hit counter script
Cisco Nexus 7000 Series Command Reference Manual

Cisco Nexus 7000 Series Command Reference Manual

Hide thumbs Also See for Nexus 7000 Series:
Table of Contents

Advertisement

Cisco Nexus 7000 Series Security Command Reference
First Published: --
Last Modified: --
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883

Advertisement

Table of Contents
loading

Summary of Contents for Cisco Nexus 7000 Series

  • Page 1 Cisco Nexus 7000 Series Security Command Reference First Published: -- Last Modified: -- Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883...
  • Page 2 © Cisco Systems, Inc. All rights reserved.
  • Page 3: Table Of Contents

    Cisco Nexus 7000 Series Security Command Reference...
  • Page 4 Cisco Nexus 7000 Series Security Command Reference...
  • Page 5 Cisco Nexus 7000 Series Security Command Reference...
  • Page 6 D Commands C H A P T E R 3 dot1x max-reauth-req dot1x max-req dot1x pae authenticator dot1x port-control dot1x radius-accounting dot1x re-authentication (EXEC) dot1x re-authentication (global configuration and interface configuration) dot1x system-auth-control Cisco Nexus 7000 Series Security Command Reference...
  • Page 7 E Commands C H A P T E R 4 encrypt pause-frame encryption decrypt type6 encryption delete type6 enable enable Cert-DN-match enable secret enable user-server-group encryption re-encrypt obfuscated enrollment terminal Cisco Nexus 7000 Series Security Command Reference...
  • Page 8 G Commands C H A P T E R 6 Cisco Nexus 7000 Series Security Command Reference viii...
  • Page 9 Cisco Nexus 7000 Series Security Command Reference...
  • Page 10 K Commands C H A P T E R 9 Cisco Nexus 7000 Series Security Command Reference...
  • Page 11 C H A P T E R 1 2 nac enable O Commands C H A P T E R 1 3 object-group (identity policy) object-group ip address object-group ip port object-group ipv6 address Cisco Nexus 7000 Series Security Command Reference...
  • Page 12 R Commands C H A P T E R 1 5 radius abort radius commit radius distribute radius-server deadtime radius-server directed-request radius-server host radius-server key radius-server retransmit radius-server test radius-server timeout Cisco Nexus 7000 Series Security Command Reference...
  • Page 13 (policy map class) set precedence (policy map class) source-interface ssh key ssh login-attempts ssh server enable ssh6 statistics per-entry storm-control level switchport port-security Cisco Nexus 7000 Series Security Command Reference xiii...
  • Page 14 Cisco Nexus 7000 Series Security Command Reference...
  • Page 15 Cisco Nexus 7000 Series Security Command Reference...
  • Page 16 Cisco Nexus 7000 Series Security Command Reference...
  • Page 17 Cisco Nexus 7000 Series Security Command Reference xvii...
  • Page 18 C H A P T E R 1 8 tacacs+ abort tacacs+ commit tacacs+ distribute tacacs-server deadtime tacacs-server directed-request tacacs-server host tacacs-server key tacacs-server test tacacs-server timeout telnet telnet server enable telnet6 terminal verify-only test aaa authorization command-type time-range trustedCert Cisco Nexus 7000 Series Security Command Reference xviii...
  • Page 19 C H A P T E R 1 9 user-certdn-match username userprofile user-pubkey-match user-switch-bind use-vrf V Commands C H A P T E R 2 0 vlan access-map vlan filter vlan policy deny vrf policy deny Cisco Nexus 7000 Series Security Command Reference...
  • Page 20 Contents Cisco Nexus 7000 Series Security Command Reference...
  • Page 21: Document Conventions

    This chapter includes the following topics: Audience This publication is for experienced network administrators who configure and maintain Cisco NX-OS on Cisco Nexus 7000 Series Platform switches. Document Conventions • As part of our constant endeavor to remodel our documents to meet our customers' requirements, Note we have modified the manner in which we document configuration tasks.
  • Page 22 An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line. This document uses the following conventions: Means reader take note. Notes contain helpful suggestions or references to material not covered in the Note manual. Cisco Nexus 7000 Series Security Command Reference xxii...
  • Page 23 Preface Document Conventions Means reader be careful. In this situation, you might do something that could result in equipment damage Caution or loss of data. Cisco Nexus 7000 Series Security Command Reference xxiii...
  • Page 24: Related Documentation

    • Install and Upgrade Guides http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/ products-installation-guides-list.html • Licensing Guide http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/ products-licensing-information-listing.html Documentation for Cisco Nexus 7000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders is available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-2000-series-fabric-extenders/ products-installation-and-configuration-guides-list.html Cisco Nexus 7000 Series Security Command Reference xxiv...
  • Page 25: Documentation Feedback

    What's New in Cisco Product Documentation. To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
  • Page 26 Preface Obtaining Documentation and Submitting a Service Request Cisco Nexus 7000 Series Security Command Reference xxvi...
  • Page 27 35 • aaa authorization commands default, page 37 • aaa authorization config-commands default, page 39 • aaa authorization cts default group, page 41 • aaa authorization ssh-certificate, page 43 Cisco Nexus 7000 Series Security Command Reference...
  • Page 28 • aaa authorization ssh-publickey, page 45 • aaa group server ldap, page 47 • aaa group server radius, page 49 • aaa group server tacacs+, page 50 • aaa user default-role, page 51 Cisco Nexus 7000 Series Security Command Reference...
  • Page 29: Absolute

    For information about the values for the time and date arguments, see the “Usage Guidelines” section. Command Default None Cisco Nexus 7000 Series Security Command Reference...
  • Page 30 07:00 17 September 2007 end 23:59:59 19 September 2007 Related Commands Command Description periodic Configures a periodic time range rule. time-range Configures a time range for use in IPv4 or IPv6 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 31: Accept-Lifetime

    “Usage Guidelines” section. Command Default infinite Command Modes Key configuration Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines By default, the device interprets all time range rules as UTC. Cisco Nexus 7000 Series Security Command Reference...
  • Page 32: Cisco Nexus 7000 Series Security Command Reference

    00:00:00 Jun 13 2008 23:59:59 Sep 12 2008 switch(config-keychain-key)# Related Commands Command Description Configures a key. keychain Configures a keychain. Configures a key string. key-string send-lifetime Configures a send lifetime for a key. show key chain Shows keychain configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 33: Access-Class

    2/1 This example shows how to remove the dynamically learned, secure MAC addresses 0019.D2D0.00AE: switch# config t switch(config)# clear port-security dynamic address 0019.D2D0.00AE Cisco Nexus 7000 Series Security Command Reference...
  • Page 34: Cisco Nexus 7000 Series Security Command Reference

    A Commands access-class Related Commands Command Description ip access-list Provides debugging information for port security. line Enables port security globally. show line Shows information about port security. Cisco Nexus 7000 Series Security Command Reference...
  • Page 35: Action

    The dot separator is required between the Note channel-number and subinterface-number arguments. Command Default None Command Modes VLAN access-map configuration Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 36: Cisco Nexus 7000 Series Security Command Reference

    Enables statistics for an access control list or VLAN statistics access map. vlan access-map Configures a VLAN access map. Applies a VLAN access map to one or more VLANs. vlan filter Cisco Nexus 7000 Series Security Command Reference...
  • Page 37: Arp Access-List

    This command does not require a license. Examples This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01: switch# conf t switch(config)# arp access-list arp-acl-01 switch(config-arp-acl)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 38: Cisco Nexus 7000 Series Security Command Reference

    Applies an ARP ACL to a VLAN. permit (ARP) Configures a permit rule in an ARP ACL. Displays all ARP ACLs or a specific ARP ACL. show arp access-lists Cisco Nexus 7000 Series Security Command Reference...
  • Page 39: Authentication (Ldap)

    10.10.2.2 switch(config-ldap)# authentication compare password-attribute TyuL8r switch(config-ldap)# Related Commands Command Description aaa group server ldap Creates an LDAP server group and enters the LDAP server group configuration mode for that group. Cisco Nexus 7000 Series Security Command Reference...
  • Page 40: Cisco Nexus 7000 Series Security Command Reference

    A Commands authentication (LDAP) Command Description server Configures the LDAP server as a member of the LDAP server group. show ldap-server groups Displays the LDAP server group configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 41: Aaa Accounting Default

    If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 42: Cisco Nexus 7000 Series Security Command Reference

    Configures AAA RADIUS server groups. Configures RADIUS servers. radius-server host show aaa accounting Displays AAA accounting status information. show aaa groups Displays AAA server group information. tacacs-server host Configures TACACS+ servers. Cisco Nexus 7000 Series Security Command Reference...
  • Page 43: Aaa Accounting Dot1X

    If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 44: Cisco Nexus 7000 Series Security Command Reference

    Related Commands Command Description Configures AAA RADIUS server groups. aaa group server radius radius-server host Configures RADIUS servers. show aaa accounting Displays AAA accounting status information. show aaa groups Displays AAA server group information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 45: Aaa Authentication Cts Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 46: Cisco Nexus 7000 Series Security Command Reference

    Configures AAA server groups. feature cts Enables the Cisco TrustSec feature. radius-server host Configures RADIUS servers. Displays the AAA authentication configuration. show aaa authentication show aaa groups Displays the AAA server groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 47: Aaa Authentication Dot1X Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 48: Cisco Nexus 7000 Series Security Command Reference

    Dot1xGroup Related Commands Command Description feature dot1x Enables 802.1X. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 49: Aaa Authentication Eou Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 50: Cisco Nexus 7000 Series Security Command Reference

    EoUGroup Related Commands Command Description feature eou Enables EAPoUDP. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 51: Aaa Authentication Login Ascii-Authentication

    This example shows how to disable ASCII authentication for passwords on TACACS+ servers: switch# configure terminal switch(config)# no aaa authentication login ascii-authentication Related Commands Command Description Displays the status of the ASCII authentication for show aaa authentication login ascii-authentication passwords. Cisco Nexus 7000 Series Security Command Reference...
  • Page 52: Aaa Authentication Login Chap Enable

    Modification 5.0(2) This command was introduced. Usage Guidelines You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device. This command does not require a license. Examples This example shows how to enable CHAP authentication: switch# configure terminal...
  • Page 53: Aaa Authentication Login Console

    • Any configured RADIUS, TACACS+, or LDAP server group name. (Optional) Specifies that no authentication is to be none used. local Specifies to use the local database for authentication. Command Default local Command Modes Global configuration Cisco Nexus 7000 Series Security Command Reference...
  • Page 54: Cisco Nexus 7000 Series Security Command Reference

    Use the show aaa groups command to display the server groups on the device. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 55: Aaa Authentication Login Default

    • Any configured RADIUS, TACACS+, or LDAP server group name. none (Optional) Specifies that no authentication is to be used. Specifies to use the local database for authentication. local Command Default local Command Modes Global configuration Cisco Nexus 7000 Series Security Command Reference...
  • Page 56: Cisco Nexus 7000 Series Security Command Reference

    Use the show aaa groups command to display the server groups on the device. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 57: Aaa Authentication Login Error-Enable

    This example shows how to disable the display of AAA authentication failure messages to the console: switch# configure terminal switch(config)# no aaa authentication login error-enable Related Commands Command Description Displays the status of the AAA authentication failure show aaa authentication login error-enable message display. Cisco Nexus 7000 Series Security Command Reference...
  • Page 58: Aaa Authentication Login Invalid-Username-Log

    This example shows how to exclude the username in authentication failed messages for all failure reasons: switch# configure terminal switch(config)# no aaa authentication login invalid-username-log Cisco Nexus 7000 Series Security Command Reference...
  • Page 59: Aaa Authentication Login Mschap Enable

    Modification 4.0(1) This command was introduced. Usage Guidelines You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX-OS device. This command does not require a license. Examples This example shows how to enable MSCHAP authentication: switch# configure terminal...
  • Page 60: Aaa Authentication Login Mschapv2 Enable

    Modification 4.1(2) This command was introduced. Usage Guidelines You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX-OS device. This command does not require a license. Examples This example shows how to enable MSCHAP V2 authentication:...
  • Page 61: Aaa Authentication Rejected

    5 in 60 ban 300 Related Commands Command Description clear aaa local user blocked Clears the blocked local user. Displays the AAA authentication configuration. show aaa authentication show aaa local user blocked Displays the blocked local users. Cisco Nexus 7000 Series Security Command Reference...
  • Page 62: Cisco Nexus 7000 Series Security Command Reference

    A Commands aaa authentication rejected Cisco Nexus 7000 Series Security Command Reference...
  • Page 63: Aaa Authorization Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 64: Cisco Nexus 7000 Series Security Command Reference

    By default, context sensitive help and command tab completion show only the commands supported for Note a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
  • Page 65: Aaa Authorization Config-Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 66: Cisco Nexus 7000 Series Security Command Reference

    By default, context sensitive help and command tab completion show only the commands supported for Note a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
  • Page 67: Aaa Authorization Cts Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more that one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 68: Cisco Nexus 7000 Series Security Command Reference

    A Commands aaa authorization cts default group Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show aaa authorization Displays the AAA authorization configuration. show aaa groups Displays the AAA server groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 69: Aaa Authorization Ssh-Certificate

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 70: Cisco Nexus 7000 Series Security Command Reference

    AAA authorization method for LDAP servers. Enables the LDAP feature. feature ldap feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 71: Aaa Authorization Ssh-Publickey

    Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 72: Cisco Nexus 7000 Series Security Command Reference

    Configures LDAP or local authorization with aaa authorization ssh-certificate certificate authentication as the default AAA authorization method for LDAP servers. Enables the LDAP feature. feature ldap show aaa authorization Displays the AAA authorization configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 73: Aaa Group Server Ldap

    This example shows how to create an LDAP server group and enter LDAP server configuration mode: switch# configure terminal switch(config)# aaa group server ldap LdapServer switch(config-ldap)# This example shows how to delete an LDAP server group: switch# configure terminal switch(config)# no aaa group server ldap LdapServer Cisco Nexus 7000 Series Security Command Reference...
  • Page 74: Cisco Nexus 7000 Series Security Command Reference

    A Commands aaa group server ldap Related Commands Command Description feature ldap Enables LDAP. show aaa groups Displays server group information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 75: Aaa Group Server Radius

    RadServer switch(config-radius)# This example shows how to delete a RADIUS server group: switch# configure terminal switch(config)# no aaa group server radius RadServer Related Commands Command Description Displays server group information. show aaa groups Cisco Nexus 7000 Series Security Command Reference...
  • Page 76: Aaa Group Server Tacacs

    This example shows how to delete a TACACS+ server group: switch# configure terminal switch(config)# no aaa group server tacacs+ TacServer Related Commands Command Description feature tacacs+ Enables TACACS+. Displays server group information. show aaa groups Cisco Nexus 7000 Series Security Command Reference...
  • Page 77: Aaa User Default-Role

    This example shows how to disable default user roles for AAA authentication of remote users: switch# configure terminal switch(config)# no aaa user default-role Related Commands Command Description show aaa user default-role Displays the status of AAA default user role feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 78: Cisco Nexus 7000 Series Security Command Reference

    A Commands aaa user default-role Cisco Nexus 7000 Series Security Command Reference...
  • Page 79: C Commands

    85 • clear ip arp inspection statistics vlan, page 87 • clear ip device tracking, page 89 • clear ip dhcp relay statistics, page 91 • clear ip dhcp snooping binding, page 92 Cisco Nexus 7000 Series Security Command Reference...
  • Page 80: Cisco Nexus 7000 Series Security Command Reference

    139 • crypto certificatemap mapname, page 141 • cts cache enable, page 142 • cts device-id, page 143 • cts role-based sgt-map, page 145 • cts sgt, page 147 Cisco Nexus 7000 Series Security Command Reference...
  • Page 81: Cisco Nexus 7000 Series Security Command Reference

    180 • cts sxp mapping network-map, page 182 • cts sxp node-id, page 183 • cts sxp reconcile-period, page 185 • cts sxp retry-period, page 187 • cts sxp speaker hold-time, page 189 Cisco Nexus 7000 Series Security Command Reference...
  • Page 82: Cipher Suite

    To use this command, you should enable the MACsec Key Agreement (MKA) feature first. • GCM indicates the encryption method. • AES and AES-XPN indicates the hash or integrity algorithm. • The numeral indicates the length of the cipher. Cisco Nexus 7000 Series Security Command Reference...
  • Page 83: Cisco Nexus 7000 Series Security Command Reference

    Displays the configuration of the specified keychain. Displays the details of MKA. show macsec mka show macsec policy Displays all the MACsec policies in the system. Displays the status of MKA. show run mka Cisco Nexus 7000 Series Security Command Reference...
  • Page 84: Clear Access-List Counters

    Related Commands Command Description clear ip access-list counters Clears counters for IPv4 ACLs. clear ipv6 access-list counters Clears counters for IPv6 ACLs. Clears counters for MAC ACLs. clear mac access-list counters Cisco Nexus 7000 Series Security Command Reference...
  • Page 85: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear access-list counters Command Description clear vlan access-list counters Clears counters for VACLs. show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 86: Clear Accounting Log

    This command does not require a license. Examples This example shows how to clear the accounting log: switch# clear accounting log Related Commands Command Description show accounting log Displays the accounting log contents. Cisco Nexus 7000 Series Security Command Reference...
  • Page 87: Clear Copp Statistics

    This example shows how to specify a control plane class map and enter class map configuration mode: switch# clear copp statistics Related Commands Command Description show policy-map interface control-plane Displays the CoPP statistics for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 88: Clear Cts Cache

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to clear the Cisco TrustSec authentication and authorization cache:...
  • Page 89: Clear Cts Policy

    C Commands clear cts policy clear cts policy To clear the Cisco TrustSec security group access control list (SGACL) policies, use the clear cts policy command. clear cts policy {all| peer device-id| sgt sgt-value} Syntax Description Clears all the Cisco TrustSec SGACL policies on the local device.
  • Page 90: Capture Session

    This example shows how to configure an ACL capture session configuration: switch# configure terminal switch(config)# ip access-list abc1234 switch(config-acl)# capture session 7 switch(config-acl)# Related Commands Command Description ip access-list Creates an access list. monitor session session type acl-capture Configures an ACL capture session. Cisco Nexus 7000 Series Security Command Reference...
  • Page 91: Cts Dot1X

    This command is not supported for F1 Series modules and F2 Series modules. To use this command, you must enable the Cisco TrustSec feature using the feature cts command. After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
  • Page 92: Cisco Nexus 7000 Series Security Command Reference

    You can use only IPv4 addressing with Cisco TrustSec. This command requires the Advanced Services license. Examples This example shows how to configure Layer 3 Cisco TrustSec global mapping for an SPI and subnet: switch# config t switch(config)# cts l3 spi 3 10.10.1.1/23...
  • Page 93: Class (Policy Map)

    PolicyMapA switch(config-pmap)# class ClassMapA swtich(config-pmap-c) This example shows how to delete a class map from a control plane policy map: switch# configure terminal switch(config)# policy-map type control-plane PolicyMapA switch(config-pmap)# no class ClassMapA Cisco Nexus 7000 Series Security Command Reference...
  • Page 94: Cisco Nexus 7000 Series Security Command Reference

    (policy map) Related Commands Command Description policy-map type control-plane Specifies a control plane policy map and enters policy map configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 95: Class-Map Type Control-Plane

    This example shows how to specify a control plane class map and enter class map configuration mode: switch# configure terminal switch(config)# class-map type control-plane ClassMapA switch(config-cmap)# This example shows how to delete a control plane class map: switch# configure terminal switch(config)# no class-map type control-plane ClassMapA Cisco Nexus 7000 Series Security Command Reference...
  • Page 96: Cisco Nexus 7000 Series Security Command Reference

    C Commands class-map type control-plane Related Commands Command Description show class-map type control-plane Displays control plane policy map configuration information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 97: Clear Aaa Local User Blocked

    Related Commands Command Description aaa authentication rejected Configures the login block per user. show aaa authentication Displays the AAA authentication configuration. Displays the blocked local users. show aaa local user blocked Cisco Nexus 7000 Series Security Command Reference...
  • Page 98: Clear Ldap-Server Statistics

    10.10.1.1 Related Commands Command Description Enables LDAP. feature ldap ldap-server host Specifies the IPv4 or IPv6 address or hostname for an LDAP server. show ldap-server statistics Displays the LDAP server statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 99: Clear Mac Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. Clears counters for IPv4 ACLs. clear ip access-list counters clear ipv6 access-list counters Clears counters for IPv6 ACLs. clear vlan access-list counters Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 100: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear mac access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show mac access-lists Displays information about one or all MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 101: Clear Port-Security

    MAC address, in dotted hexadecimal format. Command Default None Command Modes Any command mode Command History Release Modification 4.2(1) Support was added for port-security on port-channel interfaces. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 102: Cisco Nexus 7000 Series Security Command Reference

    Command Description Provides debugging information for port security. debug port-security feature port-security Enables port security globally. Shows information about port security. show port-security switchport port-security Enables port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 103: Clear Cts Role-Based Counters

    Related Commands Command Description cts role-based counters enable Enables the RBACL statistics. Displays the configuration status of RBACL statistics show cts role-based counters and lists statistics for all RBACL policies. Cisco Nexus 7000 Series Security Command Reference...
  • Page 104: Clear Dot1X

    This example shows how to clear the 802.1X authenticator instances for an interface: switch# clear dot1x interface ethernet 1/1 Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 105: Clear Eou

    Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines You must enable EAPoUDP by using the feature eou command before using the clear eou command. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 106: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to the EAPoUDP sessions with a posture token type of checkup: switch# clear eou posturetoken healthy Related Commands Command Description feature eou Enables EAPoUDP. Displays EAPoUDP information. show eou Cisco Nexus 7000 Series Security Command Reference...
  • Page 107: Clear Hardware Rate-Limiter

    Clears rate-limit statistics for Layer 3 glean fast-path packets. Clears rate-limit statistics for Layer 3 maximum transmission unit (MTU) packets. multicast Specifies Layer 3 multicast rate limits. directly-connected Clears rate-limit statistics for Layer 3 directly connected multicast packets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 108: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the rate-limit statistics for Layer 3 glean packets: switch# clear hardware rate-limiter layer-3 glean This example shows how to clear the rate-limit statistics for Layer 3 directly connected multicast packets: switch# clear hardware rate-limiter layer-3 multicast directly-connected Cisco Nexus 7000 Series Security Command Reference...
  • Page 109: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the rate-limit statistics for received packets: switch# clear hardware rate-limiter receive Related Commands Command Description hardware rate-limiter Configures rate limits. show hardware rate-limiter Displays rate-limit information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 110: Clear Ip Arp Inspection Log

    Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection log Displays the DAI log configuration. show ip arp inspection statistics Displays the DAI statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 111: Clear Ip Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. Clears counters for IPv6 ACLs. clear ipv6 access-list counters clear mac access-list counters Clears counters for MAC ACLs. clear vlan access-list counters Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 112: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear ip access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show ip access-lists Displays information about one or all IPv4 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 113: Clear Ip Arp Inspection Statistics Vlan

    This example shows how to clear the DAI statistics for VLAN 2 and VLANs 5 through 12: switch# clear ip arp inspection statistics vlan 2,5-12 switch# Related Commands Command Description clear ip arp inspection log Clears the DAI logging buffer. Cisco Nexus 7000 Series Security Command Reference...
  • Page 114: Cisco Nexus 7000 Series Security Command Reference

    Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection vlan Displays DAI status for a specified list of VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 115: Clear Ip Device Tracking

    This example shows how to clear the IP device tracking information for an IP address: switch# clear ip device tracking ip-address 10.10.1.1 This example shows how to clear the IP device tracking information for a MAC address: switch# clear ip device tracking mac-address 000c.30da.86f4 Cisco Nexus 7000 Series Security Command Reference...
  • Page 116: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear ip device tracking Related Commands Command Description ip device tracking Enables IP device tracking. show ip device tracking Displays IP device tracking information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 117: Clear Ip Dhcp Relay Statistics

    This example shows how to clear the global DHCP relay statistics: switch# clear ip dhcp relay statistics Related Commands Command Description ip dhcp relay Enables the DHCP relay agent. show ip dhcp relay statistics Displays the DHCP relay statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 118: Clear Ip Dhcp Snooping Binding

    .subchannel-number (Optional) Number of the Ethernet port-channel subchannel. Note The dot separator is required between the channel-number and subchannel-number arguments. Command Default None Command Modes Any command mode Cisco Nexus 7000 Series Security Command Reference...
  • Page 119: Cisco Nexus 7000 Series Security Command Reference

    Displays IP-MAC address bindings, including the static IP source entries. Displays DHCP snooping statistics. show ip dhcp snooping statistics show running-config dhcp Displays DHCP snooping configuration, including the IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 120: Clear Ipv6 Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. Clears counters for IPv4 ACLs. clear ip access-list counters clear mac access-list counters Clears counters for MAC ACLs. clear vlan access-list counters Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 121: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear ipv6 access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show ipv6 access-lists Displays information about one or all IPv6 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 122: Clear Ipv6 Dhcp Relay Statistics

    This example shows how to clear the global DHCPv6 relay statistics: switch# clear ipv6 dhcp relay statistics Related Commands Command Description ipv6 dhcp relay Enables the DHCPv6 relay agent. show ipv6 dhcp relay statistics Displays the DHCPv6 relay statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 123: Clear Ipv6 Dhcp-Ldra Statistics

    To use this command, you must enable the DHCP feature and LDRA feature. Examples This example shows how to clear the LDRA related statistics: switch# clear ipv6 dhcp-ldra statistics Related Commands Command Description show ipv6 dhcp-ldra Displays the configuration details of LDRA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 124: Clear Vlan Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. Clears counters for IPv4 ACLs. clear ip access-list counters clear ipv6 access-list counters Clears counters for IPv6 ACLs. clear mac access-list counters Clears counters for MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 125: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear vlan access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show vlan access-map Displays information about one or all VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 126: Conf-Offset

    Enables the MKA feature. Creates a key or enters the configuration mode of an existing key. key chain keychain-name Creates a keychain or enters the configuration mode of an existing keychain. Cisco Nexus 7000 Series Security Command Reference...
  • Page 127: Cisco Nexus 7000 Series Security Command Reference

    Displays the configuration of the specified keychain. Displays the details of MKA. show macsec mka show macsec policy Displays all the MACSec policies in the system. show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 128: Copp Copy Profile

    When you use the copp copy profile command, CoPP renames all class maps and policy maps with the specified prefix or suffix. This command does not require a license. Examples This example shows how to create a clone of the CoPP best practice policy: switch # copp copy profile moderate abc Cisco Nexus 7000 Series Security Command Reference...
  • Page 129: Cisco Nexus 7000 Series Security Command Reference

    Applies the default CoPP best practice policy on the Cisco NX-OS device. show copp status Displays the CoPP status, including the last configuration operation and its status. show running-config copp Displays the CoPP configuration in the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 130: Copp Profile

    Added the dense keyword. Usage Guidelines In Cisco NX-OS releases prior to 5.2(1), you must use the setup utility to change or reapply the default CoPP policy. You can access the setup utility using the setup command. Beginning with Cisco NX-OS Release 5.2, the CoPP best practice policy is read-only. If you want to modify its configuration, you must clone it using the copp clone profile command.
  • Page 131: Cisco Nexus 7000 Series Security Command Reference

    C Commands copp profile Examples This example shows how to apply the default CoPP best practice policy on the Cisco NX-OS device: switch# configure terminal switch(config)# copp profile moderate switch(config)# This example shows how remove the default CoPP best practice policy from the Cisco NX-OS device:...
  • Page 132: Crllookup

    This example shows how to configure the attribute name, search filter, and base-DN for the CRL search operation in order to send a search query to the LDAP server: switch# conf t switch(config)# ldap search-map s0 switch(config-ldap-search-map)# CRLLookup attribute-name certificateRevocationList search-filter (&(objectClass=cRLDistributionPoint)) base-DN CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com switch(config-ldap-search-map)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 133: Cisco Nexus 7000 Series Security Command Reference

    C Commands CRLLookup Related Commands Command Description feature ldap Enables LDAP. ldap search-map Configures an LDAP search map. show ldap-search-map Displays the configured LDAP search maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 134: Crypto Ca Authenticate

    Usage Guidelines You can use this command to authenticate the CA to the Cisco NX-OS device by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you execute this command.
  • Page 135: Cisco Nexus 7000 Series Security Command Reference

    Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12 Do you accept this certificate? [yes/no]: y Related Commands Command Description crypto ca trustpoint Configures the trustpoint. show crypto ca certificates Displays configured trustpoint certificates. Displays trustpoint configurations. show crypto ca trustpoints Cisco Nexus 7000 Series Security Command Reference...
  • Page 136: Crypto Ca Crl Request

    This command does not require a license. Examples This example shows how to configure a CRL for the trustpoint or replaces the current CRL: switch# configure teminal switch(config)# crypto ca crl request admin-ca bootflash:admin-ca.crl Cisco Nexus 7000 Series Security Command Reference...
  • Page 137: Cisco Nexus 7000 Series Security Command Reference

    C Commands crypto ca crl request Related Commands Command Description revocation-check Configures trustpoint revocation check methods. show crypto ca crl Displays configured certificate revocation lists (CRL). Cisco Nexus 7000 Series Security Command Reference...
  • Page 138: Clear Ldap-Server Statistics

