manualshive.com logo in svg

Cisco Nexus 3600 NX-OS, Руководство по настройке безопасности

Cisco Nexus 3600 с операционной системой NX-OS предлагает высокий уровень защиты данных. С помощью "Security Configuration Manual" вы можете настроить безопасность сети. Скачайте этот руководство бесплатно с manualshive.com, чтобы обеспечить надежную защиту вашей инфраструктуры.

Поделиться
Скачать
background image

You can use the access control entry (ACE) hit counters in the hardware only for ACL logic. Use the
software ACE hit counters and the

show access-lists

and

show policy-map type control-plane

commands

to evaluate CPU traffic.

The Cisco NX-OS device hardware performs CoPP on a per-forwarding-engine basis. CoPP does not
support distributed policing. Therefore, you should choose rates so that the aggregate traffic does not
overwhelm the supervisor module.

If multiple flows map to the same class, individual flow statistics will not be available.

If you upgrade from a Cisco NX-OS release that supports the CoPP feature to a Cisco NX-OS release
that supports the CoPP feature with additional classes for new protocols, you must either run the setup
utility using the

setup

command or use the

copp profile

command for the new CoPP classes to be

available.

Before you downgrade from a Cisco NX-OS release that supports the CoPP feature to an earlier Cisco
NX-OS release that supports the CoPP feature, you should verify compatibility using the

show

incompatibility nxos bootflash:filename

command. If an incompatibility exists, disable any features

that are incompatible with the downgrade image before downgrading the software.

You cannot disable CoPP. If you attempt to disable it, packets are rate limited at 50 packets per seconds
[for releases prior to Cisco NX-OS Release 7.0(3)I2(1)], or an error message appears [starting with Cisco
NX-OS Release 7.0(3)I2(1)].

Cisco Nexus 9200 Series switches support CoPP policer rates only in multiples of 10 kbps. If a rate is
configured that is not a multiple of 10 kbps, the rate is rounded down. For example, the switch will use
50 kbps if a rate of 55 kbps is configured. (The

show policy-map type control-plane

command shows

the user configured rate. See

Verifying the CoPP Configuration, on page 135

for more information.)

For Cisco Nexus 9200 Series switches, ip icmp redirect, ipv6 icmp redirect, ip icmp unreachable, ipv6
icmp unreachable, and mtu-failure use the same TCAM entry, and they will all be classified to the class
map where the first exception is present in the policy. In the CoPP strict profile, they are classified to
the class-exception class map. In a different CoPP policy, if the first exception is in a different class map
(for example, class-exception-diag), the rest of the exceptions will be classified to the same class map.

The copp-system-class-fcoe class is not supported for Cisco Nexus 9200 Series switches.

The following guidelines and limitations apply to static CoPP ACLs:

Only Cisco Nexus 9200 Series switches use static CoPP ACLs.

Static CoPP ACLs can be remapped to a different CoPP class.

Access control entries (ACEs) cannot be modified or removed for static CoPP ACLs.

If a CoPP ACL has a static ACL substring, it will be mapped to that type of traffic. For example,
if the ACL includes the acl-mac-stp substring, STP traffic will be classified to the class map for
that ACL.

Static CoPP ACLs take priority over dynamic CoPP ACLs, regardless of their position in the CoPP
policy, the order in which they are configured, and how they appear in the output of the

show

policy-map type control-plane

command.

You must have static CoPP ACLs in the CoPP policy. Otherwise, the CoPP policy will be rejected.

   Cisco Nexus 3600 NX-OS Security Configuration Guide, Release 7.x

126

Configuring Control Plane Policing

Guidelines and Limitations for CoPP

Содержание Nexus 3600 NX-OS

Страница 1: ...guration Guide Release 7 x First Published 2017 09 27 Last Modified 2018 02 27 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Страница 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Страница 3: ...2 Overview 3 Authentication Authorization and Accounting 3 RADIUS and TACACS Security Protocols 4 SSH and Telnet 4 SSH and Telnet 5 IP ACLs 5 C H A P T E R 3 Configuring AAA 7 Information About AAA 7 AAA Security Services 7 Benefits of Using AAA 8 Remote AAA Services 8 AAA Server Groups 8 AAA Service Configuration Options 9 Authentication and Authorization Process for User Logins 10 Prerequisites ...

Страница 4: ...for Login Parameters 22 Restricting Sessions Per User Per User Per Login 23 Enabling the Password Prompt for User Name 24 Configuring Share Key Value for using RADIUS TACACS 24 Monitoring and Clearing the Local AAA Accounting Log 25 Verifying the AAA Configuration 25 Configuration Examples for AAA 26 Default AAA Settings 26 C H A P T E R 4 Configuring RADIUS 29 Information About RADIUS 29 RADIUS N...

Страница 5: ...ult Settings for RADIUS 44 Feature History for RADIUS 44 C H A P T E R 5 Configuring TACACS 45 Information About Configuring TACACS 45 TACACS Advantages 45 User Login with TACACS 46 Default TACACS Server Encryption Type and Preshared Key 46 TACACS Server Monitoring 47 Prerequisites for TACACS 47 Guidelines and Limitations for TACACS 48 Configuring TACACS 48 TACACS Server Configuration Process 48 E...

Страница 6: ... User Accounts 62 Specifying the SSH Public Keys in Open SSH Format 62 Specifying the SSH Public Keys in IETF SECSH Format 63 Specifying the SSH Public Keys in PEM Formatted Public Key Certificate Form 63 Configuring the SSH Source Interface 64 Starting SSH Sessions to Remote Devices 65 Clearing SSH Hosts 65 Disabling the SSH Server 65 Deleting SSH Server Keys 66 Clearing SSH Sessions 66 Configura...

Страница 7: ...nits 78 ACL TCAM Regions 78 Licensing Requirements for ACLs 79 Prerequisites for ACLs 79 Guidelines and Limitations for ACLs 80 Default ACL Settings 80 ACL Logging 81 Configuring IP ACLs 81 Creating an IP ACL 81 Configuring IPv4 ACL Logging 82 Changing an IP ACL 84 Removing an IP ACL 85 Changing Sequence Numbers in an IP ACL 86 Applying an IP ACL to mgmt0 86 Applying an IP ACL as a Port ACL 87 App...

Страница 8: ...ocess 102 Global Statistics 102 Licensing Requirements for Unicast RPF 103 Guidelines and Limitations for Unicast RPF 103 Default Settings for Unicast RPF 104 Configuring Unicast RPF 104 Configuration Examples for Unicast RPF 106 Verifying the Unicast RPF Configuration 106 Additional References for Unicast RPF 107 C H A P T E R 9 Configuring Control Plane Policing 109 About CoPP 109 Control Plane ...

