: ...packets The password is alphanumeric case sensitive and has a maximum of 32 characters password password Specifies a username in the test packets The name is alphanumeric not case sensitive and has a maximum of 32 characters To protect network security we recommend that you use a username that is not the same as an existing username in the TACACS database Note username name Command Default Server ...

Page 977: ...and does not require a license Examples This example shows how to configure the parameters for global TACACS server monitoring switch configure terminal switch config tacacs server test username user1 password Ur2Gd2BH idle time 3 Related Commands Description Command Displays TACACS server information show tacacs server Cisco Nexus 7000 Series Security Command Reference 951 T Commands tacacs serve...

Page 978: ...se This command was introduced 4 0 1 Usage Guidelines You must use the feature tacacs command before you configure TACACS This command does not require a license Examples This example shows how to configure the TACACS server timeout value switch configure terminal switch config tacacs server timeout 3 This example shows how to revert to the default TACACS server timeout value switch configure term...

Page 979: ...the Telnet session The name is case sensitive vrfvrf name Command Default Port 23 Default VRF Command Modes Any command mode Command History Modification Release This command was introduced 4 0 1 Usage Guidelines To use this command you must enable the Telnet server using the feature telnet command To create a Telnet session with IPv6 addressing use the telnet6 command The Cisco NX OS software sup...

Page 980: ...scription Command Clears Telnet sessions clear line Creates a Telnet session using IPv6 addressing telnet6 Enables the Telnet server feature telnet Cisco Nexus 7000 Series Security Command Reference 954 T Commands telnet ...

Page 981: ...ced with the feature telnet command 4 1 2 This command was introduced 4 0 1 Usage Guidelines This command does not require a license Examples This example shows how to enable the Telnet server switch configure terminal switch config telnet server enable This example shows how to disable the Telnet server switch configure terminal switch config no telnet server enable XML interface to system may be...

Page 982: ...Telnet session The name is case sensitive vrfvrf name Command Default Port 23 Default VRF Command Modes Any command mode Command History Modification Release This command was introduced 4 0 2 Usage Guidelines To use this command you must enable the Telnet server using the feature telnet command To create a Telnet session with IPv4 addressing use the telnet command The Cisco NX OS software supports...

Page 983: ...scription Command Clears Telnet sessions clear line Creates a Telnet session using IPv4 addressing telnet Enables the Telnet server feature telnet Cisco Nexus 7000 Series Security Command Reference 957 T Commands telnet6 ...

Page 984: ...idelines When you enable command authorization verification the CLI indicates if the command is successfully authorized for the user but does not execute the command The command authorization verification uses the methods configured in the aaa authorization commands default command and the aaa authorization config commands default command This command does not require a license Examples This examp...

Page 985: ...Description Command Configures authorization for configuration commands aaa authorization config commands default Cisco Nexus 7000 Series Security Command Reference 959 T Commands terminal verify only ...

Page 986: ...ommand command string Command Default None Command Modes Any command mode Command History Modification Release This command was introduced 4 2 1 Usage Guidelines To use the test aaa authorization command type command you must enable the TACACS feature using the feature tacacs command You must configure a TACACS group on the Cisco NX OS device using the aaa server group command before you can test ...

Page 987: ...ds aaa authorization commands default Configures authorization for configuration commands aaa authorization config commands default Configures AAA server groups aaa group server Cisco Nexus 7000 Series Security Command Reference 961 T Commands test aaa authorization command type ...

Page 988: ...ommand does not require a license You can use a time range in permit and deny commands for IPv4 and IPv6 ACLs Examples This example shows how to use the time range command and enter time range configuration mode switch configure terminal switch config time range workweek vpn access switch config time range Related Commands Description Command Specifies a time range that has a specific start date a...

Page 989: ...Description Command Configures an IPv4 permit rule permit IPv4 Configures an IPv6 permit rule permit IPv6 Cisco Nexus 7000 Series Security Command Reference 963 T Commands time range ...