    10.10.1.1 Related Commands Command Description Enables LDAP. feature ldap ldap-server host Specifies the IPv4 or IPv6 address or hostname for an LDAP server. show ldap-server statistics Displays the LDAP server statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 139: Clear Mac Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. Clears counters for IPv4 ACLs. clear ip access-list counters clear ipv6 access-list counters Clears counters for IPv6 ACLs. clear vlan access-list counters Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 140: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear mac access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show mac access-lists Displays information about one or all MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 141: Clear Port-Security

    MAC address, in dotted hexadecimal format. Command Default None Command Modes Any command mode Command History Release Modification 4.2(1) Support was added for port-security on port-channel interfaces. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 142: Cisco Nexus 7000 Series Security Command Reference

    Command Description Provides debugging information for port security. debug port-security feature port-security Enables port security globally. Shows information about port security. show port-security switchport port-security Enables port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 143: Clear Radius-Server Statistics

    This command does not require a license. Examples This example shows how to clear statistics for a RADIUS server: switch# clear radius-server statistics 10.10.1.1 Related Commands Command Description show radius-server statistics Displays RADIUS server host statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 144: Clear Ssh Hosts

    This command does not require a license. Examples This example shows how to clear all SSH host sessions and the known host file: switch# clear ssh hosts Related Commands Command Description ssh server enable Enables the SSH server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 145: Clear Tacacs-Server Statistics

    This command does not require a license. Examples This example shows how to clear statistics for a TACACS+ server: switch# clear tacacs-server statistics 10.10.1.1 Related Commands Command Description show tacacs-server statistics Displays TACACS+ server host statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 146: Clear User

    This command does not require a license. Examples This example shows how to clear all SSH host sessions: switch# clear user user1 Related Commands Command Description Displays the user session information. show users Cisco Nexus 7000 Series Security Command Reference...
  • Page 147: Cts L3 Spi (Global)

    (global) To enable Layer 3 Cisco TrustSec and map a security parameter index (SPI) and subnet for the device, use the cts l3 spi command. To remove the mapping to an IPv4 subnet, use the no form of this command.
  • Page 148: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (global) Command Description show cts l3 mapping Displays the Layer 3 Cisco TrustSec mapping for SPI values to IPv4 subnets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 149: Cts L3 Spi (Interface)

    (interface) cts l3 spi (interface) To enable Layer 3 Cisco TrustSec and configure a security parameter index (SPI) on an interface, use the cts l3 spi command. To revert to the default, use the no form of this command.
  • Page 150: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (interface) Command Description show cts l3 interface Displays the Layer 3 Cisco TrustSec configuration on the interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 151: Crypto Ca Enroll

    This command was introduced. Usage Guidelines A Cisco NX-OS device enrolls with the trustpoint CA to obtain an identity certificate. You can enroll your device with multiple trustpoints and obtain a separate identity certificate from each trustpoint. When enrolling with a trustpoint, you must specify an RSA key pair to certify. You must generate the key pair and associate it to the trustpoint before generating the enrollment request.
  • Page 152: Cisco Nexus 7000 Series Security Command Reference

    For security reasons your password will not be saved in the configuration. Please make a note of it. Password:nbv123 The subject name in the certificate will be: Vegas-1.cisco.com Include the switch serial number in the subject name? [yes/no]:no Include an IP address in the subject name [yes/no]:yes ip address:209.165.200.226...
  • Page 153: Crypto Ca Export

    This command does not require a license. Examples This example shows how to export a certificate and key pair in the PKCS #12 format: switch# configure terminal switch(config)# crypto ca export admin-ca pkcs12 bootflash:adminid.p12 nbv123 Cisco Nexus 7000 Series Security Command Reference...
  • Page 154: Cisco Nexus 7000 Series Security Command Reference

    CA certificate (chain) to a trustpoint. Generates an RSA key pair. crypto key generate rsa rsakeypair Configures and associates the RSA key pair details to a trustpoint. show crypto key mypubkey rsa Displays any RSA public key configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 155: Crypto Ca Import

    The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not saved the trustpoint in the startup configuration, the Cisco Nexus 7000 Series Security Command Reference...
  • Page 156: Cisco Nexus 7000 Series Security Command Reference

    Generates the RSA key pair. rsakeypair Configures trustpoint RSA key pair details. Displays the identity and CA certificate details. show crypto ca certificates show crypto key mypubkey rsa Displays any RSA public key configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 157: Cisco Nexus 7000 Series Security Command Reference

    C Commands crypto ca import Cisco Nexus 7000 Series Security Command Reference...
  • Page 158: Crypto Ca Lookup

    This example shows how to specify the remote cert-store for certificate authentication: switch(config)# crypto ca lookup remote Related Commands Command Description crypto ca remote ldap crl-refresh-time Configures the refresh time to update the certificate revocation list from the remote cert-store. Cisco Nexus 7000 Series Security Command Reference...
  • Page 159: Cisco Nexus 7000 Series Security Command Reference

    Configures the LDAP server group to be used while communicating with LDAP. show crypto ca certstore Displays the configured cert-store. show crypto ca remote-certstore Displays the remote cert-store configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 160: Crypto Ca Remote Ldap Crl-Refresh-Time

    Related Commands Command Description crypto ca lookup Specifies the cert-store to be used for certificate authentication. crypto ca remote ldap server-group Configures the LDAP server group to be used while communicating with LDAP. Cisco Nexus 7000 Series Security Command Reference...
  • Page 161: Crypto Ca Remote Ldap Server-Group

    Command Description crypto ca lookup Specifies the cert-store to be used for certificate authentication. crypto ca remote ldap crl-refresh-time Configures the refresh time to update the certificate revocation list from the remote cert-store. Cisco Nexus 7000 Series Security Command Reference...
  • Page 162: Crypto Ca Test Verify

    The verify status code value of 0 indicates that the verification is successful. Note Related Commands Command Description Displays configured trustpoint certificates. show crypto ca certificates Cisco Nexus 7000 Series Security Command Reference...
  • Page 163: Crypto Ca Trustpoint

    • A CA must be explicitly associated to a trustpoint using the crypto ca authenticate command. • A Cisco NX-OS device can have many trustpoints and all applications on the device can trust a peer certificate issued by any of the trustpoint CAs.
  • Page 164: Cisco Nexus 7000 Series Security Command Reference

    Authenticates the certificate of the certificate authority. Generates a certificate signing request for a trustpoint. crypto ca enroll show crypto ca certificates Displays the identity and CA certificate details. show crypto ca trustpoints Displays trustpoint configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 165: Crypto Cert Ssh-Authorize

    To use this command, you must create a filter map. This command does not require a license. Examples This example shows how to configure a certificate mapping filter for the SSH protocol: switch(config)# crypto cert ssh-authorize default map filtermap1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 166: Cisco Nexus 7000 Series Security Command Reference

    Related Commands Command Description crypto certificatemap mapname Creates a filter map. filter Configures one or more certificate mapping filters within the filter map. show crypto ssh-auth-map Displays the mapping filters configured for SSH authentication. Cisco Nexus 7000 Series Security Command Reference...
  • Page 167: Crypto Certificatemap Mapname

    This example shows how to create a new filter map: switch(config)# crypto certificatemap mapname filtermap1 Related Commands Command Description Configures one or more certificate mapping filters filter within the filter map. show crypto certificatemap Displays the certificate mapping filters. Cisco Nexus 7000 Series Security Command Reference...
  • Page 168: Cts Cache Enable

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to enable Cisco TrustSec authentication and authorization caching:...
  • Page 169: Cts Device-Id

    This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. The Cisco TrustSec device identifier name must be unique in your Cisco TrustSec network cloud. This command requires the Advanced Services license.
  • Page 170: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts device-id Command Description show cts credentials Displays the Cisco TrustSec credentials information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 171: Cts Role-Based Sgt-Map

    To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command. cts role-based sgt-map ipv4-address sgt-value...
  • Page 172: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based sgt-map Cisco Nexus 7000 Series Security Command Reference...
  • Page 173: Cts Sgt

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to configure the Cisco TrustSec SGT for the device:...
  • Page 174: Cts L3 Spi (Global)

    (global) To enable Layer 3 Cisco TrustSec and map a security parameter index (SPI) and subnet for the device, use the cts l3 spi command. To remove the mapping to an IPv4 subnet, use the no form of this command.
  • Page 175: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (global) Command Description show cts l3 mapping Displays the Layer 3 Cisco TrustSec mapping for SPI values to IPv4 subnets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 176: Cts L3 Spi (Interface)

    (interface) cts l3 spi (interface) To enable Layer 3 Cisco TrustSec and configure a security parameter index (SPI) on an interface, use the cts l3 spi command. To revert to the default, use the no form of this command.
  • Page 177: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (interface) Command Description show cts l3 interface Displays the Layer 3 Cisco TrustSec configuration on the interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 178: Cts L3 Spi (Interface)

    (interface) cts l3 spi (interface) To enable Layer 3 Cisco TrustSec and configure a security parameter index (SPI) on an interface, use the cts l3 spi command. To revert to the default, use the no form of this command.
  • Page 179: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (interface) Command Description show cts l3 interface Displays the Layer 3 Cisco TrustSec configuration on the interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 180: Cts Manual

    C Commands cts manual cts manual To enter Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command. cts manual no cts manual Syntax Description This command has no arguments or keywords.
  • Page 181: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts manual Command Description show cts interface Displays Cisco TrustSec configuration information for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 182: Cts Refresh Environment-Data

    C Commands cts refresh environment-data cts refresh environment-data To refresh the Cisco TrustSec environment data downloaded from the AAA server, use the cts refresh environment-data command. cts refresh environment-data Syntax Description This command has no arguments or keywords. Command Default...
  • Page 183: Cts Refresh Role-Based-Policy

    C Commands cts refresh role-based-policy cts refresh role-based-policy To refresh the Cisco TrustSec security group access control list (SGACL) policies downloaded from the Cisco Secure ACS, use the cts refresh role-based-policy command. cts refresh role-based-policy Syntax Description This command has no arguments or keywords.
  • Page 184: Cts Rekey

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to rekey an interface for Cisco TrustSec:...
  • Page 185: Cts Role-Based Access-List

    To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.
  • Page 186: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based access-list Cisco Nexus 7000 Series Security Command Reference...
  • Page 187: Cts Role-Based Counters Enable

    When you modify an RBACL policy, statistics for the previously assigned access control entry (ACE) are displayed, and the newly assigned ACE statistics are initialized to 0. RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics. This command requires the Advanced Services license.
  • Page 188: Cisco Nexus 7000 Series Security Command Reference

    Clears the RBACL statistics so that all counters are reset to 0. show cts role-based counters Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies. Cisco Nexus 7000 Series Security Command Reference...
  • Page 189: Cts Role-Based Detailed-Logging

    7.3(0)D1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. To view the detailed ACLLOGS, you need to enable logging ip access-list detailed after enabling cts Note role-based detailed logging.
  • Page 190: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based detailed-logging Cisco Nexus 7000 Series Security Command Reference...
  • Page 191: Cts Role-Based Enforcement

    Routing and Forwarding instance (VRF), use the cts role-based enforcement command. To revert to the default, use the no form of this command. To disable Cisco TrustSec SGACL enforcement in an L3 interface or L3 port-channel, use the no cts role-based enforcement command. To revert to the default, use the cts role-based enforcement command.
  • Page 192: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based enforcement switch(config-vrf)# cts role-based enforcement This example shows how to disable Cisco TrustSec SGACL enforcement in an interface and L3 port-channel: switch# configure terminal switch(config)# interface ethernet 6/2 switch(config-if)# no cts role-based enforcement switch(config-if)# exit switch(config)# interface port-channel 100...
  • Page 193: Cts Role-Based Monitor

    Disabled Command Modes Global configurationVRF configuration Command History Release Modification 7.3(0)D1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. Cisco Nexus 7000 Series Security Command Reference...
  • Page 194: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to disable monitoring permissions for all source groups to all destination groups: switch# configure terminal switch(config)# no cts role-based monitor all Related Commands Command Description Enables the Cisco TrustSec feature. feature cts show cts role-based enable Displays the Cisco TrustSec SGACL policy enforcement configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 195: Cts Role-Based Policy Priority-Static

    8.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. Examples This example shows how to set higher install priority for ISE configured SGACLs: switch# configure terminal...
  • Page 196: Cts Role-Based Sgt

    To manually configure mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.
  • Page 197: Cisco Nexus 7000 Series Security Command Reference

    3 sgt 10 Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show cts role-based policy Displays the Cisco TrustSec SGT mapping for an SGACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 198: Cts Sxp Allow Default-Route-Sgt

    Modification 7.3(0)D1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec SXP feature using the cts sxp enable command. Examples This example shows how to expand the network limit: switch# configure terminal switch(config)# cts sxp allow default-route-sgt...
  • Page 199: Cts Sxp Connection Peer

    To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.
  • Page 200: Cisco Nexus 7000 Series Security Command Reference

    This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You can use only IPv4 addressing with Cisco TrustSec. If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.
  • Page 201: Cisco Nexus 7000 Series Security Command Reference

    Configures the default SXP source IPv4 address for the device. feature cts Enables the Cisco TrustSec feature. show cts sxp connection Displays the Cisco TrustSec SXP peer connection information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 202: Cts Sxp Default Password

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to configure the default SXP password for the device:...
  • Page 203: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts sxp default password Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show cts sxp Displays the Cisco TrustSec SXP configuration information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 204: Cts Sxp Default Source-Ip

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You can use only IPv4 addressing with Cisco TrustSec. This command requires the Advanced Services license. Examples...
  • Page 205: Cts Sxp Enable

    Modification 4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to enable SXP: switch# configure terminal...
  • Page 206: Cts Sxp Listener Hold-Time

    To configure the global hold-time period of a listener network device in a Cisco TrustSec Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4) network, use the cts sxp listener hold-time command in global configuration mode.
  • Page 207: Cisco Nexus 7000 Series Security Command Reference

    Enables Cisco TrustSec SXP on a device. Configures the hold time of a speaker device in an cts sxp speaker hold-time SXPv4 network. show cts sxp Displays the status of all Cisco TrustSec SXP configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 208: Cts Sxp Mapping Network-Map

    Modification 7.3(0)D1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature by using the feature cts command. Examples This example shows how to expand the network limit: switch# configure terminal switch(config)# cts sxp mapping network-map 64...
  • Page 209: Cts Sxp Node-Id

    To configure the node ID of a network device for Cisco TrustSec (CTS) Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4), use the cts sxp node-id command in global configuration mode. To remove the node ID, use the no form of this command.
  • Page 210: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts sxp node-id Examples switch(config)# cts sxp node-id 172.16.1.3 Related Commands Command Description cts sxp enable Enables CTS-SXP on a device. Displays the status of all CTS-SXP configurations. show cts sxp Cisco Nexus 7000 Series Security Command Reference...
  • Page 211: Cts Sxp Reconcile-Period

    After a peer terminates an SXP connection, an internal hold down timer starts. If the peer reconnects before the internal hold down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries.
  • Page 212: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts sxp reconcile-period Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show cts sxp connection Displays the Cisco TrustSec SXP configuration information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 213: Cts Sxp Retry-Period

    The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.
  • Page 214: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts sxp retry-period Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show cts sxp connection Displays the Cisco TrustSec SXP peer connection information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 215: Cts Sxp Speaker Hold-Time

    To configure the global hold-time period of a speaker network device in a Cisco TrustSec Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4) network, use the cts sxp speaker hold-time command in global configuration mode.
  • Page 216: Cisco Nexus 7000 Series Security Command Reference

    Enables Cisco TrustSec SXP on a device. Configures the hold time of a listener device in an cts sxp listener hold-time SXPv4 network. show cts sxp Displays the status of all Cisco TrustSec SXP configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 217: D Commands

    (ARP), page 224 • deny (IPv4), page 228 • deny (IPv6), page 243 • deny (MAC), page 259 • deny (role-based access control list), page 262 • description (identity policy), page 264 Cisco Nexus 7000 Series Security Command Reference...
  • Page 218: Cisco Nexus 7000 Series Security Command Reference

    • destination interface, page 268 • device, page 270 • device-role, page 272 • dot1x default, page 274 • dot1x host-mode, page 275 • dot1x initialize, page 277 • dot1x mac-auth-bypass, page 278 Cisco Nexus 7000 Series Security Command Reference...
  • Page 219: Dot1X Max-Reauth-Req

    To change the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to supplicants on an interface before the session times out, use the dot1x max-reauth-req command. To revert to the default, use the no form of this command.
  • Page 220: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x max-reauth-req Command Description show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 221: Dot1X Max-Req

    To change the maximum number of requests that the Cisco NX-OS device sends to a supplicant before restarting the 802.1X authentication, use the dot1x max-req command. To revert to the default, use the no form of this command.
  • Page 222: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to revert to the default maximum number of request retries for an interface: switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x max-req Related Commands Command Description feature dot1x Enables the 802.1X feature. Displays all 802.1X information. show dot1x all Cisco Nexus 7000 Series Security Command Reference...
  • Page 223: Dot1X Pae Authenticator

    You must use the feature dot1x command before you configure 802.1X. When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface.
  • Page 224: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x pae authenticator Command Description show dot1x interface Displays 802.1X feature status information for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 225: Dot1X Port-Control

    2/1 switch(config-if)# dot1x port-control auto This example shows how to revert to the default 802.1X authentication action performed on an interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x port-control auto Cisco Nexus 7000 Series Security Command Reference...
  • Page 226: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x port-control Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x interface ethernet Displays 802.1X information for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 227: Dot1X Radius-Accounting

    This example shows how to disable RADIUS accounting for 802.1X authentication: switch# configure terminal switch(config)# no dot1x radius-accounting Related Commands Command Description feature dot1x Enables the 802.1X feature. Displays all 802.1X information in the running show running-config dot1x all configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 228: Dot1X Re-Authentication (Exec)

    This example shows how to reauthenticate the 802.1X supplicant on an interface manually: switch# dot1x re-authentication interface ethernet 2/1 Related Commands Command Description Enables the 802.1X feature. feature dot1x show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 229: Dot1X Re-Authentication (Global Configuration And Interface Configuration)

    You must use the feature dot1x command before you configure 802.1X. In global configuration mode, this command configures periodic reauthentication for all supplicants on the Cisco NX-OS device. In interface configuration mode, this command configures periodic reauthentication only for supplicants on the interface.
  • Page 230: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to disable periodic reauthentication of 802.1X supplicants on an interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# no dot1x re-authentication Related Commands Command Description feature dot1x Enables the 802.1X feature. Displays all 802.1X information. show dot1x all Cisco Nexus 7000 Series Security Command Reference...
  • Page 231: Dot1X System-Auth-Control

    This example shows how to enable 802.1X authentication: switch# configure terminal switch(config)# dot1x system-auth-control Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x Displays 802.1X feature status information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 232: Dot1X Timeout Quiet-Period

    This example shows how to configure the global 802.1X quiet-period timeout: switch# configure terminal switch(config)# dot1x timeout quiet-period 45 This example shows how to revert to the default global 802.1X quiet-period timeout: switch# configure terminal switch(config)# no dot1x timeout quiet-period Cisco Nexus 7000 Series Security Command Reference...
  • Page 233: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to revert to the default 802.1X quiet-period timeout for an interface: switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x timeout quiet-period Related Commands Command Description feature dot1x Enables the 802.1X feature. Displays all 802.1X information. show dot1x all Cisco Nexus 7000 Series Security Command Reference...
  • Page 234: Dot1X Timeout Ratelimit-Period

    60 This example shows how to revert to the default 802.1X rate-limit period timeout on an interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x timeout ratelimit-period 60 Cisco Nexus 7000 Series Security Command Reference...
  • Page 235: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x timeout ratelimit-period Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x interface ethernet Displays 802.1X information for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 236: Dot1X Timeout Re-Authperiod

    3000 This example shows how to configure the 802.1X reauthentication-period timeout on an interface: switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# dot1x timeout re-authperiod 3300 Cisco Nexus 7000 Series Security Command Reference...
  • Page 237: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x timeout re-authperiod Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 238: Dot1X Timeout Server-Timeout

    This command was introduced. Usage Guidelines The 802.1X server timeout for an interface is the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. This value overrides the global reauthentication period timeout.
  • Page 239: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x timeout server-timeout Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x interface ethernet Displays 802.1X information for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 240: Dot1X Timeout Supp-Timeout

    This command was introduced. Usage Guidelines The 802.1X supplicant timeout for an interface is the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame.
  • Page 241: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x timeout supp-timeout Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x interface ethernet Displays 802.1X information for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 242: Dot1X Timeout Tx-Period

    This command was introduced. Usage Guidelines The 802.1X transmission-timeout period is the number of seconds that the Cisco NX-OS device waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request. You must use the feature dot1x command before you configure 802.1X.
  • Page 243: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to revert to the default 802.1X transmission-period timeout for an interface: switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x timeout tx-period Related Commands Command Description feature dot1x Enables the 802.1X feature. Displays all 802.1X information. show dot1x all Cisco Nexus 7000 Series Security Command Reference...
  • Page 244: Deadtime

    TacServer switch(config-tacacs+)# deadtime 5 This example shows how to revert to the dead-time interval default: switch# configure terminal switch(config)# feature tacacs+ switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# no deadtime 5 Cisco Nexus 7000 Series Security Command Reference...
  • Page 245: Cisco Nexus 7000 Series Security Command Reference

    Configures AAA server groups. radius-server host Configures a RADIUS server. show radius-server groups Displays RADIUS server group information. Displays TACACS+ server group information. show tacacs-server groups feature tacacs+ Enables TACACS+. tacacs-server host Configures a TACACS+ server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 246: Delete Ca-Certificate

    This example shows how to delete a certificate authority certificate: switch# configure terminal switch(config)# crypto ca trustpoint admin-ca switch(config-trustpoint)# delete ca-certificate Related Commands Command Description Deletes the identity certificate. delete certificate delete crl Deletes the CRL from the trustpoint. Cisco Nexus 7000 Series Security Command Reference...
  • Page 247: Delete Certificate

    The Cisco NX-OS software generates an error message if the certificate being deleted is the only certificate present or is the last identity certificate in a chain. You can use the optional force keyword to remove the certificate.
  • Page 248: Cisco Nexus 7000 Series Security Command Reference

    D Commands delete certificate Related Commands Command Description delete ca-certificate Deletes the certificate authority certificate. delete crl Deletes the CRL from the trustpoint. Cisco Nexus 7000 Series Security Command Reference...
  • Page 249: Delete Crl

    This example shows how to delete the CRL from the trustpoint: switch# configure terminal switch(config)# crypto ca trustpoint admin-ca switch(config-trustpoint)# delete crl Related Commands Command Description delete ca-certificate Deletes the certificate authority certificate. delete certificate Deletes the identity certificate. Cisco Nexus 7000 Series Security Command Reference...
  • Page 250: Deny (Arp)

    ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. Introduces the IP address portion of the rule. Cisco Nexus 7000 Series Security Command Reference...
  • Page 251: Cisco Nexus 7000 Series Security Command Reference

    ARP messages. response (Optional) Specifies that the rule applies only to packets containing ARP response messages. If you omit both the request and the Note response keywords, the rule applies to all ARP messages. Cisco Nexus 7000 Series Security Command Reference...
  • Page 252: Cisco Nexus 7000 Series Security Command Reference

    Command Default None Command Modes ARP ACL configuration Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines A newly created ARP ACL contains no rules. Cisco Nexus 7000 Series Security Command Reference...
  • Page 253: Cisco Nexus 7000 Series Security Command Reference

    Applies an ARP ACL to a VLAN. Configures a permit rule in an ARP ACL. permit (ARP) remark Configures a remark in an ACL. Displays all ARP ACLs or one ARP ACL. show arp access-list Cisco Nexus 7000 Series Security Command Reference...
  • Page 254: Deny (Ipv4)

    [ sequence-number ] deny udp source [operator port [ port ]| portgroup portgroup] destination [operator port [ port ]| portgroup portgroup] [dscp dscp| precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [ packet-length ]] Cisco Nexus 7000 Series Security Command Reference...
  • Page 255: Cisco Nexus 7000 Series Security Command Reference

    “Usage Guidelines” section. destination Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. Cisco Nexus 7000 Series Security Command Reference...
  • Page 256: Cisco Nexus 7000 Series Security Command Reference

    D Commands deny (IPv4) dscp dscp Cisco Nexus 7000 Series Security Command Reference...
  • Page 257: Cisco Nexus 7000 Series Security Command Reference

    (100110) • cs1—Class-selector (CS) 1, precedence 1 (001000) • cs2—CS2, precedence 2 (010000) • cs3—CS3, precedence 3 (011000) • cs4—CS4, precedence 4 (100000) • cs5—CS5, precedence 5 (101000) • cs6—CS6, precedence 6 (110000) Cisco Nexus 7000 Series Security Command Reference...
  • Page 258: Cisco Nexus 7000 Series Security Command Reference

    The message includes the following information: • Whether the protocol was TCP, UDP, ICMP or a number • Source and destination addresses • Source and destination port numbers, if applicable Cisco Nexus 7000 Series Security Command Reference...
  • Page 259: Cisco Nexus 7000 Series Security Command Reference

    IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords: • dvmrp—Distance Vector Multicast Routing Protocol • host-query—Host query • host-report—Host report • pim—Protocol Independent Multicast • trace—Multicast trace Cisco Nexus 7000 Series Security Command Reference...
  • Page 260: Cisco Nexus 7000 Series Security Command Reference

    Use the object-group ip port command to create and change IP port object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 261: Cisco Nexus 7000 Series Security Command Reference

    A newly created IPv4 ACL contains no rules. If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 262: Cisco Nexus 7000 Series Security Command Reference

    • eigrp—Specifies that the rule applies to Enhanced Interior Gateway Routing Protocol (EIGRP) traffic only. • esp—Specifies that the rule applies to Encapsulating Security Protocol (ESP) traffic only. • gre—Specifies that the rule applies to General Routing Encapsulation (GRE) traffic only. Cisco Nexus 7000 Series Security Command Reference...
  • Page 263: Cisco Nexus 7000 Series Security Command Reference

    The syntax is as follows: IPv4-address network-wildcard The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet: switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any Cisco Nexus 7000 Series Security Command Reference...
  • Page 264: Cisco Nexus 7000 Series Security Command Reference

    • general-parameter-problem—Parameter problem • host-isolated—Host isolated • host-precedence-unreachable—Host unreachable for precedence • host-redirect—Host redirect • host-tos-redirect—Host redirect for ToS • host-tos-unreachable—Host unreachable for ToS • host-unknown—Host unknown • host-unreachable—Host unreachable • information-reply—Information replies Cisco Nexus 7000 Series Security Command Reference...
  • Page 265: Cisco Nexus 7000 Series Security Command Reference

    When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords: bgp—Border Gateway Protocol (179) chargen—Character generator (19) Cisco Nexus 7000 Series Security Command Reference...
  • Page 266: Cisco Nexus 7000 Series Security Command Reference

    When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords: biff—Biff (mail notification, comsat, 512) bootpc—Bootstrap Protocol (BOOTP) client (68) Cisco Nexus 7000 Series Security Command Reference...
  • Page 267: Cisco Nexus 7000 Series Security Command Reference

    IPv4 traffic: switch# configure terminal switch(config)# ip access-list acl-lab-01 switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16 switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16 switch(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16 switch(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16 switch(config-acl)# permit ip any any Cisco Nexus 7000 Series Security Command Reference...
  • Page 268: Cisco Nexus 7000 Series Security Command Reference

    Configures a remark in an IPv4 ACL. remark show ip access-list Displays all IPv4 ACLs or one IPv4 ACL. statistics per-entry Enables collection of statistics for each entry in an ACL. time-range Configures a time range. Cisco Nexus 7000 Series Security Command Reference...
  • Page 269: Deny (Ipv6)

    [sequence-number| no] deny udp source [operator port [ port ]| portgroup portgroup] destination [operator port [ port ]| portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [ packet-length ]] Cisco Nexus 7000 Series Security Command Reference...
  • Page 270: Cisco Nexus 7000 Series Security Command Reference

    ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. Cisco Nexus 7000 Series Security Command Reference...
  • Page 271: Cisco Nexus 7000 Series Security Command Reference

    D Commands deny (IPv6) protocol Cisco Nexus 7000 Series Security Command Reference...
  • Page 272: Cisco Nexus 7000 Series Security Command Reference

    • udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol Cisco Nexus 7000 Series Security Command Reference...
  • Page 273: Cisco Nexus 7000 Series Security Command Reference

    “Usage Guidelines” section. destination Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. Cisco Nexus 7000 Series Security Command Reference...
  • Page 274: Cisco Nexus 7000 Series Security Command Reference

    D Commands deny (IPv6) dscp dscp Cisco Nexus 7000 Series Security Command Reference...
  • Page 275: Cisco Nexus 7000 Series Security Command Reference

    (100110) • cs1—Class-selector (CS) 1, precedence 1 (001000) • cs2—CS2, precedence 2 (010000) • cs3—CS3, precedence 3 (011000) • cs4—CS4, precedence 4 (100000) • cs5—CS5, precedence 5 (101000) • cs6—CS6, precedence 6 (110000) Cisco Nexus 7000 Series Security Command Reference...
  • Page 276: Cisco Nexus 7000 Series Security Command Reference

    (ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMPv6 Message Types” in the “Usage Guidelines” section. Cisco Nexus 7000 Series Security Command Reference...
  • Page 277: Cisco Nexus 7000 Series Security Command Reference