Страница 9: ...a Control Plane Class Map 127 Configuring a Control Plane Policy Map 129 Configuring the Control Plane Service Policy 131 Configuring the CoPP Scale Factor Per Line Card 132 Changing or Reapplying the Default CoPP Policy 133 Copying the CoPP Best Practice Policy 134 Verifying the CoPP Configuration 135 Displaying the CoPP Configuration Status 137 Monitoring CoPP 137 Clearing the CoPP Statistics 13...

Страница 10: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x x Contents ...

Страница 11: ...t Conventions Command descriptions use the following conventions Description Convention Bold text indicates the commands and keywords that you enter literally as shown bold Italic text indicates arguments for which the user supplies the values Italic Square brackets enclose an optional element keyword or argument x Square brackets enclosing keywords or arguments separated by a vertical bar indicat...

Страница 12: ...kets Default responses to system prompts are in square brackets An exclamation point or a pound sign at the beginning of a line of code indicates a comment line Obtaining Documentation and Submitting a Service Request For information on obtaining documentation using the Cisco Bug Search Tool BST submitting a service request and gathering additional information see What s New in Cisco Product Docum...

Страница 13: ... documentation set is available at the following URL http www cisco com c en us support switches nexus 3000 series switches tsd products support series home html Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x xiii Preface Related Documentation for Cisco Nexus 3600 Platform Switches ...

Страница 14: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x xiv Preface Related Documentation for Cisco Nexus 3600 Platform Switches ...

Страница 15: ...Description Feature About System ACLs on page 89 7 0 3 F3 4 Added support for configuring system ACLs System ACLs Configuring IP ACLs on page 75 7 0 3 F3 1 Added support for Access Control Lists ACLs Access Control Lists Configuring AAA on page 7 7 0 3 F3 1 Added support for Authentication Authorization and Accounting AAA Authentication Authorization and Accounting Configuring SSH and Telnet on pa...

Страница 16: ... 101 7 0 3 F3 1 Added support for unicast RPF Unicast RPF Configuring Control Plane Policing on page 109 7 0 3 F3 1 Added support for CoPP Control Plane Policing CoPP Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 2 New and Changed Information New and Changed Information ...

Страница 17: ...at you select encryption Authentication is the way a user is identified prior to being allowed access to the network and network services You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces Authorization Provides the method for remote access control including one time authorization or authorization for each service p...

Страница 18: ...and send authentication requests to a central RADIUS server that contains all user authentication and network service access information TACACS A security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server TACACS services are maintained in a database on a TACACS daemon running typically on a UNI...

Страница 19: ...ce to the other Telnet can accept either an IP address or a domain name as the remote device address IP ACLs IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the Layer 3 header of packets Each rule specifies a set of conditions that a packet must satisfy to match the rule When the Cisco NX OS software determines that an IP ACL applies to a packet it...

Страница 20: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 6 Overview IP ACLs ...

Страница 21: ... The Cisco Nexus device supports Remote Access Dial In User Service RADIUS or Terminal Access Controller Access Control device Plus TACACS protocols Based on the user ID and password that you provide the switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers A preshared secret key provides security for...

Страница 22: ...ocal AAA services User password lists for each switch in the fabric are easier to manage AAA servers are already deployed widely across enterprises and can be easily used for AAA services The accounting log for all switches in the fabric can be centrally managed User attributes for each switch in the fabric are easier to manage than using the local databases on the switches AAA Server Groups You c...

Страница 23: ... RADIUS or TACACS server groups for authentication Local Uses the local username or password database for authentication None Uses only the username If the method is for all RADIUS servers instead of a specific server group the Cisco Nexus devices choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration Servers from this global pool are the servers t...

Страница 24: ... is tried and so on until the remote server responds to the authentication request If all AAA servers in the server group fail to respond the servers in the next server group are tried If all configured methods fail the local database is used for authentication If a Cisco Nexus device successfully authenticates you through a remote AAA server the following conditions apply If the AAA server protoc...

Страница 25: ...tes for Remote AAA Remote AAA servers have the following prerequisites At least one RADIUS or TACACS server must be IP reachable The Cisco Nexus device is configured as a client of the AAA servers The preshared secret key is configured on the Cisco Nexus device and on the remote AAA servers The remote server responds to AAA requests from the Cisco Nexus device Cisco Nexus 3600 NX OS Security Confi...

Страница 26: ...ng Global pool of RADIUS servers Named subset of RADIUS or TACACS servers Local database on the Cisco Nexus device Username only none The default method is local The group radius and group server name forms of the aaa authentication command are used for a set of previously defined RADIUS servers Use the radius server host command to configure the host servers Use the aaa group server radius comman...

Страница 27: ...nfigured methods fail to respond Exits global configuration mode switch config exit Step 3 Optional Displays the configuration of the console login authentication methods switch show aaa authentication Step 4 Optional Copies the running configuration to the startup configuration switch copy running config startup config Step 5 This example shows how to configure authentication methods for the cons...

Страница 28: ...configuration of the default login authentication methods switch show aaa authentication Step 4 Optional Copies the running configuration to the startup configuration switch copy running config startup config Step 5 Enabling Login Authentication Failure Messages When you log in the login is processed by the local user database if the remote AAA servers do not respond If you have enabled the displa...

Страница 29: ...or user admin from 172 22 00 00 When logging level authpriv is 6 additional Linux kernel authentication messages appear along with the previous message If these additional messages need to be ignored the authpriv value should be set to 3 Note Logs all successful authentication messages to the configured syslog server With this configuration the following syslog message appears after the successful...

Страница 30: ...nd all configuration mode commands The authorization methods include the following Group TACACS server group Local Local role based authorization None No authorization is performed The default method is Local There is no authorization on the console session Note Before You Begin You must enable TACACS before configuring AAA command authorization Procedure Purpose Command or Action Enters global co...

Страница 31: ... based on the user s local role switch config aaa authorization config commands default group tac1 local The followng example shows how to authorize configuration mode commands with TACACS server group tac1 If the server is reachable the command is allowed or not allowed based on the server response If there is an error reaching the server allow the command regardless of the local role switch aaa ...

Страница 32: ...e Command or Action Enters global configuration mode switch configure terminal Step 1 Enables MS CHAP authentication The default is disabled switch config aaa authentication login mschap enable Step 2 Exits configuration mode switch config exit Step 3 Optional Displays the MS CHAP configuration switch show aaa authentication login mschap Step 4 Optional Copies the running configuration to the star...

Страница 33: ...gure terminal Step 1 Configures the default accounting method One or more server group names can be specified in a space separated list switch config aaa accounting default group group list local Step 2 The group list argument consists of a space delimited list of group names The group names are the following radius Uses the global pool of RADIUS servers for accounting named group Uses a named sub...

Страница 34: ...ation results This authorization information is specified through VSAs VSA Format The following VSA protocol options are supported by the Cisco Nexus device Shell Used in access accept packets to provide user profile information Accounting Used in accounting request packets If a value contains any white spaces put it within double quotation marks The following attributes are supported by the Cisco...