Page 990: ...ignated name for the LDAP search map The name is alphanumeric case sensitive and has a maximum of 128 characters base DN base DN name Command Default None Command Modes LDAP search map configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not require a license Examples This example shows how ...

Page 991: ...ption Command Enables LDAP feature ldap Configures an LDAP search map ldap search map Displays the configured LDAP search maps show ldap search map Cisco Nexus 7000 Series Security Command Reference 965 T Commands trustedCert ...

Page 992: ...Cisco Nexus 7000 Series Security Command Reference 966 T Commands trustedCert ...

Page 993: ...U Commands user certdn match page 968 username page 970 userprofile page 975 user pubkey match page 977 user switch bind page 979 use vrf page 981 Cisco Nexus 7000 Series Security Command Reference 967 ...

Page 994: ...ters search filter filter Specifies the base designated name for the LDAP search map The name is alphanumeric case sensitive and has a maximum of 128 characters base DN base DN name Command Default None Command Modes LDAP search map configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not re...

Page 995: ...on Command Enables LDAP feature ldap Configures an LDAP search map ldap search map Displays the configured LDAP search maps show ldap search map Cisco Nexus 7000 Series Security Command Reference 969 U Commands user certdn match ...

Page 996: ... Cisco NX OS software allows these special characters in the user id argument text string _ Note user id Optional Specifies the expire date for the user account The format for the date argument is YYYY MM DD expire date Optional Specifies a password for the account The default is no password password Optional Specifies that the password is in clear text Clear text passwords are encrypted before th...

Page 997: ...g user account ssh cert dn Specifies the distinguished name which can be up to 512 characters and must follow the Open SSL format dn name Specifies the bootflash filename bootflash filename Specifies the remote filename volatile filename Specifies the privilege level to which the user is assigned The range is from 0 to 15 priv lvl n Command Default Unless specified usernames have no expire date pa...

Page 998: ...User accounts are local to the VDCs You can create user accounts with the same user identifiers in different VDCs The Cisco NX OS software does not support all numeric usernames whether created with TACACS or RADIUS or created locally Local users with all numeric names cannot be created If an all numeric user name exists on an AAA server and is entered during login the user is not logged in Cautio...

Page 999: ... example shows how to export the public and private keys from the home directory of the Cisco NX OS device to the bootflash directory switch configure t switch config username user1 keypair export bootflash key_rsa rsa Enter Passphrase switch config dir 951 Jul 09 11 13 59 2009 key_rsa 221 Jul 09 11 14 00 2009 key_rsa pub The private key is exported as the file that you specify and the public key ...

Page 1000: ...a switch config crypto ca trustpoint tp1 switch config trustpoint crypto ca authenticate tp1 switch config trustpoint crypto ca crl request tp1 bootflash crl1 crl switch config trustpoint exit switch config exit Related Commands Description Command Enables a user to move to a higher privilege level enable level Enables a secret password for a specific privilege level enable secret priv lvl Enables...

Page 1001: ...search filter filter Specifies the base designated name for the LDAP search map The name is alphanumeric case sensitive and has a maximum of 128 characters base DN base DN name Command Default None Command Modes LDAP search map configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not require...

Page 1002: ...ption Command Enables LDAP feature ldap Configures an LDAP search map ldap search map Displays the configured LDAP search maps show ldap search map Cisco Nexus 7000 Series Security Command Reference 976 U Commands userprofile ...

Page 1003: ...ters search filter filter Specifies the base designated name for the LDAP search map The name is alphanumeric case sensitive and has a maximum of 128 characters base DN base DN name Command Default None Command Modes LDAP search map configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not re...

Page 1004: ...on Command Enables LDAP feature ldap Configures an LDAP search map ldap search map Displays the configured LDAP search maps show ldap search map Cisco Nexus 7000 Series Security Command Reference 978 U Commands user pubkey match ...

Page 1005: ...acters search filter filter Specifies the base designated name for the LDAP search map The name is alphanumeric case sensitive and has a maximum of 128 characters base DN base DN name Command Default None Command Modes LDAP search map configuration Command History Modification Release This command was introduced 5 0 2 Usage Guidelines To use this command you must enable LDAP This command does not ...