    • range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument. Cisco Nexus 7000 Series Security Command Reference...
  • Page 278: Cisco Nexus 7000 Series Security Command Reference

    TCP control bit flags set. The value of the flags argument must be one or more of the following keywords: • ack • fin • psh • rst • syn • urg Cisco Nexus 7000 Series Security Command Reference...
  • Page 279: Cisco Nexus 7000 Series Security Command Reference

    You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments: Cisco Nexus 7000 Series Security Command Reference...
  • Page 280: Cisco Nexus 7000 Series Security Command Reference

    • beyond-scope—Destination beyond scope • destination-unreachable—Destination address is unreachable • echo-reply—Echo reply • echo-request—Echo request (ping) • header—Parameter header problems • hop-limit—Hop limit exceeded in transit • mld-query—Multicast Listener Discovery Query • mld-reduction—Multicast Listener Discovery Reduction Cisco Nexus 7000 Series Security Command Reference...
  • Page 281: Cisco Nexus 7000 Series Security Command Reference

    Gateway Protocol (179) chargen—Character generator (19) cmd—Remote commands (rcmd, 514) daytime—Daytime (13) discard—Discard (9) domain—Domain Name Service (53) drip—Dynamic Routing Information Protocol (3949) echo—Echo (7) exec—Exec (rsh, 512) finger—Finger (79) ftp—File Transfer Protocol (21) Cisco Nexus 7000 Series Security Command Reference...
  • Page 282: Cisco Nexus 7000 Series Security Command Reference

    (195) domain—Domain Name Service (DNS, 53) echo—Echo (7) isakmp—Internet Security Association and Key Management Protocol (5) mobile-ip—Mobile IP registration (434) nameserver—IEN116 name service (obsolete, 42) netbios-dgm—NetBIOS datagram service (138) Cisco Nexus 7000 Series Security Command Reference...
  • Page 283: Cisco Nexus 7000 Series Security Command Reference

    Command Description fragments Configures how an IP ACL processes noninitial fragments. ipv6 access-list Configures an IPv6 ACL. object-group ipv6 address Configures an IPv6-address object group. Configures an IP-port object group. object-group ip port Cisco Nexus 7000 Series Security Command Reference...
  • Page 284: Cisco Nexus 7000 Series Security Command Reference

    Configures a remark in an ACL. show ipv6 access-list Displays all IPv6 ACLs or one IPv6 ACL. Enables collection of statistics for each entry in an statistics per-entry ACL. time-range Configures a time range. Cisco Nexus 7000 Series Security Command Reference...
  • Page 285: Deny (Mac)

    (Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. Cisco Nexus 7000 Series Security Command Reference...
  • Page 286: Cisco Nexus 7000 Series Security Command Reference

    • Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword. Cisco Nexus 7000 Series Security Command Reference...
  • Page 287: Cisco Nexus 7000 Series Security Command Reference

    Configures a remark in an ACL. Displays all MAC ACLs or one MAC ACL. show mac access-list statistics per-entry Enables collection of statistics for each entry in an ACL. Configures a time range. time-range Cisco Nexus 7000 Series Security Command Reference...
  • Page 288: Deny (Role-Based Access Control List)

    Specifies a port range for TCP or UDP. range port-number1 First port in the range. The range is from 0 to 65535. port-number2 Last port in the range. The range is from 0 to 65535. Cisco Nexus 7000 Series Security Command Reference...
  • Page 289: Cisco Nexus 7000 Series Security Command Reference

    This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF. To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.
  • Page 290: Description (Identity Policy)

    AdminPolicy switch(config-id-policy)# no description Related Commands Command Description identity policy Creates or specifies an identity policy and enters identity policy configuration mode. show identity policy Displays identity policy information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 291: Cisco Nexus 7000 Series Security Command Reference

    D Commands description (identity policy) Cisco Nexus 7000 Series Security Command Reference...
  • Page 292: Description (User Role)

    MyRole switch(config-role)# no description Related Commands Command Description role name Creates or specifies a user role and enters user role configuration mode. show role Displays user role information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 293: Cisco Nexus 7000 Series Security Command Reference

    D Commands description (user role) Cisco Nexus 7000 Series Security Command Reference...
  • Page 294: Destination Interface

    You can enter the destination interface command multiple times to add multiple destinations. This command does not require a license. Examples This example shows how to configure a destination for ACL capture packets: switch# configure terminal Cisco Nexus 7000 Series Security Command Reference...
  • Page 295: Cisco Nexus 7000 Series Security Command Reference

    D Commands destination interface switch(config)# monitor session 7 type acl-capture switch(config-acl-capture)# destination interface ethernet 5/5 Related Commands Command Description monitor session session type acl-capture Configures an ACL capture session. Cisco Nexus 7000 Series Security Command Reference...
  • Page 296: Device

    Specifies the policy to use for the supplicant device. Command Default None Command Modes Identity policy configuration Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 297: Cisco Nexus 7000 Series Security Command Reference

    10.10.2.2 255.255.255.245 policy UserPolicy Related Commands Command Description identity policy Creates or specifies an identity policy and enters identity policy configuration mode. show identity policy Displays identity policy information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 298: Device-Role

    Related Commands Command Description ipv6 nd raguard policy Defines the RA guard policy name and enters RA guard policy configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 299: Cisco Nexus 7000 Series Security Command Reference

    D Commands device-role Cisco Nexus 7000 Series Security Command Reference...
  • Page 300: Dot1X Default

    This example shows how to set the interface 802.1X parameters to the default: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# dot1x default Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x Displays 802.1X feature status information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 301: Dot1X Host-Mode

    This example shows how to revert to the default host mode on an interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# no dot1x host-mode Related Commands Command Description feature dot1x Enables the 802.1X feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 302: Cisco Nexus 7000 Series Security Command Reference

    D Commands dot1x host-mode Command Description show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 303: Dot1X Initialize

    You must use the feature dot1x command before you configure 802.1X. This command does not require a license. Examples This example shows how to initialize 802.1X authentication for supplicants on the Cisco NX-OS device: switch# dot1x initialize This example shows how to initialize 802.1X authentication for supplicants on an interface:...
  • Page 304: Dot1X Mac-Auth-Bypass

    This example shows how to disable MAC address authentication bypass: switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no dot1x mac-auth-bypass Related Commands Command Description Enables the 802.1X feature. feature dot1x show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 305: E Commands

    302 • eou ratelimit, page 303 • eou revalidate (EXEC), page 305 • eou revalidate (global configuration and interface configuration), page 307 • eou timeout, page 309 • eq, page 312 Cisco Nexus 7000 Series Security Command Reference...
  • Page 306: Encrypt Pause-Frame

    E Commands encrypt pause-frame encrypt pause-frame To configure pause frame encryption for Cisco Trusted Security (Cisco TrustSec) on an interface, use the encrypt pause-frame command. To remove the pause frame encryption, use the no form of this command. encrypt pause-frame...
  • Page 307: Cisco Nexus 7000 Series Security Command Reference

    Enables Cisco TrustSec authentication on an interface cts dot1x and enters Cisco TrustSec 802.1X configuration mode. Enters Cisco TrustSec manual configuration mode cts manual for an interface. show cts interface Displays the Cisco TrustSec configuration information for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 308: Encryption Decrypt Type6

    # encryption decrypt type6 Please enter current Master Key: Related Commands Command Description encryption re-encrypt obfuscated Converts the existing obfuscated passwords to type6 encrypted passwords. key config-key Configures the master key for the type-6 encryption. Cisco Nexus 7000 Series Security Command Reference...
  • Page 309: Encryption Delete Type6

    Please enter current Master Key: switch(config)# Related Commands Command Description encryption re-encrypt obfuscated Converts the existing obfuscated passwords to type-6 encrypted passwords key config-key Configures the master key for the type-6 encryption. Cisco Nexus 7000 Series Security Command Reference...
  • Page 310: Enable

    Enables a secret password for a specific privilege level. feature privilege Enables the cumulative privilege of roles for command authorization on TACACS+ servers. Displays the current privilege level, username, and show privilege status of cumulative privilege support. Cisco Nexus 7000 Series Security Command Reference...
  • Page 311: Cisco Nexus 7000 Series Security Command Reference

    E Commands enable Command Description username user-id priv-lvl Enables a user to use privilege levels for authorization. Cisco Nexus 7000 Series Security Command Reference...
  • Page 312: Enable Cert-Dn-Match

    Enables group validation for an LDAP server group. enable user-server-group server Configures the LDAP server as a member of the LDAP server group. Displays the LDAP server group configuration. show ldap-server groups Cisco Nexus 7000 Series Security Command Reference...
  • Page 313: Cisco Nexus 7000 Series Security Command Reference

    E Commands enable Cert-DN-match Cisco Nexus 7000 Series Security Command Reference...
  • Page 314: Enable Secret

    This example shows how to enable a secret password for a specific privilege level: switch# configure terminal switch(config)# feature privilege switch(config)# enable secret 5 def456 priv-lvl 15 switch(config)# username user2 priv-lvl 15 switch(config)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 315: Cisco Nexus 7000 Series Security Command Reference

    Enables the cumulative privilege of roles for command authorization on TACACS+ servers. Displays the current privilege level, username, and show privilege status of cumulative privilege support. username user-id priv-lvl Enables a user to use privilege levels for authorization. Cisco Nexus 7000 Series Security Command Reference...
  • Page 316: Enable User-Server-Group

    Cert-DN-match Enables LDAP users to login only if the user profile lists the subject-DN of the user certificate as authorized for login. Cisco Nexus 7000 Series Security Command Reference...
  • Page 317: Cisco Nexus 7000 Series Security Command Reference

    E Commands enable user-server-group Command Description server Configures the LDAP server as a member of the LDAP server group. show ldap-server groups Displays the LDAP server group configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 318: Encryption Re-Encrypt Obfuscated

    This example shows how to convert the existing obfuscated passwords to type-6 encrypted passwords: switch # encryption re-encrypt obfuscated Related Commands Command Description encryption decrypt type6 Converts type6 encrypted passwords back to their original state. Cisco Nexus 7000 Series Security Command Reference...
  • Page 319: Enrollment Terminal

    Syntax Description This command has no arguments or keywords. Command Default The default is the manual cut-and-paste method, which is the only enrollment method that the Cisco NX-OS software supports. Command Modes Trustpoint configuration Command History...
  • Page 320: Eou Allow Clientless

    This example shows how to prevent EAPoUDP posture validation of clientless endpoint devices: switch# config t switch(config)# no eou allow clientless Related Commands Command Description Enables EAPoUDP. feature eou show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 321: Eou Default

    This example shows how to change the EAPoUDP configuration for an interface to the default: switch# config t switch(config)# interface ethernet 1/1 switch(config-if)# eou default Related Commands Command Description feature eou Enables EAPoUDP. show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 322: Eou Initialize

    Initializes the EAPoUDP sessions for a specific MAC address. posturetoken name Initializes the EAPoUDP sessions for a specific posture token. Command Default None Command Modes Any command mode Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 323 0019.076c.dac4 This example shows how to initialize all the EAPoUDP sessions for a posture token: switch# eou initialize posturetoken healthy Related Commands Command Description feature eou Enables EAPoUDP. show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 324: Eou Logging

    This example shows how to enable EAPoUDP logging for an interface: switch# config t switch(config)# interface ethernet 1/1 switch(config-if)# eou logging This example shows how to disable EAPoUDP logging for an interface: switch# config t switch(config)# interface ethernet 1/1 switch(config-if)# no eou logging Cisco Nexus 7000 Series Security Command Reference...
  • Page 325 E Commands eou logging Related Commands Command Description feature eou Enables EAPoUDP. show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 326: Eou Max-Retry

    This example shows how to change the maximum number of EAPoUDP retry attempts for an interface: switch# config t switch(config) interface ethernet 1/1 switch(config-if)# eou max-retry 3 Cisco Nexus 7000 Series Security Command Reference...
  • Page 327 This example shows how to revert to the maximum number of EAPoUDP retry attempts for an interface: switch# config t switch(config) interface ethernet 1/1 switch(config-if)# no eou max-retry Related Commands Command Description feature eou Enables EAPoUDP. Displays EAPoUDP information. show eou Cisco Nexus 7000 Series Security Command Reference...
  • Page 328: Eou Port

    This example shows how to revert to the default UDP port number for EAPoUDP: switch# config t switch(config)# no eou port Related Commands Command Description Enables EAPoUDP. feature eou show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 329: Eou Ratelimit

    This example shows how to change the global maximum number of simultaneous EAPoUDP posture-validation sessions: switch# config t switch(config)# eou ratelimit 30 This example shows how to revert to the default global maximum number of simultaneous EAPoUDP posture-validation sessions: switch# config t switch(config)# no eou ratelimit Cisco Nexus 7000 Series Security Command Reference...
  • Page 330 This example shows how to revert to the default maximum number of simultaneous EAPoUDP posture-validation sessions for an interface: switch# config t switch(config)# interface ethernet 1/1 switch(config-if)# no eou ratelimit Related Commands Command Description feature eou Enables EAPoUDP. show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 331: Eou Revalidate (Exec)

    Revalidates the EAPoUDP sessions for a specific MAC address. posturetoken name Revalidates the EAPoUDP sessions for a specific posture token. Command Default None Command Modes Any command mode Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 332 You must use the feature eou command before you configure EAPoUDP. This command does not require a license. The Cisco NX-OS software supports an eou revalidate command in global configuration mode. To use Note an EXEC-level eou revalidate command in global configuration mode, include the required keywords.
  • Page 333: Eou Revalidate (Global Configuration And Interface Configuration)

    The automatic revalidation setting for an interface overrides the global setting for automatic revalidation. Note The Cisco NX-OS software supports an eou revalidate command in EXEC configuration mode. To use an EXEC-level eou revalidate command in global configuration mode, include the required keywords.
  • Page 334 This example shows how to enable automatic revalidation of EAPoUDP sessions for an interface: switch# config t switch(config)# eou revalidate Related Commands Command Description feature eou Enables EAPoUDP. eou timeout Configures the timeout interval for EAPoUDP automatic periodic validation. show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 335: Eou Timeout

    Global revalidation timeout interval: 36000 seconds (10 hours) Global status query timeout interval: 300 seconds (5 minutes) Interface timeout intervals: Global configuration values Command Modes Global configurationInterface configuration Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 336 240 This example shows how to change the status-query timeout interval for an interface: switch# config t switch(config)# interface ethernet 1/1 switch(config-if)# eou timeout status-query 270 Cisco Nexus 7000 Series Security Command Reference...
  • Page 337 E Commands eou timeout Related Commands Command Description feature eou Enables EAPoUDP. eou revalidate (global configuration) Enables periodic automatic revalidation of endpoint devices. show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 338 This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443: switch# config t switch(config)# object-group ip port port-group-05 switch(config-port-ogroup)# eq 443 Cisco Nexus 7000 Series Security Command Reference...
  • Page 339 Specifies a not-equal-to group member in an IP port object group. object-group ip port Configures an IP port object group. range Specifies a port-range group member in an IP port object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 340 E Commands Cisco Nexus 7000 Series Security Command Reference...
  • Page 341: F Commands

    333 • feature ssh, page 334 • feature tacacs+, page 335 • feature telnet, page 336 • filter, page 337 • fips mode enable, page 339 • fragments, page 341 Cisco Nexus 7000 Series Security Command Reference...
  • Page 342: Feature (User Role Feature Group)

    Syntax Description feature-name Cisco NX-OS feature name as listed in the show role feature command output. Command Default None Command Modes User role feature group configuration...
  • Page 343: Feature Cts

    F Commands feature cts feature cts To enable the Cisco TrustSec feature, use the feature cts command. To revert to the default, use the no form of this command. feature cts no feature cts Syntax Description This command has no arguments or keywords.
  • Page 344 F Commands feature cts Cisco Nexus 7000 Series Security Command Reference...
  • Page 345: Feature Dhcp

    Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled. This command does not require a license. Examples This example shows how to enable DHCP snooping: switch# configure terminal Cisco Nexus 7000 Series Security Command Reference...
  • Page 346 Enables or disables the DHCP relay agent. show ip dhcp snooping Displays general information about DHCP snooping. Displays DHCP snooping configuration, including show running-config dhcp IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 347: Feature Dot1X

    This example shows how to enable 802.1X: switch# configure terminal switch(config)# feature dot1x This example shows how to disable 802.1X: switch# configure terminal switch(config)# no feature dot1x Related Commands Command Description show dot1x Displays 802.1X status information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 348: Feature Eou

    4.0(1) This command was introduced. Usage Guidelines You must use the feature eou command before you configure EAPoUDP. When you disable EAPoUDP, the Cisco NX-OS software removes the EAPoUDP configuration. Note This command does not require a license. Examples This example shows how to enable EAPoUDP:...
  • Page 349: Feature Ldap

    5.0(2) This command was introduced. Usage Guidelines You must use the feature ldap command before you configure LDAP. When you disable LDAP, the Cisco NX-OS software removes the LDAP configuration. Note This command does not require a license. Examples This example shows how to enable LDAP:...
  • Page 350 F Commands feature ldap Cisco Nexus 7000 Series Security Command Reference...
  • Page 351: Feature Mka

    Creates a key or enters the configuration mode of an existing key. key chain keychain-name Creates a keychain or enters the configuration mode of an existing keychain. key-octet-string Configures the text for a MACsec key. Cisco Nexus 7000 Series Security Command Reference...
  • Page 352 Displays the configuration of the specified keychain. Displays the details of MKA. show macsec mka show macsec policy Displays all the MACsec policies in the system. show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 353: Feature Password Encryption Aes

    This example shows how to disable the AES password encryption feature: switch(config)# no feature password encryption aes switch(config)# Related Commands Command Description key config-key Configures the master key for type-6 encryption. show encryption service stat Displays the status of the encryption service. Cisco Nexus 7000 Series Security Command Reference...
  • Page 354: Feature Port-Security

    MAC addresses, regardless of the method by which the device learned the addresses. Examples This example shows how to enable port security globally: switch# configure terminal switch(config)# feature port-security switch(config)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 355 Clears dynamically learned, secure MAC addresses. debug port-security Provides debugging information for port security. show port-security Shows information about port security. Enables port security on a Layer 2 interface. switchport port-security Cisco Nexus 7000 Series Security Command Reference...
  • Page 356: Feature Privilege

    2010 Feb 12 12:52:06 switch %FEATURE-MGR-2-FM_AUTOCKPT_SUCCEEDED AutoCheckpoint created successfully Related Commands Command Description enable level Enables a user to move to a higher privilege level. Enables a secret password for a specific privilege enable secret priv-lvl level. Cisco Nexus 7000 Series Security Command Reference...
  • Page 357 F Commands feature privilege Command Description show privilege Displays the current privilege level, username, and status of cumulative privilege support. username username priv-lvl Enables a user to use privilege levels for authorization. Cisco Nexus 7000 Series Security Command Reference...
  • Page 358: Feature Scp-Server

    To configure a secure copy (SCP) server on the Cisco NX-OS device in order to copy files to and from a remote device, use the feature scp-server command. To disable an SCP server, use the no form of this command.
  • Page 359: Feature Sftp-Server

    To configure a secure FTP (SFTP) server on the Cisco NX-OS device in order to copy files to and from a remote device, use the feature sftp-server command. To disable an SFTP server, use the no form of this command.
  • Page 360: Feature Ssh

    Modification 4.1(2) This command was introduced to replace the ssh server enable command. Usage Guidelines The Cisco NX-OS software supports SSH version 2. This command does not require a license. Examples This example shows how to enable the SSH server:...
  • Page 361: Feature Tacacs

    Usage Guidelines You must use the feature tacacs+ command before you configure TACACS+. Note When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration. This command does not require a license. Examples This example shows how to enable TACACS+:...
  • Page 362: Feature Telnet

    XML interface to system may become unavailable since ssh is disabled Related Commands Command Description Displays the enable status of the features. show feature show telnet server Displays the SSH server key information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 363: Filter

    To use this command, you must create a new filter map. The validation passes if the certificate passes all of the filters configured in the map. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 364 This example shows how to configure a certificate mapping filter within the filter map: switch# configure terminal switch(config)# crypto certificatemap mapname filtermap1 switch(config-certmap-filter)# filter altname-email jsmith@acme.com Related Commands Command Description Creates a filter map. crypto certificatemap mapname show crypto certificatemap Displays the certificate mapping filters. Cisco Nexus 7000 Series Security Command Reference...
  • Page 365: Fips Mode Enable

    SHA for authentication and AES/3DES for privacy. • Delete all SSH server RSA1 key-pairs. • Enable HMAC-SHA1 message integrity checking (MIC) for use during the Cisco TrustSec Security Association Protocol (SAP) negotiation. To do so, enter the sap hash-algorithm HMAC-SHA-1 command from the cts-manual or cts-dot1x mode.
  • Page 366 F Commands fips mode enable FIPS mode is disabled Related Commands Command Description show fips status Displays the status of Federal Information Processing Standard (FIPS) mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 367: Fragments

    This example shows how to enable fragment optimization in an IPv4 ACL named lab-acl. The permit-all keyword means that the ACL permits any noninitial fragment that does not match a deny command that includes the fragments keyword. switch# configure terminal Cisco Nexus 7000 Series Security Command Reference...
  • Page 368 Configures a permit rule in an IPv6 ACL. permit (IPv6) show ip access-list Displays all IPv4 ACLs or a specific IPv4 ACL. Displays all IPv6 ACLs or a specific IPv6 ACL. show ipv6 access-list Cisco Nexus 7000 Series Security Command Reference...
  • Page 369: G Commands

    G Commands • gt, page 344 Cisco Nexus 7000 Series Security Command Reference...
  • Page 370 This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 49152 through port 65535: switch# configure terminal switch(config)# object-group ip port port-group-05 switch(config-port-ogroup)# gt 49151 Cisco Nexus 7000 Series Security Command Reference...
  • Page 371 Specifies a not-equal-to group member in an IP port object group. object-group ip port Configures an IP port object group. range Specifies a port-range group member in an IP port object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 372 G Commands Cisco Nexus 7000 Series Security Command Reference...
  • Page 373: H Commands

    351 • hardware access-list resource pooling, page 352 • hardware access-list update, page 354 • hardware rate-limiter, page 356 • hop-limit, page 360 • host (IPv4), page 362 • host (IPv6), page 365 Cisco Nexus 7000 Series Security Command Reference...
  • Page 374: Hardware Access-List Allow Deny Ace

    This example shows how to disable deny ace feature: switch# configure terminal switch(config)# no hardware access-list allow deny ace switch(config)# Related Commands Command Description hardware access-list update Configures how a supervisor module updates an I/O module with changes to an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 375: Hardware Access-List Capture

    This example shows how to enable ACL capture on all VDCs: switch# configure terminal switch(config)# hardware access-list capture This example shows how to disable ACL capture on all VDCs: switch # configure terminal switch(config)# no hardware access-list capture Cisco Nexus 7000 Series Security Command Reference...
  • Page 376 H Commands hardware access-list capture Related Commands Command Description hardware access-list update Configures how a supervisor module updates an I/O module with changes to an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 377: Hardware Access-List Resource Feature Bank-Mapping

    This example shows how to enable ACL TCAM bank mapping for feature groups and classes: switch(config)# hardware access-list resource feature bank-mapping Related Commands Command Description show system internal access-list feature bank-class Displays the ACL TCAM bank mapping feature group and class combination tables. Cisco Nexus 7000 Series Security Command Reference...
  • Page 378: Hardware Access-List Resource Pooling

    Modification 7.3(0)D1(1) This command was modified to support flexible bank chaining feature with VLAN-VLAN and PORT-VLAN modes. 4.2(1) The hyphen was removed between the resource and pooling keywords. 4.1(2) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 379 The command allows you to make more than 16,000 TCAM entries available to ACL-based features. If you want to enable bank chaining for the entire system, Cisco recommends adding the configuration for the entire module range, even if a module is not present, using the module range command, as described in the Examples section.
  • Page 380: Hardware Access-List Update

    VDC only and affects all VDCs. By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to;...
  • Page 381 Examples Note In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only. To verify that the current VDC is the VDC 1 (the default VDC), use the show vdc current-vdc command.
  • Page 382: Hardware Rate-Limiter

    1 to 18. port start end (Optional) Specifies a port start index. The range is from 1 to 32. You specify the start port and and end port with a space in between them. Cisco Nexus 7000 Series Security Command Reference...
  • Page 383 Specifies Layer-3 control packets. The default rate is 10000 packets per second. glean Specifies Layer-3 glean packets. The default rate is 100 packets per second. glean-fast Specifies Layer 3 glean fast-path packets. The default rate is 100 packets per second. Cisco Nexus 7000 Series Security Command Reference...
  • Page 384 Added the f1, rl-1, rl-2, rl-3, rl-4, and rl-5 keywords. Also, added the following keywords: module, disable, and port. 5.0(2) Added the l2pt keyword. 4.1(2) This command was introduced to replace the platform rate-limit command. Cisco Nexus 7000 Series Security Command Reference...
  • Page 385 This example shows how to configure the port group multiplier: switch# configure terminal switch(config)# hardware rate-limiter portgroup-multiplier 0.5 module 3 Related Commands Command Description Clears rate-limit statistics. clear hardware rate-limiter show hardware rate-limiter Displays rate-limit information. show running-config Displays the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 386: Hop-Limit

    The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and sets a minimum hop-count limit of switch(config)# ipv6 nd raguard policy raguard1 switch(config-ra-guard)# hop-limit minimum 3 Cisco Nexus 7000 Series Security Command Reference...
  • Page 387 H Commands hop-limit Related Commands Command Description ipv6 nd raguard policy Defines the RA guard policy name and enters RA guard policy configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 388: Host (Ipv4)

    IPv4-address are the network portion of the address, as follows: switch(config-ipaddr-ogroup)# 10.23.176.0/24 A prefix-len value of 32 indicates that the group member is a specific IP address. Cisco Nexus 7000 Series Security Command Reference...
  • Page 389 10.121.57.102 switch(config-ipaddr-ogroup)# switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255 switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13 10 host 10.121.57.102 20 host 10.121.57.234 30 10.23.176.0/24 switch(config-ipaddr-ogroup)# Related Commands Command Description object-group ip address Configures an IPv4 address group. Cisco Nexus 7000 Series Security Command Reference...
  • Page 390 H Commands host (IPv4) Command Description show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 391: Host (Ipv6)

    A network-prefix value of 128 indicates that the group member is a specific IPv6 address. Command Default None Command Modes IPv6 address object group configuration. Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 392 2001:db8:0:3ab0::2/128 switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96 switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7 10 host 2001:db8:0:3ab0::1 20 host 2001:db8:0:3ab0::2 30 2001:db8:0:3ab7::/96 switch(config-ipv6addr-ogroup)# Related Commands Command Description object-group ipv6 address Configures an IPv6 address group. Displays object groups. show object-group Cisco Nexus 7000 Series Security Command Reference...
  • Page 393: I Commands

    396 • ip dhcp relay information option vpn, page 398 • ip dhcp relay subnet-broadcast, page 400 • ip dhcp relay sub-option type cisco, page 402 • ip dhcp smart-relay, page 404 • ip dhcp smart-relay global, page 406 •...
  • Page 394 454 • ipv6 neighbor binding max-entries, page 455 • ipv6 neighbor tracking, page 457 • ipv6 port traffic-filter, page 459 • ipv6 snooping attach-policy, page 462 • ipv6 traffic-filter, page 463 Cisco Nexus 7000 Series Security Command Reference...
  • Page 395: Identity Policy

    AdminPolicy switch(config-id-policy)# This example shows how to remove an identity policy: switch#configure terminal switch(config)#no identity policy AdminPolicy Related Commands Command Description Displays identity policy information. show identity policy Cisco Nexus 7000 Series Security Command Reference...
  • Page 396: Identity Profile Eapoudp

    This example shows how to remove the EAPoUDP identity profile configuration: switch#configure terminal switch(config)#no identity profile eapoudp Related Commands Command Description show identity profile Displays identity profile information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 397: Interface Policy Deny

    Related Commands Command Description permit interface Permits interfaces in a role interface policy. role name Creates or specifies a user role and enters user role configuration mode. show role Displays user role information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 398 I Commands interface policy deny Cisco Nexus 7000 Series Security Command Reference...
  • Page 399: Ip Access-Class

    This example shows how to configure a VTY ACL to control access to all IPv4 traffic over all VTY lines : switch# configure terminal switch(config)# ip access-list vtyacl switch(config-ip-acl)# exit switch(config)# line vty switch(config-line)# ip access-class vtyacl out switch(config-line)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 400 Configures an IPv4 ACL. Shows either a specific IPv4 ACL or all IPv4 ACLs. show ip access-lists show running-config interface Shows the running configuration of all interfaces or of a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 401: Ip Access-Group

    • VLAN interfaces You must enable VLAN interfaces globally before you can configure a VLAN interface. For more Note information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference. • Layer 3 Ethernet interfaces •...
  • Page 402 Configures an IPv4 ACL. Applies an IPv4 ACL as a port ACL. ip port access-group show access-lists Displays all ACLs. show ip access-lists Shows either a specific IPv4 ACL or all IPv4 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 403 I Commands ip access-group Command Description show running-config interface Shows the running configuration of all interfaces or of a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 404: Ip Access-List

    ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit deny ip any any rule, you must explicitly configure an identical rule. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 405 (IPv4) Configures a permit rule in an IPv4 ACL. show ip access-lists Displays all IPv4 ACLs or a specific IPv4 ACL. statistics per-entry Enables collection of statistics for each entry in an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 406: Ip Arp Inspection Filter

    15,37-48 switch(config)# Related Commands Command Description arp access-list Configures an ARP ACL. ip arp inspection vlan Enables Dynamic ARP Inspection (DAI) for a specified list of VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 407 I Commands ip arp inspection filter Command Description show ip arp inspection Displays the DAI configuration status. show running-config dhcp Displays DHCP snooping configuration, including the DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 408: Ip Arp Inspection Log-Buffer

    64 switch(config)# This example shows how to configure the number of logs for Dynamic ARP Inspection: switch# configure terminal switch(config)# ip arp inspection log-buffer logs 6 switch(config)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 409 Related Commands Command Description clear ip arp inspection log Clears the DAI logging buffer. show ip arp inspection Displays the DAI configuration status. show running-config dhcp Displays DHCP snooping configuration, including DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 410: Ip Arp Inspection Trust

    Displays the Dynamic ARP Inspection (DAI) configuration status. show ip arp inspection interface Displays the trust state and the ARP packet rate for a specified interface. show running-config dhcp Displays DHCP snooping configuration, including DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 411: Ip Arp Inspection Validate

    MAC address in the ARP body for ARP requests and responses. The devices classifies packets with different MAC addresses as invalid and drops them. Command Default None Command Modes Global configuration Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 412 Related Commands Command Description Displays the DAI configuration status. show ip arp inspection show running-config dhcp Displays DHCP snooping configuration, including DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 413: Ip Arp Inspection Vlan

    Enables logging of packets permitted by a DHCP binding match. Enables logging of all packets. none Disables logging. Command Default None Command Modes Global configuration Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 414 Displays the DAI configuration status. show ip arp inspection vlan Displays DAI status for a specified list of VLANs. show running-config dhcp Displays DHCP snooping configuration, including DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 415: Ip Dhcp Packet Strict-Validation

    Enables the DHCP snooping feature on the device. Enables the insertion and removal of option-82 ip dhcp relay information option information from DHCP packets forwarded by the DHCP relay agent. Globally enables DHCP snooping on the device. ip dhcp snooping Cisco Nexus 7000 Series Security Command Reference...
  • Page 416 I Commands ip dhcp packet strict-validation Command Description show ip dhcp snooping Displays general information about DHCP snooping. show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 417: Ip Dhcp Redirect-Response

    This command was introduced. Usage Guidelines DHCP redirect response feature is supported only on the Cisco M3 Series modules. To use this command, you must enable the DHCP feature using the feature dhcp command. You can configure the ip dhcp redirect-response command on any SVI or L3 interfaces.
  • Page 418: Ip Dhcp Relay

    DHCP packets forwarded by the DHCP relay agent. ip dhcp relay sub-option type cisco Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions.
  • Page 419 Globally enables DHCP snooping on the device. show ip dhcp snooping Displays general information about DHCP snooping. show running-config dhcp Displays the DHCP snooping configuration, including the IP source guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 420: Ip Dhcp Relay Address

    You can configure up to four DHCP server IP addresses on Layer 3 Ethernet interfaces and subinterfaces, VLAN interfaces, and Layer 3 port channels. In Cisco NX-OS Release 4.0.2 and earlier releases, you can configure only one DHCP server IP address on an interface.
  • Page 421 Enables VRF support for the DHCP relay agent. ip dhcp relay information option vpn ip dhcp relay sub-option type cisco Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions.
  • Page 422: Ip Dhcp Relay Information Option

    Configures the IP address of a DHCP server on an interface. Enables DHCP to use Cisco proprietary numbers 150, ip dhcp relay sub-option type cisco 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions.
  • Page 423 Enables the insertion and removal of option-82 information for DHCP packets forwarded without the use of the DHCP relay agent. show running-config dhcp Displays the DHCP snooping configuration, including the IP source guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 424: Ip Dhcp Relay Information Option Vpn

    When the devices receives the DHCP response message, it strips off the Option-82 information and forwards the response to the DHCP client in the client VRF. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 425 DHCP packets forwarded by the DHCP relay agent. ip dhcp relay sub-option type cisco Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions.
  • Page 426: Ip Dhcp Relay Subnet-Broadcast

    Cisco NX-OS devices. This command does not require a license. Examples This example shows how to configure the Cisco NX-OS device to support the relaying of DHCP packets from clients to a subnet broadcast IP address: switch# configure terminal...
  • Page 427 I Commands ip dhcp relay subnet-broadcast Related Commands Command Description feature dhcp Enables the DHCP feature on the device. ip dhcp relay Enable the DHCP relay agent. Cisco Nexus 7000 Series Security Command Reference...
  • Page 428: Ip Dhcp Relay Sub-Option Type Cisco

    To enable DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent option-82 suboptions, use the ip dhcp relay sub-option type cisco command.
  • Page 429 Globally enables DHCP snooping on the device. show ip dhcp snooping Displays general information about DHCP snooping. show running-config dhcp Displays the DHCP snooping configuration, including the IP source guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 430: Ip Dhcp Smart-Relay

    A maximum of 10,000 clients can use DHCP smart relay at any given time. In a vPC environment with DHCP smart relay enabled, the subnet of the primary and secondary addresses of an interface should be the same on both Cisco NX-OS devices. This command does not require a license.
  • Page 431 Related Commands Command Description ip dhcp smart-relay global Enables the DHCP smart relay globally on the Cisco NX-OS device. Enable the DHCP relay agent. ip dhcp relay Cisco Nexus 7000 Series Security Command Reference...
  • Page 432: Ip Dhcp Smart-Relay Global

    To enable Dynamic Host Configuration Protocol (DHCP) smart relay globally on the Cisco NX-OS device, use the ipdhcp smart-relay global command. To disable DHCP smart relay globally on the Cisco NX-OS device, use the no form of this command.
  • Page 433 Related Commands Command Description ip dhcp smart-relay Enables DHCP smart relay on a Layer 3 interface. Enable the DHCP relay agent. ip dhcp relay Cisco Nexus 7000 Series Security Command Reference...
  • Page 434: Ip Dhcp Snooping

    Enables or disables the DHCP relay agent. ip dhcp snooping information option Enables the insertion and removal of option-82 information for DHCP packets forwarded without the use of the DHCP relay agent. Cisco Nexus 7000 Series Security Command Reference...
  • Page 435 Enables DHCP snooping on the specified VLANs. show ip dhcp snooping Displays general information about DHCP snooping. show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 436: Ip Dhcp Snooping Information Option

    Globally enables DHCP snooping on the device. ip dhcp snooping trust Configures an interface as a trusted source of DHCP messages. ip dhcp snooping vlan Enables DHCP snooping on the specified VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 437 I Commands ip dhcp snooping information option Command Description show ip dhcp snooping Displays general information about DHCP snooping. show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 438: Ip Dhcp Snooping Trust

    This example shows how to configure an interface as a trusted source of DHCP messages: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# ip dhcp snooping trust switch(config-if)# Related Commands Command Description ip dhcp snooping Globally enables DHCP snooping on the device. Cisco Nexus 7000 Series Security Command Reference...
  • Page 439 Enables DHCP snooping on the specified VLANs. Displays general information about DHCP snooping. show ip dhcp snooping show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 440: Ip Dhcp Snooping Verify Mac-Address

    Globally enables DHCP snooping on the device. Enables the insertion and removal of option-82 ip dhcp snooping information option information for DHCP packets forwarded without the use of the DHCP relay agent. Cisco Nexus 7000 Series Security Command Reference...
  • Page 441 Enables DHCP snooping on the specified VLANs. show ip dhcp snooping Displays general information about DHCP snooping. show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 442: Ip Dhcp Snooping Vlan

    Globally enables DHCP snooping on the device. ip dhcp snooping information option Enables the insertion and removal of option-82 information for DHCP packets forwarded without the use of the DHCP relay agent. Cisco Nexus 7000 Series Security Command Reference...
  • Page 443 Enables MAC address verification as part of DHCP snooping. Displays general information about DHCP snooping. show ip dhcp snooping show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 444: Ip Forward-Protocol Udp

    Related Commands Command Description ip udp relay subnet-broadcast Enables the UDP relay feature for the subnet broadcasts. object-group udp relay ip address Configures an object group containing IP addresses. Cisco Nexus 7000 Series Security Command Reference...
  • Page 445: Ip Port Access-Group

    • VLAN interfaces You must enable VLAN interfaces globally before you can configure a VLAN interface. For more Note information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference. • Layer 3 Ethernet interfaces...
  • Page 446 2/3 switch(config-if)# ip port access-group ipacl in ERROR: The given policy cannot be applied as mac packet classification is enable d on this port switch(config-if)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 447 Shows either a specific IPv4 ACL or all IPv4 ACLs. Shows the running configuration of all interfaces or show running-config interface of a specific interface. statistics per-entry Enables collection of statistics for each entry in an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 448: Ip Radius Source-Interface

    This example shows how to remove the global source interface for RADIUS server groups: switch# configure terminal switch(config)# no ip radius source-interface Related Commands Command Description Displays the RADIUS server group configuration. show radius-server groups Cisco Nexus 7000 Series Security Command Reference...
  • Page 449: Ip Source Binding

    This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3: switch# configure terminal switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3 switch(config)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 450 Command Description ip verify source dhcp-snooping-vlan Enables IP Source Guard on an interface. show ip verify source Displays IP-to-MAC address bindings. show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 451: Ip Tacacs Source-Interface

    This example shows how to remove the global source interface for TACACS+ server groups: switch# configure terminal switch(config)# no ip tacacs source-interface Related Commands Command Description feature tacacs+ Enables the TACACS+ feature. Displays the TACACS+ server group configuration. show tacacs-server groups Cisco Nexus 7000 Series Security Command Reference...
  • Page 452: Ip Udp Relay Addrgroup

    This example shows how to disassociate the object group: switch(config-if)# no ip udp relay addrgroup udprelay1 Related Commands Command Description ip forward-protocol udp Enables the UDP relay feature. object-group udp relay ip address Configures the object group. Cisco Nexus 7000 Series Security Command Reference...
  • Page 453: Ip Udp Relay Subnet-Broadcast

    This example shows how to disable the UDP relay feature on the subnet broadcast: switch(config-if)# no ip udp relay subnet-broadcast Related Commands Command Description ip forward-protocol udp Enables the UDP relay feature. object-group udp relay ip address Configures an object group containing IP addresses. Cisco Nexus 7000 Series Security Command Reference...
  • Page 454 I Commands ip udp relay subnet-broadcast Cisco Nexus 7000 Series Security Command Reference...
  • Page 455: Ip Verify Source Dhcp-Snooping-Vlan

    2/1 switch(config-if)# ip verify source dhcp-snooping-vlan switch(config-if)# Related Commands Command Description ip source binding Creates a static IP source entry for the specified Ethernet interface. show ip verify source Displays IP-to-MAC address bindings. Cisco Nexus 7000 Series Security Command Reference...
  • Page 456: Ip Verify Unicast Source Reachable-Via

    FIB returns a match and the FIB result indicates that the source is reachable through at least one real interface. The ingress interface through which the packet is received is not required to match any of the interfaces in the FIB result. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 457 Displays the IP configuration in the running show running-config ip configuration. show startup-config interface ethernet Displays the interface configuration in the startup configuration. show startup-config ip Displays the IP configuration in the startup configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 458: Ipv6 Access-Class

    This example shows how to configure VTY ACL to control access to all IPv6 traffic over all VTY lines : switch# configure terminal switch(config)# ip access-list vtyacl switch(config-ip-acl)# exit switch(config)# line vty switch(config-line)# ipv6 access-class vtyacl1 in switch(config-line)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 459 Configures an IPv6 ACL. show ip6 access-lists Shows either a specific IPv6 ACL or all IPv4 ACLs. show running-config interface Shows the running configuration of all interfaces or of a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 460: Ipv6 Access-Class

    This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface: switch# configure terminal switch(config)# line vty switch(config-line)# ipv6 access-class acl-ipv6-vty01 Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. line Configures line access to the device. Cisco Nexus 7000 Series Security Command Reference...
  • Page 461 I Commands ipv6 access-class Command Description show ipv6 access-list Shows all IPv6 ACLs or a specific IPv6 ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 462: Ipv6 Access-List

    Use the statistics per-entry command to configure the device to record statistics for each rule in an IPv6 ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match implicit rules, you must explicitly configure an identical rule for each implicit rule. Cisco Nexus 7000 Series Security Command Reference...
  • Page 463 Configures a permit rule in an IPv6 ACL. show ipv6 access-lists Displays all IPv6 ACLs or a specific IPv6 ACL. statistics per-entry Enables the collection of statistics for each entry in an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 464: Ipv6 Dhcp-Ldra

    This example shows how to disable the LDRA feature: switch(config)# no ipv6 dhcp-ldra Related Commands Command Description show ipv6 dhcp-ldra Displays the configuration details of LDRA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 465: Ipv6 Dhcp Guard Policy

    DHCP packets from servers to clients. Client messages or messages sent by relay agents from clients to servers are not blocked. Examples The following example shows how to define a DHCPv6 guard policy name: switch# configure terminal switch(config)# ipv6 dhcp guard policy policy1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 466: Ipv6 Dhcp-Ldra (Interface)

    This example shows how to disable the LDRA feature on the specified interface: switch(config-if)# no ipv6 dhcp-ldra client-facing-trusted Related Commands Command Description ipv6 dhcp-ldra Enables the LDRA feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 467: Ipv6 Dhcp Relay

    VRF to a DHCPv6 server in a different VRF. The ipv6 dhcp relay option type cisco command causes the DHCPv6 relay agent to insert virtual subnet selection (VSS) details as part of the vendor-specific option. The no option causes the DHCPv6 relay agent to insert VSS details as part of the VSS option (68), which is defined in RFC 6607.
  • Page 468 This example shows how to enable VRF support for the DHCPv6 relay agent: switch(config)# ipv6 dhcp relay option vpn This example shows how to enable the DHCPv6 relay agent using option type Cisco: switch(config)# ipv6 dhcp relay option type cisco...
  • Page 469: Ipv6 Dhcp-Ldra Attach Policy (Interface)

    This example shows how to disable the LDRA feature on the specified interface: switch(config-if)# no ipv6 dhcp-ldra attach-policy client-facing-trusted Related Commands Command Description ipv6 dhcp-ldra Enables the LDRA feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 470 I Commands ipv6 dhcp-ldra attach policy (interface) Cisco Nexus 7000 Series Security Command Reference...
  • Page 471: Ipv6 Dhcp-Ldra Attach-Policy Vlan

    1032 This example shows how to disable the LDRA feature on the specified interface: switch(config)# no ipv6 dhcp-ldra attach-policy vlan 1032 Related Commands Command Description ipv6 dhcp-ldra Enables the LDRA feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 472: Ipv6 Dhcp Relay Address

    It is not allowed for a global or site-scoped server address. To configure more than one IP address, use the ipv6 dhcp relay address command once per address. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 473 Related Commands Command Description ipv6 dhcp relay Enables or disables the DHCPv6 relay agent. show ipv6 dhcp relay Displays the DHCPv6 relay configuration. show ipv6 dhcp relay statistics Displays the DHCPv6 relay statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 474: Ipv6 Nd Raguard Attach-Policy

    This command was introduced. Usage Guidelines If no policy is specified using the policy-name argument, the port device role is set to host and all inbound router traffic (for example, RA and redirect messages) is blocked. Cisco Nexus 7000 Series Security Command Reference...
  • Page 475 1-100,200,300-400. Examples In the following example, the IPv6 RA guard feature is applied on GigabitEthernet interface 0/0: switch(config)# interface GigabitEthernet 0/0 switch(config-if)# ipv6 nd raguard attach-policy Cisco Nexus 7000 Series Security Command Reference...
  • Page 476: Ipv6 Nd Raguard Policy

    IPv6 RA guard on a specific interface. Examples The following example shows how to define the RA guard policy name as policy1 and place the device in policy configuration mode: switch(config)# ipv6 nd raguard policy policy1 switch(config-ra-guard)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 477 Specifies the minimum security level parameter value when CGA options are used. trusted-port Configures a port to become a trusted port. validate source-mac Checks the source MAC address against the link layer address. Cisco Nexus 7000 Series Security Command Reference...
  • Page 478: Ipv6 Neighbor Binding

    Usage Guidelines Use the ipv6 neighbor binding command to configure information about individual entries in a binding table. If no keywords or arguments are configured, the IPv6 neighbor binding entry defaults are used. Cisco Nexus 7000 Series Security Command Reference...
  • Page 479 The following example shows how to change the reachable lifetime for binding entries to 100 seconds: switch(config)# ipv6 neighbor binding reachable-entries 100 Related Commands Command Description Tracks entries in the binding table. ipv6 neighbor tracking tracking Overrides the default tracking policy on a port. Cisco Nexus 7000 Series Security Command Reference...
  • Page 480: Ipv6 Neighbor Binding Logging

    Description ipv6 neighbor binding vlan Adds a static entry to the binding table database. ipv6 neighbor tracking Tracks entries in the binding table. Configures IPv6 snooping security logging. ipv6 snooping logging packet drop Cisco Nexus 7000 Series Security Command Reference...
  • Page 481: Ipv6 Neighbor Binding Max-Entries

    The maximum number of entries can be set globally per VLAN, interface, or MAC addresses. Examples The following example shows how to specify globally the maximum number of entries inserted into the cache: switch(config)# ipv6 neighbor binding max-entries 100 Cisco Nexus 7000 Series Security Command Reference...
  • Page 482 I Commands ipv6 neighbor binding max-entries Related Commands Command Description ipv6 neighbor binding vlan Adds a static entry to the binding table database. ipv6 neighbor tracking Tracks entries in the binding table. Cisco Nexus 7000 Series Security Command Reference...
  • Page 483: Ipv6 Neighbor Tracking

    To change the default values of neighbor binding entries in a binding table, use the ipv6 neighbor binding command. Examples The following example shows how to track entries in a binding table: switch(config)# ipv6 neighbor tracking Cisco Nexus 7000 Series Security Command Reference...
  • Page 484 I Commands ipv6 neighbor tracking Related Commands Command Description ipv6 neighbor binding Changes the defaults of neighbor binding entries in a binding table. Cisco Nexus 7000 Series Security Command Reference...
  • Page 485: Ipv6 Port Traffic-Filter

    • VLAN interfaces You must enable VLAN interfaces globally before you can configure a VLAN interface. For more Note information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference. Cisco Nexus 7000 Series Security Command Reference...
  • Page 486 ERROR: The given policy cannot be applied as mac packet classification is enable d on this port switch(config-if)# Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 487 Displays all ACLs. show ipv6 access-lists Shows either a specific IPv6 ACL or all IPv6 ACLs. show running-config interface Shows the running configuration of all interfaces or of a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 488: Ipv6 Snooping Attach-Policy

    (depending on the platform used) include device ports, switchports, Layer 2 interfaces, Layer 3 interfaces, and VLANs. Examples The following examples shows how to apply an IPv6 snooping policy named policy1 to a target: switch(config)# ipv6 snooping policy policy1 switch(config-ipv6-snooping)# ipv6 snooping attach-policy policy1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 489: Ipv6 Traffic-Filter

    • VLAN interfaces You must enable VLAN interfaces globally before you can configure a VLAN interface. For more Note information, see the feature interface-vlan command in the Cisco Nexus 7000 Series NX-OS Interfaces Command Reference. • Layer 3 Ethernet interfaces and subinterfaces •...
  • Page 490 Displays all ACLs. Shows either a specific IPv6 ACL or all IPv6 ACLs. show ipv6 access-lists show running-config interface Shows the running configuration of all interfaces or of a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 491 K Commands • key, page 466 • key chain, page 468 • key config-key, page 470 • key-octet-string, page 472 • key-server-priority, page 474 • key-string, page 476 Cisco Nexus 7000 Series Security Command Reference...
  • Page 492: Chapter 9 K Commands

    • To use this command in MACsec keychain configuration mode, you should enable the MKA feature first. Examples This example shows how to enter the key configuration mode for key 13 in the glbp-keys keychain: switch# configure terminal switch(config)# key chain glbp-keys switch(config-keychain)# key 13 switch(config-keychain-key)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 493 Displays keychain configuration. show macsec mka Displays the details of MKA. show macsec policy Displays all the MACsec policies in the system. Displays the status of MKA. show run mka Cisco Nexus 7000 Series Security Command Reference...
  • Page 494: Key Chain

    This example shows how to configure a keychain named glbp-keys: switch# configure terminal switch(config)# key chain glbp-keys switch(config-keychain)# This example shows how to configure a MACsec key chain named k1: switch# configure terminal switch(config)# key chain k1 macsec switch(config-macseckeychain)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 495 Displays the keychain configuration. Displays the details of MKA. show macsec mka show macsec policy Displays all the MACsec policies in the system. show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 496: Key Config-Key

    Do you want to proceed (y/n)[n]: [n] y switch# Related Commands Command Description feature password encryption aes Enables the AES password encryption features. show encryption service stat Displays the status of the encryption service. Cisco Nexus 7000 Series Security Command Reference...
  • Page 497 K Commands key config-key Cisco Nexus 7000 Series Security Command Reference...
  • Page 498: Key-Octet-String

    Configures the 128-bit AES encryption algorithm. AES_128_CMAC AES_256_CMAC Configures the 256-bit AES encryption algorithm. Command Default The key octet string is not encrypted. Command Modes MACsec key configuration (config-macseckeychain-macseckey) Command History Release Modification 8.2(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 499 The key octet string is a shared secret. The device stores key strings in a secure format. You can obtain encrypted key strings by using the show key chain command on another Cisco NX-OS device. This command does not require a license. To use this command, you must enable the MKA feature.
  • Page 500: Key-Server-Priority

    Creates a key or enters the configuration mode of an existing key. key chain keychain-name Creates a keychain or enters the configuration mode of an existing keychain. macsec keychain policy Configures the MACsec keychain policy. Cisco Nexus 7000 Series Security Command Reference...
  • Page 501 Displays the configuration of the specified keychain. show macsec mka Displays the details of MKA. Displays all the MACsec policies in the system. show macsec policy show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 502: Key-String

    This option is useful when you are entering a text string based on the encrypted output of a show key chain command that you ran on another Cisco NX-OS device. text-string Text of the key string, up to 63 case-sensitive, alphanumeric characters.
  • Page 503 The key-string text is a shared secret. The device stores key strings in a secure format. You can obtain encrypted key strings by using the show key chain command on another Cisco NX-OS device. This command does not require a license.
  • Page 504 K Commands key-string Cisco Nexus 7000 Series Security Command Reference...
  • Page 505: L Commands

    480 • ldap-server host, page 481 • ldap-server port, page 484 • ldap-server timeout, page 485 • ldap search-map, page 486 • logging drop threshold, page 488 • It, page 490 Cisco Nexus 7000 Series Security Command Reference...
  • Page 506: Ldap-Server Deadtime

    To configure the deadtime interval for all Lightweight Directory Access Protocol (LDAP) servers, use the ldap-server deadtime command. The deadtime interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive.
  • Page 507: Ldap-Server Host

    (Optional) Specifies the bind password for the root. (Optional) Configures parameters to send test packets test to the LDAP server. idle-time minutes Specifies the time interval (in minutes) for monitoring the server. The range is from 1 to 1440 minutes. Cisco Nexus 7000 Series Security Command Reference...
  • Page 508 Cisco NX-OS device. By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.
  • Page 509 L Commands ldap-server host Related Commands Command Description feature ldap Enables LDAP. show ldap-server Displays the LDAP server configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 510: Ldap-Server Port

    This example shows how to configure a global TCP port for LDAP messages: switch# configure terminal switch(config)# ldap-server port 2 Related Commands Command Description Enables LDAP. feature ldap show ldap-server Displays the LDAP server configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 511: Ldap-Server Timeout

    To configure a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all Lightweight Directory Access Protocol (LDAP) servers before declaring a timeout failure, use the ldap-server timeout command. To remove the global timeout configuration, use the no form of this command.
  • Page 512: Ldap Search-Map

    Displays the configured LDAP search maps. Configures the attribute name, search filter, and CRLLookup base-DN for the CRL search operation in order to send a search query to the LDAP server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 513 LDAP server. Configures the attribute name, search filter, and userprofile base-DN for the user profile search operation in order to send a search query to the LDAP server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 514: Logging Drop Threshold

    52000 bc 2000 switch(config-pmap-c)# police cir 5000 conform transmit exceed drop violate set1 dscp3 dscp4 table1 pir-markdown-map switch(config-pmap-c)# police cir 52000 pir 78000 be 2000 switch(config-pmap-c)# logging drop threshold 1800 level 2 switch(config-pmap-c)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 515 L Commands logging drop threshold Related Commands Command Description policy-map type control-plane Configures a control plane policy map and enters policy map configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 516 This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 1 through port 49151: switch# configure terminal switch(config)# object-group ip port port-group-05 switch(config-port-ogroup)# lt 49152 Cisco Nexus 7000 Series Security Command Reference...
  • Page 517 Specifies a not-equal-to group member in an IP port object group. object-group ip port Configures an IP port object group. range Specifies a port range group member in an IP port object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 518 L Commands Cisco Nexus 7000 Series Security Command Reference...
  • Page 519: M Commands

    498 • macsec keychain policy, page 500 • macsec policy, page 502 • managed-config-flag, page 504 • match (class-map), page 505 • match (VLAN access-map), page 507 • monitor session, page 509 Cisco Nexus 7000 Series Security Command Reference...
  • Page 520: Mac Access-List

    ACL. The device does not record statistics for implicit rules. To record statistics for packets that would match the implicit rule, you must explicitly configure a rule to deny the packets. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 521 (MAC) Configures a permit rule in a MAC ACL. show mac access-lists Displays all MAC ACLs or a specific MAC ACL. statistics per-entry Enables collection of statistics for each entry in an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 522: Mac Packet-Classify

    IP port ACL to the interface when MAC packet classification is enabled: switch(config)# show running-config interface ethernet 2/3 !Command: show running-config interface Ethernet2/3 !Time: Wed Jun 24 13:06:49 2009 version 4.2(1) interface Ethernet2/3 ip access-group ipacl in Cisco Nexus 7000 Series Security Command Reference...
  • Page 523 Applies a IPv4 ACL to an interface as a port ACL. Applies a IPv6 ACL to an interface as a port ACL. ipv6 port traffic-filter switchport Configures an interface to operate as a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 524: Mac Port Access-Group

    If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 525 Displays all ACLs. show mac access-lists Shows either a specific MAC ACL or all MAC ACLs. show running-config interface Shows the running configuration of all interfaces or of a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 526: Macsec Keychain Policy

    5 switch(config-if)# macsec keychain k3 policy p1 Related Commands Command Description feature mka Enables the MKA feature. Creates a key or enters the configuration mode of an existing key. Cisco Nexus 7000 Series Security Command Reference...
  • Page 527 Displays the configuration of the specified keychain. show macsec mka Displays the details of MKA. show macsec policy Displays all the MACsec policies in the system. Displays the status of MKA. show run mka Cisco Nexus 7000 Series Security Command Reference...
  • Page 528: Macsec Policy

    Creates a keychain or enters the configuration mode of an existing keychain. Configures the MACsec keychain policy. macsec keychain policy show key chain Displays the configuration of the specified keychain. Cisco Nexus 7000 Series Security Command Reference...
  • Page 529 M Commands macsec policy Command Description show macsec mka Displays the details of MKA. show macsec policy Displays all the MACsec policies in the system. show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 530: Managed-Config-Flag

    RA guard policy configuration mode, and enables M flag verification: switch(config)# ipv6 nd raguard policy raguard1 switch(config-ra-guard)# managed-config-flag on Related Commands Command Description Defines the RA guard policy name and enters RA ipv6 nd raguard policy guard policy configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 531: Match (Class-Map)

    Matches IPv4 or IPv6 option packets. protocol arp Matches Address Resolution Protocol (ARP) packets. Matches dynamic ARP inspection or DHCP snooping redirect redirect packets. arp-inspect Matches dynamic ARP inspection. Matches dynamic DHCP snooping. dhcp-snoop Cisco Nexus 7000 Series Security Command Reference...
  • Page 532 Related Commands Command Description class-map type control-plane Creates or specifies a control plane class map and enters class map configuration mode. show class-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 533: Match (Vlan Access-Map)

    Cisco Nexus 7000 Series Security Command Reference...
  • Page 534 Displays information about how a VLAN access map is applied. Configures a VLAN access map. vlan access-map vlan filter Applies a VLAN access map to one or more VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 535: Monitor Session

    Enables access control list (ACL) capture on all virtual device contexts (VDCs). destination interface Configures a destination for ACL capture packets. Displays the ACL capture session configuration. show ip-access capture session Cisco Nexus 7000 Series Security Command Reference...
  • Page 536 M Commands monitor session Cisco Nexus 7000 Series Security Command Reference...
  • Page 537: N Commands

    N Commands • nac enable, page 512 • neq, page 513 Cisco Nexus 7000 Series Security Command Reference...
  • Page 538: Nac Enable

    This example shows how to disable NAC on an interface: switch# configure terminal switch(config)# interface ethernet 1/1 switch(config-if)# no nac enable Related Commands Command Description Enables EAPoUDP. feature eou show eou Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 539: Neq