Страница 35: ... Configuration Examples for Login Parameters Restricting Sessions Per User Per User Per Login Enabling the Password Prompt for User Name Configuring Share Key Value for using RADIUS TACACS Configuring Login Parameters Use this task to configure your Cisco NX OS device for login parameters that help detect suspected DoS attacks and slow down dictionary attacks All login parameters are disabled by d...

Страница 36: ...ters show login failures Step 5 Example Switch show login failures Displays information related only to failed login attempts Configuration Examples for Login Parameters Setting Login Parameters Example The following example shows how to configure your switch to enter a 100 second quiet period if 15 failed login attempts is exceeded within 100 seconds all login requests are denied during the quiet...

Страница 37: ...at no information is presently logged Switch show login failures No logged failed login attempts with the device Restricting Sessions Per User Per User Per Login Use this task to restrict the maximum sessions per user Procedure Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Restricts the maximum sessions per user The range is ...

Страница 38: ...ing RADIUS TACACS The shared secret you configure for remote authentication and accounting must be hidden For the radius server key and tacacs server key commands a separate command to generate encrypted shared secret can be used Procedure Purpose Command or Action Enters global configuration mode configure terminal Example Switch configure terminal Step 1 Configures RADIUS and TACACS shared secre...

Страница 39: ...utput The range is from 0 to 250000 bytes You can also specify a start time for the log output Optional Clears the accounting log contents switch clear accounting log Step 2 Verifying the AAA Configuration To display AAA configuration information perform one of the following tasks Purpose Command Displays AAA accounting configuration show aaa accounting Displays AAA authentication information show...

Страница 40: ...running config aaa all Displays the maximum number of login sessions allowed per user show running config all i max login Displays the AAA configuration in the startup configuration show startup config aaa Displays the minimum and maximum length of the user password show userpassphrase length max length min length Configuration Examples for AAA The following example shows how to configure AAA swit...

Страница 41: ...od Disabled Login authentication failure messages Disabled MSCHAP authentication local Default accounting method 250 KB Accounting log display length Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 27 Configuring AAA Default AAA Settings ...

Страница 42: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 28 Configuring AAA Default AAA Settings ...

Страница 43: ...Service RADIUS distributed client server system allows you to secure networks against unauthorized access In the Cisco implementation RADIUS clients run on Cisco Nexus device and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information RADIUS Network Environments RADIUS can be implemented in a variety of net...

Страница 44: ... to log in and authenticate to a Cisco Nexus device using RADIUS the following process occurs 1 The user is prompted for and enters a username and password 2 The username and encrypted password are sent over the network to the RADIUS server 3 The user receives one of the following responses from the RADIUS server ACCEPT The user is authenticated REJECT The user is not authenticated and is prompted...

Страница 45: ...live servers and dead servers are different and can be configured by the user The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server Note Vendor Specific Attributes The Internet Engineering Task Force IETF draft standard specifies a method for communicating vendor specific attributes VSAs between the network access server and the RADIUS server The I...

Страница 46: ...DIUS accounting protocol This attribute is sent only in the VSA portion of the Account Request frames from the RADIUS client on the switch It can be used only with the accounting protocol data units PDUs Prerequisites for RADIUS RADIUS has the following prerequisites You must obtain IPv4 or IPv6 addresses or hostnames for the RADIUS servers You must obtain preshared keys from the RADIUS servers En...

Страница 47: ...onfiguring Periodic RADIUS Server Monitoring on page 40 Configuring RADIUS Server Hosts You must configure the IPv4 or IPv6 address or the hostname for each RADIUS server that you want to use for authentication All RADIUS server hosts are added to the default RADIUS server group You can configure up to 64 RADIUS servers Procedure Purpose Command or Action Enters global configuration move switch co...

Страница 48: ...ured Exits configuration mode switch config exit Step 3 Optional Displays the RADIUS server configuration switch show radius server Step 4 The preshared keys are saved in encrypted form in the running configuration Use the show running config command to display the encrypted preshared keys Note Optional Saves the change persistenetly through reboots and restarts by copying the running configuratio...

Страница 49: ...ted form in the running configuration Use the show running config command to display the encrypted preshared keys Note Optional Saves the change persistenetly through reboots and restarts by copying the running configuration to the startup configuration switch copy running config startup contig Step 5 This example shows how to configure RADIUS preshared keys switch configure terminal switch config...

Страница 50: ...ad time value Note Optional Assigns a source interface for a specific RADIUS server group switch config radius source interface interface Step 5 The supported interface types are management and VLAN Use the source interface command to override the global source interface assigned by the ip radius source interface command Note Exits configuration mode switch config radius exit Step 6 Optional Displ...

Страница 51: ...nterface interface Step 2 interface can be the management or the VLAN interface Exits configuration mode switch config exit Step 3 Optional Displays the RADIUS server configuration information switch show radius server Step 4 Optional Copies the running configuration to the startup configuration switch copy running config startup config Step 5 This example shows how to configure the mgmt 0 interfa...

Страница 52: ... retry count and timeout interval for all RADIUS servers By default a switch retries transmission to a RADIUS server only once before reverting to local authentication You can increase this number up to a maximum of five retries per server The timeout interval determines how long the Cisco Nexus device waits for responses from RADIUS servers before declaring a timeout failure Procedure Purpose Com...

Страница 53: ...P port numbers where RADIUS accounting and authentication messages should be sent Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Optional Specifies a UDP port to use for RADIUS accounting messages The default UDP port is 1812 switch config radius server host ipv4 address ipv6 address host name acct port udp port Step 2 The range is from 0 to 6...

Страница 54: ...figuring Periodic RADIUS Server Monitoring You can monitor the availability of RADIUS servers These parameters include the username and password to use for the server and an idle timer The idle timer specifies the interval during which a RADIUS server receives no requests before the switch sends out a test packet You can configure this option to test servers periodically For security reasons we re...

Страница 55: ...g Step 6 This example shows how to configure RADIUS server host 10 10 1 1 with a username user1 and password Ur2Gd2BH and with an idle timer of 3 minutes and a deadtime of 5 minutes switch configure terminal switch config radius server host 10 10 1 1 test username user1 password Ur2Gd2BH idle time 3 switch config radius server deadtime 5 switch config exit switch copy running config startup config...

Страница 56: ...g exit switch copy running config startup config Manually Monitoring RADIUS Servers or Groups Procedure Purpose Command or Action Sends a test message to a RADIUS server to confirm availability switch test aaa server radius ipv4 address ipv6 address server name vrf vrf name username password test aaa server radius ipv4 address Step 1 ipv6 address server name vrf vrf name username password Sends a ...

