Cisco Nexus 5000 Series NX-OS Security Configuration Guide Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-20919-01...
Preface

This preface describes the audience, organization, and conventions of the Cisco Nexus 5000 Series NX-OS Security Configuration Guide. It also provides information on how to obtain related documentation.

• Audience
• Document Organization
• Document Conventions
•...
italic screen font: Arguments for which you supply values are in italic screen font.
< >: Nonprinting characters, such as passwords, are in angle brackets.
[ ]: Default responses to system prompts are in square brackets.
Related Documentation for Nexus 5000 Series NX-OS Software Cisco NX-OS documentation is available at the following URL: http://www.cisco.com/en/US/products/ps9670/tsd_products_support_series_home.htmll The documentation set for the Cisco Nexus 5000 Series NX-OS software includes the following documents: Release Notes • Cisco Nexus 5000 Series and Cisco Nexus 2000 Series Release Notes •...
Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...
The latest version of this document is available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/products_installation_and_configuration_guides_list.html To check for the latest information about Cisco NX-OS, see the Cisco Nexus 5000 Series and Nexus 2000 Series NX-OS Release Notes available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html...
Part 3: Switch Security Features of the Cisco Nexus 5000 Series CLI Configuration Guide. For a complete list of Nexus 5000 Series document titles, see the list of Related Documentation in the "Preface."
Overview

The Cisco NX-OS software supports security features that can protect your network against degradation or failure and also against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.
Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco NX-OS software determines that an IP ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, the Cisco NX-OS software applies the applicable default rule.
The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users managing Cisco Nexus 5000 Series switches. The Cisco Nexus 5000 Series switches support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols.
Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services: • User password lists for each Cisco Nexus 5000 Series switch in the fabric are easier to manage. • AAA servers are already deployed widely across enterprises and can be easily used for AAA services.
• None—Uses only the user name.

Note: If the method is for all RADIUS servers, instead of a specific server group, the Nexus 5000 Series switches choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration.
The figure below shows a flowchart of the authentication and authorization process for user login. The following process occurs: • When you log in to the required Cisco Nexus 5000 Series switch, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.
Remote AAA servers have the following prerequisites:
• At least one RADIUS or TACACS+ server must be IP reachable.
• The Cisco Nexus 5000 Series switch is configured as a client of the AAA servers.
• The preshared secret key is configured on the Cisco Nexus 5000 Series switch and on the remote AAA servers.
• The remote server responds to AAA requests from the Cisco Nexus 5000 Series switch.
Configuring Default Login Authentication Methods

The authentication methods include the following:
• Global pool of RADIUS servers
• Named subset of RADIUS or TACACS+ servers
• Local database on the Nexus 5000 Series switch
• Username only

The default method is local.

Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed. To configure default login authentication methods, perform this task:

SUMMARY STEPS
1....
Enabling MSCHAP Authentication Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus 5000 Series switch through a remote authentication server (RADIUS or TACACS+). By default, the Cisco Nexus 5000 Series switch uses Password Authentication Protocol (PAP) authentication between the switch and the remote server.
(Optional) Displays the MS-CHAP configuration.

Step 5: switch# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

Related Topics
• About VSAs
(AV) pairs and is stored on the AAA server. When you activate AAA accounting, the Cisco Nexus 5000 Series switch reports these attributes as accounting records, which are then stored in an accounting log on the security server.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:...
Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco Nexus 5000 Series switch using this format:

shell:roles="roleA roleB …"...
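The VSA described above, decoded in Python as an added example (not code from the Cisco guide): it pulls cisco-av-pair strings out of a RADIUS attribute list using vendor ID 9 and vendor type 1, extracts the roles from the shell:roles form, and reports any role outside an allow-list. The attribute 26 layout follows RFC 2865; the function names, the sample attribute bytes and the role names in the sample are constructed for illustration.

```python
import re
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type that carries VSAs (RFC 2865)
CISCO_VENDOR_ID = 9    # Cisco vendor ID, as stated in the guide
CISCO_AV_PAIR = 1      # vendor type 1, named cisco-av-pair, as stated in the guide

# Only the shell:roles="roleA roleB" form shown in the guide is accepted here.
ROLES_RE = re.compile(r'shell:roles="([^"]*)"')


def encode_cisco_av_pair(value):
    """Build one Vendor-Specific attribute carrying a cisco-av-pair string."""
    data = value.encode("ascii")
    total = len(data) + 8  # 2 (attr header) + 4 (vendor ID) + 2 (sub-attr header)
    if total > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    sub = bytes([CISCO_AV_PAIR, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, total]) + struct.pack("!I", CISCO_VENDOR_ID) + sub


def _tlvs(buf):
    """Yield (type, value) from a run of type/length/value records.

    The length byte counts the two header bytes, so it can never be below 2.
    """
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("attribute length runs past the buffer")
        yield kind, buf[pos + 2:pos + length]
        pos += length


def cisco_av_pairs(attributes):
    """Return every cisco-av-pair string found in a RADIUS attribute list."""
    pairs = []
    for kind, value in _tlvs(attributes):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # VSA from another vendor
        for vendor_type, vendor_value in _tlvs(value[4:]):
            if vendor_type == CISCO_AV_PAIR:
                pairs.append(vendor_value.decode("ascii", errors="replace"))
    return pairs


def roles_from_attributes(attributes):
    """Return the role names carried in shell:roles pairs, in order."""
    roles = []
    for pair in cisco_av_pairs(attributes):
        match = ROLES_RE.fullmatch(pair)
        if match:
            roles.extend(match.group(1).split())
    return roles


def unexpected_roles(attributes, allowed):
    """Roles the AAA server would grant that are not on the allow-list."""
    return sorted(set(roles_from_attributes(attributes)) - set(allowed))


# Constructed sample: a User-Name attribute followed by one Cisco VSA.
SAMPLE_ATTRIBUTES = (
    bytes([1, 7]) + b"alice"
    + encode_cisco_av_pair('shell:roles="network-operator network-admin"')
)

if __name__ == "__main__":
    print(roles_from_attributes(SAMPLE_ATTRIBUTES))
    print(unexpected_roles(SAMPLE_ATTRIBUTES, {"network-operator"}))
```

Running the same check against Access-Accept captures from the AAA server shows which accounts receive roles beyond what the access policy intends.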
• Networks already using RADIUS. You can add a Nexus 5000 Series switch with RADIUS to the network. This action might be the first step when you make a transition to a AAA server. • Networks that require resource accounting.
RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements. RADIUS Operation When a user attempts to log in and authenticate to a Cisco Nexus 5000 Series switch using RADIUS, the following process occurs: 1 The user is prompted for and enters a username and password.
RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place.

Figure 2: RADIUS Server States

The monitoring intervals for alive servers and dead servers are different and can be configured by the user.
• Obtain IPv4 or IPv6 addresses or host names for the RADIUS servers. • Obtain preshared keys from the RADIUS servers. • Ensure that the Cisco Nexus 5000 Series switch is configured as a RADIUS client of the AAA servers. Guidelines and Limitations for RADIUS RADIUS has the following guidelines and limitations: •...
Copies the running configuration to the startup configuration.

The following example shows how to configure a RADIUS server host:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1
switch(config)# exit
switch# show radius-server
switch# copy running-config startup-config
Configuring RADIUS Global Preshared Keys You can configure preshared keys at the global level for all servers used by the Cisco Nexus 5000 Series switch. A preshared key is a shared secret text string between the switch and the RADIUS server hosts.
RADIUS protocol. The servers are tried in the same order in which you configure them. You can configure these server groups at any time but they only take effect when you apply them to an AAA service.
0

Step 6: switch(config-radius)# exit
Exits configuration mode.

Step 7: switch(config)# show radius-server group [group-name]
(Optional) Displays the RADIUS server group configuration.
RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus 5000 Series switch waits for responses from RADIUS servers before declaring a timeout failure.
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server By default, a Cisco Nexus 5000 Series switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server.
The idle timer specifies the interval during which a RADIUS server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet. You can configure this option to test servers periodically.
The test idle timer specifies the interval during which a RADIUS server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet. The default idle timer value is 0 minutes.

Note: When the idle time interval is 0 minutes, the Cisco Nexus 5000 Series switch does not perform periodic RADIUS server monitoring.
You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco Nexus 5000 Series switch waits after declaring a RADIUS server is dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.
| ipv6-address] [directed-request | groups | sorted | statistics]
Displays all configured RADIUS server parameters.

For detailed information about the fields in the output from this command, refer to the Cisco Nexus 5000 Series Command Reference.

Displaying RADIUS Server Statistics...
The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus 5000 Series switch. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation.
You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A preshared key is a secret text string shared between the Cisco Nexus 5000 Series switch and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed).
Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus 5000 Series switch displays an error message that a failure is taking place before it can impact performance.
Guidelines and Limitations for TACACS+

TACACS+ has the following guidelines and limitations:
• You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus 5000 Series switch.

Configuring TACACS+

TACACS+ Server Configuration Process

To configure TACACS+ servers, perform this task:

SUMMARY STEPS
1.
To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus 5000 Series switch. All TACACS+ server hosts are added to the default TACACS+ server group. You can configure up to 64 TACACS+ servers.
Configuring TACACS+ Global Preshared Keys You can configure preshared keys at the global level for all servers used by the Cisco Nexus 5000 Series switch. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server hosts.
Configuring TACACS+ Server Preshared Keys You can configure preshared keys for a TACACS+ server. A preshared key is a shared secret text string between the Cisco Nexus 5000 Series switch and the TACACS+ server host. To configure the TACACS+ preshared keys, perform this task: SUMMARY STEPS 1.
You can configure these server groups at any time but they only take effect when you apply them to an AAA service.

Before You Begin

You must use the feature tacacs+ command to enable TACACS+ before you configure TACACS+.
Exits configuration mode.

Step 7: switch(config)# show tacacs-server groups
(Optional) Displays the TACACS+ server group configuration.

Step 8: switch(config)# copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.
Configures the global source interface for all TACACS+ server groups configured on the device. The source interface can be the management or the VLAN interface.

Example:
switch(config)# ip tacacs source-interface mgmt
You can configure the switch to allow the user to specify which TACACS+ server to send the authentication request to by enabling the directed-request option. By default, a Cisco Nexus 5000 Series switch forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@hostname, where hostname is the name of a configured RADIUS server.
Configuring the Global TACACS+ Timeout Interval You can set a global timeout interval that the Cisco Nexus 5000 Series switch waits for responses from all TACACS+ servers before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from TACACS+ servers before declaring a timeout failure.
Configuring the Timeout Interval for a Server You can set a timeout interval that the Cisco Nexus 5000 Series switch waits for responses from a TACACS+ server before declaring a timeout failure. The timeout interval determines how long the switch waits for responses from a TACACS+ server before declaring a timeout failure.
The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus 5000 Series switch sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
0.

Step 3: switch(config)# tacacs-server dead-time minutes
Specifies the number of minutes before the Cisco Nexus 5000 Series switch checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes and the valid range is 0 to 1440 minutes.
You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus 5000 Series switch waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
(Optional) Copies the running configuration to the startup configuration.

Displaying TACACS+ Statistics

To display the statistics the Cisco Nexus 5000 Series switch maintains for TACACS+ activity, perform this task:
{hostname | ipv4-address | ipv6-address}
Displays the TACACS+ statistics.

For detailed information about the fields in the output from this command, see the Cisco Nexus 5000 Series Command Reference.

Verifying TACACS+ Configuration

To display TACACS+ configuration information, perform one of the following tasks:

SUMMARY STEPS
1.
The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus 5000 Series switch. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus 5000 Series switch will interoperate with publicly and commercially available SSH clients.
• The dsa option generates the DSA key-pair for the SSH version 2 protocol. • The rsa option generates the RSA key-pair for the SSH version 2 protocol. By default, the Cisco Nexus 5000 Series switch generates an RSA key using 1024 bits. SSH supports the following public key formats: •...
To specify the SSH public keys in OpenSSH format, generate an SSH public key in OpenSSH format and perform this task:

SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# username username sshkey ssh-key
3. switch(config)# exit
4. (Optional) switch# show user-account
5. (Optional) switch# copy running-config startup-config
Step 1: switch# copy server-file bootflash: filename
Downloads the file containing the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP.
Starting SSH Sessions to Remote Devices To start SSH sessions to connect to remote devices from your Cisco Nexus 5000 Series switch, perform this task: SUMMARY STEPS 1. switch# ssh {hostname | username@hostname} [vrf vrf-name]...
Disabling the SSH Server

By default, the SSH server is enabled on the Cisco Nexus 5000 Series switch. To disable the SSH server to prevent SSH access to the switch, perform this task:

SUMMARY STEPS
1.
(Optional) Copies the running configuration to the startup configuration. Clearing SSH Sessions To clear SSH sessions from the Cisco Nexus 5000 Series switch, perform this task: SUMMARY STEPS 1. switch# show users 2. switch# clear line vty-line...
Save the configuration.
switch(config)# copy running-config startup-config

Configuring Telnet

Enabling the Telnet Server

By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus 5000 Series switch.
Disables the Telnet server. The default is enabled. Reenabling the Telnet Server If the Telnet server on your Cisco Nexus 5000 Series switch has been disabled, you can reenable it. SUMMARY STEPS 1. switch(config)# feature telnet DETAILED STEPS...
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
switch login:

Clearing Telnet Sessions

To clear Telnet sessions from the Cisco Nexus 5000 Series switch, perform this task:

SUMMARY STEPS
1. switch# show users
2. switch# clear line vty-line

DETAILED STEPS...
The following table lists the default settings for SSH parameters.

Table 11: Default SSH Parameters

Parameters                     Default
SSH server                     Enabled
SSH server key                 RSA key generated with 1024 bits
RSA key bits for generation    1024
Telnet server                  Enabled
IP ACL Types and Applications The Cisco Nexus 5000 Series switch supports IPv4, IPv6, and MAC ACLs for security traffic filtering. The switch allows you to use IP ACLs as port ACLs and VLAN ACLs, as shown in the following table.
You can specify any protocol by number. In IPv4 ACLs, you can specify protocols by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.
• ICMP types and codes
• IGMP types
• Flow label
• DSCP value
• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set
• Established TCP connections
• Packet length
235 to the new rule. In addition, the Cisco Nexus 5000 Series switch allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
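The first-match evaluation and the resequencing described in this guide, modelled in Python as an added example (not Cisco code): a rule appended after a catch-all deny never matches, and resequencing contiguous rules 100 and 101 opens a gap for a new rule in the right position. The rule layout and function names are constructed, and the implicit deny for unmatched IP traffic is an assumption about the implicit rule that this page does not spell out.

```python
import ipaddress

MAX_SEQ = 4294967295             # upper bound for sequence-number, from the guide
IMPLICIT = ("implicit", "deny")  # assumption: unmatched IP traffic is denied
ANY = "0.0.0.0/0"


def rule(action, protocol, src, dst):
    """One ACL rule; protocol 'ip' matches every IP protocol."""
    return (action, protocol, ipaddress.ip_network(src), ipaddress.ip_network(dst))


def add_rule(acl, seq, new_rule):
    """Store a rule under a sequence number in the valid range."""
    if not 1 <= seq <= MAX_SEQ:
        raise ValueError("sequence number out of range")
    if seq in acl:
        # Choice made for this model only; it says nothing about the switch.
        raise ValueError("sequence number already used in this model")
    acl[seq] = new_rule


def evaluate(acl, protocol, src, dst):
    """Return (sequence number, action) of the first rule that matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for seq in sorted(acl):
        action, proto, src_net, dst_net = acl[seq]
        if proto in ("ip", protocol) and src_ip in src_net and dst_ip in dst_net:
            return seq, action
    return IMPLICIT


def resequence(acl, start, increment):
    """Renumber rules in their current order: start, start+increment, ..."""
    renumbered = {}
    for index, seq in enumerate(sorted(acl)):
        new_seq = start + index * increment
        if new_seq > MAX_SEQ:
            raise ValueError("resequencing exceeds the sequence number range")
        renumbered[new_seq] = acl[seq]
    return renumbered


def build_sample():
    """Constructed ACL with contiguous rules 100 and 101."""
    acl = {}
    add_rule(acl, 100, rule("permit", "tcp", "10.1.1.0/24", "10.2.0.0/16"))
    add_rule(acl, 101, rule("deny", "ip", ANY, ANY))
    return acl


if __name__ == "__main__":
    udp_permit = rule("permit", "udp", "10.1.1.0/24", "10.2.0.0/16")
    packet = ("udp", "10.1.1.5", "10.2.3.4")

    appended = build_sample()
    add_rule(appended, 102, udp_permit)         # lands after the catch-all deny
    print(evaluate(appended, *packet))

    spaced = resequence(build_sample(), 10, 10)  # rules become 10 and 20
    add_rule(spaced, 15, udp_permit)            # now sits before the deny
    print(evaluate(spaced, *packet))
```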
{permit|deny} protocol source destination
The sequence-number argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 5000 Series Command Reference.

Step 4: switch(config-acl)# statistics...
The sequence-number argument can be a whole number between 1 and 4294967295. The permit and deny commands support many ways of identifying traffic. For more information, see the Cisco Nexus 5000 Series Command Reference. Step 4...
{ip | ipv6} access-list name
Removes the IP ACL that you specified by name from the running configuration.

Step 3: switch# show running-config
(Optional) Displays ACL configuration. The removed IP ACL should not appear.
You can apply an IPv4 or IPv6 ACL to the management interface (mgmt0).

Before You Begin

Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
Example:
switch(config-if)# show running-config aclmgr

Step 5: copy running-config startup-config
(Optional) Copies the running configuration to the startup configuration.

Example:
switch(config-if)# copy running-config startup-config

Related Topics
• Creating an IP ACL
Copies the running configuration to the startup configuration.

Verifying IP ACL Configurations

To display IP ACL configuration information, perform one of the following tasks:

SUMMARY STEPS
1. switch# show running-config
2. switch# show running-config interface
Displays the configuration of an interface to which you have applied an ACL. For detailed information about the fields in the output from these commands, refer to the Cisco Nexus 5000 Series Command Reference. Displaying and Clearing IP ACL Statistics Use the show ip access-lists and show ipv6 access-list commands to display statistics about an IP ACL, including the number of packets that have matched each rule.
[sequence-number] Creates a rule in the MAC ACL. {permit | deny} source destination protocol The permit and deny options support many ways of identifying traffic. For more information, see the Cisco Nexus 5000 Series Command Reference. Step 4 switch(config-mac-acl)# statistics...
Copies the running configuration to the startup configuration.

The following example shows how to change a MAC ACL:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit mac 00c0.4f00.00 0000.00ff.ffff any
switch(config-mac-acl)# statistics
To change all the sequence numbers assigned to rules in a MAC ACL, perform this task:

SUMMARY STEPS
1. switch# configure terminal
2. switch(config)# resequence mac access-list name starting-sequence-number increment
3. (Optional) switch# show mac access-lists name
4. (Optional) switch# copy running-config startup-config
ACL.

Displaying and Clearing MAC ACL Statistics

Use the show mac access-lists command to display statistics about a MAC ACL, including the number of packets that have matched each rule.
In access map configuration mode, you use the action command to specify one of the following actions:
• Forward—Sends the traffic to the destination determined by normal operation of the switch.
• Drop—Drops the traffic.
(hits) on all the interfaces on which that VACL is applied. The Cisco Nexus 5000 Series switch does not support interface-level VACL statistics. Note For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL.
Verifying VACL Configuration

To display VACL configuration information, perform one of the following tasks:

SUMMARY STEPS
1. switch# show running-config aclmgr
2. switch# show vlan filter
3. switch# show vlan access-map
50-82

Default ACL Settings

The following table lists the default settings for IP ACLs parameters.
The following table lists the default settings for VACL parameters.

Table 15: Default VACL Parameters

Parameters    Default
VACLs         No IP ACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.