    This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to any port except port 80: switch# configure terminal switch(config)# object-group ip port port-group-05 switch(config-port-ogroup)# neq 80 Cisco Nexus 7000 Series Security Command Reference...
  • Page 540 Specifies a less-than group member in an IP port object group. object-group ip port Configures an IP port object group. range Specifies a port-range group member in an IP port object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 541: O Commands

    (identity policy), page 516 • object-group ip address, page 518 • object-group ip port, page 520 • object-group ipv6 address, page 522 • object-group udp relay ip address, page 524 • other-config-flag, page 525 Cisco Nexus 7000 Series Security Command Reference...
  • Page 542: Object-Group (Identity Policy)

    Creates or specifies an identity policy and enters identity policy configuration mode. mac access-list Creates a MAC ACL and enters MAC ACL configuration mode. show identity policy Displays identity policy information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 543 O Commands object-group (identity policy) Cisco Nexus 7000 Series Security Command Reference...
  • Page 544: Object-Group Ip Address

    IPv4 addresses and one group member that is the 10.23.176.0 subnet: switch# configure terminal switch(config)# object-group ip address ipv4-addr-group-13 switch(config-ipaddr-ogroup)# host 10.121.57.102 switch(config-ipaddr-ogroup)# 10.121.57.234/32 switch(config-ipaddr-ogroup)# 10.23.176.0 0.0.0.255 switch(config-ipaddr-ogroup)# show object-group ipv4-addr-group-13 10 host 10.121.57.102 20 host 10.121.57.234 30 10.23.176.0/24 switch(config-ipaddr-ogroup)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 545 O Commands object-group ip address Related Commands Command Description host (IPv4) Configures a group member for an IPv4 address object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 546: Object-Group Ip Port

    This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443: switch# configure terminal switch(config)# object-group ip port port-group-05 switch(config-port-ogroup)# eq 443 switch(config-port-ogroup)# show object-group port-group-05 10 eq 443 switch(config-port-ogroup)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 547 Specifies a less-than group member in an IP port object group. Specifies a not-equal-to group member in an IP port object group. range Specifies a port range group member in an IP port object group. Displays object groups. show object-group Cisco Nexus 7000 Series Security Command Reference...
  • Page 548: Object-Group Ipv6 Address

    IPv6 addresses and one group member that is the 2001:db8:0:3ab7:: subnet: switch# configure terminal switch(config)# object-group ipv6 address ipv6-addr-group-A7 switch(config-ipv6addr-ogroup)# host 2001:db8:0:3ab0::1 switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab0::2/128 switch(config-ipv6addr-ogroup)# 2001:db8:0:3ab7::/96 switch(config-ipv6addr-ogroup)# show object-group i pv6-addr-group-A7 10 host 2001:db8:0:3ab0::1 20 host 2001:db8:0:3ab0::2 30 2001:db8:0:3ab7::/96 switch(config-ipv6addr-ogroup)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 549 O Commands object-group ipv6 address Related Commands Command Description host (IPv6) Configures a group member for an IPv6 address object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 550: Object-Group Udp Relay Ip Address

    This example shows how to delete the the object group: switch(config)# no object-group udp relay ip address udprelay1 Related Commands Command Description ip forward-protocol udp Enables the UDP relay feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 551: Other-Config-Flag

    RA guard policy configuration mode, and enables O flag verification: switch(config)# ipv6 nd raguard policy raguard1 switch(config-ra-guard)# other-config-flag on Related Commands Command Description ipv6 nd raguard policy Defines the RA guard policy name and enters RA guard policy configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 552 O Commands other-config-flag Cisco Nexus 7000 Series Security Command Reference...
  • Page 553: P Commands

    583 • platform rate-limit, page 585 • police (policy map), page 587 • policy, page 590 • policy-map type control-plane, page 592 • preference, page 593 • propagate-sgt, page 594 Cisco Nexus 7000 Series Security Command Reference...
  • Page 554: Password Secure-Mode

    This example shows how to disable secure mode for changing password: switch# configure terminal switch(config)# no password secure-mode Related Commands Command Description show password strength-check Enables password-strength checking. Cisco Nexus 7000 Series Security Command Reference...
  • Page 555: Password Strength-Check

    4.0(3) This command was introduced. Usage Guidelines When you enable password-strength checking, the Cisco NX-OS software only allows you to create strong passwords. The characteristics for strong passwords include the following: • At least eight characters long • Does not contain many consecutive characters (such as “abcd”) •...
  • Page 556 This example shows how to disable password-strength checking: switch# configure terminal switch(config)# no password strength-check Related Commands Command Description show password strength-check Enables password-strength checking. show running-config security Displays security feature configuration in the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 557: Periodic

    The following keywords are valid values for the weekday argument: • monday • tuesday • wednesday • thursday • friday • saturday • sunday Cisco Nexus 7000 Series Security Command Reference...
  • Page 558 This example shows how to create a time range named weekend-remote-access-times and configure a periodic rule that allows traffic between 4:00 a.m. and 10:00 p.m. on Saturday and Sunday: switch# configure terminal switch(config)# time-range weekend-remote-access-times switch(config-time-range)# periodic weekend 04:00:00 to 22:00:00 Cisco Nexus 7000 Series Security Command Reference...
  • Page 559 18:00:00 to 22:00:00 Related Commands Command Description absolute Configures an absolute time-range rule. time-range Configures a time range that you can use in IPv4 and IPv6 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 560: Permit (Acl)

    (Optional) Specifies protocol independent multicast. Specifies Transport Control Protocol. (Optional) Specifies User Datagram Protocol. source Source network address. (Optional) Specifies the source address group. addrgroup (Optional) Specifies any source address. host (Optional) Specifies a single destination host. Cisco Nexus 7000 Series Security Command Reference...
  • Page 561 This example shows how to enable a capture session for the access control entries (ACEs) of the access control list: switch# configure terminal switch(config)# ip access-list acl-1 switch(config-acl)# permit tcp host 10.1.1.1 any capture session 10 switch(config-acl)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 562 P Commands permit (ACL) Related Commands Command Description ip access-group name in Applies an ACL with capture session ACEs to the interface. ip access-list Creates an access list. Cisco Nexus 7000 Series Security Command Reference...
  • Page 563: Permit (Arp)

    Specifies that any host matches the part of the rule that contains the any keyword. You can use any to specify the sender IP address, target IP address, sender MAC address, and target MAC address. Cisco Nexus 7000 Series Security Command Reference...
  • Page 564 IP address in the packet matches the value of the target-IP argument. You can specify host target-IP only when you use the response keyword. Valid values for the target-IP argument are IPv4 addresses in dotted-decimal format. Cisco Nexus 7000 Series Security Command Reference...
  • Page 565 If you do not specify either the response or request keyword, the rule applies to packets that contain any ARP message. Cisco Nexus 7000 Series Security Command Reference...
  • Page 566 Configures an ARP ACL. ip arp inspection filter Applies an ARP ACL to a VLAN. remark Configures a remark in an ACL. Displays all ARP ACLs or one ARP ACL. show arp access-list Cisco Nexus 7000 Series Security Command Reference...
  • Page 567: Permit (Ipv4)

    [ sequence-number ] permit udp source [operator port [ port ]| portgroup portgroup] destination [operator port [ port ]| portgroup portgroup] [dscp dscp| precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [ packet-length ]] Cisco Nexus 7000 Series Security Command Reference...
  • Page 568 “Usage Guidelines” section. destination Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. Cisco Nexus 7000 Series Security Command Reference...
  • Page 569 P Commands permit (IPv4) dscp dscp Cisco Nexus 7000 Series Security Command Reference...
  • Page 570 (100110) • cs1—Class-selector (CS) 1, precedence 1 (001000) • cs2—CS2, precedence 2 (010000) • cs3—CS3, precedence 3 (011000) • cs4—CS4, precedence 4 (100000) • cs5—CS5, precedence 5 (101000) • cs6—CS6, precedence 6 (110000) Cisco Nexus 7000 Series Security Command Reference...
  • Page 571 The message includes the following information: • Whether the protocol was TCP, UDP, ICMP or a number protocol • Source and destination addresses • Source and destination port numbers, if applicable Cisco Nexus 7000 Series Security Command Reference...
  • Page 572 IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords: • dvmrp—Distance Vector Multicast Routing Protocol • host-query—Host query • host-report—Host report • pim—Protocol Independent Multicast • trace—Multicast trace Cisco Nexus 7000 Series Security Command Reference...
  • Page 573 Use the object-group ip port command to create and change IP port object objects. Cisco Nexus 7000 Series Security Command Reference...
  • Page 574 A newly created IPv4 ACL contains no rules. If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 575 • eigrp—Specifies that the rule applies to Enhanced Interior Gateway Routing Protocol (EIGRP) traffic only. • esp—Specifies that the rule applies to Encapsulating Security Protocol (ESP) traffic only. • gre—Specifies that the rule applies to General Routing Encapsulation (GRE) traffic only. Cisco Nexus 7000 Series Security Command Reference...
  • Page 576 • Address and variable-length subnet mask—You can use an IPv4 address followed by a variable-length subnet mask (VLSM) to specify a host or a network as a source or destination. The syntax is as follows: IPv4-address/prefix-len Cisco Nexus 7000 Series Security Command Reference...
  • Page 577 • host-redirect—Host redirect • host-tos-redirect—Host redirect for ToS • host-tos-unreachable—Host unreachable for ToS • host-unknown—Host unknown • host-unreachable—Host unreachable • information-reply—Information replies • information-request—Information requests • mask-reply—Mask replies • mask-request—Mask requests • mobile-redirect—Mobile host redirect Cisco Nexus 7000 Series Security Command Reference...
  • Page 578 0 to 65535. It can also be one of the following keywords: bgp—Border Gateway Protocol (179) chargen—Character generator (19) cmd—Remote commands (rcmd, 514) daytime—Daytime (13) discard—Discard (9) domain—Domain Name Service (53) Cisco Nexus 7000 Series Security Command Reference...
  • Page 579 0 to 65535. It can also be one of the following keywords: biff—Biff (mail notification, comsat, 512) bootpc—Bootstrap Protocol (BOOTP) client (68) bootps—Bootstrap Protocol (BOOTP) server (67) discard—Discard (9) dnsix—DNSIX security protocol auditing (195) domain—Domain Name Service (DNS, 53) Cisco Nexus 7000 Series Security Command Reference...
  • Page 580 IP traffic from an IP-address object group named eng_workstations to an IP-address object group named marketing_group: switch# configure terminal switch(config)# ip access-list acl-eng-to-marketing switch(config-acl)# permit ip addrgroup eng_workstations addrgroup marketing_group Related Commands Command Description Configures a deny rule in an IPv4 ACL. deny (IPv4) Cisco Nexus 7000 Series Security Command Reference...
  • Page 581 Configures a remark in an ACL. Displays all IPv4 ACLs or one IPv4 ACL. show ip access-list statistics per-entry Enables collection of statistics for each entry in an ACL. Configures a time range. time-range Cisco Nexus 7000 Series Security Command Reference...
  • Page 582: Permit (Ipv6)

    [sequence-number| no] permit udp source [operator port [ port ]| portgroup portgroup] destination [operator port [ port ]| portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [ packet-length ]] Cisco Nexus 7000 Series Security Command Reference...
  • Page 583 ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. Cisco Nexus 7000 Series Security Command Reference...
  • Page 584 P Commands permit (IPv6) protocol Cisco Nexus 7000 Series Security Command Reference...
  • Page 585 • udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol Cisco Nexus 7000 Series Security Command Reference...
  • Page 586 “Usage Guidelines” section. destination Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. Cisco Nexus 7000 Series Security Command Reference...
  • Page 587 P Commands permit (IPv6) dscp dscp Cisco Nexus 7000 Series Security Command Reference...
  • Page 588 (100110) • cs1—Class-selector (CS) 1, precedence 1 (001000) • cs2—CS2, precedence 2 (010000) • cs3—CS3, precedence 3 (011000) • cs4—CS4, precedence 4 (100000) • cs5—CS5, precedence 5 (101000) • cs6—CS6, precedence 6 (110000) Cisco Nexus 7000 Series Security Command Reference...
  • Page 589 (ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMPv6 Message Types” in the “Usage Guidelines” section. Cisco Nexus 7000 Series Security Command Reference...
  • Page 590 • range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument. Cisco Nexus 7000 Series Security Command Reference...
  • Page 591 TCP control bit flags set. The value of the flags argument must be one or more of the following keywords: • ack • fin • psh • rst • syn • urg Cisco Nexus 7000 Series Security Command Reference...
  • Page 592 You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments: Cisco Nexus 7000 Series Security Command Reference...
  • Page 593 • header—Parameter header problems • hop-limit—Hop limit exceeded in transit • mld-query—Multicast Listener Discovery Query • mld-reduction—Multicast Listener Discovery Reduction • mld-report—Multicast Listener Discovery Report • nd-na—Neighbor discovery neighbor advertisements • nd-ns—Neighbor discovery neighbor solicitations Cisco Nexus 7000 Series Security Command Reference...
  • Page 594 (13) discard—Discard (9) domain—Domain Name Service (53) drip—Dynamic Routing Information Protocol (3949) echo—Echo (7) exec—Exec (rsh, 512) finger—Finger (79) ftp—File Transfer Protocol (21) ftp-data—FTP data connections (20) gopher—Gopher (7) hostname—NIC hostname server (11) Cisco Nexus 7000 Series Security Command Reference...
  • Page 595 Security Association and Key Management Protocol (5) mobile-ip—Mobile IP registration (434) nameserver—IEN116 name service (obsolete, 42) netbios-dgm—NetBIOS datagram service (138) netbios-ns—NetBIOS name service (137) netbios-ss—NetBIOS session service (139) non500-isakmp—Internet Security Association and Key Management Protocol (45) Cisco Nexus 7000 Series Security Command Reference...
  • Page 596 Configures an IPv6-address object group. object-group ipv6 address object-group ip port Configures an IP-port object group. remark Configures a remark in an ACL. show ipv6 access-list Displays all IPv6 ACLs or one IPv6 ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 597 P Commands permit (IPv6) Command Description statistics per-entry Enables collection of statistics for each entry in an ACL. time-range Configures a time range. Cisco Nexus 7000 Series Security Command Reference...
  • Page 598: Permit (Mac)

    (Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. Cisco Nexus 7000 Series Security Command Reference...
  • Page 599 • Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword. Cisco Nexus 7000 Series Security Command Reference...
  • Page 600 Configures a remark in an ACL. statistics per-entry Enables collection of statistics for each entry in an ACL. show mac access-list Displays all MAC ACLs or one MAC ACL. time-range Configures a time range. Cisco Nexus 7000 Series Security Command Reference...
  • Page 601: Permit (Role-Based Access Control List)

    First port in the range. The range is from 0 to 65535. port-number2 Last port in the range. The range is from 0 to 65535. (Optional) Specifies that packets matching this configuration be logged. Cisco Nexus 7000 Series Security Command Reference...
  • Page 602 This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF. To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.
  • Page 603: Permit Interface

    1/1, ethernet 1/3, ethernet 1/5, ethernet 1/7 This example shows how to deny an interface in a user role interface policy: switch# configure terminal switch(config)# role name MyRole Cisco Nexus 7000 Series Security Command Reference...
  • Page 604 Description interface policy deny Enters interface policy configuration mode for a user role. Creates or specifies a user role and enters user role role name configuration mode. show role Displays user role information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 605: Permit Vlan

    MyRole switch(config-role)# vlan policy deny switch(config-role-vlan)# permit vlan 1-8 This example shows how to permit a list of VLAN identifiers for a user role VLAN policy: switch# configure terminal switch(config)# role name MyRole Cisco Nexus 7000 Series Security Command Reference...
  • Page 606 Description vlan policy deny Enters VLAN policy configuration mode for a user role. role name Creates or specifies a user role and enters user role configuration mode. Displays user role information. show role Cisco Nexus 7000 Series Security Command Reference...
  • Page 607: Permit Vrf

    This example shows how to permit a VRF name from a user role VRF policy: switch# configure terminal switch(config)# role name MyRole switch(config-role)# vrf policy deny switch(config-role-vrf)# no permit vrf engineering Related Commands Command Description vrf policy deny Enters VRF policy configuration mode for a user role. Cisco Nexus 7000 Series Security Command Reference...
  • Page 608 P Commands permit vrf Command Description role name Creates or specifies a user role and enters user role configuration mode. show role Displays user role information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 609: Platform Access-List Update

    This command was introduced. Usage Guidelines By default, a Cisco NX-OS device performs atomic ACL updates, which do not disrupt traffic that the updated ACL applies to; however, atomic updates require that the I/O modules that receive the updates have enough available resources to store each of the updated entries in the affected ACL.
  • Page 610 This example shows how to revert to the atomic update method: switch# configure terminal switch(config)# no platform access-list update default-result permit switch(config)# platform access-list update atomic Related Commands Command Description Displays the running configuration, including the show running-config all default configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 611: Platform Rate-Limit

    10000 packets per second. local-groups Specifies local groups multicast packets. The default rate is 10000 packets per second. rpf-leak Specifies Reverse Path Forwarding (RPF) leak packets. The default rate is 500 packets per second. Cisco Nexus 7000 Series Security Command Reference...
  • Page 612 This example shows how to revert to the default rate limit for control packets: switch# configure terminal switch(config)# no platform rate-limit layer-3 control Related Commands Command Description Displays the running configuration. show running-config Cisco Nexus 7000 Series Security Command Reference...
  • Page 613: Police (Policy Map)

    (Optional) Specifies units for traffic rates in megabits per second. (Optional) Specifies units for traffic rates in packets per second. (Optional) Specifies the committed burst size. burst-size Committed burst size. The range is from 1 to 512000000. Cisco Nexus 7000 Series Security Command Reference...
  • Page 614 Flags the packet on the PIR markdown map. pir pir-rate Specifies the PIR rate. (Optional) Specifies the extended burst size. extended-burst-size Extended burst size. The range is from 1 to 512000000. Cisco Nexus 7000 Series Security Command Reference...
  • Page 615 (policy map) Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 616: Policy

    To manually configure a Cisco TrustSec authentication policy on an interface with either a Cisco TrustSec device identifier or security group tag (SGT), use the policy command. To revert to the default, use the no form of this command.
  • Page 617 DeviceB switch(config-if-cts-manual)# exit switch(config-if)# shutdown switch(config-if)# no shutdown This example shows how to remove a manually configured dynamic Cisco TrustSec policy from an interface: switch# configure terminal switch(config)# interface ethernet 2/3 switch(config-if)# cts manual switch(config-if-cts-manual)# no policy dynamic identity DeviceB...
  • Page 618: Policy-Map Type Control-Plane

    This example shows how to delete a control plane policy map: switch# configure terminal switch(config)# no policy-map type control-plane PolicyMapA Related Commands Command Description show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 619: Preference

    254 or less than switch(config)# ipv6 dhcp guard policy policy1 switch(config-dhcp-guard)# preference min 2 switch(config-dhcp-guard)# preference max 254 Related Commands Command Description ipv6 dhcp guard policy Defines the DHCPv6 guard policy name. Cisco Nexus 7000 Series Security Command Reference...
  • Page 620: Propagate-Sgt

    Use the no propagate-sgt l2-control command to enable SGT tagging exemption for L2 control packets. This exemption ensures that the L2 control protocols are transmitted without any SGT tags from the Cisco TrustSec enabled-ports. The no propagate-sgt l2-control command is supported only on the Cisco M3 Series module ports without Cisco TrustSec MACSec.
  • Page 621 ERROR: 'no propagate-sgt l2-control' is not allowed on any port of this line card type. Related Commands Command Description Enters Cisco TrustSec 802.1X configuration mode cts dot1x for an interface. feature cts Enables the Cisco TrustSec feature. show cts interface Displays the Cisco TrustSec configuration for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 622 P Commands propagate-sgt Cisco Nexus 7000 Series Security Command Reference...
  • Page 623: R Commands

    626 • role distribute, page 627 • role feature-group name, page 628 • role name, page 630 • router-preference maximum, page 632 • rsakeypair, page 634 • rule, page 636 Cisco Nexus 7000 Series Security Command Reference...
  • Page 624: Radius Abort

    R Commands radius abort radius abort To discard a RADIUS Cisco Fabric Services distribution session in progress, use the radius abort command. radius abort Syntax Description This command has no other arguments or keywords. Command Default None Command Modes Global configuration...
  • Page 625: Radius Commit

    CFS does not distribute the RADIUS server group configurations, periodic RADIUS server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
  • Page 626: Radius Distribute

    Usage Guidelines CFS does not distribute the RADIUS server group configurations, periodic RADIUS server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices. This command does not require a license.
  • Page 627: Radius-Server Deadtime

    R Commands radius-server deadtime radius-server deadtime To configure the dead-time interval for all RADIUS servers on a Cisco NX-OS device, use the radius-server deadtime command. To revert to the default, use the no form of this command. radius-server deadtime minutes...
  • Page 628 R Commands radius-server deadtime Related Commands Command Description show radius-server Displays RADIUS server information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 629: Radius-Server Directed-Request

    This example shows how to disallow users to send authentication requests to a specific RADIUS server when logging in: switch# configure terminal switch(config)# no radius-server directed-request Related Commands Command Description show radius-server directed-request Displays the directed request RADIUS server configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 630: Radius-Server Host

    63 characters. (Optional) Enables the generation of Protected Access Credentials (PAC) on the RADIUS Cisco Access Control Server (ACS) for use with Cisco TrustSec. accounting (Optional) Configures accounting. acct-port port-number (Optional) Configures the RADIUS server port for accounting.
  • Page 631 Command Default Accounting port: 1813 Authentication port: 1812 Accounting: enabled Authentication: enabled Retransmission count: 1 Idle-time: none Server monitoring: disabled Timeout: 5 seconds Test username: test Test password: test Command Modes Global configuration Cisco Nexus 7000 Series Security Command Reference...
  • Page 632 7 1234 switch(config)# radius-server host 10.10.2.3 test idle-time 10 switch(config)# radius-server host 10.10.2.3 test username tester switch(config)# radius-server host 10.10.2.3 test password 2B9ka5 Related Commands Command Description show radius-server Displays RADIUS server information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 633: Radius-Server Key

    You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by using the key keyword in the radius-server host command. Cisco Nexus 7000 Series Security Command Reference...
  • Page 634 This example shows how to provide various scenarios to configure RADIUS authentication: switch# configure terminal switch(config)# radius-server key AnyWord switch(config)# radius-server key 0 AnyWord switch(config)# radius-server key 7 public pac Related Commands Command Description show radius-server Displays RADIUS server information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 635: Radius-Server Retransmit

    This example shows how to revert to the default number of retransmissions to RADIUS servers: switch# configure terminal switch(config)# no radius-server retransmit 3 Related Commands Command Description Displays RADIUS server information. show radius-server Cisco Nexus 7000 Series Security Command Reference...
  • Page 636: Radius-Server Test

    To use this command, you must enable RADIUS authentication. Any servers for which test parameters are not configured are monitored using the global level parameters. Test parameters that are configured for individual servers take precedence over global test parameters. Cisco Nexus 7000 Series Security Command Reference...
  • Page 637 This example shows how to configure the parameters for global RADIUS server monitoring: switch# configure terminal switch(config)# radius-server test username user1 password Ur2Gd2BH idle-time 3 Related Commands Command Description show radius-server Displays RADIUS server information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 638: Radius-Server Timeout

    30 This example shows how to revert to the default interval: switch# configure terminal switch(config)# no radius-server timeout 30 Related Commands Command Description show radius-server Displays RADIUS server information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 639: Range

    This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 137 through port 139: switch# configure terminal switch(config)# object-group ip port port-group-05 switch(config-port-ogroup)# range 137 139 Cisco Nexus 7000 Series Security Command Reference...
  • Page 640 Specifies a less-than group member in an IP port object group. Specifies a not-equal-to group member in an IP port object group. object-group ip port Configures an IP port object group. show object-group Displays object groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 641: Rate-Limit Cpu Direction

    If the rate of incoming or outgoing packets exceeds the configured rate limit, the device logs a system message but does not drop any packets. F1 Series modules support up to five rate limiters shared among all control traffic sent to the Supervisor module. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 642 10000 action log switch(config)# Related Commands Command Description show system internal pktmgr internal control Displays the inband and outband global rate limit sw-rate-limit configuration for packets that reach the supervisor module. Cisco Nexus 7000 Series Security Command Reference...
  • Page 643: Remark

    No ACL contains a remark by default. Command Modes IP access-list configuration IPv6 access-list configuration MAC access-list configuration Command History Release Modification 4.1(2) Support for the IPv6 access-list configuration mode was added. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 644 Configures an IPv4 ACL. ipv6 access-list Configures an IPv6 ACL mac access-list Configures a MAC ACL. show access-list Displays all ACLs or one ACL. Enables collection of statistics for each entry in an statistics per-entry ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 645: Replay-Protection

    R Commands replay-protection replay-protection To enable the data-path replay protection feature for Cisco TrustSec authentication on an interface, use the replay-protection command. To disable the data-path replay protection feature, use the no form of this command. replay-protection no replay-protection Syntax Description This command has no arguments or keywords.
  • Page 646 Related Commands Command Description cts dot1x Enters Cisco TrustSec 802.1X configuration mode for an interface. feature cts Enables the Cisco TrustSec feature. show cts interface Displays the Cisco TrustSec configuration for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 647: Resequence

    Number that the device adds to each subsequent sequence number. Command Default None Command Modes Global configuration Command History Release Modification 4.1(2) Support for IPv6 ACLs was added. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 648 Configures an ARP ACL. ip access-list Configures an IPv4 ACL. ipv6 access-list Configures an IPv6 ACL. mac access-list Configures a MAC ACL. Displays all ACLs or a specific ACL. show access-lists Cisco Nexus 7000 Series Security Command Reference...
  • Page 649: Revocation-Check

    This example shows how to do no checking for revoked certificates: switch(config-trustpoint)# revocation-check none Related Commands Command Description Configures a CRL or overwrites the existing one for crypto ca crl-request the trustpoint CA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 650 R Commands revocation-check Command Description show crypto ca crl Displays configured CRLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 651: Role Abort

    R Commands role abort role abort To discard a user role Cisco Fabric Services distribution session in progress, use the role abort command. role abort Syntax Description This command has no other arguments or keywords. Command Default None Command Modes...
  • Page 652: Role Commit

    R Commands role commit role commit To apply the pending configuration pertaining to the user role Cisco Fabric Services distribution session in progress in the fabric, use the role commit command. role commit Syntax Description This command has no other arguments or keywords.
  • Page 653: Role Distribute

    R Commands role distribute role distribute To enable Cisco Fabric Services distribution for user roles, use the role distribute command. To disable this feature, use the no form of the command. role distribute no role distribute Syntax Description This command has no other arguments or keywords.
  • Page 654: Role Feature-Group Name

    This command was introduced. Usage Guidelines The Cisco NX-OS software provides the default user role feature group L3 for Layer 3 features. You cannot modify or delete the L3 user role feature group. This command does not require a license.
  • Page 655 R Commands role feature-group name Command Description show role feature-group Displays the user role feature groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 656: Role Name

    The Cisco NX-OS software provides four default user roles: • network-admin—Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC) • network-operator—Complete read access to the entire Cisco NX-OS device (only available in the default VDC) • vdc-admin—Read-and-write access limited to a VDC •...
  • Page 657 This example shows how to enable privilege level 5 for users: switch# configure terminal switch(config)# role name priv-5 switch(config-role)# Related Commands Command Description rule Configure rules for a user role or for users of privilege roles. show role Displays the user roles. Cisco Nexus 7000 Series Security Command Reference...
  • Page 658: Router-Preference Maximum

    The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and configures router-preference maximum verification to be high: switch(config)# ipv6 nd raguard policy raguard1 switch(config-ra-guard)# router-preference maximum high Cisco Nexus 7000 Series Security Command Reference...
  • Page 659 R Commands router-preference maximum Related Commands Command Description ipv6 nd raguard policy Defines the RA guard policy name and enters RA guard policy configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 660: Rsakeypair

    CA to ensure that the association between the identity certificate and the key pair for a trustpoint is consistent. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 661 Requests certificates for the switch’s RSA key pair created for the trustpoint CA. crypto key generate rsa Configures RSA key pair information. show crypto key mypubkey rsa Displays information about configured RSA key pairs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 662: Rule

    Syntax Description number Sequence number for the rule. The Cisco NX-OS software applies the rule with the highest value first and then the rest in descending order. The range is 1 to 256. deny Denies access to commands or features.
  • Page 663 MyRole switch(config-role)# no rule 10 Related Commands Command Description Creates or specifies a user role name and enters user role name role configuration mode. show role Displays the user roles. Cisco Nexus 7000 Series Security Command Reference...
  • Page 664 R Commands rule Cisco Nexus 7000 Series Security Command Reference...
  • Page 665: S Commands

    675 • switchport port-security aging type, page 677 • switchport port-security mac-address, page 679 • switchport port-security mac-address sticky, page 681 • switchport port-security maximum, page 683 • switchport port-security violation, page 685 Cisco Nexus 7000 Series Security Command Reference...
  • Page 666: Sak-Expiry-Time