Страница 57: ...s the RADIUS statistics switch show radius server statistics hostname ipv4 address ipv6 address Step 1 Clearing RADIUS Server Statistics You can display the statistics that the Cisco NX OS device maintains for RADIUS server activity Before You Begin Configure RADIUS servers on the Cisco NX OS device Procedure Purpose Command or Action Optional Displays the RADIUS server statistics on the Cisco NX ...

Страница 58: ...efault settings for RADIUS parameters Table 6 Default RADIUS Parameters Default Parameters Authentication and accounting Server roles 0 minutes Dead timer interval 1 Retransmission count 5 seconds Retransmission timer interval 0 minutes Idle timer interval test Periodic server monitoring username test Periodic server monitoring password Feature History for RADIUS Table 7 Feature History for RADIUS...

Страница 59: ...ation authorization and accounting facilities TACACS allows for a single access control server the TACACS daemon to provide each service authentication authorization and accounting independently Each service is associated with its own database to take advantage of other services available on that server or on the network depending on the capabilities of the daemon The TACACS client server protocol...

Страница 60: ...eviceh receives an ERROR response the switch tries to use an alternative method for authenticating the user The user also undergoes an additional authorization phase if authorization has been enabled on the Cisco Nexus device Users must first successfully complete TACACS authentication before proceeding to TACACS authorization 3 If TACACS authorization is required the Cisco Nexus device again cont...

Страница 61: ...ACACS server changes to the dead or alive state a Simple Network Management Protocol SNMP trap is generated and the Cisco Nexus device displays an error message that a failure is taking place before it can impact performance The following figure shows the different TACACS server states Figure 3 TACACS Server States The monitoring interval for alive servers and dead servers are different and can be...

Страница 62: ...f needed configure TACACS server groups with subsets of the TACACS servers for AAA authentication methods Configuring TACACS Server Groups on page 51 Step 5 If needed configure periodic TACACS server monitoring Configuring Periodic TACACS Server Monitoring on page 54 Enabling TACACS Although by default the TACACS feature is disabled on the Cisco Nexus device You can enable the TACACS feature to ac...

Страница 63: ...TACACS server hosts you should do the following Enable TACACS See Enabling TACACS on page 48 for more information Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS servers Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Specifies the IPv4 or IPv6 address or hostname for a TACACS server switch config tacacs server host ipv...

Страница 64: ...t is clear text The maximum length is 63 characters Example switch config tacacs server key 7 fewhg By default no secret key is configured If you already configured a shared secret using the generate type7_encrypted_secret command enter it in quotation marks as shown in the second example Note Exits configuration mode switch config exit Step 3 Optional Displays the TACACS server configuration swit...

Страница 65: ...me The default is 0 minutes The range is from 0 through 1440 switch config tacacs deadtime minutes Step 3 If the dead time interval for a TACACS server group is greater than zero 0 that value takes precedence over the global dead time value Note Optional Assigns a source interface for a specific TACACS server group switch config tacacs source interface interface Step 4 The supported interface type...

Страница 66: ...ip tacacs source interface interface Example switch config ip tacacs source interface mgmt 0 Step 2 device The source interface can be the management or the VLAN interface Exits configuration mode exit Example switch config exit switch Step 3 Optional Displays the TACACS server configuration information show tacacs server Example switch show tacacs server Step 4 Optional Copies the running configu...

Страница 67: ... from a TACACS server before declaring a timeout failure The timeout interval determines how long the switch waits for responses from a TACACS server before declaring a timeout failure Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Exits configuration mode switch config exit Step 2 Optional Displays the TACACS server configuration switch show ...

Страница 68: ...val in which a TACACS server receives no requests before the Cisco Nexus device sends out a test packet You can configure this option to test servers periodically or you can run a one time only test To protect network security we recommend that you use a username that is not the same as an existing username in the TACACS database Note The test idle timer specifies the interval in which a TACACS se...

Страница 69: ...me interval for all TACACS servers The dead time interval specifies the time that the Cisco Nexus device waits after declaring a TACACS server is dead before sending out a test packet to determine if the server is now alive When the dead time interval is 0 minutes TACACS servers are not marked as dead even if they are not responding You can configure the dead time interval per group See Configurin...

Страница 70: ...wing example shows how to manually issue a test message switch test aaa server tacacs 10 10 1 1 user1 Ur2Gd2BH switch test aaa group TacGroup user2 As3He3CI Disabling TACACS You can disable TACACS When you disable TACACS all related configurations are automatically discarded Caution Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Disables TACAC...

Страница 71: ... tacacs status pending pending diff Displays the TACACS configuration in the running configuration show running config tacacs all Displays the TACACS configuration in the startup configuration show startup config tacacs Displays all configured TACACS server parameters show tacacs serve host name ipv4 address ipv6 address directed request groups sorted statistics Configuration Examples for TACACS T...

Страница 72: ...g aaa group server tacacs TacServer1 switch config tacacs server 1 1 1 1 switch config tacacs server 1 1 1 2 Default Settings for TACACS The following table lists the default settings for TACACS parameters Table 8 Default TACACS Parameters Default Parameters Disabled TACACS 0 minutes Dead time interval 5 seconds Timeout interval 0 minutes Idle timer interval test Periodic server monitoring usernam...

Страница 73: ...feature enables a SSH client to make a secure encrypted connection to a Cisco Nexus device SSH uses strong encryption for authentication The SSH server in the Cisco Nexus device switch interoperates with publicly and commercially available SSH clients The user authentication mechanisms supported for SSH are RADIUS TACACS and the use of locally stored user names and passwords SSH Client The SSH cli...

Страница 74: ...tion Using Digital Certificates SSH authentication on CiscoNX OS devices provide X 509 digital certificate support for host authentication An X 509 digital certificate is a data item that ensures the origin and integrity of a message It contains encryption keys for secured communications and is signed by a trusted certification authority CA to verify the identity of the presenter The X 509 digital...

Страница 75: ...024 bits Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Generates the SSH server key switch config ssh key dsa force rsa bits force Step 2 The bits argument is the number of bits used to generate the key The range is from 768 to 2048 and the default value is 1024 Use the force keyword to replace an existing key Exits global configuration mode ...

Страница 76: ... Format You can specify the SSH public keys in SSH format for user accounts Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Configures the SSH public key in SSH format switch config username username sshkey ssh key Step 2 Exits global configuration mode switch config exit Step 3 Optional Displays the user account configuration switch show user ...

Страница 77: ...format switch config username username sshkey file filename Step 3 Exits global configuration mode switch config exit Step 4 Optional Displays the user account configuration switch show user account Step 5 Optional Copies the running configuration to the startup configuration switch copy running config startup config Step 6 The following example shows how to specify the SSH public key in the IETF ...

Страница 78: ...ertificate form switch copy tftp 10 10 1 1 cert pem bootflash cert pem switch configure terminal switch show user account switch copy running config startup config Configuring the SSH Source Interface You can configure SSH to use a specific interface Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Configures the source interface for all SSH pac...

