Cisco Nexus 5000 Series Configuration Manual

Nx-os security configuration guide

Cisco Nexus 5000 Series NX-OS Security Configuration Guide
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-20919-01

Summary of Contents for Cisco Nexus 5000 Series

  • Page 1 Cisco Nexus 5000 Series NX-OS Security Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-20919-01...
  • Page 2 WebEx logo are registered trademarks of Cisco and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
  • Page 3: Table Of Contents

    C O N T E N T S Preface Audience Document Organization Document Conventions Related Documentation for Nexus 5000 Series NX-OS Software Obtaining Documentation and Submitting a Service Request New and Changed Information New and Changed Information Overview Authentication, Authorization, and Accounting...
  • Page 4 Configuring Accounting and Authentication Attributes for RADIUS Servers Configuring Periodic RADIUS Server Monitoring Configuring the Dead-Time Interval Manually Monitoring RADIUS Servers or Groups Verifying RADIUS Configuration Displaying RADIUS Server Statistics Example RADIUS Configuration...
  • Page 5 Disabling TACACS+ Displaying TACACS+ Statistics Verifying TACACS+ Configuration Example TACACS+ Configuration Default TACACS+ Settings Configuring SSH and Telnet Configuring SSH and Telnet Information About SSH and Telnet SSH Server SSH Client...
  • Page 6 Information About ACLs IP ACL Types and Applications Application Order Rules Source and Destination Protocols Implicit Rules Additional Filtering Options Sequence Numbers Logical Operators and Logical Operation Units Configuring IP ACLs...
  • Page 7 Configuring VACLs Creating or Changing a VACL Removing a VACL Applying a VACL to a VLAN Verifying VACL Configuration Displaying and Clearing VACL Statistics Example Configuration for VACL Default ACL Settings...
  • Page 9: Preface

    Preface This preface describes the audience, organization, and conventions of the Cisco Nexus 5000 Series NX-OS Security Configuration Guide. It also provides information on how to obtain related documentation. • Audience, page ix • Document Organization, page ix • Document Conventions, page x •...
  • Page 10: Document Conventions

    Arguments for which you supply values are in italic screen font. Nonprinting characters, such as passwords, are in angle brackets (< >). Default responses to system prompts are in square brackets...
  • Page 11: Related Documentation For Nexus 5000 Series Nx-Os Software

    Related Documentation for Nexus 5000 Series NX-OS Software Cisco NX-OS documentation is available at the following URL: http://www.cisco.com/en/US/products/ps9670/tsd_products_support_series_home.htmll The documentation set for the Cisco Nexus 5000 Series NX-OS software includes the following documents: Release Notes • Cisco Nexus 5000 Series and Cisco Nexus 2000 Series Release Notes •...
  • Page 12: Obtaining Documentation And Submitting A Service Request

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
  • Page 13: New And Changed Information

    The latest version of this document is available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/products_installation_and_configuration_guides_list.html To check for the latest information about Cisco NX-OS, see the Cisco Nexus 5000 Series and Nexus 2000 Series NX-OS Release Notes available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html...
  • Page 14 Part 3: Switch Security Features of the Cisco Nexus 5000 Series CLI Configuration Guide. For a complete list of Nexus 5000 Series document titles, see the list of Related Documentation in the "Preface."...
  • Page 15: Overview

    C H A P T E R Overview The Cisco NX-OS software supports security features that can protect your network against degradation or failure and also against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
  • Page 16: Radius And Tacacs+ Security Protocols

    You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.
  • Page 17: Ip Acls

    Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco NX-OS software determines that an IP ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, the Cisco NX-OS software applies the applicable default rule.
  • Page 19: Configuring Authentication, Authorization, And Accounting

    The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users managing Cisco Nexus 5000 Series switches. The Cisco Nexus 5000 Series switches support the Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control device Plus (TACACS+) protocols.
  • Page 20: Benefits Of Using Aaa

    Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services: • User password lists for each Cisco Nexus 5000 Series switch in the fabric are easier to manage. • AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
  • Page 21: Aaa Server Groups

    • None—Uses only the user name. Note If the method is for all RADIUS servers, instead of a specific server group, the Nexus 5000 Series switches choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration.
  • Page 22: Authentication And Authorization Process For User Login

    The figure below shows a flowchart of the authentication and authorization process for user login. The following process occurs: • When you log in to the required Cisco Nexus 5000 Series switch, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.
  • Page 23: Prerequisites For Remote Aaa

    Remote AAA servers have the following prerequisites: • At least one RADIUS or TACACS+ server must be IP reachable. • The Cisco Nexus 5000 Series switch is configured as a client of the AAA servers...
  • Page 24: Information About Aaa Guidelines And Limitations

    • The preshared secret key is configured on the Cisco Nexus 5000 Series switch and on the remote AAA servers. • The remote server responds to AAA requests from the Cisco Nexus 5000 Series switch.
  • Page 25: Configuring Default Login Authentication Methods

    The authentication methods include the following: • Global pool of RADIUS servers • Named subset of RADIUS or TACACS+ servers...
  • Page 26 • Local database on the Nexus 5000 Series switch • Username only The default method is local. Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure default login authentication methods, perform this task: SUMMARY STEPS 1.
  • Page 27: Enabling Login Authentication Failure Messages

    Enabling MSCHAP Authentication Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus 5000 Series switch through a remote authentication server (RADIUS or TACACS+). By default, the Cisco Nexus 5000 Series switch uses Password Authentication Protocol (PAP) authentication between the switch and the remote server.
  • Page 28 (Optional) Displays the MS-CHAP configuration. Step 5 switch# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration. Related Topics • About VSAs, page 18...
  • Page 29: Configuring Aaa Accounting Default Methods

    (AV) pairs and is stored on the AAA server. When you activate AAA accounting, the Cisco Nexus 5000 Series switch reports these attributes as accounting records, which are then stored in an accounting log on the security server.
  • Page 30: Using Aaa Server Vsas

    The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:...
  • Page 31: Specifying Switch User Roles And Snmpv3 Parameters On Aaa Servers

    Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco Nexus 5000 Series switch using this format: shell:roles="roleA roleB …"...
  • Page 32: Example Aaa Configuration

    The following table lists the default settings for AAA parameters. Table 5: Default AAA Parameters (parameter: default): Console authentication method: local; Default authentication method: local; Login authentication failure messages: Disabled; MSCHAP authentication: Disabled; Default accounting method: local...
  • Page 33 Default AAA Settings (continued): Accounting log display length: 250 KB...
  • Page 35: Configuring Radius

    • Networks already using RADIUS. You can add a Nexus 5000 Series switch with RADIUS to the network. This action might be the first step when you make a transition to a AAA server. • Networks that require resource accounting.
  • Page 36: Radius Operation

    RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements. RADIUS Operation When a user attempts to log in and authenticate to a Cisco Nexus 5000 Series switch using RADIUS, the following process occurs: 1 The user is prompted for and enters a username and password.
  • Page 37: Vendor-Specific Attributes

    RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place. Figure 2: RADIUS Server States The monitoring interval for alive servers and dead servers are different and can be configured by the user.
  • Page 38: Prerequisites For Radius

    • Obtain IPv4 or IPv6 addresses or host names for the RADIUS servers. • Obtain preshared keys from the RADIUS servers. • Ensure that the Cisco Nexus 5000 Series switch is configured as a RADIUS client of the AAA servers. Guidelines and Limitations for RADIUS RADIUS has the following guidelines and limitations: •...
  • Page 39: Configuring Radius Server Hosts

    Copies the running configuration to the startup configuration. The following example shows how to configure a RADIUS server host: switch# configure terminal switch(config)# radius-server host 10.10.1.1 switch(config)# exit switch# show radius-server switch# copy running-config startup-config...
  • Page 40: Configuring Radius Global Preshared Keys

    Configuring RADIUS Global Preshared Keys You can configure preshared keys at the global level for all servers used by the Cisco Nexus 5000 Series switch. A preshared key is a shared secret text string between the switch and the RADIUS server hosts.
  • Page 41: Configuring Radius Server Groups

    RADIUS protocol. The servers are tried in the same order in which you configure them. You can configure these server groups at any time but they only take effect when you apply them to an AAA service...
  • Page 42 Step 6 switch(config-radius)# exit Exits configuration mode. Step 7 switch(config)# show radius-server group [group-name] (Optional) Displays the RADIUS server group configuration...
  • Page 43: Configuring The Global Source Interface For Radius Server Groups

    3. exit 4. (Optional) show radius-server 5. (Optional) copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 configure terminal Enters global configuration mode. Example: switch# configure terminal switch(config)#...
  • Page 44: Allowing Users To Specify A Radius Server At Login

    To allow users to specify a RADIUS server at login, perform this task: SUMMARY STEPS 1. switch# configure terminal 2. switch(config)# radius-server directed-request 3. switch(config)# exit 4. (Optional) switch# show radius-server directed-request 5. (Optional) switch# copy running-config startup-config...
  • Page 45: Configuring The Global Radius Transmission Retry Count And Timeout Interval

    RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus 5000 Series switch waits for responses from RADIUS servers before declaring a timeout failure.
  • Page 46: Configuring The Radius Transmission Retry Count And Timeout Interval For A Server

    Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server By default, a Cisco Nexus 5000 Series switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server.
  • Page 47: Configuring Accounting And Authentication Attributes For Radius Servers

    5. (Optional) switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} authentication 6. switch(config)# exit 7. (Optional) switch(config)# show radius-server 8. (Optional) switch# copy running-config startup-config DETAILED STEPS Command or Action Purpose Step 1 switch# configure terminal Enters configuration mode...
  • Page 48: Configuring Periodic Radius Server Monitoring

    The idle timer specifies the interval during which a RADIUS server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet. You can configure this option to test servers periodically.
  • Page 49 The test idle timer specifies the interval during which a RADIUS server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet. The default idle timer value is 0 minutes. Note: When the idle time interval is 0 minutes, the Cisco Nexus 5000 Series switch does not perform periodic RADIUS server monitoring.
  • Page 50: Configuring The Dead-Time Interval

    You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco Nexus 5000 Series switch waits after declaring a RADIUS server is dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.
  • Page 51: Verifying Radius Configuration

    Displays all configured RADIUS server parameters. | ipv6-address] [directed-request | groups | sorted | statistics] For detailed information about the fields in the output from this command, refer to the Cisco Nexus 5000 Series Command Reference. Displaying RADIUS Server Statistics...
  • Page 52: Example Radius Configuration

    Server roles: Authentication and accounting; Dead timer interval: 0 minutes; Retransmission count; Retransmission timer interval: 5 seconds; Idle timer interval: 0 minutes; Periodic server monitoring username: test; Periodic server monitoring password: test...
  • Page 53: Configuring Tacacs

    The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus 5000 Series switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation.
  • Page 54: User Login With Tacacs

    You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A preshared key is a secret text string shared between the Cisco Nexus 5000 Series switch and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed).
  • Page 55: Tacacs+ Server Monitoring

    Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place before it can impact performance.
  • Page 56: Guidelines And Limitations For Tacacs

    Guidelines and Limitations for TACACS+ TACACS+ has the following guidelines and limitations: • You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus 5000 Series switch. Configuring TACACS+ TACACS+ Server Configuration Process To configure TACACS+ servers, perform this task: SUMMARY STEPS 1.
  • Page 57: Enabling Tacacs

    To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus 5000 Series switch. All TACACS+ server hosts are added to the default TACACS+ server group. You can configure up to 64 TACACS+ servers.
  • Page 58: Configuring Tacacs+ Global Preshared Keys

    Configuring TACACS+ Global Preshared Keys You can configure preshared keys at the global level for all servers used by the Cisco Nexus 5000 Series switch. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server hosts.
  • Page 59: Configuring Tacacs+ Server Preshared Keys

    Configuring TACACS+ Server Preshared Keys You can configure preshared keys for a TACACS+ server. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server host. To configure the TACACS+ preshared keys, perform this task: SUMMARY STEPS 1.
  • Page 60: Configuring Tacacs+ Server Groups

    You can configure these server groups at any time but they only take effect when you apply them to an AAA service. Before You Begin You must use the feature tacacs+ command to enable TACACS+ before you configure TACACS+...
  • Page 61 Exits configuration mode. Step 7 switch(config)# show tacacs-server groups (Optional) Displays the TACACS+ server group configuration. Step 8 switch(config)# copy running-config startup-config (Optional) Copies the running configuration to the startup configuration...
  • Page 62: Configuring The Global Source Interface For Tacacs+ Server Groups

    Configures the global source interface for all TACACS+ server groups configured on the device. The source interface can be the management or the VLAN interface. Example: switch(config)# ip tacacs source-interface mgmt...
  • Page 63: Specifying A Tacacs+ Server At Login

    You can configure the switch to allow the user to specify which TACACS+ server to send the authentication request to by enabling the directed-request option. By default, a Cisco Nexus 5000 Series switch forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@hostname, where hostname is the name of a configured RADIUS server.
  • Page 64: Configuring The Global Tacacs+ Timeout Interval

    Configuring the Global TACACS+ Timeout Interval You can set a global timeout interval that the Cisco Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from TACACS+ servers before declaring a timeout failure.
  • Page 65: Configuring The Timeout Interval For A Server

    Configuring the Timeout Interval for a Server You can set a timeout interval that the Cisco Nexus 5000 Series switch waits for responses from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from a TACACS+ server before declaring a timeout failure.
  • Page 66: Configuring Periodic Tacacs+ Server Monitoring

    The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
  • Page 67 Step 3 switch(config)# tacacs-server dead-time minutes Specifies the number of minutes before the Cisco Nexus 5000 Series switch checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes and the valid range is 0 to 1440 minutes.
  • Page 68: Configuring The Dead-Time Interval

    You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus 5000 Series switch waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
  • Page 69: Disabling Tacacs

    (Optional) Copies the running configuration to the startup configuration. Displaying TACACS+ Statistics To display the statistics the Cisco Nexus 5000 Series switch maintains for TACACS+ activity, perform this task:...
  • Page 70: Verifying Tacacs+ Configuration

    {hostname | ipv4-address | Displays the TACACS+ statistics. ipv6-address} For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series Command Reference. Verifying TACACS+ Configuration To display TACACS+ configuration information, perform one of the following tasks: SUMMARY STEPS 1.
  • Page 71: Example Tacacs+ Configuration

    Table 10: Default TACACS+ Parameters (parameter: default): TACACS+: Disabled; Dead timer interval: 0 minutes; Timeout interval: 5 seconds; Idle timer interval: 0 minutes; Periodic server monitoring username: test; Periodic server monitoring password: test...
  • Page 73: Configuring Ssh And Telnet

    The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus 5000 Series switch. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus 5000 Series switch will interoperate with publicly and commercially available SSH clients.
  • Page 74: Telnet Server

    • The dsa option generates the DSA key-pair for the SSH version 2 protocol. • The rsa option generates the RSA key-pair for the SSH version 2 protocol. By default, the Cisco Nexus 5000 Series switch generates an RSA key using 1024 bits. SSH supports the following public key formats: •...
  • Page 75: Specifying The Ssh Public Keys For User Accounts

    To specify the SSH public keys in open SSH format, generate an SSH public key in open SSH format and perform this task: SUMMARY STEPS 1. switch# configure terminal 2. switch(config)# username username sshkey ssh-key 3. switch(config)# exit 4. (Optional) switch# show user-account 5. (Optional) switch# copy running-config startup-config...
  • Page 76: Specifying The Ssh Public Keys In Ietf Secsh Format

    1. switch# copy server-file bootflash: filename 2. switch# configure terminal 3. switch(config)# username username sshkey file filename 4. switch(config)# exit 5. (Optional) switch# show user-account 6. (Optional) switch# copy running-config startup-config...
  • Page 77: Specifying The Ssh Public Keys In Pem-Formatted Public Key Certificate Form

    Step 1 switch# copy server-file bootflash: filename Downloads the file containing the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP...
  • Page 78: Starting Ssh Sessions To Remote Devices

    Starting SSH Sessions to Remote Devices To start SSH sessions to connect to remote devices from your Cisco Nexus 5000 Series switch, perform this task: SUMMARY STEPS 1. switch# ssh {hostname | username@hostname} [vrf vrf-name]...
  • Page 79: Disabling The Ssh Server

    Disabling the SSH Server By default, the SSH server is enabled on the Cisco Nexus 5000 Series switch. To disable the SSH server to prevent SSH access to the switch, perform this task: SUMMARY STEPS 1.
  • Page 80: Clearing Ssh Sessions

    (Optional) Copies the running configuration to the startup configuration. Clearing SSH Sessions To clear SSH sessions from the Cisco Nexus 5000 Series switch, perform this task: SUMMARY STEPS 1. switch# show users 2. switch# clear line vty-line...
  • Page 81: Configuring Telnet

    Save the configuration. switch(config)# copy running-config startup-config Configuring Telnet Enabling the Telnet Server By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus 5000 Series switch...
  • Page 82: Reenabling The Telnet Server

    Disables the Telnet server. The default is enabled. Reenabling the Telnet Server If the Telnet server on your Cisco Nexus 5000 Series switch has been disabled, you can reenable it. SUMMARY STEPS 1. switch(config)# feature telnet DETAILED STEPS...
  • Page 83: Clearing Telnet Sessions

    Trying 10.10.1.1... Connected to 10.10.1.1. Escape character is '^]'. switch login: Clearing Telnet Sessions To clear Telnet sessions from the Cisco Nexus 5000 Series switch, perform this task: SUMMARY STEPS 1. switch# show users 2. switch# clear line vty-line DETAILED STEPS...
  • Page 84: Default Ssh Settings

    The following table lists the default settings for SSH parameters. Table 11: Default SSH Parameters (parameter: default): SSH server: Enabled; SSH server key: RSA key generated with 1024 bits; RSA key bits for generation: 1024; Telnet server: Enabled...
  • Page 85: Configuring Access Control Lists

    IP ACL Types and Applications The Cisco Nexus 5000 Series switch supports IPv4, IPv6, and MAC ACLs for security traffic filtering. The switch allows you to use IP ACLs as port ACLs and VLAN ACLs, as shown in the following table.
  • Page 86: Application Order

    You can specify any protocol by number. In IPv4 ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic...
  • Page 87: Implicit Rules

    • ICMP types and codes • IGMP types • Flow label • DSCP value • TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set • Established TCP connections • Packet length...
  • Page 88: Sequence Numbers

    235 to the new rule. In addition, the Cisco Nexus 5000 Series switch allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
  • Page 89: Configuring Ip Acls

    {permit | deny} protocol source destination The sequence-number argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 5000 Series Command Reference. Step 4 switch(config-acl)# statistics...
  • Page 90: Changing An Ip Acl

    The sequence-number argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 5000 Series Command Reference. Step 4...
  • Page 91: Removing An Ip Acl

    {ip | ipv6} access-list name Removes the IP ACL that you specified by name from the running configuration. Step 3 switch# show running-config (Optional) Displays ACL configuration. The removed IP ACL should not appear...
  • Page 92: Changing Sequence Numbers In An Ip Acl

    You can apply an IPv4 or IPv6 ACL to the management interface (mgmt0). Before You Begin Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application...
  • Page 93 Example: switch(config-if)# show running-config aclmgr Step 5 (Optional) copy running-config startup-config Copies the running configuration to the startup configuration. Example: switch(config-if)# copy running-config startup-config Related Topics • Creating an IP ACL...
  • Page 94: Applying An Ip Acl As A Port Acl

    Copies the running configuration to the startup configuration. Verifying IP ACL Configurations To display IP ACL configuration information, perform one of the following tasks: SUMMARY STEPS 1. switch# show running-config 2. switch# show running-config interface
  • Page 95: Displaying And Clearing Ip Acl Statistics

    Displays the configuration of an interface to which you have applied an ACL. For detailed information about the fields in the output from these commands, refer to the Cisco Nexus 5000 Series Command Reference. Displaying and Clearing IP ACL Statistics Use the show ip access-lists and show ipv6 access-lists commands to display statistics about an IP ACL, including the number of packets that have matched each rule.
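Per-rule counters are only useful if something reads them. The parser below is an added example, not Cisco code, that takes show ip access-lists / show ipv6 access-lists output with per-entry statistics, reports rules that have never matched (removal candidates, or a sign that an expected path is not in use), and reads the counter on a trailing explicit deny. The sample output is constructed for this example and the "[match=N]" counter suffix and the "IP access list <name>" / "IPv6 access list <name>" header lines are the output format assumed here; check them against your own switch before relying on the regular expressions.

```python
"""Parse per-entry ACL statistics from NX-OS 'show ip access-lists' output.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed for this example
and its counters are invented; the '[match=N]' suffix is the assumed format.
"""
from __future__ import annotations

import re

SAMPLE_OUTPUT = """\
IP access list mgmt-in
        statistics per-entry
        10 permit tcp 10.0.0.0/24 any eq 22 [match=1532]
        20 permit udp 10.0.0.5/32 any eq snmp [match=0]
        30 permit tcp 10.0.9.0/24 any eq 23 [match=0]
        40 deny ip any any [match=87]
IPv6 access list mgmt6-in
        statistics per-entry
        10 permit tcp 2001:db8:1::/64 any eq 22 [match=12]
        20 deny ipv6 any any [match=0]
"""

ACL_HEADER = re.compile(r"^(IP|IPv6) access list (\S+)\s*$")
RULE_LINE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\[match=(\d+)\])?\s*$")


def parse_access_lists(text: str) -> dict[str, list[dict]]:
    """Map ACL name -> rules as {seq, action, match, hits}.
    hits is None when the ACL has no per-entry statistics."""
    acls: dict[str, list[dict]] = {}
    current = None
    for line in text.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(2)
            acls[current] = []
            continue
        rule = RULE_LINE.match(line)
        if rule and current is not None:
            seq, action, match, hits = rule.groups()
            acls[current].append({
                "seq": int(seq),
                "action": action,
                "match": match,
                "hits": int(hits) if hits is not None else None,
            })
    return acls


def unused_rules(acls: dict[str, list[dict]]) -> list[tuple[str, int, str]]:
    """Rules whose counter is zero. Confirm why before deleting: a zero on a
    permit for a backup path is expected, a zero on a permit you rely on is not."""
    return [(name, r["seq"], f'{r["action"]} {r["match"]}')
            for name, rules in acls.items()
            for r in rules if r["hits"] == 0]


def final_deny_hits(acls: dict[str, list[dict]]) -> dict[str, int | None]:
    """Counter on each ACL's last rule when that rule is an explicit deny.
    The implicit deny at the end of an ACL is not a rule and has no counter,
    so an explicit 'deny ... any any' is what makes rejected traffic measurable."""
    out: dict[str, int | None] = {}
    for name, rules in acls.items():
        if rules and rules[-1]["action"] == "deny":
            out[name] = rules[-1]["hits"]
    return out


if __name__ == "__main__":
    parsed = parse_access_lists(SAMPLE_OUTPUT)
    for name, seq, text in unused_rules(parsed):
        print(f"{name}: rule {seq} ({text}) has never matched")
    for name, hits in final_deny_hits(parsed).items():
        print(f"{name}: {hits} packets hit the final deny")
```

Feed it the real command output (for example, captured over SSH) and diff the results over time; the telnet permit at sequence 30 in the sample is the kind of rule this surfaces, and 87 hits on the final deny of a mgmt0 ACL is traffic worth investigating.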
  • Page 96: Changing A Mac Acl

    [sequence-number] Creates a rule in the MAC ACL. {permit | deny} source destination protocol The permit and deny options support many ways of identifying traffic. For more information, see the Cisco Nexus 5000 Series Command Reference. Step 4 switch(config-mac-acl)# statistics...
  • Page 97 Copies the running configuration to the startup configuration. The following example shows how to change a MAC ACL (the source address must be a full 48-bit MAC address; the mask 0000.00ff.ffff makes the rule match any address with the OUI 00c0.4f): switch# configure terminal switch(config)# mac access-list acl-mac-01 switch(config-mac-acl)# 100 permit mac 00c0.4f00.0000 0000.00ff.ffff any switch(config-mac-acl)# statistics
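In the rule above, the second MAC field is a wildcard mask: a 1 bit means "ignore this bit of the address", so 00c0.4f00.0000 0000.00ff.ffff matches every station whose OUI is 00c0.4f. The following Python, an added example rather than Cisco code, implements that comparison, builds the address/wildcard pair for a given OUI, and rejects addresses that are not 12 hex digits (which catches a truncated address before it reaches the switch). The accepted notations (dotted, colon, dash) are a convenience of this example.

```python
"""MAC ACL address/wildcard matching as NX-OS evaluates it.

Added example, not Cisco code. A 1 bit in the wildcard means "ignore this bit".
"""
from __future__ import annotations

MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Accept 00c0.4f00.0000, 00:c0:4f:00:00:00 or 00-c0-4f-00-00-00;
    reject anything that is not exactly 12 hex digits (e.g. '00c0.4f00.00')."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render as the dotted form used in NX-OS configuration."""
    hexdigits = f"{value & MAC_BITS:012x}"
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def is_valid_mac(mac: str) -> bool:
    try:
        mac_to_int(mac)
        return True
    except ValueError:
        return False


def mac_matches(address: str, base: str, wildcard: str) -> bool:
    """True if 'address' matches the ACL rule '<base> <wildcard>'.
    Only bits that are 0 in the wildcard are compared."""
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(address) ^ mac_to_int(base)) & care == 0


def oui_rule(oui: str) -> tuple[str, str]:
    """Build the '<base> <wildcard>' pair that matches a 24-bit OUI such as '00c0.4f'."""
    digits = oui.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 6:
        raise ValueError(f"{oui!r} is not a 24-bit OUI")
    base = int(digits, 16) << 24          # OUI occupies the high 24 bits
    return int_to_mac(base), int_to_mac(0x000000FFFFFF)


if __name__ == "__main__":
    base, wildcard = oui_rule("00c0.4f")
    print(f"100 permit mac {base} {wildcard} any")
    print(mac_matches("00c0.4f12.3456", base, wildcard))   # same OUI
    print(mac_matches("00c1.4f12.3456", base, wildcard))   # different OUI
```

Because the masked bits of the base address are ignored, 00c0.4fff.ffff 0000.00ff.ffff is the same rule as 00c0.4f00.0000 0000.00ff.ffff; writing the ignored bits as zero, as the guide does, keeps the intent readable.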
  • Page 98: Removing A Mac Acl

    To change all the sequence numbers assigned to rules in a MAC ACL, perform this task: SUMMARY STEPS 1. switch# configure terminal 2. switch(config)# resequence mac access-list name starting-sequence-number increment 3. (Optional) switch# show mac access-lists name 4. (Optional) switch# copy running-config startup-config
  • Page 99: Applying A Mac Acl As A Port Acl

    SUMMARY STEPS 1. switch# configure terminal 2. switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number} 3. switch(config-if)# mac port access-group access-list 4. (Optional) switch# show running-config 5. (Optional) switch# copy running-config startup-config
  • Page 100: Verifying Mac Acl Configurations

    ACL. Displaying and Clearing MAC ACL Statistics Use the show mac access-lists command to display statistics about a MAC ACL, including the number of packets that have matched each rule.
  • Page 101: Example Configuration For Mac Acls

    In access map configuration mode, you use the action command to specify one of the following actions: • Forward—Sends the traffic to the destination determined by normal operation of the switch. • Drop—Drops the traffic.
  • Page 102: Statistics

    (hits) on all the interfaces on which that VACL is applied. The Cisco Nexus 5000 Series switch does not support interface-level VACL statistics. Note For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL.
  • Page 103: Removing A Vacl

    Enters configuration mode. Step 2 switch(config)# no vlan access-map map-name Removes the VLAN access map configuration for the specified access map. Step 3 switch(config)# show running-config (Optional) Displays ACL configuration. Cisco Nexus 5000 Series NX-OS Security Configuration Guide OL-20919-01...
  • Page 104: Applying A Vacl To A Vlan

    Verifying VACL Configuration To display VACL configuration information, perform one of the following tasks: SUMMARY STEPS 1. switch# show running-config aclmgr 2. switch# show vlan filter 3. switch# show vlan access-map
  • Page 105: Displaying And Clearing Vacl Statistics

    Default ACL Settings: The following table lists the default settings for IP ACL parameters.
  • Page 106 The following table lists the default settings for VACL parameters.
    Table 15: Default VACL Parameters
    Parameter | Default
    VACLs | No VACLs exist by default.
    ACL rules | Implicit rules apply to all ACLs.
  • Page 107: Index (IN-1)
  • Page 108: Index (IN-2)