    Configures the cipher suite for encrypting traffic with MACsec. conf-offset Configures the confidentiality offset for MKA encryption. Enables the MKA feature. feature mka Creates a key or enters the configuration mode of an existing key. Cisco Nexus 7000 Series Security Command Reference...
  • Page 667 Displays the configuration of the specified keychain. show macsec mka Displays the details of MKA. Displays all the MACsec policies in the system. show macsec policy show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 668: Sap Modelist

    This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
  • Page 669 S Commands sap modelist This example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface: switch# configure terminal switch(config)# interface ethernet 2/3 switch(config-if)# cts dot1x switch(config-if-cts-dot1x)# no sap modelist gmac switch(config-if-cts-dot1x)# exit switch(config-if)# shutdown...
  • Page 670: Sap Pmk

    To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap pmk command. To remove the SAP configuration, use the no form of this command. sap pmk [key| [left-zero-padded] [display encrypt]| encrypted {encrypted_pmk| use-dot1x} [modelist...
  • Page 671 This command is not supported for F1 Series modules and F2 Series modules. To use this command, you must enable the Cisco TrustSec feature using the feature cts command. After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
  • Page 672: Send-Lifetime

    By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid. The start-time and end-time arguments both require time and date components, in the following format: Cisco Nexus 7000 Series Security Command Reference...
  • Page 673 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008 switch(config-keychain-key)# Related Commands Command Description accept-lifetime Configures an accept lifetime for a key. Configures a key. Configures a keychain. key chain key-string Configures a key string. show key chain Displays keychain configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 674: Server

    Note You must use the feature tacacs+ command before you configure TACACS+ and the feature ldap command before you configure LDAP. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 675 Displays RADIUS server group information. show tacacs-server groups Displays TACACS+ server group information. feature tacacs+ Enables TACACS+. tacacs-server host Configures a TACACS+ server. Enables LDAP. feature ldap ldap-server host Configures an LDAP server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 676: Service Dhcp

    Enables the insertion and removal of option-82 information from DHCP packets. ip dhcp snooping Globally enables DHCP snooping on the device. show ip dhcp snooping Displays general information about DHCP snooping. Cisco Nexus 7000 Series Security Command Reference...
  • Page 677 S Commands service dhcp Command Description show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 678: Service-Policy Input

    This example shows how to remove a control plane policy map from the control plane: switch# configure terminal switch(config)# control-plane switch(config-cp)# no service-policy input PolicyMapA Related Commands Command Description Specifies a control plane policy map and enters policy policy-map type control-plane map configuration mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 679 S Commands service-policy input Command Description show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 680: Set Cos

    This example shows how to revert to the default CoS value for a control plane policy map: switch# configure terminal switch(config)# policy-map type control-plane PolicyMapA switch(config-pmap)# class ClassMapA switch(config-pmap-c)# no set cos 4 Cisco Nexus 7000 Series Security Command Reference...
  • Page 681 Specifies a control plane policy map and enters policy map configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 682: Set Dscp (Policy Map Class)

    Specifies assured forwarding 42 DSCP (100100). af42 af43 Specifies assured forwarding 43 DSCP (100110). Specifies class selector 1 (precedence 1) DSCP (001000). Specifies class selector 2 (precedence 2) DSCP (010000). Specifies class selector 3 (precedence 3) DSCP (011000). Cisco Nexus 7000 Series Security Command Reference...
  • Page 683 This example shows how to revert to the default DSCP value for a control plane policy map: switch# configure terminal switch(config)# policy-map type control-plane PolicyMapA switch(config-pmap)# class ClassMapA switch(config-pmap-c)# no set dscp 4 Cisco Nexus 7000 Series Security Command Reference...
  • Page 684 Specifies a control plane policy map and enters policy map configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 685: Set Precedence (Policy Map Class)

    Specifies network precedence equal to precedence value 7. priority Specifies priority precedence equal to precedence value 1. routine Specifies routine precedence equal to precedence value 0. Command Default 0 or routine Command Modes Policy map class configuration Cisco Nexus 7000 Series Security Command Reference...
  • Page 686 Specifies a control plane policy map and enters policy map configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 687: Source-Interface

    0 switch(config-radius)# source-interface ethernet 2/1 Related Commands Command Description feature tacacs+ Enables the TACACS+ feature. Configures the global source interface for the ip radius source-interface RADIUS groups configured on the Cisco NX-OS device. Cisco Nexus 7000 Series Security Command Reference...
  • Page 688 Configures the global source interface for the TACACS+ groups configured on the Cisco NX-OS device. show radius-server groups Displays the RADIUS server group configuration. show tacacs-server groups Displays the TACACS+ server group configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 689: Ssh

    The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions. If you are planning to create an SSH session to a remote device from the boot mode of a Cisco NX-OS device, you must obtain the hostname for the remote device, enable the SSH server on the remote device, and ensure that the Cisco NX-OS device is loaded with only the kickstart image.
  • Page 690 Warning: Permanently added '10.10.1.1' (RSA) to the list of known hosts. User Access Verification Password: This example shows how to create an SSH session to a remote device from the boot mode of the Cisco NX-OS device: switch(boot)# ssh user1@10.10.1.1...
  • Page 691: Ssh Key

    4.0(1) This command was introduced. Usage Guidelines The Cisco NX-OS software supports SSH version 2. If you want to remove or replace an SSH server key, you must first disable the SSH server using the no feature ssh command. This command does not require a license.
  • Page 692 XML interface to system may become unavailable since ssh is disabled switch(config)# no ssh key switch(config)# feature ssh Related Commands Command Description show ssh key Displays the SSH server key information. Enables the SSH server. feature ssh Cisco Nexus 7000 Series Security Command Reference...
  • Page 693: Ssh Login-Attempts

    This example shows how to disable the SSH login attempt configuration: switch# configure terminal switch(config)# no ssh login-attempts Related Commands Command Description Displays the configured maximum number of SSH show running-config security all login attempts. Cisco Nexus 7000 Series Security Command Reference...
  • Page 694: Ssh Server Enable

    This command was deprecated and replaced with the feature ssh command. 4.0(1) This command was introduced. Usage Guidelines The Cisco NX-OS software supports SSH version 2. This command does not require a license. Examples This example shows how to enable the SSH server: switch# configure terminal...
  • Page 695: Ssh6

    S Commands ssh6 ssh6 To create a Secure Shell (SSH) session using IPv6 on the Cisco NX-OS device, use the ssh6 command. ssh6 [username @] {ipv6-address| hostname} [vrf vrf-name] Syntax Description username (Optional) Username for the SSH session. The username is not case sensitive.
  • Page 696 S Commands ssh6 Command Description Starts an SSH session using IPv4 addressing. feature ssh Enables the SSH server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 697: Statistics Per-Entry

    For more information about implicit rules, see the following commands: • ip access-list • ipv6 access-list • mac access-list To view per-entry statistics, use the show access-lists command or the applicable following command: Cisco Nexus 7000 Series Security Command Reference...
  • Page 698 Command Description Displays all IPv4, IPv6, and MAC ACLs, or a specific show access-lists ACL. clear access-list counters Clears per-entry statistics for all IPv4, IPv6, and MAC ACLs, or for a specific ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 699: Storm-Control Level

    A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port. Use the show interfaces counters broadcast command to display the discard count. Cisco Nexus 7000 Series Security Command Reference...
  • Page 700 1/1 switch(config-if)# no storm-control multicast level Related Commands Command Description show interface Displays the storm-control suppression counters for an interface. Displays the configuration of the interface. show running-config Cisco Nexus 7000 Series Security Command Reference...
  • Page 701: Switchport Port-Security

    This command does not require a license. Examples This example shows how to enable port security on the Ethernet 2/1 interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# switchport port-security switch(config-if)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 702 Enables the sticky method for learning secure MAC addresses. Configures an interface or a VLAN maximum for switchport port-security maximum secured MAC addresses on an interface. switchport port-security violation Configures the security violation action for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 703: Switchport Port-Security Aging Type

    Layer 2 interface. This command does not require a license. Examples This example shows how to configure the aging type to be “inactivity” on the Ethernet 2/1 interface: switch# configure terminal switch(config)# interface ethernet 2/1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 704 Configures an interface or a VLAN maximum for secured MAC addresses on an interface. switchport port-security violation Configures the security violation action for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 705: Switchport Port-Security Mac-Address

    This command does not require a license. Examples This example shows how to configure 0019.D2D0.00AE as a static, secure MAC address on the Ethernet 2/1 interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE switch(config-if)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 706 Enables the sticky method for learning secure MAC addresses. Configures an interface or a VLAN maximum for switchport port-security maximum secured MAC addresses on an interface. switchport port-security violation Configures the security violation action for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 707: Switchport Port-Security Mac-Address Sticky

    This example shows how to enable the sticky method of learning secure MAC addresses on the Ethernet 2/1 interface: switch# configure terminal switch(config)# interface ethernet 2/1 switch(config-if)# switchport port-security mac-address sticky switch(config-if)# Related Commands Command Description feature port-security Enables port security globally. show port-security Shows information about port security. Cisco Nexus 7000 Series Security Command Reference...
  • Page 708 Configures a static MAC address. switchport port-security maximum Configures an interface or a VLAN maximum for secured MAC addresses on an interface. switchport port-security violation Configures the security violation action for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 709: Switchport Port-Security Maximum

    Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface. There is no default VLAN maximum. There is a system-wide, nonconfigurable maximum of 4096 secure MAC addresses. Cisco Nexus 7000 Series Security Command Reference...
  • Page 710 MAC addresses. switchport port-security mac-address Configures a static MAC address. switchport port-security mac-address sticky Enables the sticky method for learning secure MAC addresses. switchport port-security violation Configures the security violation action for an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 711: Switchport Port-Security Violation

    MAC addresses. Command Default None Command Modes Interface configuration Command History Release Modification 4.2(1) Support for Layer 2 port-channel interfaces was added. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 712 • Restrict—Drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped. Cisco Nexus 7000 Series Security Command Reference...
  • Page 713 Configures a static MAC address. switchport port-security mac-address sticky Enables the sticky method for learning secure MAC addresses. switchport port-security maximum Configures an interface or a VLAN maximum for secured MAC addresses on an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 714 S Commands switchport port-security violation Cisco Nexus 7000 Series Security Command Reference...
  • Page 715: Chapter 1 7 Show Commands

    725 • show crypto ca remote-certstore, page 727 • show crypto ca trustpoints, page 728 • show crypto certificatemap, page 729 • show crypto key mypubkey rsa, page 730 Cisco Nexus 7000 Series Security Command Reference...
  • Page 716 769 • show hardware rate-limiter, page 772 • show identity policy, page 776 • show identity profile, page 777 • show ip access-lists, page 778 • show ip access-lists capture session, page 781 Cisco Nexus 7000 Series Security Command Reference...
  • Page 717 832 • show ldap-server groups, page 833 • show ldap-server statistics, page 834 • show mac access-lists, page 836 • show macsec mka, page 838 • show macsec policy, page 842 Cisco Nexus 7000 Series Security Command Reference...
  • Page 718 889 • show running-config security, page 890 • show running-config tacacs+, page 891 • show security system state, page 892 • show software integrity, page 893 • show ssh key, page 894 Cisco Nexus 7000 Series Security Command Reference...
  • Page 719 • show user-account, page 927 • show username, page 928 • show users, page 930 • show vlan access-list, page 931 • show vlan access-map, page 933 • show vlan filter, page 935 Cisco Nexus 7000 Series Security Command Reference...
  • Page 720: Show

    If no I/O modules are configured with the command, the show command has no output. Examples This example shows how to display the I/O modules that are configured with the command: switch# show Module 1 enabled Module 3 enabled switch# Cisco Nexus 7000 Series Security Command Reference...
  • Page 721: Show Aaa Accounting

    4.0(1) This command was introduced. Usage Guidelines This command does not require a license. Examples This example shows how to display the configuration of the accounting log: switch# show aaa accounting default: local Cisco Nexus 7000 Series Security Command Reference...
  • Page 722: Show Aaa Authentication

    Command History Release Modification 5.0(2) Added the chap keyword 4.2(1) Added the mschapv2 keyword. 4.1(2) Added the ascii-authentication keyword. 4.0(1) This command was introduced. Usage Guidelines This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 723 Enables CHAP authentication. aaa authentication login error-enable Configures the AAA authentication failure message to display on the console. aaa authentication login mschap enable Enables MSCHAP authentication. aaa authentication login mschapv2 enable Enables MSCHAP V2 authentication. Cisco Nexus 7000 Series Security Command Reference...
  • Page 724: Show Aaa Authorization

    AAA command authorization: default authorization for config-commands: none default authorization for commands: local cts: group radius Related Commands Command Description aaa authorization Configures the default AAA authorization method. feature cts Enables the Cisco TrustSec feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 725 Show Commands show aaa authorization Command Description feature ldap Enables the LDAP feature. feature tacacs+ Enables the TACACS+ feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 726: Show Aaa Groups

    Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines This command does not require a license. Examples This example shows how to display AAA group information: switch# show aaa groups radius TacServer Cisco Nexus 7000 Series Security Command Reference...
  • Page 727: Show Aaa Local User Blocked

    Local-user State testuser Watched (till 11:34:42 IST Feb 5 2015) Related Commands Command Description Configures the login block per user. aaa authentication rejected clear aaa local user blocked Clears the blocked users. Cisco Nexus 7000 Series Security Command Reference...
  • Page 728: Show Aaa User Default-Role

    This command does not require a license. Examples This example shows how to display the AAA user default role configuration: switch# show aaa user default-role enabled Related Commands Command Description aaa user default-role Enables the AAA user default role. Cisco Nexus 7000 Series Security Command Reference...
  • Page 729: Show Access-List Status Module

    5 Non-Atomic ACL updates Disabled. TCAM Default Result is Deny. Resource-pooling: Disabled switch(config)# Related Commands Command Description Enables access control list (ACL) capture on all access-list capture virtual device contexts (VDCs). Cisco Nexus 7000 Series Security Command Reference...
  • Page 730: Show Access-Lists

    The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following: • Whether per-entry statistics are configured for the ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 731 IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on: switch# show access-lists ipv4-RandD-outbound-web summary IPV4 ACL ipv4-RandD-outbound-web Statistics enabled Total ACEs Configured: 4 Cisco Nexus 7000 Series Security Command Reference...
  • Page 732 Displays all IPv4 ACLs or a specific IPv4 ACL. show ipv6 access-lists Displays all IPv6 ACLs or a specific IPv6 ACL. Displays all MAC ACLs or a specific MAC ACL. show mac access-lists Cisco Nexus 7000 Series Security Command Reference...
  • Page 733: Show Accounting Log

    When you make a change to the configuration, the results are shown in the output for show accounting log. There three results for the configuration change: • Success: indicates the configuration change was successful. • Failure: indicates the configuration change was unsuccessful. Cisco Nexus 7000 Series Security Command Reference...
  • Page 734 Fri Mar 15 10:19:58 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 (SUCCESS) Fri Mar 15 10:19:59 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (REDIRECT) Fri Mar 15 10:19:59 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; shutdown (SUCCESS) Cisco Nexus 7000 Series Security Command Reference...
  • Page 735 Fri Mar 15 10:20:03 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; no shutdown (REDIRECT) Fri Mar 15 10:20:03 2013:type=update:id=console0:user=Ciscoadmin:cmd=configure terminal ; interface Ethernet1/1 ; no shutdown (SUCCESS) Related Commands Command Description clear accounting log Clears the accounting log. Cisco Nexus 7000 Series Security Command Reference...
  • Page 736: Show Arp Access-Lists

    ARP access list arp-permit-all 10 permit ip any mac any Related Commands Command Description Configures an ARP ACL. arp access-list ip arp inspection filter Applies an ARP ACL to a VLAN. Cisco Nexus 7000 Series Security Command Reference...
  • Page 737 Show Commands show arp access-lists Cisco Nexus 7000 Series Security Command Reference...
  • Page 738: Show Class-Map Type Control-Plane

    Cisco Nexus 7000 Series Security Command Reference...
  • Page 739: Show Cli Syntax Roles Network-Admin

    | instances | all } } (23) show system internal copp [ event-history ] errors (24) show system internal copp [ event-history ] logs (25) show system internal copp [ event-history ] msgs Cisco Nexus 7000 Series Security Command Reference...
  • Page 740 (58) show tech-support forwarding l3 unicast vdc-all [ module <module> ] --More-- Related Commands Command Description Displays the syntax of the commands that the show cli syntax roles network-operator network-operator role can use but the vdc-operator role cannot. Cisco Nexus 7000 Series Security Command Reference...
  • Page 741: Show Cli Syntax Roles Network-Operator

    (19) show system internal access-list status [ ] (20) show system internal copp ppf-database { policy { subscriptions | sessions | instances | all } } (21) show system internal copp [ event-history ] errors --More-- Cisco Nexus 7000 Series Security Command Reference...
  • Page 742 Show Commands show cli syntax roles network-operator Related Commands Command Description show cli syntax roles network-admin Displays the syntax of the commands that the network-admin role can use but the vdc-admin role cannot. Cisco Nexus 7000 Series Security Command Reference...
  • Page 743: Show Copp Diff Profile

    Examples This example shows how to display the difference between the currently applied default CoPP best practice policy and the latest CoPP best practice policy: switch# show copp diff profile moderate applied latest Cisco Nexus 7000 Series Security Command Reference...
  • Page 744 Show Commands show copp diff profile Related Commands Command Description show copp profile Displays the details of the CoPP best practice policy, along with the classes and policer values. Cisco Nexus 7000 Series Security Command Reference...
  • Page 745: Show Copp Profile

    Cisco Nexus 7000 Series Security Command Reference...
  • Page 746 CoPP best practice policy and the latest or previous CoPP best practice policy. Displays the CoPP status, including the last show copp status configuration operation and its status. show running-config copp Displays the CoPP configuration in the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 747: Show Copp Status

    This example shows how to display the CoPP configuration status information: switch# show copp status Last Config Operation: service-policy input copp-system-policy Last Config Operation Timestamp: 21:57:58 UTC Jun 4 2008 Last Config Operation Status: Success Policy-map attached to the control-plane: new-copp-policy Cisco Nexus 7000 Series Security Command Reference...
  • Page 748: Show Crypto Ca Certificates

    /C=US/O=cisco/CN=Aparna CA2 issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Maharashtra/L=Pune/O=cisco/OU=ne tstorage/CN=Aparna CA1 serial=14A3A877000000000005 notBefore=May 5 18:43:36 2005 GMT notAfter=May 3 23:10:36 2006 GMT MD5 Fingerprint=32:50:26:9B:16:B1:40:A5:D0:09:53:0A:98:6C:14:CC purposes: sslserver sslclient ike CA certificate 1: subject= /emailAddress=amandke@cisco.com/C=IN/ST=Maharashtra/L=Pune/O=cisco/OU=n etstorage/CN=Aparna CA1 issuer= /emailAddress=amandke@cisco.com/C=IN/ST=Karnataka/L=Bangalore/O=Cisco/OU =netstorage/CN=Aparna CA Cisco Nexus 7000 Series Security Command Reference...
  • Page 749 3 22:46:37 2005 GMT notAfter=May 3 22:55:17 2007 GMT MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12 purposes: sslserver sslclient ike Related Commands Command Description crypto ca authenticate Authenticates the certificate of the CA. show ca trustpoints Displays trustpoint configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 750: Show Crypto Ca Certstore

    Certstore lookup: REMOTE Related Commands Command Description crypto ca lookup Specifies the cert-store to be used for certificate authentication. show crypto ca remote-certstore Displays the remote cert-store configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 751: Show Crypto Ca Crl

    Revocation Date: Mar 15 09:12:45 2005 GMT Serial Number: 1E721E50000000000004 Revocation Date: Apr 5 11:04:20 2005 GMT Serial Number: 3D26E445000000000005 Revocation Date: Apr 5 11:04:16 2005 GMT Serial Number: 3D28F8DF000000000006 Revocation Date: Apr 5 11:04:12 2005 GMT Cisco Nexus 7000 Series Security Command Reference...
  • Page 752 X509v3 CRL Reason Code: Cessation Of Operation Signature Algorithm: sha1WithRSAEncryption 4e:3b:4e:7a:55:6b:f2:ec:72:29:70:16:2a:fd:d9:9a:9b:12: f9:cd:dd:20:cc:e0:89:30:3b:4f:00:4b:88:03:2d:80:4e:22: 9f:46:a5:41:25:f4:a5:26:b7:b6:db:27:a9:64:67:b9:c0:88: 30:37:cf:74:57:7a:45:5f:5e:d0 Related Commands Command Description crypto ca crl request Configures a CRL or overwrites the existing one for the trustpoint CA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 753: Show Crypto Ca Remote-Certstore

    This example shows how to display the remote cert-store configuration: switch# show crypto ca remote-certstore Remote Certstore: NONE Related Commands Command Description crypto ca lookup Specifies the cert-store to be used for certificate authentication. show crypto ca certstore Displays the configured cert-store. Cisco Nexus 7000 Series Security Command Reference...
  • Page 754: Show Crypto Ca Trustpoints

    Related Commands Command Description crypto ca authenticate Authenticates the certificate of the CA. crypto ca trustpoint Declares the trustpoint certificate authority that the device should trust. show crypto ca certificates Displays configured trustpoint certificates. Cisco Nexus 7000 Series Security Command Reference...
  • Page 755: Show Crypto Certificatemap

    This example shows how to display the certificate mapping filters: switch# show crypto certificatemap Related Commands Command Description Creates a filter map. crypto certificatemap mapname filter Configures one or more certificate mapping filters within the filter map. Cisco Nexus 7000 Series Security Command Reference...
  • Page 756: Show Crypto Key Mypubkey Rsa

    Related Commands Command Description crypto ca enroll Requests certificates for the switch’s RSA key pair. Generate an RSA key pair. crypto key generate rsa rsakeypair Configure trustpoint RSA key pair details Cisco Nexus 7000 Series Security Command Reference...
  • Page 757: Show Crypto Ssh-Auth-Map

    Command Description crypto certificatemap mapname Creates a filter map. crypto cert ssh-authorize Configures a certificate mapping filter for the SSH protocol. filter Configures one or more certificate mapping filters within the filter map. Cisco Nexus 7000 Series Security Command Reference...
  • Page 758: Show Cts

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to display the Cisco TrustSec global configuration:...
  • Page 759: Show Cts Capability Interface

    Show Commands show cts capability interface show cts capability interface To display the Cisco TrustSec capability of all interfaces or a specific Ethernet interface, use the show cts capability interface command. show cts capability interface {all| ethernet} Syntax Description Displays the Cisco TrustSec capability of all interfaces.
  • Page 760 Eth8/5 Yes Yes cts dot1x and manual configs allowed Related Commands Command Description feature cts Enables the Cisco TrustSec feature. Displays the global Cisco TrustSec configuration. show cts Cisco Nexus 7000 Series Security Command Reference...
  • Page 761: Show Cts Credentials

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to display the Cisco TrustSec credentials configuration:...
  • Page 762: Show Cts Environment-Data

    This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. The Cisco NX-OS device downloads the Cisco TrustSec environment data from the ACS after you have configured the Cisco TrustSec credentials for the device and configured authentication, authorization, and accounting (AAA).
  • Page 763: Show Cts Interface

    Use the no propagate-sgt l2-control command to enable SGT tagging exemption for L2 control packets. This exemption ensures that the L2 control protocols are transmitted without any SGT tags from the Cisco TrustSec enabled-ports. The no propagate-sgt l2-control command is supported only on the Cisco M3 Series module ports without Cisco TrustSec MACSec.
  • Page 764 ERROR: 'no propagate-sgt l2-control' is not allowed on any port of this line card type. Related Commands Command Description Enters Cisco TrustSec 802.1X configuration mode cts dot1x for an interface. feature cts Enables the Cisco TrustSec feature. show cts interface Displays the Cisco TrustSec configuration for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 765: Show Cts L3 Interface

    Show Commands show cts l3 interface show cts l3 interface To display the Layer 3 Cisco TrustSec configuration on the interfaces, use the show cts l3 interface command. show cts l3 interface Syntax Description This command has no arguments or keywords.
  • Page 766: Show Cts L3 Mapping

    Show Commands show cts l3 mapping show cts l3 mapping To display the Layer 3 Cisco TrustSec mapping configuration for the device, use the show cts l3 mapping command. show cts l3 mapping Syntax Description This command has no arguments or keywords.
  • Page 767: Show Cts Pacs

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to display the Cisco TrustSec global configuration:...
  • Page 768: Show Cts Propagate-Status

    8.1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples The following example displays all interfaces configured with SGT tagging exemption for L2 control protocols.
  • Page 769 Show Commands show cts propagate-status Related Commands Command Description propagate-sgt Enable SGT propagation on Layer 2 Cisco TrustSec interfaces. feature cts Enables the Cisco TrustSec feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 770: Show Cts Role-Based Access-List

    Show Commands show cts role-based access-list show cts role-based access-list To display the global Cisco TrustSec security group access control list (SGACL) configuration, use the show cts role-based access-list command. show cts role-based access-list [ list-name ] Syntax Description list-name (Optional) SGACL name.
  • Page 771: Show Cts Role-Based Counters

    5.0(2) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to display the configuration status of RBACL statistics and the total number of...
  • Page 772 IP(monitored) permit ip [0] Related Commands Command Description clear cts role-based counters Clears the RBACL statistics so that all counters are reset to 0. Enables the RBACL statistics. cts role-based counters enable Cisco Nexus 7000 Series Security Command Reference...
  • Page 773: Show Cts Role-Based Disabled-Interface

    8.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to verify that SGACL policy enforcement is disabled on interfaces.
  • Page 774: Show Cts Role-Based Enable

    To display the Cisco TrustSec security group access control list (SGACL) enable status for VLANs and Virtual Routing and Forwarding instances (VRFs), use the show cts role-based enable command. show cts role-based enable Syntax Description This command has no arguments or keywords.
  • Page 775: Show Cts Role-Based Policy

    Show Commands show cts role-based policy show cts role-based policy To display the global Cisco TrustSec security group access control list (SGACL) policies, use the show cts role-based policy command. show cts role-based policy [sgt{sgt-value| any| unknown}| dgt{dgt-value| any| unknown}| configured|...
  • Page 776 Show Commands show cts role-based policy Examples This example shows how to display the Cisco TrustSec SGACL policies: switch# show cts role-based policy sgt:unknown dgt:unknown rbacl:deny_ip(Downloaded,Monitored) deny ip sgt:101(101) dgt:102(102) rbacl:rb2(Configured) deny eigrp sgt:101(101) dgt:102(102) rbacl:ise_rbacl_1_ace(Downloaded) deny gre Related Commands...
  • Page 777: Show Cts Role-Based Sgt Vlan

    To display the Cisco TrustSec Security Group Tag (SGT) mapping configuration for a specific VLAN, use the show cts role-based sgt vlan command. show cts role-based sgt vlan {all| vlan-id} Syntax Description Displays the configured SGT for all VLANs.
  • Page 778: Show Cts Role-Based Sgt-Map

    Show Commands show cts role-based sgt-map show cts role-based sgt-map To display the global Cisco TrustSec Security Group Tag (SGT) mapping configuration, use the show cts role-based sgt-map command. show cts role-based sgt-map [summary| sxp peer peer-ipv4-addr| vlan vlan-id| vrf vrf-name]...
  • Page 779 10.10.10.20 vrf:3 CLI Configured 10.10.10.30 vrf:3 CLI Configured Related Commands Command Description feature cts Enables the Cisco TrustSec feature. cts role-based sgt-map Manually configures the Cisco TrustSec SGT mapping to IP addresses. Cisco Nexus 7000 Series Security Command Reference...
  • Page 780: Show Cts Sap Pmk

    6.2(2) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command does not require a license. Examples This example shows how to display the Cisco TrustSec SAP PMK configuration:...
  • Page 781: Show Cts Sxp

    To display Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (CTS-SXP) connection or source IP-to-SGT mapping information, use the show cts sxp command in user EXEC or privileged EXEC mode. show cts sxp {connections | sgt-map} [detail | vrf instance-name]...
  • Page 782 : -1 TCP conn password: not set (using default SXP password) Delete hold down timer is running Duration since last state change: 0:00:00:16 (dd:hr:mm:sec) ---------------------------------------------- Peer IP : 10.10.2.1 Source IP : 10.10.2.2 Cisco Nexus 7000 Series Security Command Reference...
  • Page 783 Related Commands Command Description cts sxp connection peer Enters the Cisco TrustSec SXP peer IP address and specifies if a password is used for the peer connection cts sxp default password Configures the Cisco TrustSec SXP default password. cts sxp default source-ip Configures the Cisco TrustSec SXP source IPv4 address.
  • Page 784: Show Cts Sxp Connection

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to display the Cisco TrustSec Security Group Tag (SGT) Exchange Protocol (SXP)
  • Page 785: Show Data-Corruption

    20 times since Mon Feb 15 09:05:20 2016 DATACORRUPTION-DATAINCONSISTENCY: -Traceback= hmm +0x40faf +0xbf870 +0xc0b4c +0x40292 +0xa37fa +0xa9f29 +0xc05aa +0xc060e +0xc0765 +0x42c35 +0x2c339 librsw.so+0xacc33 libpthread.so.0+0x6b75 libc.so.6+0xee02e happened 1 time since Fri Feb 12 00:01:16 2016 Cisco Nexus 7000 Series Security Command Reference...
  • Page 786: Show Dot1X