Страница 79: ...4 address or a hostname switch ssh hostname username hostname vrf vrf name Step 1 Clearing SSH Hosts When you download a file from a server using SCP or SFTP you establish a trusted SSH relationship with that server Procedure Purpose Command or Action Clears the SSH host sessions switch clear ssh hosts Step 1 Disabling the SSH Server By default the SSH server is enabled on the Cisco Nexus device P...

Страница 80: ... global configuration move switch configure terminal Step 1 Disables the SSH server switch config no feature ssh Step 2 Deletes the SSH server key switch config no ssh key dsa rsa Step 3 The default is to delete all the SSH keys Exits global configuration mode switch config exit Step 4 Optional Displays the SSH server configuration switch show ssh key Step 5 Optional Copies the running configurati...

Страница 81: ... This step should not be required because the SSH server is enabled by default Note Step 3 Display the SSH server key switch config show ssh key rsa Keys generated Fri May 8 22 09 47 2009 ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZ cTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv DQBsDQH6rZt0KR 2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5 Ninn0Mc bitc...

Страница 82: ... id password 0 5 password Step 2 maximum length of 28 characters Valid characters are Example switch config username jsmith password 4Ty18Rnt uppercase letters A through Z lowercase letters a through z numbers 0 through 9 hyphen period underscore _ plus sign and equal sign The at symbol is supported in remote usernames but not in local usernames Usernames must begin with an underscore _ which is s...

Страница 83: ... trustpoint The CRL file is a snapshot of the list of crypto ca crl request trustpoint bootflash static crl crl Step 6 revoked certificates by the trustpoint This static CRL list Example switch config crypto ca crl request winca bootflash crllist crl is manually copied to the device from the Certification Authority CA Static CRL is the only supported revocation check method Note Optional Displays ...

Страница 84: ...IJ06KL07MN notBefore Jun 29 12 36 26 2016 GMT notAfter Jun 29 12 46 23 2021 GMT SHA1 Fingerprint 47 29 E3 00 C1 C1 47 F2 56 8B AC B2 1C 64 48 FC F4 8D 53 AF purposes sslserver sslclient show crypto ca crl tp1 Trustpoint tp1 CRL Certificate Revocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer CN SecDevCA Last Update Aug 8 20 03 15 2016 GMT Next Update Aug 16 08 23 15 2...

Страница 85: ...you can reenable it Procedure Purpose Command or Action Reenables the Telnet server switch config no feature telnet Step 1 Configuring the Telnet Source Interface You can configure Telnet to use a specific interface Procedure Purpose Command or Action Enters global configuration move switch configure terminal Step 1 Configures the source interface for all Telnet packets The following list contains...

Страница 86: ...ain the username on the remote device Enable the Telnet server on the Cisco Nexus device Enable the Telnet server on the remote device Procedure Purpose Command or Action Creates a Telnet session to a remote device The hostname argument can be an IPv4 address an IPv6 address or a device name switch telnet hostname Step 1 The following example shows how to start a Telnet session to connect to a rem...

Страница 87: ... and user account configuration in the running configuration The all keyword displays the default values for the SSH and user accounts switch show running config security all Displays the SSH server configuration switch show ssh server Displays user account information switch show user account Displays the users logged into the device switch show users Displays the configured certificate chain and...

Страница 88: ...eters Enabled SSH server RSA key generated with 1024 bits SSH server key 1024 RSA key bits for generation Enabled Telnet server Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 74 Configuring SSH and Telnet Default Settings for SSH ...

Страница 89: ...of rules that you can use to filter traffic Each rule specifies a set of conditions that a packet must satisfy to match the rule When the switch determines that an ACL applies to a packet it tests the packet against the conditions of all rules The first match determines whether the packet is permitted or denied If there is no match the switch applies the applicable default rule The switch continue...

Страница 90: ...et port channel subinterfaces Management interfaces Switched Virtual Interfaces SVIs Router ACL IPv4 ACLs IPv6 ACLs VTYs VTY ACL Application Order When the device processes a packet it determines the forwarding path of the packet The path determines which ACLs that the device applies to the traffic The device applies the ACLs in the following order 1 Port ACL 2 Ingress Router ACL Rules You can cre...

Страница 91: ...owing implicit rule deny ipv6 any any All MAC ACLs include the following implicit rule deny any any protocol This implicit rule ensures that the device denies the unmatched traffic regardless of the protocol specified in the Layer 2 header of the traffic Additional Filtering Options You can identify traffic by using additional options IPv4 ACLs support the following additional filtering options La...

Страница 92: ...gical Operators and Logical Operation Units IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers The Cisco Nexus device stores operator operand couples in registers called logical operation units LOUs to perform operations greater than less than not equal to and range on the TCP and UDP ports specified in an IP ACL ACL TCAM Regions You can change t...

Страница 93: ... racl 1024 IPv6 RACL ipv6 racl 640 IPv4 L3 QoS l3qos 256 IPv6 L3 QoS ipv6 l3qos 96 SPAN span 128 Ingress COPP copp 1024 Redirect v4 2048 Redirect v6 Licensing Requirements for ACLs The following table shows the licensing requirements for this feature License Requirement Product No license is required to use ACLs Cisco NX OS Prerequisites for ACLs IP ACLs have the following prerequisites Cisco Nexu...

Страница 94: ...ion This is especially useful for ACLs that include more than about 1000 rules You can configure any number of ACLs as long as TCAM space is available Packets that fail the Layer 3 maximum transmission unit check and therefore require fragmenting IPv4 packets that have IP options additional IP packet header fields following the destination address field When you apply an ACL that uses time ranges ...

Страница 95: ... can be up to 64 characters switch config ip ipv6 access list name Step 2 Creates the IP ACL and enters IP ACL configuration mode The name argument can be up to 64 characters switch config ip access list name Step 3 Creates a rule in the IP ACL You can create many rules The sequence number argument can be a whole number between 1 and 4294967295 switch config acl sequence number permit deny protoco...

Страница 96: ...xample switch configure terminal switch config Step 1 Creates an IPv4 ACL and enters IP ACL configuration mode The name argument can be up to 64 characters ip access list name Example switch config ip access list logging test switch config acl Step 2 Creates an ACL rule that permits or denies IPv4 traffic matching its conditions To enable the system to generate permit deny ip source address destin...

Страница 97: ... ip access list cache entries number of flows Example switch config logging ip access list cache entries 8001 Step 9 If the specified number of packets is logged before the expiry of the alert interval the system generates a syslog message logging ip access list cache threshold threshold Example switch config logging ip access list cache threshold 490 Step 10 Enables the ACL name the sequence numb...

Страница 98: ...es than the current sequence numbering allows you can use the resequence command to reassign sequence numbers Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Enters IP ACL configuration mode for the ACL that you specify by name switch config ip ipv6 ip access list name Step 2 Enters IP ACL configuration mode for the ACL that you specify by name...