Page 1006: ...on Command Enables LDAP feature ldap Configures an LDAP search map ldap search map Displays the configured LDAP search maps show ldap search map Cisco Nexus 7000 Series Security Command Reference 980 U Commands user switch bind ...

Page 1007: ...he aaa group server radius command to enter RADIUS server group configuration mode the aaa group server tacacs command to enter TACACS server group configuration mode or the aaa group server ldap command to enter LDAP server group configuration mode If the server is not found use the radius server host command the tacacs server host command or the ldap server host command to configure the server Y...

Page 1008: ...fig tacacs use vrf vrf3 This example shows how to remove the VRF name from an LDAP server group switch configure t switch config feature ldap switch config aaa group server ldap LdapServer switch config tacacs no use vrf vrf3 Related Commands Description Command Configures AAA server groups aaa group server Configures a RADIUS server radius server host Displays LDAP server information show ldap se...

Page 1009: ...V Commands vlan access map page 984 vlan filter page 986 vlan policy deny page 988 vrf policy deny page 990 Cisco Nexus 7000 Series Security Command Reference 983 ...

Page 1010: ...end of the VLAN access map and assigns a sequence number that is 10 greater than the sequence number of the preceding entry When you use the no form of the command use the sequence number argument to specify an entry that you want to remove Omit the sequence number argument if you want to remove the entire VLAN access map sequence number Name of the VLAN access map that you want to create or confi...

Page 1011: ...tch mac address mac acl 00e switch config access map action drop switch config access map statistics per entry switch config access map show vlan access map Vlan access map vlan map 01 10 match ip ip acl 01 match mac mac acl 00f action forward Vlan access map vlan map 01 20 match ip ip acl 320 match mac mac acl 00e action drop statistics per entry Related Commands Description Command Specifies an ...

Page 1012: ... you use the no form of this command the VLAN list argument is optional If you omit this argument the device removes the access map from all VLANs where the access map is applied Note vlan list VLAN list Command Default None Command Modes Global configuration Command History Modification Release This command was introduced 4 0 1 Usage Guidelines You can apply a VLAN access map to one or more VLANs...

Page 1013: ... to VLANs 20 through 29 and 33 through 45 switch show vlan filter vlan map vlan map 01 Configured on VLANs 20 45 switch config no vlan filter vlan map 01 30 32 switch show vlan filter vlan map vlan map 01 Configured on VLANs 20 29 33 45 Related Commands Description Command Specifies an action for traffic filtering in a VLAN access map action Specifies an ACL for traffic filtering in a VLAN access ...

Page 1014: ...n user role VLAN policy configuration mode This command does not require a license Examples This example shows how to enter user role VLAN policy configuration mode for a user role switch configure t switch config role name MyRole switch config role vlan policy deny switch config role vlan This example shows how to revert to the default VLAN policy for a user role switch configure t switch config ...

Page 1015: ...Cisco Nexus 7000 Series Security Command Reference 989 V Commands vlan policy deny ...

Page 1016: ...g thepermit vrf command in user role VRF policy configuration mode This command does not require a license Examples This example shows how to enter VRF policy configuration mode for a user role switch configure t switch config role name MyRole switch config role vrf policy deny switch config role vrf This example shows how to revert to the default VRF policy for a user role switch configure t swit...

Page 1017: ...Cisco Nexus 7000 Series Security Command Reference 991 V Commands vrf policy deny ...

Page 1018: ...Cisco Nexus 7000 Series Security Command Reference 992 V Commands vrf policy deny ...

Search results

Summary of Contents for Nexus 7000 Series

Reviews:

Related manuals for Nexus 7000 Series

Brands by name

Popular brands

Cisco Nexus 7000 Series, Command Reference Manual

Search results

Summary of Contents for Nexus 7000 Series

Reviews:

Related manuals for Nexus 7000 Series

Brands by name

Popular brands