    This command does not require a license. Examples This example shows how to display the 802.1X feature status: switch# show dot1x Sysauthcontrol Enabled Dot1x Protocol Version 2 Related Commands Command Description Enables the 802.1X feature. feature dot1x Cisco Nexus 7000 Series Security Command Reference...
  • Page 787: Show Dot1X All

    HostMode = SINGLE HOST ReAuthentication = Disabled QuietPeriod = 60 ServerTimeout = 30 SuppTimeout = 30 ReAuthPeriod = 3600 (Locally configured) ReAuthMax = 2 MaxReq = 2 TxPeriod = 30 RateLimitPeriod = 0 Cisco Nexus 7000 Series Security Command Reference...
  • Page 788 Show Commands show dot1x all Related Commands Command Description feature dot1x Enables the 802.1X feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 789: Show Dot1X Interface Ethernet

    Dot1x Info for Ethernet2/1 ----------------------------------- PAE = AUTHENTICATOR PortControl = FORCE_AUTH HostMode = SINGLE HOST ReAuthentication = Disabled QuietPeriod = 60 ServerTimeout = 30 SuppTimeout = 30 ReAuthPeriod = 3600 (Locally configured) ReAuthMax = 2 Cisco Nexus 7000 Series Security Command Reference...
  • Page 790 Show Commands show dot1x interface ethernet MaxReq = 2 TxPeriod = 30 RateLimitPeriod = 0 Related Commands Command Description Enables the 802.1X feature. feature dot1x Cisco Nexus 7000 Series Security Command Reference...
  • Page 791: Show Encryption Service Stat

    Encryption service is enabled Master Encryption Key is configured. Type-6 encryption is being used switch# Related Commands Command Description show key chain Displays the configuration for a specific keychain. Cisco Nexus 7000 Series Security Command Reference...
  • Page 792: Show Eou

    (Optional) Displays the EAPoUDP sessions for posture tokens. name (Optional) Token name. Command Default Displays the global EAPoUDP configuration Command Modes Any command mode Command History Release Modification 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 793 This example shows how to display 802.1X information for a MAC address: switch# show eou mac-address 0019.076c.dac4 This example shows how to display 802.1X information for a MAC address: switch# show eou posturetoken healthy Related Commands Command Description Enables the 802.1X feature. feature eou Cisco Nexus 7000 Series Security Command Reference...
  • Page 794: Show Fips Status

    This command does not require a license. Examples This example shows how to display the status of FIPS mode: switch# show fips status FIPS mode is disabled Related Commands Command Description Enables FIPS mode. fips mode enable Cisco Nexus 7000 Series Security Command Reference...
  • Page 795: Show Hardware Access-List Feature-Combo

    • bfd—Bidirectional Forwarding Detection • cbts—Class-Based Tunnel Selection • cts_impl_tunnel—CTS Implicit Tunnel • dhcp—Dynamic Host Configuration Protocol • erspan_dst—Encapsulated Remote Switched Port Analyzer (destination) • erspan_src—Encapsulated Remote Switched Port Analyzer (source) • lisp—Locator/ID Separation Protocol Cisco Nexus 7000 Series Security Command Reference...
  • Page 796 ______________________________________________________________________________ Feature Rslt Type T0B0 T0B1 T1B0 T1B1 ______________________________________________________________________________ RACL DHCP SPM WCCP VACL Stats Cisco Nexus 7000 Series Security Command Reference...
  • Page 797 ______________________________________________________________________________ Feature Rslt Type T0B0 T0B1 T1B0 T1B1 ______________________________________________________________________________ PACL Related Commands Command Description Configures the device to allow ACL TCAM bank hardware access-list resource feature bank-mapping mappings. Cisco Nexus 7000 Series Security Command Reference...
  • Page 798: Show Hardware Rate-Limiter

    Specifies rate-limit statistics for Layer 2 Tunnel l2pt Protocol (L2TP) packets. mcast-snooping Specifies rate-limit statistics for Layer 2 multicast-snooping packets. port-security Specifies rate-limit statistics for Layer 2 port-security packets. Specifies rate-limit statistics for Layer 2 storm-control storm-control packets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 799 Displays all rate-limit statistics. Command Modes Any command mode Command History Release Modification 6.2(2) Added the glean-fast keyword. 5.1(1) Added the f1, rl-1, rl-2, rl-3, rl-4, rl-5, and module keywords. 5.0(2) Added the l2pt keyword. Cisco Nexus 7000 Series Security Command Reference...
  • Page 800 Total copy Config : 30000 Allowed Dropped Total receive Config : 30000 Allowed Dropped Total layer-2 port-security Config : Disabled layer-2 mcast-snooping Config : 10000 Allowed Dropped Total layer-2 vpc-low Config : 4000 Cisco Nexus 7000 Series Security Command Reference...
  • Page 801 Allowed, Dropped & Total: aggregated since last clear counters Rate Limiter Class Parameters ------------------------------------------------------------ access-list-log Config : 100 Allowed Dropped Total Related Commands Command Description Clears rate-limit statistics. clear hardware rate-limiter hardware rate-limiter Configures rate limits. Cisco Nexus 7000 Series Security Command Reference...
  • Page 802: Show Identity Policy

    This example shows how to display information for all of the identity policies: switch# show identity policy This example shows how to display information for a specific identity policy: switch# show identity policy AdminPolicy Related Commands Command Description identity policy Configures identity policies. Cisco Nexus 7000 Series Security Command Reference...
  • Page 803: Show Identity Profile

    This example shows how to display the identity profiles: switch# show identity profile This example shows how to display the EAPoUDP identity profile configuration: switch# show identity profile eapoudp Related Commands Command Description identity profile eapoudp Configures EAPoUDP identity profiles. Cisco Nexus 7000 Series Security Command Reference...
  • Page 804: Show Ip Access-Lists

    For more information about object groups, see the object-group ip address and object-group ip port commands. The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following: Cisco Nexus 7000 Series Security Command Reference...
  • Page 805 This example shows how to use the show ip access-lists command with the summary keyword to display information about an IPv4 ACL named ipv4-RandD-outbound-web, such as which interfaces the ACL is applied to and active on: switch# show ip access-lists ipv4-RandD-outbound-web summary IPV4 ACL ipv4-RandD-outbound-web Statistics enabled Cisco Nexus 7000 Series Security Command Reference...
  • Page 806 Displays all IPv6 ACLs or a specific IPv6 ACL. show mac access-lists Displays all MAC ACLs or a specific MAC ACL. statistics per-entry Starts recording statistics for packets permitted or denied by each entry in an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 807: Show Ip Access-Lists Capture Session

    This example shows how to display the ACL capture session configuration: switch# show ip access-lists capture session 5 switch# Related Commands Command Description monitor session session type acl-capture Configures an ACL capture session. destination interface Configures a destination for ACL capture packets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 808: Show Ip Arp Inspection

    Related Commands Command Description ip arp inspection vlan Enables DAI for a specified list of VLANs. Displays the trust state and the ARP packet rate for show ip arp inspection interface a specified interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 809 Displays the DAI statistics. show ip arp inspection vlan Displays DAI status for a specified list of VLANs. Displays DHCP snooping configuration, including show running-config dhcp DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 810: Show Ip Arp Inspection Interface

    ---------- -------------- Ethernet2/46 Trusted switch# Related Commands Command Description ip arp inspection vlan Enables Dynamic ARP Inspection (DAI) for a specified list of VLANs. show ip arp inspection Displays the DAI configuration status. Cisco Nexus 7000 Series Security Command Reference...
  • Page 811 Displays the DAI statistics. show ip arp inspection vlan Displays DAI status for a specified list of VLANs. Displays DHCP snooping configuration, including show running-config dhcp DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 812: Show Ip Arp Inspection Log

    Displays the DAI configuration status. Displays the trust state and the ARP packet rate for show ip arp inspection interface a specified interface. show running-config dhcp Displays DHCP snooping configuration, including DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 813: Show Ip Arp Inspection Statistics

    ARP Req Forwarded ARP Res Forwarded ARP Req Dropped ARP Res Dropped DHCP Drops DHCP Permits SMAC Fails-ARP Req = 0 SMAC Fails-ARP Res = 0 DMAC Fails-ARP Res = 0 IP Fails-ARP Req Cisco Nexus 7000 Series Security Command Reference...
  • Page 814 Displays the trust state and the ARP packet rate for show ip arp inspection interface a specified interface. show ip arp inspection log Displays the DAI log configuration. Displays DHCP snooping configuration, including show running-config dhcp DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 815: Show Ip Arp Inspection Vlan

    Destination Mac Validation : Enabled IP Address Validation : Enabled Vlan : 1 ----------- Configuration : Enabled Operation State : Active Vlan : 13 ----------- Configuration : Enabled Operation State : Inactive switch# Cisco Nexus 7000 Series Security Command Reference...
  • Page 816 Displays the DAI configuration status. Displays the trust state and the ARP packet rate for show ip arp inspection interface a specified interface. show running-config dhcp Displays DHCP snooping configuration, including DAI configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 817: Show Ip Device Tracking

    This example shows how to display the IP device tracking information for an IP address: switch# show ip device tracking ip-address 10.10.1.1 This example shows how to display the IP device tracking information for a MAC address: switch# show ip device tracking mac-address 0018.bad8.3fbd Cisco Nexus 7000 Series Security Command Reference...
  • Page 818 Show Commands show ip device tracking Related Commands Command Description ip device tracking Configures IP device tracking. Cisco Nexus 7000 Series Security Command Reference...
  • Page 819: Show Ip Dhcp Relay

    Relay Trusted functionality is disabled Smart-relay is enabled on the following interfaces: ----------------------------------------------------- Subnet-broadcast is enabled on the following interfaces: ------------------------------------------------------ Helper addresses are configured on the following interfaces: Interface Relay Address VRF Name Cisco Nexus 7000 Series Security Command Reference...
  • Page 820 Command Description feature dhcp Enables the DHCP snooping feature on the device. ip dhcp relay Enables the DHCP relay agent. Shows DHCP server addresses configured on the show ip dhcp relay address device. Cisco Nexus 7000 Series Security Command Reference...
  • Page 821: Show Ip Dhcp Relay Address

    This command does not require a license. Examples This example shows how to display all the DHCP relay addresses configured on a device: switch# show ip dhcp relay address Interface Relay Address VRF Name ------------- ------------- -------- Ethernet1/2 10.1.1.1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 822 Enables the DHCP snooping feature on the device. feature dhcp ip dhcp relay Enables the DHCP relay agent. show ip dhcp relay Shows DHCP relay status and server addresses configured on the device. Cisco Nexus 7000 Series Security Command Reference...
  • Page 823: Show Ip Dhcp Relay Statistics

    14 -------------------------------------------------------- Message Type Drops ---------------------------------------------------------------------- Discover Offer Request(*) Release(*) Decline Inform(*) Nack ---------------------------------------------------------------------- Total ---------------------------------------------------------------------- DHCP server stats: ---------------------------------------------------------------------------- Server Request Response ---------------------------------------------------------------------------- 10.64.66.242 management ---------------------------------------------------------------------- Cisco Nexus 7000 Series Security Command Reference...
  • Page 824 Total Packets Forwarded Total Packets Dropped Non DHCP: Total Packets Received Total Packets Forwarded Related Commands Command Description ip dhcp relay Enables the DHCP relay agent. show ip dhcp relay Displays the DHCP configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 825: Show Ip Dhcp Snooping

    This example shows how to display general status information about DHCP snooping: switch# show ip dhcp snooping DHCP snooping service is enabled Switch DHCP snooping is enabled DHCP snooping is configured on the following VLANs: 1,13 DHCP snooping is operational on the following VLANs: Cisco Nexus 7000 Series Security Command Reference...
  • Page 826 Globally enables DHCP snooping on the device. show ip dhcp snooping binding Displays IP-MAC address bindings, including the static IP source entries. show ip dhcp snooping statistics Displays DHCP snooping statistics. show running-config dhcp Displays DHCP snooping configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 827: Show Ip Dhcp Snooping Binding

    (Optional) Limits the output to all static IP-MAC address bindings. Command Default None Command Modes Any command mode Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 828 Globally enables DHCP snooping on the device. show ip dhcp snooping Displays general information about DHCP snooping. Displays DHCP snooping statistics. show ip dhcp snooping statistics show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 829: Show Ip Dhcp Snooping Statistics

    This example shows how to display DHCP snooping statistics: switch# show ip dhcp snooping statistics Packets processed 0 Packets received through cfsoe 0 Packets forwarded 0 Packets forwarded on cfsoe 0 Total packets dropped 0 Packets dropped from untrusted ports 0 Cisco Nexus 7000 Series Security Command Reference...
  • Page 830 Displays general information about DHCP snooping. show ip dhcp snooping binding Displays IP-MAC address bindings, including the static IP source entries. show running-config dhcp Displays DHCP snooping configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 831: Show Ip Udp Relay

    NetBIOS Datagram Server (port 138) enabled UDP relay is enabled on the following non-default UDP ports: ----------------------------------------------------------------- Object-group and Subnet-broadcast configurations: Interface Subnet-broadcast Object-group ---------- ---------------- ------------ Vlan700 disabled iSmart Vlan800 enabled iHello Cisco Nexus 7000 Series Security Command Reference...
  • Page 832 Show Commands show ip udp relay Related Commands Command Description ip forward-protocol udp Enables the UDP relay feature. object-group udp relay ip address Configures the object group. Cisco Nexus 7000 Series Security Command Reference...
  • Page 833: Show Ip Verify Source

    Related Commands Command Description Creates a static IP source entry for the specified ip source binding Ethernet interface. ip verify source dhcp-snooping-vlan Enables IP Source Guard on an interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 834 Show Commands show ip verify source Command Description show running-config dhcp Displays DHCP snooping configuration, including IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 835: Show Ipv6 Access-Lists

    For more information about object groups, see the object-group ipv6 address and object-group ip port commands. The summary keyword allows you to display information about the ACL rather than the ACL configuration. The information displayed includes the following: Cisco Nexus 7000 Series Security Command Reference...
  • Page 836 This example shows how to use the show ipv6 access-lists command with the summary keyword to display information about an IPv6 ACL named ipv6-RandD-outbound-web, such as which interfaces the ACL is applied to and active on: switch# show ipv6 access-lists ipv6-RandD-outbound-web summary IPV6 ACL ipv6-RandD-outbound-web Statistics enabled Cisco Nexus 7000 Series Security Command Reference...
  • Page 837 Displays all IPv4 ACLs or a specific IPv4 ACL. show mac access-lists Displays all MAC ACLs or a specific MAC ACL. statistics per-entry Starts recording statistics for packets permitted or denied by each entry in an ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 838: Show Ipv6 Dhcp Relay

    DHCPv6 Relay is configured on the following interfaces: Interface Relay Address VRF Name ------------- ------------- -------- Ethernet1/4 Related Commands Command Description ipv6 dhcp relay Enables the DHCPv6 relay agent. Displays statistics relating to DHCPv6. show ipv6 dhcp relay statistics Cisco Nexus 7000 Series Security Command Reference...
  • Page 839: Show Ipv6 Dhcp Relay Statistics

    This example shows how to display the globally configured DHCPv6 relay statistics: switch# show ipv6 dhcp relay statistics Related Commands Command Description ipv6 dhcp relay Enables the DHCPv6 relay agent. show ipv6 dhcp relay Displays the DHCPv6 configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 840: Show Ipv6 Dhcp-Ldra

    SOLICIT REQUEST Messages Sent RELAY-FORWARD DHCPv6 LDRA server facing statistics. Messages received Messages sent Messages discarded Messages Received RELAY-REPLY Messages Sent ADVERTISE REPLY Related Commands Command Description ipv6 dhcp-ldra Enables the LDRA feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 841 Show Commands show ipv6 dhcp-ldra Cisco Nexus 7000 Series Security Command Reference...
  • Page 842: Show Ipv6 Dhcp Guard Policy

    The table below describes the significant fields shown in the display. Table 1: show ipv6 dhcp guard policy Field Description Device Role The role of the device. The role is either client, server or relay. Cisco Nexus 7000 Series Security Command Reference...
  • Page 843 Show Commands show ipv6 dhcp guard policy Field Description Target The name of the target. The target is either an interface or a VLAN. Cisco Nexus 7000 Series Security Command Reference...
  • Page 844: Show Ipv6 Nd Raguard Policy

    The role of the device attached to the port. This device configuration is that of host. Policy applied on the following interfaces: The specified interface on which the RA guard feature is configured. Cisco Nexus 7000 Series Security Command Reference...
  • Page 845: Show Ipv6 Neighbor Binding

    AABB.CC01.F500 Et0/0 0002 0 REACHABLE 8850 FE80::21D:71FF:FE99:4900 001D.7199.4900 Vl100 0080 7203 DOWN 2001:600::1 AABB.CC01.F500 Et0/0 0003 0 REACHABLE 3181 2001:300::1 AABB.CC01.F500 Et0/0 0007 0 REACHABLE 9559 2001:100::2 AABB.CC01.F600 Et1/0 0002 0 REACHABLE 9196 Cisco Nexus 7000 Series Security Command Reference...
  • Page 846 The table below describes the significant fields shown in the display. Table 3: show ipv6 neighbor binding Field Descriptions Field Description address DB has n entries Number of entries in the specified database. Cisco Nexus 7000 Series Security Command Reference...
  • Page 847: Show Ipv6 Snooping Capture-Policy

    Table 4: show ipv6 snooping capture-policy Field Descriptions Field Description Hardware policy registered on Fa4/11 A hardware policy contains a programmatic access list (ACL), with a list of access control entries (ACEs). Protocol The protocol whose packets are being inspected. Cisco Nexus 7000 Series Security Command Reference...
  • Page 848 Show Commands show ipv6 snooping capture-policy Field Description Message The type of message being inspected. Action Action to be taken on the packet. Feature The inspection feature for this information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 849: Show Ipv6 Snooping Counters

    Dropped messages on Fa4/12: Feature/Message RS REDIR RA guard Dropped reasons on Fa4/12: RA guard RA drop - reason:RA/REDIR received on un-authorized port The table below describes the significant fields shown in the display. Cisco Nexus 7000 Series Security Command Reference...
  • Page 850 Dropped messages on: The messages dropped on the interface. Feature/message The feature that caused the drop, and the type and number of messages dropped. RA drop - reason: The reason that these messages were dropped. Cisco Nexus 7000 Series Security Command Reference...
  • Page 851: Show Ipv6 Snooping Features

    Table 6: show ipv6 snooping features Field Descriptions Field Description Feature name The names of the IPv6 global policy features configured on the router. priority The priority of the specified feature. state The state of the specified feature. Cisco Nexus 7000 Series Security Command Reference...
  • Page 852: Show Ipv6 Snooping Policies

    --------- ---- trusted Et0/0 Et1/0 untrusted Et2/0 RA guard policies configured: Policy Interface Vlan ------ --------- ---- host Et0/0 Et1/0 router Et2/0 The table below describes the significant fields shown in the display. Cisco Nexus 7000 Series Security Command Reference...
  • Page 853 Table 7: show ipv6 snooping policies Field Descriptions Field Description NDP inspection policies configured: Description of the policies configured for a specific feature. Policy Whether the policy is trusted or untrusted. Interface The interface to which a policy is attached. Cisco Nexus 7000 Series Security Command Reference...
  • Page 854: Show Key Chain

    This example shows how to display the MACsec keychain configuration for the k1 MACsec keychain that contains the 01 MACsec key: switch# show key chain k1 Key-Chain k1 Macsec Key 01 -- text 7 "075f701e1d5d4c53404a520d052829272b63647040534355560e005952560c001b" Cisco Nexus 7000 Series Security Command Reference...
  • Page 855 Configures an accept lifetime for a key. Configures a key. Configures a keychain. key chain key-octet-string Configures the text for a MACsec key. key-string Configures a key string. send-lifetime Configures a send lifetime for a key. Cisco Nexus 7000 Series Security Command Reference...
  • Page 856: Show Ldap-Search-Map

    Configures the attribute name, search filter, and attribute-name base-DN for the user profile, trusted certificate, CRL, certificate DN match, public key match, or user-switchgroup lookup search operation. feature ldap Enables LDAP. ldap search-map Configures an LDAP search map. Cisco Nexus 7000 Series Security Command Reference...
  • Page 857 Show Commands show ldap-search-map Command Description ldap-server host Specifies the IPv4 or IPv6 address or hostname for an LDAP server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 858: Show Ldap-Server

    : 389 deadtime : 0 total number of servers : 0 Related Commands Command Description feature ldap Enables LDAP. ldap-server host Specifies the IPv4 or IPv6 address or hostname for an LDAP server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 859: Show Ldap-Server Groups

    Authentication Mech: Default(PLAIN) Search map: Related Commands Command Description Creates an LDAP server group and enters the LDAP aaa group server ldap server group configuration mode for that group. feature ldap Enables LDAP. Cisco Nexus 7000 Series Security Command Reference...
  • Page 860: Show Ldap-Server Statistics

    0 sucessfull transactions: 0 requests sent: 0 requests timed out: 0 responses with no matching requests: 0 responses not processed: 0 responses containing errors: 0 Related Commands Command Description Enables LDAP. feature ldap Cisco Nexus 7000 Series Security Command Reference...
  • Page 861 Show Commands show ldap-server statistics Command Description ldap-server host Specifies the IPv4 or IPv6 address or hostname for an LDAP server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 862: Show Mac Access-Lists

    ACL contains when the device applies it to an interface. If a rule in the ACL uses an object group, the number of entries in the ACL when it is applied may be much greater than the number of rules. Cisco Nexus 7000 Series Security Command Reference...
  • Page 863 Displays all ACLs or a specific ACL. show ip access-lists Displays all IPv4 ACLs or a specific IPv4 ACL. Displays all IPv6 ACLs or a specific IPv6 ACL. show ipv6 access-lists Cisco Nexus 7000 Series Security Command Reference...
  • Page 864: Show Macsec Mka

    (Optional) Shows MKA statistics. summary (Optional) Shows MKA summary information. Command Default None Command Modes Any command mode Command History Release Modification 8.2(1) This command was introduced. Usage Guidelines This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 865 : 20:42:51 UTC Thu May 04 2017 Number of Macsec Capable Live Peers: 2 Number of SA consumed in Hardware Number of Macsec Capable Live Peers Responded: 2 Live Peer List: SSCI Key-Server-Priority Tx/Rx Programmed ------------------------------------------------------------------------------- Cisco Nexus 7000 Series Security Command Reference...
  • Page 866 MKPDU Rx Drop SAKUSE, KS Rx/Tx Not Set... 16956 MKPDU Rx Drop Packet, Ethertype Mismatch. 0 SAK Failures SAK Generation....0 Hash Key Generation....0 SAK Encryption/Wrap....0 SAK Decryption/Unwrap.... 0 CA Failures ICK Derivation....0 Cisco Nexus 7000 Series Security Command Reference...
  • Page 867 Sets an expiry time for a force SAK rekey. show key chain Displays the configuration of the specified keychain. Displays all the MACsec policies in the system. show macsec policy show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 868: Show Macsec Policy

    MACsec Policy Cipher Window Offset Security Rekey time -------------------------------- ---------------- ---- -------- -------- ------------ -------------- GCM-AES-XPN-128 must-secure Related Commands Command Description cipher suite Configures the cipher suite for encrypting traffic with MACsec. Cisco Nexus 7000 Series Security Command Reference...
  • Page 869 Sets an expiry time for a force SAK rekey. show key chain Displays the configuration of the specified keychain. show macsec mka Displays the details of MKA. show run mka Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 870: Show Password Secure-Mode

    This command does not require a license. Examples This example shows how to display the secure mode for changing password: switch# show password secure-mode Password secure mode is enabled Related Commands Command Description password strength-check Enables password-strength checking. Cisco Nexus 7000 Series Security Command Reference...
  • Page 871: Show Password Strength-Check

    This example shows how to display password-strength checking status: switch# show password strength-check Password strength check enabled Related Commands Command Description password strength-check Enables password-strength checking. Displays security feature configuration in the running show running-config security configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 872: Show Policy-Map Interface Control-Plane

    CIR, BC, PIR, and BE values only. The actual applied value on a module is the scale factor multiplied by the configured value. This command does not require a license. Examples This example shows how to monitor CoPP: switch# show policy-map interface control-plane Control Plane service-policy input: copp-system-policy-default Cisco Nexus 7000 Series Security Command Reference...
  • Page 873 1: conformed 3210508 bytes, 5-min offered rate 7 bytes/sec peak rate 8 bytes/sec at Wed May 03 05:19:24 2017 inst 2: conformed 0 bytes, 5-min offered rate 0 bytes/sec peak rate 0 bytes/sec Cisco Nexus 7000 Series Security Command Reference...
  • Page 874 5-min offered rate 0 bytes/sec peak rate 0 bytes/sec inst 1: conformed 0 bytes, 5-min offered rate 0 bytes/sec peak rate 0 bytes/sec inst 2: conformed 0 bytes, 5-min offered rate 0 bytes/sec peak rate 0 bytes/sec Cisco Nexus 7000 Series Security Command Reference...
  • Page 875 Show Commands show policy-map interface control-plane Related Commands Command Description show copp status Displays the CoPP status, including the last configuration operation and its status. Cisco Nexus 7000 Series Security Command Reference...
  • Page 876: Show Policy-Map Type Control-Plane

    400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop class class-default police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop Cisco Nexus 7000 Series Security Command Reference...
  • Page 877: Show Port-Security

    Command Description Enables the port security feature. feature port-security show port-security address Shows MAC addresses secured by the port security feature. show port-security interface Shows the port security status for a specific interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 878 Show Commands show port-security Command Description switchport port-security Configures port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 879: Show Port-Security Address

    Max Addresses limit in System (excluding one mac per port) : 8192 ---------------------------------------------------------------------- Secure Mac Address Table ---------------------------------------------------------------------- Vlan Mac Address Type Ports Remaining Age (mins) ---- ----------- ------ ----- ------------- 0054.AAB3.770F STATIC port-channel1 00EE.378A.ABCE STATIC Ethernet1/4 ====================================================================== switch# Cisco Nexus 7000 Series Security Command Reference...
  • Page 880 Enables the port security feature. show port-security Shows the status of the port security feature. show port-security interface Shows the port security status for a specific interface. switchport port-security Configures port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 881: Show Port-Security Interface

    Port Status : Secure Down Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute Maximum MAC Addresses Total MAC Addresses Configured MAC Addresses Sticky MAC Addresses Security violation count switch# Cisco Nexus 7000 Series Security Command Reference...
  • Page 882 Enables the port security feature. show port-security Shows the status of the port security feature. show port-security address Shows MAC addresses secured by the port security feature. switchport port-security Configures port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 883: Show Privilege

    Enables a secret password for a specific privilege level. Enables the cumulative privilege of roles for feature privilege command authorization on TACACS+ servers. username username priv-lvl Enables a user to use privilege levels for authorization. Cisco Nexus 7000 Series Security Command Reference...
  • Page 884: Show Radius

    Show Commands show radius show radius To display the RADIUS Cisco Fabric Services (CFS) distribution status and other details, use the show radius command. show radius {distribution status| merge status| pending [cmds]| pending-diff| session status| status} Syntax Description distribution status Displays the status of the RADIUS CFS distribution.
  • Page 885 10.10.1.1 key 7 qxz12345 auth_port 1812 acct_port 1813 authentication accounting This example shows how to display the differences between the pending RADIUS configuration and the current RADIUS configuration: switch(config)# show radius pending-diff +radius-server host 10.10.1.1 authentication accounting Cisco Nexus 7000 Series Security Command Reference...
  • Page 886: Show Radius-Server

    Usage Guidelines RADIUS preshared keys are not visible in the show radius-server command output. Use the show running-config radius command to display the RADIUS preshared keys. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 887 10.10.1.1: available for authentication on port:1812 available for accounting on port:1813 This example shows how to display statistics for a specified RADIUS server: switch# show radius-server statistics 10.10.1.1 Server is not monitored Cisco Nexus 7000 Series Security Command Reference...
  • Page 888 0 responses with no matching requests: 0 responses not processed: 0 responses containing errors: 0 Related Commands Command Description show running-config radius Displays the RADIUS information in the running configuration file. Cisco Nexus 7000 Series Security Command Reference...
  • Page 889: Show Role

    ------------------------------------------------------------------- Rule Perm Type Scope Entity ------------------------------------------------------------------- permit read-write role: network-operator description: Predefined network operator role has access to all read commands on the switch ------------------------------------------------------------------- Rule Perm Type Scope Entity ------------------------------------------------------------------- Cisco Nexus 7000 Series Security Command Reference...
  • Page 890 Predefined vdc operator role has access to all read commands within a VDC instance ------------------------------------------------------------------- Rule Perm Type Scope Entity ------------------------------------------------------------------- permit read Related Commands Command Description role name Configures user roles. Cisco Nexus 7000 Series Security Command Reference...
  • Page 891: Show Role Feature

    <content deleted> This example shows how to display detailed information for all the user role features: switch(config)# show role feature detail Cisco Nexus 7000 Series Security Command Reference...
  • Page 892 * config t ; dot1x * dot1x * clear dot1x * debug dot1x * Related Commands Command Description Configures feature groups for user roles. role feature-group rule Configures rules for user roles. Cisco Nexus 7000 Series Security Command Reference...
  • Page 893: Show Role Feature-Group