Страница 99: ...currently applied Removing an ACL does not affect the configuration of interfaces where you have applied the ACL Instead the switch considers the removed ACL to be empty Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Removes the IP ACL that you specified by name from the running configuration switch config no ip ipv6 access list name Step 2 Re...

Страница 100: ...L that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application Procedure Purpose Command or Action Enters global configuration mode configure terminal Example switch configure terminal switch config Step 1 Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction ip access group access list in out Example...

Страница 101: ...ters global configuration mode switch configure terminal Step 1 Enters interface configuration mode for the specified interface switch config interface ethernet chassis slot port port channel channel number Step 2 Optional Displays the ACL configuration switch show running config Step 3 Optional Copies the running configuration to the startup configuration switch copy running config startup config...

Страница 102: ... switch config if ip access group access list in switch config if ipv6 traffic filter access list in Optional Displays the ACL configuration switch config if show running config aclmgr Step 4 Optional Copies the running configuration to the startup configuration switch config if copy running config startup config Step 5 Verifying the ACL Logging Configuration To display ACL logging configuration i...

Страница 103: ... in the running configuration including the IP ACL configuration and the interfaces where you have applied IP ACLs This command displays the user configured ACLs in the running configuration The all option displays both the default CoPP configured and the user configured ACLs in the startup configuration Note switch show running config aclmgr all About System ACLs Beginning with Cisco NX OS Releas...

Страница 104: ...v4 ACL on the device See Creating an IP ACL on page 81 for more information Procedure Purpose Command or Action Enters the configuration mode config t Step 1 Configures the system ACL system acl Step 2 Applies a Layer 2 PACL to the interface Only inbound filtering is supported with port ACLs You can apply one port ACL to an interface ip port access group pacl name in Step 3 Configuration and Show ...

Страница 105: ...8 1 1 32 100 100 100 100 32 switch sh ip access lists test summary IPV4 ACL test Total ACEs Configured 12279 Configured on interfaces Active on interfaces ingress ingress switch To validate PACL IPv4 ifacl TCAM region size use the show hardware access list tcam region command switch show hardware access list tcam region WARNING The output shows NFE tcam region info Please refer to show hardware ac...

Страница 106: ... aclqos commands show tech support aclmgr show tech support aclqos Configuring ACL Logging Configuring the ACL Logging Cache Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Sets the maximum number of log entries cached in the software The range is from 0 to 1000000 entries The default value is 8000 entries switch config logging ip access list c...

Страница 107: ...onfigure the ACL logging cache Configure the ACL log match level Procedure Purpose Command or Action Enters global configuration mode switch configure terminal Step 1 Specifies the Ethernet interface switch config interface ethernet slot port Step 2 Attaches an ACL with a log to the specified interface ACL logging is enabled when the ACL is applied to the interface on the hardware switch config if...

Страница 108: ... config startup config Step 3 The following example shows how to apply the log match level for entries to be logged in the ACL log switch configure terminal switch config acllog match log level 3 switch config copy running config startup config Clearing Log Files You can clear messages in the log file and the NVRAM Procedure Purpose Command or Action Clears the access control list ACL cache switch...

Страница 109: ...ult CoPP configured and the user configured ACLs in the startup configuration Note switch show startup config aclmgr all Displays the access control list ACL log file in the running configuration switch show running config acllog Displays the access control list ACL log file in the running configuration including the IP ACL configuration and the interfaces where you have applied IP ACLs This comma...

Страница 110: ... switch config show hardware access list tcam region Example switch config show hardware access list tcam region Step 4 Copies the running configuration to the startup configuration switch config reload Example switch config reload Step 5 The new size values are effective only upon the next reload after saving the copy running config to startup config Note The following example shows how to change...

Страница 111: ...h switch config reload Step 4 The following example shows how to revert to the default RACL TCAM region sizes switch config no hardware profile tcam region racl 256 SUCCESS New tcam size will be applicable only at boot time You need to copy run start and reload switch config copy running configur startup config switch config reload WARNING This command will reboot the system Do you want to continu...

Страница 112: ...ass ozi2 in switch config line no access class ozi3 out switch config Step 4 Exits line configuration mode switch config line exit Example switch config line exit switch Step 5 Optional Displays the running configuration of the ACLs on the switch switch show running config aclmgr Example switch show running config aclmgr Step 6 Optional Copies the running configuration to the startup configuration...

Страница 113: ...show running config aclmgr Time Fri Aug 27 22 01 09 2010 version 5 0 2 N1 1 ip access list ozi 10 deny ip 172 18 217 82 32 any 20 permit ip any any ip access list ozi2 10 permit ip 10 55 144 118 32 any 20 permit ip 172 18 217 79 32 any 30 permit ip 172 18 217 82 32 any 40 permit ip 172 18 217 92 32 any line vty access class ozi in access class ozi2 out The following example shows how to configure ...

Страница 114: ...itch configure terminal Enter configuration commands one per line End with CNTL Z switch config line vty switch config line no access class ozi2 in switch config line no ip access class ozi2 in switch config line exit switch Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 100 Configuring IP ACLs Configuration Examples for ACLs on VTY Lines ...

Страница 115: ...tackers to thwart efforts to locate or filter the attacks Unicast RPF deflects attacks by forwarding only the packets that have source addresses that are valid and consistent with the IP routing table When you enable Unicast RPF on an interface the examines all ingress packets received on that interface to ensure that the source address and source interface appear in the routing table and match th...

Страница 116: ...t the upstream end of a connection You can use Unicast RPF for downstream networks even if the downstream network has other connections to the Internet Be careful when using optional BGP attributes such as weight and local preference because an attacker can modify the best path back to the source address Modification would affect the operation of Unicast RPF Caution When a packet is received at th...

Страница 117: ...twork The more entities that deploy uRPF across Internet intranet and extranet resources means that the better the chances are of mitigating large scale network disruptions throughout the Internet community and the better the chances are of tracing the source of an attack uRPF will not inspect IP packets that are encapsulated in tunnels such as generic routing encapsulation GRE tunnels You must co...

Страница 118: ...raffic Check on Source IP Address uRPF Configuration MPLS Encap VPN ECMP IP ECMP IP Unipath IPv6 IPv4 Allow Allow Allow Disable Disable uRPF loose uRPF loose uRPF loose Loose Loose uRPF loose uRPF loose uRPF strict Strict Strict Default Settings for Unicast RPF This table lists the default settings for Unicast RPF parameters Table 14 Default Unicast RPF Parameter Settings Default Parameters Disabl...

Страница 119: ... interface configuration mode interface ethernet slot port Example switch config interface ethernet 2 3 switch config if Step 2 Configures unicast RPF on the interface for both IPv4 and IPv6 ip ipv6 verify unicast source reachable via any Step 3 Example switch config if ip verify unicast source reachable via any You must configure unicast RPF on each interface since it is disabled by default The c...

Страница 120: ...ast RPF for IPv4 IPv6 packets interface Ethernet2 3 ip address 172 23 231 240 23 ip verify unicast source reachable via any interface Ethernet2 3 ipv6 address 2001 0DB8 c18 1 3 64 ipv6 verify unicast source reachable via any The following examples shows how to configure strict Unicast RPF for IPv4 IPv6 packets interface Ethernet2 2 ip address 172 23 231 240 23 ip verify unicast source reachable vi...

Страница 121: ...face and verifies if the unicast RPF is enabled or disabled show ip interface ethernet slot port Displays the IP configuration in the startup configuration show startup config ip Additional References for Unicast RPF This section includes additional information related to implementing unicast RPF Related Documents Document Title Related Topic Cisco Nexus 3600 Series NX OS Label Switching Configura...

Страница 122: ...Cisco Nexus 3600 NX OS Security Configuration Guide Release 7 x 108 Configuring Unicast RPF Additional References for Unicast RPF ...

Страница 123: ... ensures network stability reachability and packet delivery This feature allows a policy map to be applied to the control plane This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non management port A common attack vector for network devices is the denial of service DoS attack where excessive traffic is directed at the device interfaces The Cisc...

Страница 124: ...he control plane at a very high rate forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic Examples of DoS attacks include Internet Control Message Protocol ICMP echo requests IP fragments TCP SYN flooding These attacks can impact the device performance and have the following negative effects Reduced ser...

Страница 125: ... The following exceptions are possible from line cards and fabric modules match exception mtu failure Redirected packets Packets that are redirected to the supervisor module Glean packets If a Layer 2 MAC address for a destination IP address is not present in the FIB the supervisor module receives the packet and sends an ARP request to the host All of these different packets could be maliciously u...

Страница 126: ... Nexus 9000 Series NX OS Quality of Service Configuration Guide Dynamic and Static CoPP ACLs CoPP access control lists ACLs are classified as either dynamic or static Cisco Nexus 9300 and 9500 Series and 3164Q 31128PQ 3232C and 3264Q switches use only dynamic CoPP ACLs Cisco Nexus 9200 Series switches use both dynamic and static CoPP ACLs Dynamic CoPP ACLs work only for Forwarding Information Base...

Страница 127: ... is applied This option is removed starting with Cisco NX OS Release 7 0 3 I2 1 For previous releases Cisco does not recommend using the Skip option because it will impact the control plane of the network If you do not select an option or choose not to execute the setup utility the software applies strict policing We recommend that you start with the strict policy and later modify the CoPP policie...

Страница 128: ...s the following configuration class map type control plane match any copp system p class important match access group name copp system p acl hsrp match access group name copp system p acl vrrp match access group name copp system p acl hsrp6 match access group name copp system p acl vrrp6 match access group name copp system p acl mac lldp The copp system class l2 default class has the following con...

Страница 129: ... system p acl mld The copp system class multicast router class has the following configuration class map type control plane match any copp system p class multicast router match access group name copp system p acl pim match access group name copp system p acl msdp match access group name copp system p acl pim6 match access group name copp system p acl pim reg match access group name copp system p a...

Страница 130: ...lice cir 36000 kbps bc 1280000 bytes conform transmit violate drop class copp system p class important set cos 6 police cir 2500 kbps bc 1280000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2600 kbps bc 128000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 10000 kbps bc 32000 bytes conform transmi...

Страница 131: ...copp system p class important set cos 6 police cir 3000 pps bc 128 packets conform transmit violate drop class copp system p class multicast router set cos 6 police cir 3000 pps bc 128 packets conform transmit violate drop class copp system p class management set cos 2 police cir 3000 pps bc 32 packets conform transmit violate drop class copp system p class multicast host set cos 1 police cir 2000...

Страница 132: ...mit violate drop class copp system p class important set cos 6 police cir 2500 kbps bc 1920000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2600 kbps bc 192000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 10000 kbps bc 48000 bytes conform transmit violate drop class copp system p class multicast...

Страница 133: ...ps bc 192 packets conform transmit violate drop class copp system p class multicast router set cos 6 police cir 3000 pps bc 192 packets conform transmit violate drop class copp system p class management set cos 2 police cir 3000 pps bc 48 packets conform transmit violate drop class copp system p class multicast host set cos 1 police cir 2000 pps bc 192 packets conform transmit violate drop class c...

Страница 134: ...000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2600 kbps bc 256000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 10000 kbps bc 64000 bytes conform transmit violate drop class copp system p class multicast host set cos 1 police cir 1000 kbps bc 256000 bytes conform transmit violate drop class co...

Страница 135: ...icast router set cos 6 police cir 3000 pps bc 256 packets conform transmit violate drop class copp system p class management set cos 2 police cir 3000 pps bc 64 packets conform transmit violate drop class copp system p class multicast host set cos 1 police cir 2000 pps bc 256 packets conform transmit violate drop class copp system p class l3mc data set cos 1 police cir 3000 pps bc 32 packets confo...

Страница 136: ...ss multicast router set cos 6 police cir 370 kbps bc 128000 bytes conform transmit violate drop class copp system p class management set cos 2 police cir 2500 kbps bc 128000 bytes conform transmit violate drop class copp system p class multicast host set cos 2 police cir 300 kbps bc 128000 bytes conform transmit violate drop class copp system p class l3mc data set cos 1 police cir 600 kbps bc 3200...

Страница 137: ...s copp system p class multicast host set cos 2 police cir 1000 pps bc 128 packets conform transmit violate drop class copp system p class l3mc data set cos 1 police cir 1200 pps bc 32 packets conform transmit violate drop class copp system p class normal set cos 1 police cir 750 pps bc 32 packets conform transmit violate drop class copp system p class ndp set cos 1 police cir 750 pps bc 32 packets...

Страница 138: ...class map command A traffic class is used to classify traffic This example shows how to create a new class map called copp sample class class map type control plane copp sample class Step 2 Create a traffic policy using the policy map command A traffic policy policy map contains a traffic class and one or more CoPP features that will be applied to the traffic class The CoPP features in the traffic...

Страница 139: ...ps is put into the last class the default class Monitor the drops in this class and investigate if these drops are based on traffic that you do not want or the result of a feature that was not configured and you need to add All broadcast traffic is sent through CoPP logic in order to determine which packets for example ARP and DHCP need to be redirected through an access control list ACL to the ro...

Страница 140: ...f 10 kbps the rate is rounded down For example the switch will use 50 kbps if a rate of 55 kbps is configured The show policy map type control plane command shows the user configured rate See Verifying the CoPP Configuration on page 135 for more information For Cisco Nexus 9200 Series switches ip icmp redirect ipv6 icmp redirect ip icmp unreachable ipv6 icmp unreachable and mtu failure use the sam...