    This example shows how to display detailed information about all the user role feature groups: switch(config)# show role feature-group detail feature group: L3 feature: router-bgp show bgp * config t ; bgp * bgp * clear bgp * debug bgp * show ip bgp * Cisco Nexus 7000 Series Security Command Reference...
  • Page 894 This example shows how to display information for a specific user role feature group: switch(config)# show role feature-group name SecGroup feature group: SecGroup feature: aaa feature: radius feature: tacacs Related Commands Command Description Configures feature groups for user roles. role feature-group Cisco Nexus 7000 Series Security Command Reference...
  • Page 895 Show Commands show role feature-group Command Description rule Configures rules for user roles. Cisco Nexus 7000 Series Security Command Reference...
  • Page 896: Show Role Pending

    Show Commands show role pending show role pending To display the pending user role configuration differences for the Cisco Fabric Services distribution session, use the show role pending command. show role pending Syntax Description This command has no arguments or keywords.
  • Page 897: Show Role Pending-Diff

    Show Commands show role pending-diff show role pending-diff To display the differences between the pending user role configuration for the Cisco Fabric Services distribution session and the running configuration, use the show role pending-diff command. show role pending-diff Syntax Description This command has no arguments or keywords.
  • Page 898: Show Role Session

    Show Commands show role session show role session To display the status information for a user role Cisco Fabric Services session, use the show role session command. show role session status Syntax Description status (Optional) Displays the role session status.
  • Page 899: Show Role Status

    Show Commands show role status show role status To display the status for the Cisco Fabric Services distribution for the user role feature, use the show role status command. show role status Syntax Description This command has no arguments or keywords.
  • Page 900: Show Run Mka

    Configures the cipher suite for encrypting traffic with MACsec. Configures the confidentiality offset for MKA conf-offset encryption. feature mka Enables the MKA feature. Creates a key or enters the configuration mode of an existing key. Cisco Nexus 7000 Series Security Command Reference...
  • Page 901 Configures the MACsec policy. sak-expiry-time time Sets an expiry time for a force SAK rekey. show key chain Displays the configuration of the specified keychain. Displays all the MACsec policies in the system. show macsec policy Cisco Nexus 7000 Series Security Command Reference...
  • Page 902: Show Running-Config Aaa

    This command was introduced. Usage Guidelines This command does not require a license. Examples This example shows how to display the configured AAA information in the running configuration: switch# show running-config aaa version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 903: Show Running-Config Aclmgr

    10 permit udp any eq bootpc any 20 permit udp any neq bootps any eq bootps ip access-list cisco123-copp-acl-dhcp-relay-response 10 permit udp any eq bootps any 20 permit udp any any eq bootpc ip access-list cisco123-copp-acl-eigrp Cisco Nexus 7000 Series Security Command Reference...
  • Page 904 10 permit any any --More-- Related Commands Command Description show running-config copp Displays the CoPP configuration in the running configuration. Displays the user-configured ACLs in the startup show startup-config aclmgr configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 905 Show Commands show running-config aclmgr Command Description show startup-config copp Displays the CoPP configuration in the startup configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 906: Show Running-Config Copp

    2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop class copp-system-class-important police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop Cisco Nexus 7000 Series Security Command Reference...
  • Page 907 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform transmit exceed transmit violate drop class class-default police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop Cisco Nexus 7000 Series Security Command Reference...
  • Page 908: Show Running-Config Cts

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to display the Cisco TrustSec configuration in the running configuration: switch# show running-config cts version 4.0(1)
  • Page 909: Show Running-Config Dhcp

    13 ip arp inspection vlan 13 This example shows how to verify DHCP configurations on the device. DHCP relay configuration information is also displayed in the example. switch# show running-config dhcp Cisco Nexus 7000 Series Security Command Reference...
  • Page 910 Enables or disables the DHCP relay agent. service dhcp show ip dhcp snooping Displays general information about DHCP snooping. show ip dhcp snooping binding Displays IP-MAC address bindings, including the static IP source entries. Cisco Nexus 7000 Series Security Command Reference...
  • Page 911: Show Running-Config Dot1X

    You must enable the 802.1X feature by using the feature dot1x command before using this command. This command does not require a license. Examples This example shows how to display the configured 802.1X information in the running configuration: switch# show running-config dot1x version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 912: Show Running-Config Eou

    You must enable the EAPoUDP feature by using the feature eou command before using this command. This command does not require a license. Examples This example shows how to display the configured EAPoUDP information in the running configuration: switch# show running-config eou version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 913: Show Running-Config Ldap

    This command does not require a license. Examples This example shows how to display LDAP information in the running configuration: switch# show running-config ldap Related Commands Command Description show ldap-server Displays LDAP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 914: Show Running-Config Port-Security

    This example shows how to display information for port-security in the running configuration: switch# show running-port-security version 4.0(3) feature port-security logging level port-security 5 interface Ethernet2/3 switchport port-security Related Commands Command Description show startup-config port-security Displays port-security information in the startup configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 915: Show Running-Config Radius

    This command does not require a license. Examples This example shows how to display information for RADIUS in the running configuration: switch# show running-config radius Related Commands Command Description show radius-server Displays RADIUS information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 916: Show Running-Config Security

    5.1(1) username admin password 5 $1$7Jwq/LDM$XF0M/UWeT43DmtjZy8VP91 role network-admin username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na. role network-operator username user1 password 5 $1$qEclQ5Rx$CAX9fXiAoFPYSvbVzpazj/ role network-operator telnet server enable ssh key rsa 1024 force Cisco Nexus 7000 Series Security Command Reference...
  • Page 917: Show Running-Config Tacacs

    This command does not require a license. Examples This example shows how to display TACACS+ information in the running configuration: switch# show running-config tacacs+ Related Commands Command Description show tacacs-server Displays TACACS+ information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 918: Show Security System State

    This example shows how to display the status of system related security features: switch# show security system state XSPACE: Non-Executable stack: Non-Executable heap: Non-Writable text: ASLR: ASLR enabled: CVE-offset2lib Patch: Present Randomization entropy: Good OSC: Version: 1.0.0 SafeC: Version: 3.0.1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 919: Show Software Integrity

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1 10 1d8d532d463c9f8c205d0df7787669a85f93e260 ima-ng sha1:0000000000000000000000000000000000000000 boot_aggregate 2 10 1cb9d1e2795a75857f70d6a23cb77e4843467617 ima-ng sha256:850c63f1b32f19b2dcde9fa199a83da920c9e377e1e2dc52a6c7fdd045a21475 /etc/r c.d/rcS.d/S98admin-login 3 10 d07e9ebb0f9b548dd41558a6ec56f62e22b354a0 ima-ng sha256:941c993b3ffda0e0157442d849304e9a7e96f5f7da551754105023cb2ab8392a /bin/b switch# show software integrity total 1139 Cisco Nexus 7000 Series Security Command Reference...
  • Page 920: Show Ssh Key

    Keys generated:Wed Aug 11 11:45:14 2010 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDypfN6FSHZDbFPWEoz7sgWCamhfoqjqYNoZMvySSb4 056LhWZ75D90KPo+G+XTo7QAyQMpLJSkwKcRkidgD4lwJaDd/Ic/Sl5SJ3i0jyM61Bwvi+8+J3JoIdft AvgH47GT5BdDD6hM7aUHq+efSQSq8pGyDAR4Cw6UdY9HNAWoTw== bitcount:1024 fingerprint: cd:8d:e3:0c:2a:df:58:d3:6e:9c:bd:72:75:3f:2e:45 ************************************** could not retrieve dsa key information ************************************** Related Commands Command Description ssh server key Configures the SSH server key. Cisco Nexus 7000 Series Security Command Reference...
  • Page 921: Show Ssh Server

    This command does not require a license. Examples This example shows how to display the SSH server status: switch# show ssh server ssh is enabled version 2 enabled Related Commands Command Description feature ssh Enables the SSH server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 922: Show Startup-Config Aaa

    This command was introduced. Usage Guidelines This command does not require a license. Examples This example shows how to display the AAA information in the startup configuration: switch# show startup-config aaa version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 923: Show Startup-Config Aclmgr

    10 permit udp any eq bootps any 20 permit udp any any eq bootpc ip access-list copp-system-p-acl-eigrp 10 permit eigrp any any ip access-list copp-system-p-acl-ftp 10 permit tcp any any eq ftp-data 20 permit tcp any any eq ftp Cisco Nexus 7000 Series Security Command Reference...
  • Page 924 Displays the user-configured ACLs in the running configuration. show running-config copp Displays the CoPP configuration in the running configuration. Displays the CoPP configuration in the startup show startup-config copp configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 925: Show Startup-Config Copp

    2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform transmit exceed transmit violate drop class copp-system-class-important police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform transmit exceed transmit violate drop class copp-system-class-normal Cisco Nexus 7000 Series Security Command Reference...
  • Page 926 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform transmit exceed transmit violate drop policy-map type control-plane x class class-default police cir 0 bps bc 0 bytes conform drop violate drop Cisco Nexus 7000 Series Security Command Reference...
  • Page 927: Show Startup-Config Dhcp

    1 ip arp inspection vlan 1 ip dhcp snooping vlan 13 ip arp inspection vlan 13 switch# Related Commands Command Description feature dhcp Enables the DHCP snooping feature on the device. Cisco Nexus 7000 Series Security Command Reference...
  • Page 928 Show Commands show startup-config dhcp Command Description show running-config dhcp Shows DHCP snooping configuration in the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 929: Show Startup-Config Dot1X

    You must enable the 802.1X feature by using the feature dot1x command before using this command. This command does not require a license. Examples This example shows how to display the 802.1X information in the startup configuration: switch# show startup-config dot1x version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 930: Show Startup-Config Eou

    You must enable the EAPoUDP feature by using the feature eou command before using this command. This command does not require a license. Examples This example shows how to display the EAPoUDP information in the startup configuration: switch# show startup-config eou version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 931: Show Startup-Config Ldap

    !Startup config saved at: Wed Feb 17 10:32:23 2010 version 5.0(2) feature ldap aaa group server ldap LDAPgroup1 no ldap-search-map aaa group server ldap LdapServer1 no ldap-search-map Related Commands Command Description show ldap-server Displays LDAP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 932: Show Startup-Config Port-Security

    This example shows how to display information for port-security in the startup configuration: switch# show startup-port-security version 4.0(3) feature port-security logging level port-security 5 interface Ethernet2/3 switchport port-security Related Commands Command Description show running-config port-security Displays port-security information in the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 933: Show Startup-Config Radius

    This command was introduced. Usage Guidelines This command does not require a license. Examples This example shows how to display the RADIUS information in the startup configuration: switch# show startup-config radius version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 934: Show Startup-Config Security

    5.1(1) username admin password 5 $1$7Jwq/LDM$XF0M/UWeT43DmtjZy8VP91 role network-admin username adminbackup password 5 $1$Oip/C5Ci$oOdx7oJSlBCFpNRmQK4na. role network-operator username user1 password 5 $1$qEclQ5Rx$CAX9fXiAoFPYSvbVzpazj/ role network-operator telnet server enable ssh key rsa 1024 force Cisco Nexus 7000 Series Security Command Reference...
  • Page 935: Show Startup-Config Tacacs

    This command was introduced. Usage Guidelines This command does not require a license. Examples This example shows how to display the TACACS+ information in the startup configuration: switch# show startup-config tacacs+ version 4.0(1) Cisco Nexus 7000 Series Security Command Reference...
  • Page 936: Show System Internal Access-List Feature Bank-Chain Map

    This command does not require a license. Examples This example shows how to display the feature group and class combination tables for ingress module 2: switch# show system internal access-list feature bank-chain map vlan-vlan ingress module 2 Cisco Nexus 7000 Series Security Command Reference...
  • Page 937 ACLMGR ERSPAN (source) SPM_VINCI_PROXY SPM_VINCI_ANYCAST SPM_VINCI_FABRIC_VLAN SPM ITD SPM EVPN ARP UDP RELAY SPM_VXLAN_OAM Related Commands Command Description hardware access-list resource feature Enables ACL TCAM bank mapping for feature groups bank-mapping and classes. Cisco Nexus 7000 Series Security Command Reference...
  • Page 938: Show System Internal Access-List Feature Bank-Class Map

    DHCP, Netflow, ARP, VACL, 4. CLASS_RACL : RACL, RACL_STAT, Netflow (SVI), ARP, 5. CLASS_VACL : VACL, VACL_STAT, ARP, FEX, Netflow, 6. CLASS_RV_ACL : RACL, PBR, BFD, ARP, SPM WCCP, VACL, SPM OTV, FEX, CTS implicit Tunnel Cisco Nexus 7000 Series Security Command Reference...
  • Page 939 Show Commands show system internal access-list feature bank-class map Related Commands Command Description hardware access-list resource feature Enables ACL TCAM bank mapping for feature groups bank-mapping and classes. Cisco Nexus 7000 Series Security Command Reference...
  • Page 940: Show System Internal Access-List Globals

    This pltfm supports seq feat model Bank Class Model : DISABLED This pltfm supports bank class model Fabric path DNL : DISABLED Seq Feat Model : NO_DENY_ACE_SUPPORT This pltfm supports seq feat model Cisco Nexus 7000 Series Security Command Reference...
  • Page 941 MPLS Topmost As Pipe Mode : DISABLED This pltfm supports mpls topmost as pipe mode LOU Threshold Value : 5 Related Commands Command Description hardware access-list resource feature Enables ACL TCAM bank mapping for feature groups and classes. bank-mapping Cisco Nexus 7000 Series Security Command Reference...
  • Page 942: Show System Internal Pktmgr Internal Control Sw-Rate-Limit

    12500 outband pps global threshold 15500 switch# Related Commands Command Description rate-limit cpu direction pps action log Configures rate limits globally on the device for packets that reach the supervisor module. Cisco Nexus 7000 Series Security Command Reference...
  • Page 943: Show System Internal Udp-Relay Database

    3 . IP-Addr : 2.4.6.8 Netmask : 255.255.0.0 Associated Interfaces: ----------------------------------- Vlan800 Subnet-broadcast enabled --------------------------------------------------------------- Object-Group Name iSmart No. of Relay Addresses : 1 . IP-Addr : 4.5.6.7 Netmask : 255.255.0.0 Associated Interfaces: Cisco Nexus 7000 Series Security Command Reference...
  • Page 944 Show Commands show system internal udp-relay database ----------------------------------- Vlan700 Subnet-broadcast disabled Related Commands Command Description ip forward-protocol udp Enables the UDP relay feature. object-group udp relay ip address Configures the object group. Cisco Nexus 7000 Series Security Command Reference...
  • Page 945: Show Tacacs

    Show Commands show tacacs+ show tacacs+ To display the TACACS+ Cisco Fabric Services (CFS) distribution status and other details, use the show tacacs+ command. show tacacs+ {distribution status| pending [cmds]| pending-diff} Syntax Description distribution status Displays the status of the TACACS+ CFS distribution.
  • Page 946 10.10.2.2 key 7 qxz12345 port 49 This example shows how to display the differences between the pending TACACS+ configuration and the current TACACS+configuration: switch# show tacacs+ pending-diff +tacacs-server host 10.10.2.2 Cisco Nexus 7000 Series Security Command Reference...
  • Page 947: Show Tacacs-Server

    TACACS+ preshared keys are not visible in the show tacacs-server command output. Use the show running-config tacacs+ command to display the TACACS+ preshared keys. You must use the feature tacacs+ command before you can display TACACS+ information. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 948 This example shows how to display statistics for a specified TACACS+ servers: switch# show tacacs-server statistics 10.10.2.2 Server is not monitored Authentication Statistics failed transactions: 0 sucessfull transactions: 0 requests sent: 0 requests timed out: 0 responses with no matching requests: 0 Cisco Nexus 7000 Series Security Command Reference...
  • Page 949 0 responses with no matching requests: 0 responses not processed: 0 responses containing errors: 0 Related Commands Command Description show running-config tacacs+ Displays the TACACS+ information in the running configuration file. Cisco Nexus 7000 Series Security Command Reference...
  • Page 950: Show Telnet Server

    This command does not require a license. Examples This example shows how to display the Telnet server status: switch# show telnet server telnet service enabled Related Commands Command Description telnet server enable Enables the Telnet server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 951: Show Time-Range

    10 absolute start 0:00:00 1 November 2009 end 23:59:59 30 November 2009 Related Commands Command Description time-range Configures a time range. permit (IPv4) Configures a permit rule for an IPv4 ACL. ipv6 access-list Configures an IPv6 ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 952 Configures a permit rule for an IPv6 ACL. permit (MAC) Configures a permit rule for a MAC ACL. show ipv6 access-lists Displays all IPv6 ACLs or a specific IPv6 ACL. show access-lists Displays all ACLs or a specific ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 953: Show User-Account

    This example shows how to display information for user accounts in a nondefault VDC: switch-MyVDC# show user-account user:admin this user account has no expiry date roles:vdc-admin Related Commands Command Description telnet server enable Enables the Telnet server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 954: Show Username

    This example shows how to display the public key for the specified user: switch# show username admin keypair ************************************** rsa Keys generated:Mon Feb 15 08:10:45 2010 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0+rIeMgXwv004lt/hwOoyqIKbFGl1tmkFNm/tozuazfL 4dH/asAXZoJePDdiO1ILBGfrQgzyS5u3prXuXfgnWkTu0/4WlD0DF/EPdsd3NNzNbpPFzNDVylPDyDfR X5SfVICioEirjX9Y59DZP+Nng6rJD7Z/YHVXs/jRNLPBOIs= bitcount:262144 fingerprint: a4:a7:b1:d1:43:09:49:6f:7c:f8:60:62:8e:a2:c1:d1 ************************************** could not retrieve dsa key information ************************************** switch# Cisco Nexus 7000 Series Security Command Reference...
  • Page 955 Related Commands Command Description username username keypair generate Generates the SSH public and private keys and stores them in the home directory of the Cisco NX-OS device for the specified user. Cisco Nexus 7000 Series Security Command Reference...
  • Page 956: Show Users

    23101 (10.82.234.56)* This example shows how to display information for user accounts in a nondefault VDC: switch-MyVDC# show users admin pts/10 Mar 19 12:54 30965 (10.82.234.56)* Related Commands Command Description username Configures user accounts. Cisco Nexus 7000 Series Security Command Reference...
  • Page 957: Show Vlan Access-List

    Displays all IPv4 ACLs or a specific IPv4 ACL. show ipv6 access-lists Displays all IPv6 ACLs or a specific IPv6 ACL. show mac access-lists Displays all MAC ACLs or a specific MAC ACL. Cisco Nexus 7000 Series Security Command Reference...
  • Page 958 Show Commands show vlan access-list Command Description show vlan access-map Displays all VLAN access maps or a specific VLAN access map. Cisco Nexus 7000 Series Security Command Reference...
  • Page 959: Show Vlan Access-Map

    This command does not require a license. Examples This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface: switch# show vlan access-map Vlan access-map austin-vlan-map match ip: austin-corp-acl action: forward Cisco Nexus 7000 Series Security Command Reference...
  • Page 960 Displays information about how a VLAN access map show vlan filter is applied. vlan access-map Configures a VLAN access map. vlan filter Applies a VLAN access map to one or more VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 961: Show Vlan Filter

    Configured on VLANs: 20-35,42-80 Related Commands Command Description Specifies an action for traffic filtering in a VLAN action access map. match Specifies an ACL for traffic filtering in a VLAN access map. Cisco Nexus 7000 Series Security Command Reference...
  • Page 962 Description show vlan access-map Displays all VLAN access maps or a VLAN access map. vlan access-map Configures a VLAN access map. vlan filter Applies a VLAN access map to one or more VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 963: Chapter 1 8 T Commands

    953 • telnet server enable, page 955 • telnet6, page 956 • terminal verify-only, page 958 • test aaa authorization command-type, page 960 • time-range, page 962 • trustedCert, page 964 Cisco Nexus 7000 Series Security Command Reference...
  • Page 964: Tacacs+ Abort

    T Commands tacacs+ abort tacacs+ abort To discard a TACACS+ Cisco Fabric Services (CFS) distribution session in progress, use the tacacs+ abort command. tacacs+abort Syntax Description This command has no arguments or keywords. Command Default None. Command Modes Global configuration...
  • Page 965: Tacacs+ Commit

    CFS does not distribute the TACACS+ server group configurations, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
  • Page 966: Tacacs+ Distribute

    To use this command, TACACS+ must be enabled using the feature tacacs+ command. CFS does not distribute the TACACS+ server group configurations, periodic TACACS+ server testing configurations, or server and global keys. The keys are unique to the Cisco NX-OS device and are not shared with other Cisco NX-OS devices.
  • Page 967: Tacacs-Server Deadtime

    This example shows how to configure the dead-time interval and enable periodic monitoring: switch# configure terminal switch(config)# tacacs -server deadtime 10 This example shows how to revert to the default dead-time interval and disable periodic monitoring: switch# configure terminal switch(config)# no tacacs -server deadtime 10 Cisco Nexus 7000 Series Security Command Reference...
  • Page 968 T Commands tacacs-server deadtime Related Commands Command Description deadtime Sets a dead-time interval for monitoring a nonresponsive TACACS+ server. show tacacs-server Displays TACACS+ server information. feature tacacs+ Enables TACACS+. Cisco Nexus 7000 Series Security Command Reference...
  • Page 969: Tacacs-Server Directed-Request

    (VRF) name to use and hostname is the name of a configured TACACS+ server. The username is sent to the server name for authentication. If you enable the directed-request option, the Cisco NX-OS device uses only the RADIUS method for Note authentication and not the default local method.
  • Page 970 T Commands tacacs-server directed-request Related Commands Command Description show tacacs-server directed request Displays a directed request TACACS+ server configuration. feature tacacs+ Enables TACACS+. Cisco Nexus 7000 Series Security Command Reference...
  • Page 971: Tacacs-Server Host

    The range is from 1 to 65535. test (Optional) Configures parameters to send test packets to the TACACS+ server. idle-time time Specifies the time interval (in minutes) for monitoring the server. The time range is 1 to 1440 minutes. Cisco Nexus 7000 Series Security Command Reference...
  • Page 972 0 abcd switch(config)# tacacs-server host tacacs3 key 7 1234 switch(config)# tacacs-server host 10.10.2.3 test idle-time 10 switch(config)# tacacs-server host 10.10.2.3 test username tester switch(config)# tacacs-server host 10.10.2.3 test password 2B9ka5 Cisco Nexus 7000 Series Security Command Reference...
  • Page 973 T Commands tacacs-server host Related Commands Command Description show tacacs-server Displays TACACS+ server information. feature tacacs+ Enables TACACS+. Cisco Nexus 7000 Series Security Command Reference...
  • Page 974: Tacacs-Server Key

    You can override this global key assignment by using the key keyword in the tacacs-server host command. You must use the feature tacacs+ command before you configure TACACS+. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 975 The following example shows how to configure TACACS+ server shared keys: switch# configure terminal switch(config)# tacacs-server key AnyWord switch(config)# tacacs-server key 0 AnyWord switch(config)# tacacs-server key 7 public Related Commands Command Description show tacacs-server Displays TACACS+ server information. feature tacacs+ Enables TACACS+. Cisco Nexus 7000 Series Security Command Reference...
  • Page 976: Tacacs-Server Test

    Modification 5.0(2) This command was introduced. Usage Guidelines To use this command, you must enable TACACS+ authentication. Any servers for which test parameters are not configured are monitored using the global level parameters. Cisco Nexus 7000 Series Security Command Reference...
  • Page 977 This example shows how to configure the parameters for global TACACS+ server monitoring: switch# configure terminal switch(config)# tacacs-server test username user1 password Ur2Gd2BH idle-time 3 Related Commands Command Description Displays TACACS+ server information. show tacacs-server Cisco Nexus 7000 Series Security Command Reference...
  • Page 978: Tacacs-Server Timeout

    This example shows how to revert to the default TACACS+ server timeout value: switch# configure terminal switch(config)# no tacacs-server timeout 3 Related Commands Command Description show tacacs-server Displays TACACS+ server information. Enables TACACS+. feature tacacs+ Cisco Nexus 7000 Series Security Command Reference...
  • Page 979: Telnet

    T Commands telnet telnet To create a Telnet session using IPv4 on the Cisco NX-OS device, use the telnet command. telnet {ipv4-address| hostname} [ port-number ] [vrf vrf-name] Syntax Description ipv4-address IPv4 address of the remote device. hostname Hostname of the remote device. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.
  • Page 980 T Commands telnet Related Commands Command Description clear line Clears Telnet sessions. telnet6 Creates a Telnet session using IPv6 addressing. feature telnet Enables the Telnet server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 981: Telnet Server Enable

    This example shows how to disable the Telnet server: switch# configure terminal switch(config)# no telnet server enable XML interface to system may become unavailable since ssh is disabled Related Commands Command Description Displays the SSH server key information. show telnet server Cisco Nexus 7000 Series Security Command Reference...
  • Page 982: Telnet6

    T Commands telnet6 telnet6 To create a Telnet session using IPv6 on the Cisco NX-OS device, use the telnet6 command. telnet6 {ipv6-address| hostname} [ port-number ] [vrf vrf-name] Syntax Description ipv6-address IPv6 address of the remote device. hostname Hostname of the remote device. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.
  • Page 983 T Commands telnet6 Related Commands Command Description clear line Clears Telnet sessions. telnet Creates a Telnet session using IPv4 addressing. feature telnet Enables the Telnet server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 984: Terminal Verify-Only

    This example shows how to enable command authorization verification: switch# terminal verify-only This example shows how to disable command authorization verification: switch# terminal no verify-only Related Commands Command Description Configures authorization for EXEC commands. aaa authorization commands default Cisco Nexus 7000 Series Security Command Reference...
  • Page 985 T Commands terminal verify-only Command Description aaa authorization config-commands default Configures authorization for configuration commands. Cisco Nexus 7000 Series Security Command Reference...
  • Page 986: Test Aaa Authorization Command-Type

    To use the test aaa authorization command-type command, you must enable the TACACS+ feature using the feature tacacs+ command. You must configure a TACACS+ group on the Cisco NX-OS device using the aaa server group command before you can test the command authorization.
  • Page 987 Related Commands Command Description aaa authorization commands default Configures authorization for EXEC commands. aaa authorization config-commands default Configures authorization for configuration commands. aaa group server Configures AAA server groups. Cisco Nexus 7000 Series Security Command Reference...
  • Page 988: Time-Range

    Specifies a time range that has a specific start date and time. deny (IPv4) Configures an IPv4 deny rule. deny (IPv6) Configures an IPv6 deny rule. Specifies a time range that is active one or more times periodic per week. Cisco Nexus 7000 Series Security Command Reference...
  • Page 989 T Commands time-range Command Description permit (IPv4) Configures an IPv4 permit rule. permit (IPv6) Configures an IPv6 permit rule. Cisco Nexus 7000 Series Security Command Reference...
  • Page 990: Trustedcert

    This example shows how to configure the attribute name, search filter, and base-DN for the trusted certificate search operation in order to send a search query to the LDAP server: switch# conf t switch(config)# ldap search-map s0 switch(config-ldap-search-map)# trustedCert attribute-name cACertificate search-filter (&(objectClass=certificationAuthority)) base-DN CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com switch(config-ldap-search-map)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 991 T Commands trustedCert Related Commands Command Description feature ldap Enables LDAP. ldap search-map Configures an LDAP search map. show ldap-search-map Displays the configured LDAP search maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 992 T Commands trustedCert Cisco Nexus 7000 Series Security Command Reference...
  • Page 993: Chapter 1 9 U Commands

    U Commands • user-certdn-match, page 968 • username, page 970 • userprofile, page 975 • user-pubkey-match, page 977 • user-switch-bind, page 979 • use-vrf, page 981 Cisco Nexus 7000 Series Security Command Reference...
  • Page 994: User-Certdn-Match

    This example shows how to configure the attribute name, search filter, and base-DN for the certificate DN match search operation in order to send a search query to the LDAP server: switch# conf t switch(config)# ldap search-map s0 switch(config-ldap-search-map)# user-certdn-match attribute-name certificateDN search-filter (&(objectClass=inetOrgPerson)(cn=$userid)) base-DN dc=acme,dc=com switch(config-ldap-search-map)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 995 U Commands user-certdn-match Related Commands Command Description feature ldap Enables LDAP. ldap search-map Configures an LDAP search map. show ldap-search-map Displays the configured LDAP search maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 996: Username

    64 characters. All printable ASCII characters are supported Note in the password string if they are enclosed in quotation marks. role role-name (Optional) Specifies the user role. The role-name argument is case sensitive. Cisco Nexus 7000 Series Security Command Reference...
  • Page 997 In nondefault VDCs, the default user role is vdc-operator. You cannot delete the default admin user role. Also, you cannot change the expire date or remove the network-admin role for the default admin user role. Cisco Nexus 7000 Series Security Command Reference...
  • Page 998 This command was introduced. Usage Guidelines The Cisco NX-OS software creates two default user accounts in the VDC: admin and adminbackup. The nondefault VDCs have one default user account: admin. You cannot remove a default user account. User accounts are local to the VDCs. You can create user accounts with the same user identifiers in different VDCs.
  • Page 999 This example shows how to export the public and private keys from the home directory of the Cisco NX-OS device to the bootflash directory: switch# configure t...
  • Page 1000 Checks the password security strength. show privilege Displays the current privilege level, username, and status of cumulative privilege support. show user-account Displays the user account configuration. show username Displays the public key for the specified user. Cisco Nexus 7000 Series Security Command Reference...

Table of Contents

Save PDF