Страница 141: ...onfigure CoPP Configuring a Control Plane Class Map You must configure control plane class maps for control plane policies You can classify traffic by matching packets based on existing ACLs The permit and deny ACL keywords are ignored in the matching You can configure policies for IP version 4 IPv4 and IP version 6 IPv6 packets Before You Begin Ensure that you have configured the IP ACLs if you w...

Страница 142: ...h config cmap match exception ip icmp redirect Step 4 Optional Specifies matching for IPv4 or IPv6 ICMP unreachable exception packets match exception ip ipv6 icmp unreachable Example switch config cmap match exception ip icmp unreachable Step 5 Optional Specifies matching for IPv4 or IPv6 option exception packets match exception ip ipv6 option Example switch config cmap match exception ip option S...

Страница 143: ...terminal Example switch configure terminal switch config Step 1 Specifies a control plane policy map and enters policy map configuration mode The policy map name can have a maximum of 64 characters and is case sensitive policy map type control plane policy map name Example switch config policy map type control plane ClassMapA switch config pmap Step 2 Specifies a control plane class map name or th...

Страница 144: ...es The conform transmit action transmits the packet You can specify the BC and conform action for the same CIR Note Optional Specifies the threshold value for dropped packets and generates a syslog if the drop count exceeds the logging drop threshold drop count level syslog level Example switch config pmap c logging drop threshold 100 Step 5 configured threshold The range for the drop count argume...

Страница 145: ... y 2013 Nov 13 23 16 46 switch ACLQOS SLOT24 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT23 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT21 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT25 5 ACLQOS_NON_ATOMIC Non atom...

Страница 146: ...plane configuration mode exit Example switch config cp exit switch config Step 4 Optional Displays the CoPP configuration show running config copp all Example switch config show running config copp Step 5 Optional Copies the running configuration to the startup configuration copy running config startup config Example switch config copy running config startup config Step 6 Related Topics Configurin...

Страница 147: ... programmed in the particular module To revert to the default scale factor value of 1 00 use the no scale factor value module multiple module range command or explicitly set the default scale factor value to 1 00 using the scale factor 1 module multiple module range command Optional Displays the applied scale factor values when a CoPP policy is applied show policy map interface control plane Examp...

Страница 148: ...p Example switch config show running config copp Step 3 Related Topics Changing or Reapplying the Default CoPP Policy Using the Setup Utility on page 139 Copying the CoPP Best Practice Policy The CoPP best practice policy is read only If you want to modify its configuration you must copy it Procedure Purpose Command or Action Creates a copy of the CoPP best practice policy copp copy profile strict...

Страница 149: ... maps and drops per policy or class map It also displays the scale factor values when a CoPP policy is applied When the scale factor value is the default 1 00 it is not displayed The scale factor changes the CIR and BC values internally on each module but the display shows the configured CIR and BC values only The actual applied value on a module is the scale factor multiplied by the configured va...

Страница 150: ...erate lenient dense show copp diff profile Displays the details of the CoPP best practice policy along with the classes and policer values show copp profile strict moderate lenient dense Displays the user configured access control lists ACLs in the running configuration The all option displays both the default CoPP configured and user configured ACLs in the running configuration show running confi...

Страница 151: ... interface control plane Step 1 Statistics are specified in terms of OutPackets packets admitted to the control plane and DropPackets packets dropped because of rate limiting This example shows how to monitor CoPP switch show policy map interface control plane Control Plane Service policy input copp system p policy strict class map copp system p class critical match any set cos 7 police cir 19000 ...

Страница 152: ... 0 24 ip access list copp system p acl msdp permit tcp any any eq 639 mac access list copp system p acl arp permit any any 0x0806 ip access list copp system p acl tacas permit udp any any eq 49 ip access list copp system p acl ntp permit udp any 10 0 1 1 23 eq 123 ip access list copp system p acl icmp permit icmp any any class map type control plane match any copp system p class critical match acc...

Страница 153: ...y will guide you through the basic configuration of the system Setup configures only enough connectivity for management of the system Note setup is mainly used for configuring the system initially when no configuration is present So setup always assumes system defaults and not the current system configuration values Press Enter at anytime to skip a dialog Use ctrl c at anytime to skip the remainin...

Страница 154: ...t server enable no system default switchport system default switchport shutdown policy map type control plane copp system p policy Would you like to edit the configuration yes no n CR Use this configuration and save it yes no y y switch Additional References for CoPP This section provides additional information related to implementing CoPP Related Documents Document Title Related Topic Cisco NX OS...

Отзывы:

Нет отзывов

Похожие инструкции для Nexus 3600 NX-OS

D-Link DHP-541 Datasheet preview
DHP-541
Бренд: D-Link Страницы: 4
D-Link DFE-550TX Datasheet preview
DFE-550TX
Бренд: D-Link Страницы: 2
CAME FROG PLUS Manual preview
FROG PLUS
Бренд: CAME Страницы: 2
AVE 8PSWT Specification preview
8PSWT
Бренд: AVE Страницы: 2
AbleNet SCATIR 51100 Manual preview
SCATIR 51100
Бренд: AbleNet Страницы: 12
A2A Simulations BONANZA ACCU-SIM V35B Manual preview
BONANZA ACCU-SIM V35B
Бренд: A2A Simulations Страницы: 112
Asante FRIENDLYNET FS4116R Quick Installation Manual preview
FRIENDLYNET FS4116R
Бренд: Asante Страницы: 6
IOGear GHDMIMS52 Quick Start Manual preview
GHDMIMS52
Бренд: IOGear Страницы: 1
Ruby Tech GS-2108C User Manual preview
GS-2108C
Бренд: Ruby Tech Страницы: 254
Pilz PSEN 1.2p-25 Operating Instructions Manual preview
PSEN 1.2p-25
Бренд: Pilz Страницы: 8
Black Box ServSwitch 17S Quick Start Manual preview
ServSwitch 17S
Бренд: Black Box Страницы: 10
ORiNG TGS-1080-M12 Series Quick Installation Manual preview
TGS-1080-M12 Series
Бренд: ORiNG Страницы: 2
3onedata IES6300PRO Series Quick Installation Manual preview
IES6300PRO Series
Бренд: 3onedata Страницы: 5
IN-COMMAND NCSTS9 Installation And Operation Manual preview
NCSTS9
Бренд: IN-COMMAND Страницы: 8
Myson Touch 2 WiFi Leaflet preview
Touch 2 WiFi
Бренд: Myson Страницы: 2
Alaxala AX2400S series Hardware Instruction Manual preview
AX2400S series
Бренд: Alaxala Страницы: 249
Opencockpits BREAKERF Installation & User Manual preview
BREAKERF
Бренд: Opencockpits Страницы: 30
BEP MARINCO PRO INSTALLER 771-SFD Manual preview
MARINCO PRO INSTALLER 771-SFD
Бренд: BEP Страницы: 4

Бренды по названию

Популярные бренды

Загрузить еще бренды