Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
First Published: 2018-07-17
Last Modified: 2018-11-05
Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706, http://www.cisco.com, Tel: 408 526-4000, 800 553-NETS (6387), Fax: 408 527-0883...
This product includes software written by Tim Hudson (tjh@cryptsoft.com). Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks.
Contents

• RADIUS and TACACS+ Security Protocols
• LDAP
• SSH and Telnet
• User Accounts and Roles
• IP ACLs
• MAC ACLs
• VACLs
• DHCP Snooping
• Dynamic ARP Inspection
• IP Source Guard
• Password Encryption
• Keychain Management

• Enabling MSCHAP or MSCHAP V2 Authentication
• Configuring AAA Accounting Default Methods
• Using AAA Server VSAs with Cisco NX-OS Devices
• About VSAs
• VSA Format
• Specifying Cisco NX-OS User Roles and SNMPv3 Parameters on AAA Servers

• Configuring the Global RADIUS Transmission Retry Count and Timeout Interval
• Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server
• Configuring Accounting and Authentication Attributes for RADIUS Servers

• Configuring a Key for a Specific TACACS+ Server
• Configuring TACACS+ Server Groups
• Configuring the Global Source Interface for TACACS+ Server Groups
• Allowing Users to Specify a TACACS+ Server at Login

• Vendor-Specific Attributes for LDAP
• Cisco VSA Format for LDAP
• Virtualization Support for LDAP
• Licensing Requirements for LDAP
• Prerequisites for LDAP
• Guidelines and Limitations for LDAP
• Default Settings for LDAP
• Configuring LDAP

• Default Settings for SSH and Telnet
• Configuring SSH
• Generating SSH Server Keys
• Specifying the SSH Public Keys for User Accounts
• Specifying the SSH Public Keys in IETF SECSH Format

• User Role Rules
• Licensing Requirements for User Accounts and RBAC
• Guidelines and Limitations for User Accounts and RBAC
• Default Settings for User Accounts and RBAC
• Enabling Password-Strength Checking
• Configuring User Accounts

• Enabling the 802.1X Feature
• Configuring AAA Authentication Methods for 802.1X
• Controlling 802.1X Authentication on an Interface
• Creating or Removing an Authenticator PAE on an Interface
• Enabling Periodic Reauthentication for an Interface

• Protocols for IP ACLs and MAC ACLs
• Source and Destination
• Implicit Rules for IP and MAC ACLs
• Additional Filtering Options
• Sequence Numbers
• Logical Operators and Logical Operation Units
• IPv4 ACL Logging
• Time Ranges

• Carving a TCAM Region
• Configuring System ACLs
• Configuration and Show Command Examples for the System ACLs
• Configuring Object Groups
• Session Manager Support for Object Groups
• Creating and Changing an IPv4 Address Object Group

• Monitoring and Clearing MAC ACL Statistics
• Configuration Example for MAC ACLs
• Additional References for MAC ACLs
• CHAPTER 12 Configuring VLAN ACLs
• About VLAN ACLs

• Port Type Changes
• Licensing Requirements for Port Security
• Prerequisites for Port Security
• Default Settings for Port Security
• Guidelines and Limitations for Port Security
• Guidelines and Limitations for Port Security on vPCs

• About the DHCP Relay Agent
• DHCP Relay Agent
• DHCP Relay Agent Option 82
• VRF Support for the DHCP Relay Agent
• DHCP Smart Relay Agent
• About the DHCPv6 Relay Agent
• DHCPv6 Relay Agent

• Enabling or Disabling VRF Support for the DHCPv6 Relay Agent
• Configuring DHCPv6 Server Addresses on an Interface
• Configuring the DHCPv6 Relay Source Interface
• Configuring IPv6 RA Guard
• Enabling DHCP Client
• Verifying the DHCP Configuration

• Guidelines and Limitations for IPv6 Snooping
• How to Configure IPv6 FHS
• Configuring the IPv6 RA Guard Policy on the Device
• Configuring IPv6 RA Guard on an Interface
• Configuring DHCP—DHCPv6 Guard
• Configuring IPv6 Snooping

• Verifying the DAI Configuration
• Monitoring and Clearing DAI Statistics
• Configuration Examples for DAI
• Two Devices Support DAI
• Configuring Device A
• Configuring Device B
• Additional References for DAI
• Related Documents
• Standards

• Verifying the Password Encryption Configuration
• Configuration Examples for Password Encryption
• CHAPTER 19 Configuring Keychain Management
• About Keychain Management
• Lifetime of a Key
• Licensing Requirements for Keychain Management

• Unicast RPF Process
• Licensing Requirements for Unicast RPF
• Guidelines and Limitations for Unicast RPF
• Default Settings for Unicast RPF
• Configuring Unicast RPF for Cisco Nexus 9500 Switches with -R Line Cards

• Configuring a Control Plane Policy Map
• Configuring the Control Plane Service Policy
• Configuring the CoPP Scale Factor Per Line Card
• Changing or Reapplying the Default CoPP Policy
• Copying the CoPP Best Practice Policy

• Key Lifetime and Hitless Key Rollover
• Fallback Key
• Licensing Requirements for MACsec
• Guidelines and Limitations for MACsec
• Enabling MACsec
• Disabling MACsec
• Configuring a MACsec Keychain and Keys
• Configuring MACsec Fallback Key

• About Configurable EAPOL Destination and Ethernet Type
• Enabling EAPOL Configuration
• Disabling EAPOL Configuration
• Verifying the MACsec Configuration
• Displaying MACsec Statistics
• Configuration Example for MACsec
• XML Examples
• MIBs
• Related Documentation
• Documentation Feedback, on page xxvi
• Obtaining Documentation and Submitting a Service Request, on page xxvi

Audience
This publication is for network administrators who install, configure, and maintain Cisco Nexus switches.

Document Conventions
Command descriptions use the following conventions: Convention...
An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Related Documentation for Cisco Nexus 9000 Series Switches
The entire Cisco Nexus 9000 Series switch documentation set is available at the following URL: http://www.cisco.com/en/US/products/ps13386/tsd_products_support_series_home.html

Documentation Feedback
To provide technical feedback on this document, or to report an error or omission, please send your comments to nexus9k-docfeedback@cisco.com.

New and Changed Information
• New and Changed Information, on page 1
This table summarizes the new and changed features for the Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x and tells you where they are documented.
Table 1: New and Changed Features for Cisco NX-OS Release 9.x...
...93240YC-FX2, and Cisco Nexus 93240YC-FX2-Z switches
Unicast RPF: Added support for Cisco Nexus 9300-EX Series and Cisco Nexus 9300-FX/FX2 Series switches. Release 9.2(1). Documented in Configuring Unicast RPF, on page 439.

CHAPTER
Overview
The Cisco NX-OS software supports security features that can protect your network against degradation or failure and also against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.
A distributed client/server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.
User Accounts and Roles You can create and manage user accounts and assign roles that limit access to operations on the Cisco NX-OS device. Role-based access control (RBAC) allows you to define the rules for an assigned role that restrict the authorization that the user has to access management operations.
MAC ACLs are ACLs that filter traffic using the information in the Layer 2 header of each packet. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco NX-OS software determines that a MAC ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, the Cisco NX-OS software applies the applicable default rule.
When the ingress traffic reaches the traffic storm control level that is configured on the port, traffic storm control drops the traffic until the interval ends.
Excessive traffic to the supervisor module could overload it and slow down the performance of the entire Cisco NX-OS device. Attacks on the supervisor module can be of various types, such as denial-of-service (DoS) attacks that generate IP traffic streams to the control plane at a very high rate.
Cisco NX-OS device. Cisco NX-OS devices support Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols. Based on the user ID and password combination that you provide, Cisco NX-OS devices perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers.
• You can centrally manage the accounting log for all Cisco NX-OS devices in the fabric. • It is easier to manage user attributes for each Cisco NX-OS device in the fabric than using the local databases on the Cisco NX-OS devices.
Specifies that no AAA authentication be used. Note If you specify the all RADIUS servers method, rather than a specified server group method, the Cisco NX-OS device chooses the RADIUS server from the global pool of configured RADIUS servers, in the order of configuration.
For console login authentication, user login authentication, and user management session accounting, the Cisco NX-OS device tries each option in the order specified. The local option is the default method when other configured options fail. You can disable the local option for the console or default login by using the no aaa authentication login {console | default} fallback error local command.
Configuring AAA AES Password Encryption and Master Encryption Keys • When you log in to the required Cisco NX-OS device, you can use the Telnet, SSH, or console login options. • When you have configured the AAA server groups using the server group authentication method, the Cisco NX-OS device sends an authentication request to the first AAA server in the group as follows: •...
AAA has the following guidelines and limitations: • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
This section describes the tasks for configuring AAA on Cisco NX-OS devices. Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
If you perform a password recovery when remote authentication is enabled, local authentication becomes enabled for console login as soon as the password recovery is done. As a result, you can log into the Cisco NX-OS device through the console port using the new password. After login, you can continue to use local authentication, or you can enable remote authentication after resetting the admin password configured at the AAA servers.
(Optional) show aaa authentication
Displays the configuration of the default login authentication methods.
Example: switch# show aaa authentication
Step 5 (Optional) copy running-config startup-config
Copies the running configuration to the startup configuration.
Example:
Caution Disabling fallback to local authentication can lock your Cisco NX-OS device, forcing you to perform a password recovery in order to gain access. To prevent being locked out of the device, we recommend that you disable fallback to local authentication for only the default login or the console login, not both.
Enabling the Default User Role for AAA Authentication You can allow remote users who do not have a user role to log in to the Cisco NX-OS device through a RADIUS or TACACS+ remote authentication server using a default user role. When you disable the AAA default user role feature, remote users who do not have a user role cannot log in to the device.
Linux kernel authentication messages appear along with the previous message.
Step 4 (Optional) show login on-failure log
Displays whether the switch is configured to log failed authentication messages to the syslog server.
Example:
The Cisco NX-OS software supports the Challenge Handshake Authentication Protocol (CHAP), a challenge-response authentication protocol that uses the industry-standard Message Digest 5 (MD5) hashing scheme to compute the challenge responses. You can use CHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+).
Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. The Cisco NX-OS software also supports MSCHAP Version 2 (MSCHAP V2). You can use MSCHAP for user logins to a Cisco NX-OS device through a remote authentication server (RADIUS or TACACS+). MSCHAP V2 only supports user logins to a Cisco NX-OS device through remote authentication RADIUS servers.
By default, the Cisco NX-OS device uses Password Authentication Protocol (PAP) authentication between the Cisco NX-OS device and the remote server. If you enable MSCHAP or MSCHAP V2, you need to configure your RADIUS server to recognize the MSCHAP and MSCHAP V2 vendor-specific attributes (VSAs).
(AV) pairs and is stored on the AAA server. When you activate AAA accounting, the Cisco NX-OS device reports these attributes as accounting records, which are then stored in an accounting log on the security server.
Displays the configuration of the AAA accounting default methods.
Example: switch# show aaa accounting
Step 5 (Optional) copy running-config startup-config
Copies the running configuration to the startup configuration.
Example: switch# copy running-config startup-config
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:...
PDUs.

Specifying Cisco NX-OS User Roles and SNMPv3 Parameters on AAA Servers
You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco NX-OS device using this format: shell:roles="roleA roleB …"...
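The following added example (not Cisco's code, and not taken from the guide) models how a device-side consumer would parse the shell:roles av-pair and then apply two rules this guide states elsewhere: a local account with the same name overrides server-assigned roles, and a remote user with no role can log in only when the AAA default user role is enabled. The role names, the local account and the `shell:priv-lvl` pair are constructed sample data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: values of the cisco-av-pair VSA (vendor ID 9, vendor
# type 1) as an AAA server might return them for one user.
SAMPLE_AV_PAIRS = [
    'shell:roles="network-operator network-admin"',
    "shell:priv-lvl=15",   # a different av-pair; the role parser ignores it
]

# The guide's format: shell:roles="roleA roleB ..." (roles separated by spaces)
_SHELL_ROLES = re.compile(r'^shell:roles\s*=\s*"([^"]*)"\s*$')


def parse_shell_roles(av_pair: str) -> List[str]:
    """Return the role names carried by one shell:roles av-pair.

    Non-role av-pairs yield []. A malformed shell:roles value raises, so a
    bad server mapping fails loudly instead of silently granting nothing
    (or the wrong thing).
    """
    text = av_pair.strip()
    if not text.startswith("shell:roles"):
        return []
    match = _SHELL_ROLES.match(text)
    if match is None:
        raise ValueError(f"malformed shell:roles av-pair: {av_pair!r}")
    roles = match.group(1).split()
    if not roles:
        raise ValueError("shell:roles av-pair names no roles")
    return roles


@dataclass(frozen=True)
class LocalAccount:
    name: str
    roles: List[str]


def resolve_roles(
    username: str,
    av_pairs: List[str],
    local_accounts: Dict[str, LocalAccount],
    default_role: Optional[str] = None,
) -> List[str]:
    """Decide which roles a remotely authenticated user ends up with.

    Rule 1 (Guidelines and Limitations): a local account with the same name
            as the remote user wins; the server's roles are ignored.
    Rule 2 (Enabling the Default User Role): with no role from the server,
            the user gets the default role if that feature is enabled,
            otherwise the login is refused.
    """
    local = local_accounts.get(username)
    if local is not None:
        # Easy to overlook when auditing RBAC: the AAA server's roles never
        # apply to a name that also exists locally.
        return list(local.roles)

    remote_roles: List[str] = []
    for pair in av_pairs:
        for role in parse_shell_roles(pair):
            if role not in remote_roles:       # keep order, drop repeats
                remote_roles.append(role)
    if remote_roles:
        return remote_roles

    if default_role is None:
        raise PermissionError(
            f"{username}: no role assigned and the AAA default user role is disabled"
        )
    return [default_role]
```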
You can restrict the maximum number of simultaneous login sessions per user. Doing so prevents users from having multiple unwanted sessions and solves the potential security issue of unauthorized users accessing a valid SSH or Telnet session. SUMMARY STEPS 1. configure terminal
After providing the required options in the username command, press Enter. You are prompted for the user's password, and the password is hidden as you type it.
Monitoring and Clearing the Local AAA Accounting Log
The Cisco NX-OS device maintains a local log for the AAA accounting activity. You can monitor this log and clear it. SUMMARY STEPS 1.
The following example shows how to configure the switch to enter a 100-second quiet period if the limit of 3 failed login attempts is exceeded within 60 seconds. This example shows no login failures.
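As an added example (not the guide's own configuration output), the following Python models the login-failure policy the paragraph describes: a sliding 60-second window of failed attempts and a 100-second quiet period once the limit of 3 is exceeded. Following the text's wording, the quiet period starts on the failure that exceeds the limit; the exact boundary on a real device is an assumption to verify. The event timestamps are constructed.

```python
from __future__ import annotations

from collections import deque
from typing import Deque, Iterable, List, Optional, Tuple


class LoginFailureGuard:
    """Quiet-period login guard.

    More than `attempts` failed logins within `window` seconds puts the
    device into a quiet period of `quiet` seconds, during which every login
    (even one with correct credentials) is rejected.
    """

    def __init__(self, quiet: int, attempts: int, window: int) -> None:
        self.quiet = quiet
        self.attempts = attempts
        self.window = window
        self._failures: Deque[float] = deque()     # timestamps of recent failures
        self._quiet_until: Optional[float] = None  # end of the current quiet period

    def is_blocked(self, now: float) -> bool:
        """True while a quiet period is in force at time `now`."""
        if self._quiet_until is None:
            return False
        if now < self._quiet_until:
            return True
        # Quiet period is over: start counting from a clean slate.
        self._quiet_until = None
        self._failures.clear()
        return False

    def record_failure(self, now: float) -> bool:
        """Register a failed login; return True if it triggers a quiet period."""
        if self.is_blocked(now):
            return True
        self._failures.append(now)
        # Drop failures that fell out of the sliding window.
        while self._failures and now - self._failures[0] > self.window:
            self._failures.popleft()
        if len(self._failures) > self.attempts:
            self._quiet_until = now + self.quiet
            return True
        return False


def simulate(guard: LoginFailureGuard,
             events: Iterable[Tuple[float, bool]]) -> List[str]:
    """Replay (timestamp, credentials_ok) events; return the outcome of each.

    Outcomes: "accepted", "failed" (bad credentials, not yet blocked) or
    "blocked" (rejected because a quiet period is active).
    """
    outcomes: List[str] = []
    for when, credentials_ok in events:
        if guard.is_blocked(when):
            outcomes.append("blocked")
        elif credentials_ok:
            outcomes.append("accepted")
        else:
            guard.record_failure(when)
            outcomes.append("failed")
    return outcomes


def burst_scenario() -> List[str]:
    """Constructed: four failures in 30 s, then a correct login inside and
    after the 100-second quiet period."""
    guard = LoginFailureGuard(quiet=100, attempts=3, window=60)
    events = [(0, False), (10, False), (20, False), (30, False),
              (40, True), (131, True)]
    return simulate(guard, events)


def slow_scenario() -> List[str]:
    """Constructed: failures 25 s apart never exceed 3 within any 60 s window,
    so the guard does not trip; a defender relying only on this policy
    would not notice the slow guessing, which is why failed logins should
    also be logged (see show login on-failure log)."""
    guard = LoginFailureGuard(quiet=100, attempts=3, window=60)
    events = [(0, False), (25, False), (50, False), (75, False), (80, True)]
    return simulate(guard, events)
```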
You are prompted for the user's password, and the password is hidden. Note: If you specify the password keyword on the same line while configuring the user account, the password is not hidden. switch(config)# username user1
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs
MIBs | MIBs Link
MIBs related to AAA | To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
RADIUS server-based security database. • Networks already using RADIUS. You can add a Cisco NX-OS device with RADIUS to the network. This action might be the first step when you make a transition to a AAA server.
RADIUS Operation When a user attempts to log in and authenticate to a Cisco NX-OS device using RADIUS, the following process occurs: • The user is prompted for and enters a username and password.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:...
RADIUS requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
• You can configure a maximum of 64 RADIUS servers on the Cisco NX-OS device. • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
You can configure up to 64 RADIUS servers. Note By default, when you configure a RADIUS server IP address or hostname of the Cisco NX-OS device, the RADIUS server is added to the default RADIUS server group. You can also add the RADIUS server to another RADIUS server group.
(Optional) copy running-config startup-config
Copies the running configuration to the startup configuration.
Example: switch# copy running-config startup-config
Related Topics: Configuring a Key for a Specific RADIUS Server, on page 47

Configuring Global RADIUS Keys
You can configure RADIUS keys for all servers used by the Cisco NX-OS device. A RADIUS key is a shared secret text string between the Cisco NX-OS device and the RADIUS server hosts.
Configuring a Key for a Specific RADIUS Server You can configure a key on the Cisco NX-OS device for a specific RADIUS server. A RADIUS key is a secret text string shared between the Cisco NX-OS device and a specific RADIUS server.
You can configure these server groups at any time but they only take effect when you apply them to an AAA service. Before you begin Ensure that all servers in the group are RADIUS servers. SUMMARY STEPS 1. configure terminal
Step 6 (Optional) use-vrf vrf-name
Specifies the VRF to use to contact the servers in the server group.
Example: switch(config-radius)# use-vrf vrf1
Step 7 exit
Exits configuration mode.
Example:
Configures the global source interface for all RADIUS server groups configured on the device.
Example: switch(config)# ip radius source-interface mgmt 0
Step 3 exit
Exits configuration mode.
Example: switch(config)# exit switch#
By default, the Cisco NX-OS device forwards an authentication request based on the default AAA authentication method. You can configure the Cisco NX-OS device to allow the user to specify a VRF and RADIUS server to send the authentication request by enabling the directed-request option. If you enable this option, the user can log in as username@vrfname:hostname, where vrfname is the VRF to use and hostname is the name of a configured RADIUS server.
You can configure a global retransmission retry count and timeout interval for all RADIUS servers. By default, a Cisco NX-OS device retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco NX-OS device waits for responses from RADIUS servers before declaring a timeout failure.
Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server By default, a Cisco NX-OS device retries a transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. You can also set a timeout interval that the Cisco NX-OS device waits for responses from RADIUS servers before declaring a timeout failure.
RADIUS configuration to other Cisco NX-OS devices if you have enabled CFS configuration distribution for the user role feature.
Example: switch(config)# radius commit
Step 6 exit
Exits configuration mode.
Example:
The global configuration parameters include the username and password to use for the servers and an idle timer. The idle timer specifies the interval in which a RADIUS server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
The idle timer specifies the interval during which a RADIUS server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
Configuring Periodic RADIUS Server Monitoring on Individual Servers
Note The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the Cisco NX-OS device does not perform periodic RADIUS server monitoring. Before you begin Enable RADIUS.
You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco NX-OS device waits after declaring a RADIUS server is dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.
RSA SecurID token. Note The token code used for logging into the Cisco NX-OS device changes every 60 seconds. To prevent problems with device discovery, we recommend using different usernames that are present on the Cisco Secure ACS internal database.
Displays the RADIUS configuration in the startup configuration.
show radius-server [hostname | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Displays all configured RADIUS server parameters.

Monitoring RADIUS Servers
You can monitor the statistics that the Cisco NX-OS device maintains for RADIUS server activity. Before you begin Configure one or more RADIUS server hosts. SUMMARY STEPS 1. show radius-server statistics {hostname | ipv4-address | ipv6-address}...
Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide

Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs
MIBs | MIBs Link
MIBs related to RADIUS | To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
Additional References for TACACS+, on page 102 About TACACS+ The TACACS+ security protocol provides centralized validation of users attempting to gain access to a Cisco NX-OS device. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.
This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as your mother’s maiden name. 1. When the Cisco NX-OS device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.
You must configure the TACACS+ secret key to authenticate the switch to the TACACS+ server. A secret key is a secret text string shared between the Cisco NX-OS device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed).
The Cisco TACACS+ implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:...
• You can configure a maximum of 64 TACACS+ servers on the Cisco NX-OS device. • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
This section describes how to configure TACACS+ on a Cisco NX-OS device. Note If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Cisco NX-OS device. You can configure up to 64 TACACS+ servers. Note By default, when you configure a TACACS+ server IP address or hostname on the Cisco NX-OS device, the TACACS+ server is added to the default TACACS+ server group. You can also add the TACACS+ server to another TACACS+ server group.
Step 6 (Optional) show tacacs-server
Displays the TACACS+ server configuration.
Example: switch# show tacacs-server
Step 7 (Optional) copy running-config startup-config
Copies the running configuration to the startup configuration.
Example:
Configuring Global TACACS+ Keys You can configure secret TACACS+ keys at the global level for all servers used by the Cisco NX-OS device. A secret key is a shared secret text string between the Cisco NX-OS device and the TACACS+ server hosts.
TACACS+ protocol. The servers are tried in the same order in which you configure them. You can configure these server groups at any time but they only take effect when you apply them to an AAA service. Before you begin Enable TACACS+.
Related Topics: Enabling TACACS+, on page 73; Remote AAA Services, on page 10; Configuring TACACS+ Server Hosts, on page 73; Configuring the TACACS+ Dead-Time Interval, on page 87
You can configure the switch to allow the user to specify which TACACS+ server to send the authentication request by enabling the directed-request option. By default, a Cisco NX-OS device forwards an authentication
VRF to use and hostname is the name of a configured TACACS+ server. Note If you enable the directed-request option, the Cisco NX-OS device uses only the TACACS+ method for authentication and not the default local method. Note User-specified logins are supported only for Telnet sessions.
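The username@vrfname:hostname form appears in both the RADIUS and the TACACS+ directed-request sections. The added example below (not Cisco's code) parses that form and enforces the rules the guide states: the hostname must be a configured server, and a directed login uses only the remote method with no local fallback. The server names, VRF names and the per-VRF server table are constructed placeholders; treating the last '@' as the separator is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed configuration: remote AAA servers the device knows about, keyed
# by the VRF in which they are reachable (hostnames are placeholders).
CONFIGURED_SERVERS: Dict[str, FrozenSet[str]] = {
    "management": frozenset({"tacacs1.example.net", "tacacs2.example.net"}),
    "default": frozenset({"tacacs3.example.net"}),
}


@dataclass(frozen=True)
class LoginTarget:
    username: str
    vrf: Optional[str] = None      # None: the default AAA method decides
    server: Optional[str] = None
    local_fallback: bool = True    # False once a server is named explicitly


def parse_directed_login(login: str) -> LoginTarget:
    """Split the username@vrfname:hostname form the guide documents.

    Assumption: the last '@' separates the user from the target. Anything
    after it that is not exactly vrfname:hostname is rejected, not guessed.
    """
    if "@" not in login:
        return LoginTarget(username=login)
    username, _, target = login.rpartition("@")
    vrf, sep, host = target.partition(":")
    if not username or not sep or not vrf or not host:
        raise ValueError(f"expected username@vrfname:hostname, got {login!r}")
    # Per the guide's note: with directed-request the device uses only the
    # remote method for this login, not the default local method.
    return LoginTarget(username, vrf, host, local_fallback=False)


def select_server(login: str,
                  directed_request_enabled: bool,
                  servers: Dict[str, FrozenSet[str]] = CONFIGURED_SERVERS) -> LoginTarget:
    """Resolve which server should see the authentication request."""
    target = parse_directed_login(login)
    if target.server is None:
        return target                    # plain username: default AAA method
    if not directed_request_enabled:
        # Modelling choice: refuse outright rather than silently treat the
        # whole string as a username when the option is not enabled.
        raise PermissionError("directed-request is not enabled on this device")
    if target.server not in servers.get(target.vrf or "", frozenset()):
        raise LookupError(
            f"{target.server!r} is not a configured server in VRF {target.vrf!r}"
        )
    return target
```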
Configuring the Timeout Interval for a TACACS+ Server You can set a timeout interval, which determines how long the Cisco NX-OS device waits for responses from a TACACS+ server before declaring a timeout failure.
, on page 73 Configuring TCP Ports You can configure another TCP port for the TACACS+ servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 49 for all TACACS+ requests. Before you begin Enable TACACS+.
You can monitor the availability of all TACACS+ servers without having to configure the test parameters for each server individually. Any servers for which test parameters are not configured are monitored using the global level parameters.
The global configuration parameters include the username and password to use for the servers and an idle timer. The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
The idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco NX-OS device sends out a test packet. You can configure this option to test servers periodically, or you can run a one-time only test.
5 range is from 0 to 1440 minutes.
Step 4 exit
Exits configuration mode.
Example: switch(config)# exit switch#
Step 5 (Optional) show tacacs-server
Displays the TACACS+ server configuration.
Example:
You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.
, on page 73 Configuring Command Authorization on TACACS+ Servers You can configure authorization for commands on TACACS+ servers. Caution Command authorization disables user role-based authorization control (RBAC), including the default roles. Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x...
By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
Related Topics: Testing Command Authorization on TACACS+ Servers, on page 92
Testing Command Authorization on TACACS+ Servers
You can test the command authorization for a user on the TACACS+ servers.
You can enable and disable command authorization verification on the command-line interface (CLI) for the default user session or for another username.
Note: The commands do not execute when you enable authorization verification.
SUMMARY STEPS
1. terminal verify-only [username username]
When the feature privilege command is enabled, privilege roles inherit the permissions of lower level privilege roles.
Note: You must also configure the privilege level for the Cisco NX-OS device on the Cisco Secure Access Control Server (ACS).
Displays the username, current privilege level, and status of cumulative privilege support.
Example: switch(config)# show privilege
Step 6: (Optional) copy running-config startup-config. Copies the running configuration to the startup configuration.
Example:
You can manually issue a test message to a TACACS+ server or to a server group.
Before you begin: Enable TACACS+.
SUMMARY STEPS
1. test aaa server tacacs+ {ipv4-address | ipv6-address | hostname} [vrf vrf-name] username password
2. test aaa group group-name username password
Example: switch# copy running-config startup-config
Monitoring TACACS+ Servers
You can monitor the statistics that the Cisco NX-OS device maintains for TACACS+ server activity.
Before you begin: Configure TACACS+ servers on the Cisco NX-OS device.
SUMMARY STEPS
1. show tacacs-server statistics {hostname | ipv4-address | ipv6-address}...
The following example shows how to configure a TACACS+ server host and server group:
    feature tacacs+
    tacacs-server key 7 "ToIkLhPpG"
    tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
    aaa group server tacacs+ TacServer
      server 10.10.2.2
This section includes additional information related to implementing TACACS+.
Related Documents
Related Topic: Cisco NX-OS licensing. Document Title: Cisco NX-OS Licensing Guide
Related Topic: VRF configuration. Document Title: Cisco NX-OS 9000 Series NX-OS Unicast Routing Configuration Guide
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
MIBs: MIBs related to TACACS+. MIBs Link: To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
The Lightweight Directory Access Protocol (LDAP) provides centralized validation of users attempting to gain access to a Cisco NX-OS device. LDAP services are maintained in a database on an LDAP daemon running typically on a UNIX or Windows NT workstation. You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco NX-OS device are available.
The default password attribute type is userPassword.
LDAP Operation for User Login
When a user attempts a Password Authentication Protocol (PAP) login to a Cisco NX-OS device using LDAP, the following actions occur:
1. When the Cisco NX-OS device establishes a connection, it contacts the LDAP daemon to obtain the username and password.
The Cisco LDAP implementation supports one vendor-specific option using the format recommended in the IETF specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:
    protocol : attribute separator value *
The protocol is a Cisco attribute for a particular type of authorization, the separator is an = (equal sign) for mandatory attributes, and an * (asterisk) indicates optional attributes. When you use LDAP servers for authentication on a Cisco NX-OS device, LDAP directs the LDAP server to return user attributes, such as authorization information, along with authentication results.
• If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on a AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Related Topics: Configuring Periodic LDAP Server Monitoring, on page 119
Enabling or Disabling LDAP
By default, the LDAP feature is disabled on the Cisco NX-OS device. You must explicitly enable the LDAP feature to access the configuration and verification commands for authentication.
SUMMARY STEPS
1.
Cisco NX-OS device. You can configure up to 64 LDAP servers. Note By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.
[no] ldap-server host {ipv4-address | ipv6-address | hostname} rootDN root-name [password password [port tcp-port [timeout seconds] | timeout seconds]]
Specifies the rootDN for the LDAP server database and the bind password for the root.
Step 8: exit. Exits LDAP server group configuration mode.
Example: switch(config-ldap)# exit
switch(config)#
Step 9: (Optional) show ldap-server groups. Displays the LDAP server group configuration.
Example: switch(config)# show ldap-server groups
Configuring the Global LDAP Timeout Interval
You can set a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all LDAP servers before declaring a timeout failure.
Before you begin: Enable LDAP.
Configuring the Timeout Interval for an LDAP Server
You can set a timeout interval that determines how long the Cisco NX-OS device waits for responses from an LDAP server before declaring a timeout failure.
Before you begin: Enable LDAP.
Configuring TCP Ports
You can configure another TCP port for the LDAP servers if there are conflicts with another application. By default, Cisco NX-OS devices use port 389 for all LDAP requests.
Before you begin: Enable LDAP.
You can configure the dead-time interval for all LDAP servers. The dead-time interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive.
Related Topics: Enabling or Disabling LDAP, on page 110
Monitoring LDAP Servers
You can monitor the statistics that the Cisco NX-OS device maintains for LDAP server activity.
Before you begin: Configure LDAP servers on the Cisco NX-OS device.
SUMMARY STEPS
1.
Related Topics: Clearing LDAP Server Statistics, on page 123
Clearing LDAP Server Statistics
You can display the statistics that the Cisco NX-OS device maintains for LDAP server activity.
Before you begin: Configure LDAP servers on the Cisco NX-OS device.
SUMMARY STEPS
1.
The following example shows how to configure AAA authorization with certificate authentication for an LDAP server:
    aaa authorization ssh-certificate default group LDAPServer1 LDAPServer2
    exit
    show aaa authorization
Where to Go Next
You can now configure AAA authentication methods to include the server groups.
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
MIBs: MIBs related to LDAP. MIBs Link: To locate and download the supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
This section includes information about SSH and Telnet. SSH Server You can use the SSH server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.
The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers. SSH Server Keys SSH requires server keys for secure communications to the Cisco NX-OS device. You can use SSH server keys for the following SSH options: •...
• Due to the POODLE vulnerability, SSLv3 is no longer supported.
• IPSG is not supported on the following:
  • The last six 40-Gb physical ports on the Cisco Nexus 9372PX, 9372TX, and 9332PQ switches
  • All 40G physical ports on the Cisco Nexus 9396PX, 9396TX, and 93128TX switches
•...
Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.
Default Settings for SSH and Telnet
This table lists the default settings for SSH and Telnet parameters.
MD5. However, the md5 option has been added, if you want to see the fingerprint in MD5 format for backward compatibility.
Step 8: show run security all
Starting SSH Sessions You can start SSH sessions using IPv4 or IPv6 to connect to remote devices from the Cisco NX-OS device. Before you begin Obtain the hostname for the remote device and, if needed, the username on the remote device.
Configuring SSH Passwordless File Copy You can copy files from a Cisco NX-OS device to a secure copy (SCP) or secure FTP (SFTP) server without a password. To do so, you must create an RSA or DSA identity that consists of public and private keys for authentication with SSH.
.pub extension. You can now copy this key pair to any Cisco NX-OS device and use SCP or SFTP to copy the public key file (*.pub) to the home directory of the server.
Configuring SCP and SFTP Servers You can configure an SCP or SFTP server on the Cisco NX-OS device in order to copy files to and from a remote device. After you enable the SCP or SFTP server, you can execute an SCP or SFTP command on the remote device to copy the files to or from the Cisco NX-OS device.
(Optional) crypto ca crl request trustpoint bootflash:static-crl.crl
(Optional) show crypto ca certificates
(Optional) show crypto ca crl trustpoint
(Optional) show user-account
(Optional) show users
(Optional) copy running-config startup-config
The default is 0 (clear text).
Note: If you do not specify a password, the user might not be able to log in to the Cisco NX-OS device.
Note: If you create a user account with the encrypted password option, the corresponding SNMP user will not be created.
• ssh-rsa
Changing the Default SSH Server Port
Beginning with Cisco NX-OS Release 9.2(1), you can change the SSHv2 port number from the default port number 22. The encryption used while changing the default SSH port provides you with connections that...
Disabling the SSH Server
By default, the SSH server is enabled on the Cisco NX-OS device. You can disable the SSH server to prevent SSH access to the switch.
SUMMARY STEPS
1. configure terminal
2.
Copies the running configuration to the startup configuration.
Example: switch# copy running-config startup-config
Related Topics: Generating SSH Server Keys, on page 130
Clearing SSH Sessions
You can clear SSH sessions from the Cisco NX-OS device.
Configuring Telnet This section describes how to configure Telnet on the Cisco NX-OS device. Enabling the Telnet Server You can enable the Telnet server on the Cisco NX-OS device. By default, the Telnet server is disabled. SUMMARY STEPS 1. configure terminal 2.
Example: switch# copy running-config startup-config Starting Telnet Sessions to Remote Devices You can start Telnet sessions to connect to remote devices from the Cisco NX-OS device. You can start Telnet sessions using either IPv4 or IPv6. Before you begin Obtain the hostname or IP address for the remote device and, if needed, the username on the remote device.
Displays the SSH server configuration.
show telnet server: Displays the Telnet server configuration.
show username username keypair: Displays the public key for the specified user.
show user-account: Displays configured user account details.
The following example shows how to copy files from a Cisco NX-OS device to a secure copy (SCP) or secure FTP (SFTP) server without a password: Step 1 Generate the SSH public and private keys and store them in the home directory of the Cisco NX-OS device for the specified user. Example:...
On the SCP or SFTP server, append the public key stored in key_rsa.pub to the authorized_keys file.
Example: $ cat key_rsa.pub >> $HOME/.ssh/authorized_keys
You can now copy files from the Cisco NX-OS device to the server without a password using standard SSH and SCP commands.
Step 6: (Optional) Repeat this procedure for the DSA keys.
DN : /C = US, ST = New York, L = Metropolis, O = cisco , OU = csg, CN = user1; Algo: x509v3-sign-rsa
show users
NAME...
X.509v3 Certificates for Secure Shell Authentication (6187)
MIBs
MIBs: MIBs related to SSH and Telnet. MIBs Link: To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
About User Accounts and RBAC
You can create and manage user accounts and assign roles that limit access to operations on the Cisco NX-OS device. RBAC allows you to define the rules for an assigned role that restrict the authorization that the user has to access management operations.
All printable ASCII characters are supported in the password string if they are enclosed in quotation marks. If a password is trivial (such as a short, easy-to-decipher password), the Cisco NX-OS software will reject your password configuration if password-strength checking is enabled. Be sure to configure a strong password as shown in the sample configuration.
• You can assign a maximum of 64 user roles to a user account. • If you have a user account configured on the local Cisco NX-OS device that has the same name as a remote user account on an AAA server, the Cisco NX-OS software applies the user roles for the local user account to the remote user, not the user roles configured on the AAA server.
Enabling Password-Strength Checking
You can enable password-strength checking, which prevents you from creating weak passwords for user accounts.
Note: When you enable password-strength checking, the Cisco NX-OS software does not check the strength of existing passwords.
SUMMARY STEPS
1. configure terminal
2.
Related Topics Characteristics of Strong Passwords, on page 156 Configuring User Accounts You can create a maximum of 256 user accounts on a Cisco NX-OS device. User accounts have the following attributes: • Username • Password • Expiry date •...
NewUser ssh-cert-dn "/CN = NewUser, OU = Cisco Demo, O = Cisco, C = US"
512 characters and must follow the format shown in the examples. Make sure the email address and state are configured as emailAddress and ST, respectively.
Creating User Roles and Rules
Before you begin: If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed.
SUMMARY STEPS...
Applies the user role configuration changes in the temporary database to the running configuration.
Example: switch(config)# role commit
Step 13: (Optional) copy running-config startup-config. Copies the running configuration to the startup configuration.
Example: switch(config)# copy running-config startup-config
Creating Feature Groups You can create custom feature groups to add to the default list of features provided by the Cisco NX-OS software. These groups contain one or more of the features. You can create up to 64 feature groups.
Before you begin Create one or more user roles. If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed. SUMMARY STEPS 1.
Changing User Role VLAN Policies
You can change a user role VLAN policy to limit the VLANs that the user can access. By default, a user role allows access to all VLANs.
1-4
Step 5: exit. Exits role VLAN policy configuration mode.
Example: switch(config-role-vlan)# exit
switch(config-role)#
Step 6: (Optional) show role. Displays the role configuration.
Example: switch(config)# show role
VRFs. Before you begin Create one or more user roles. If you want to distribute the user role configuration, enable user role configuration distribution on all Cisco NX-OS devices to which you want the configuration distributed. SUMMARY STEPS 1.
Step 9: (Optional) copy running-config startup-config. Copies the running configuration to the startup configuration.
Example: switch(config-role)# copy running-config startup-config
Related Topics: Creating User Roles and Rules, on page 162
Before you begin If you plan to enter the no service password-recovery command, Cisco recommends that you save a copy of the system configuration file in a location away from the device.
To display user account and RBAC configuration information, perform one of the following tasks:
Command: show cli syntax roles network-admin. Purpose: Displays the syntax of the commands that the network-admin role can use.
The following example shows how to configure a user role that can configure only a specific interface:
    role name Int_Eth2-3_only
      rule 1 permit command configure terminal; interface *
      interface policy deny
        permit interface Ethernet2/3
    -------------------------------------------------------------------
    permit read-write 1.3.6.1.2.1.1.5
    deny read 1.3.6.1.2.1.1.9
    permit read feature snmp
Additional References for User Accounts and RBAC
This section includes additional information related to implementing user accounts and RBAC.
been modified by this feature.
MIBs
MIBs: MIBs related to user accounts and RBAC. MIBs Link: To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html
CHAPTER
Configuring 802.1X
This chapter describes how to configure IEEE 802.1X port-based authentication on Cisco NX-OS devices. This chapter includes the following sections:
• About 802.1X, on page 177
• Licensing Requirements for 802.1X, on page 183
•...
The specific roles are as follows:
Supplicant: The client device that requests access to the LAN and Cisco NX-OS device services and responds to requests from the Cisco NX-OS device. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system.
Note If 802.1X is not enabled or supported on the network access device, the Cisco NX-OS device drops any EAPOL frames from the supplicant. If the supplicant does not receive an EAP-request/identity frame after three attempts to start authentication, the supplicant transmits data as if the port is in the authorized state. A port in the authorized state means that the supplicant has been successfully authenticated.
Authenticator PAE Status for Interfaces
When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface.
Cisco NX-OS device grants the client access to the network. If an EAPOL packet is detected on the interface during the lifetime of the link, the Cisco NX-OS device determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAC authentication bypass) to authorize the interface.
Cisco NX-OS device puts the port in the authorized state. When the endpoint device leaves the port, the Cisco NX-OS device puts the port back into the unauthorized state. A security violation in 802.1X is defined as a detection of frames sourced from any MAC address other than the single MAC address authorized as a result of successful authentication.
802.1X Guidelines and Limitations
802.1X port-based authentication has the following configuration guidelines and limitations:
• When you upgrade the Cisco Nexus Series switch to Cisco NX-OS Release 9.2(1) using the (disruptive/non-disruptive) In-Service Software Upgrades (ISSU), you must first disable 802.1X using the no feature dot1x command and then enable it using the feature dot1x command for multi-authentication to work.
• The Cisco NX-OS software supports 802.1X authentication only on physical ports. • The Cisco NX-OS software does not support 802.1X authentication on port channels or subinterfaces. • The Cisco NX-OS software supports 802.1X authentication on member ports of a port channel but not on the port channel itself.
• Selective enabling or disabling of dot1x on N9K-M12PQ uplink module ports is not supported for Cisco Nexus 9300 platform switches.
• A security violation occurs when the same MAC address is learned on a different VLAN with dot1x enabled on the interface.
Configure the connection to the remote RADIUS server. Step 3 Enable 802.1X feature on the Ethernet interfaces. Enabling the 802.1X Feature You must enable the 802.1X feature on the Cisco NX-OS device before authenticating any supplicant devices. SUMMARY STEPS 1. configure terminal 2. feature dot1x 3.
Configuring AAA Authentication Methods for 802.1X You can use remote RADIUS servers for 802.1X authentication. You must configure RADIUS servers and RADIUS server groups and specify the default AAA authentication method before the Cisco NX-OS device can perform 802.1X authentication.
Enables 802.1X authentication on the interface.
Force-authorized: Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication. This state is the default.
Force-unauthorized: Disallows all traffic on the interface.
Example: switch# show dot1x interface ethernet 2/1
Step 7: (Optional) copy running-config startup-config. Copies the running configuration to the startup configuration.
Example: switch# copy running-config startup-config
You can create or remove the 802.1X authenticator port access entity (PAE) instance on an interface. Note By default, the Cisco NX-OS software creates the authenticator PAE instance on the interface when you enable 802.1X on an interface. Before you begin Enable the 802.1X feature.
The default is 3600 seconds. The range is from 1 to 65535.
Example: switch(config-if)# dot1x timeout re-authperiod 3300
Note: This command affects the behavior of the Cisco NX-OS device only if you enable periodic reauthentication on the interface.
Example: switch# dot1x re-authenticate interface 2/1 Manually Initializing 802.1X Authentication You can manually initialize the authentication for all supplicants on a Cisco NX-OS device or for a specific interface. Note Initializing the authentication clears any existing authentication status before starting the authentication process for the client.
The authentication server notifies the switch each time that it receives a Layer 4 packet. If the switch does not receive a notification after sending a packet, the Cisco NX-OS device waits a set period of time and then retransmits the packet. The default is 30 seconds. The range is from 1 to 65535 seconds.
Sets the number of seconds that the authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated. The default value is 0 seconds. The range is from 1 to 65535 seconds.
Example: switch(config-if)# dot1x timeout ratelimit-period
You can enable MAC authentication bypass on an interface that has no supplicant connected.
Before you begin: Enable the 802.1X feature on the Cisco NX-OS device.
SUMMARY STEPS
1. configure terminal
2. interface ethernet slot/port
You can enable single host or multiple hosts mode on an interface.
Before you begin: Enable the 802.1X feature on the Cisco NX-OS device.
SUMMARY STEPS
1. configure terminal
2. interface ethernet slot/port
Displays all 802.1X feature status and configuration information.
Example: switch# show dot1x all
Step 7: (Optional) copy running-config startup-config. Copies the running configuration to the startup configuration.
Example: switch(config)# copy running-config startup-config
Disabling 802.1X Authentication on the Cisco NX-OS Device
You can disable 802.1X authentication on the Cisco NX-OS device. By default, the Cisco NX-OS software enables 802.1X authentication after you enable the 802.1X feature. However, when you disable the 802.1X feature, the configuration is removed from the Cisco NX-OS device.
You can disable the 802.1X feature on the Cisco NX-OS device. When you disable 802.1X, all related configurations are automatically discarded. The Cisco NX-OS software creates an automatic checkpoint that you can use if you reenable 802.1X and want to recover the configuration.
Displays all 802.1X feature status and configuration information.
Example: switch(config)# show dot1x all
Step 6: (Optional) copy running-config startup-config. Copies the running configuration to the startup configuration.
Example: switch(config)# copy running-config startup-config
Setting the Maximum Authenticator-to-Supplicant Frame for an Interface You can set the maximum number of times that the Cisco NX-OS device retransmits authentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.
Example
This example shows how to enable the 802.1x feature:
    switch# configure terminal
    switch(config)# aaa accounting dot1x default group radius
    switch(config)# exit
    switch# show aaa accounting
    switch# copy running-config startup-config
Setting the Maximum Reauthentication Retry Count on an Interface You can set the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.
Displays the 802.1X feature configuration in the startup configuration. For detailed information about the fields in the output from these commands, see the Cisco NX-OS Security Command Reference for your platform. 802.1X Support for VXLAN EVPN Guidelines and Limitations for 802.1X Support for VXLAN EVPN The following are the guidelines and limitations for 802.1X support for VXLAN EVPN:...
• You must not configure static and secure MAC together.
• The Cisco Nexus 9504 and 9508 switches with -R line cards are not supported.
Configuring 802.1X Support for VXLAN EVPN
This procedure configures 802.1X for VXLAN EVPN.
    RateLimitPeriod = 0
    InactivityPeriod = 0
    Mac-Auth-Bypass = Enabled
Monitoring 802.1X
You can display the statistics that the Cisco NX-OS device maintains for the 802.1X activity.
Before you begin: Enable the 802.1X feature on the Cisco NX-OS device.
SUMMARY STEPS
1.
PPP Extensible Authentication Protocol (EAP)
RFC 3580: IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
MIBs
MIBs: IEEE8021-PAE-MIB. MIBs Link: To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
CHAPTER
Configuring IP ACLs
This chapter describes how to configure IP access control lists (ACLs) on Cisco NX-OS devices. Unless otherwise specified, the term IP ACL refers to IPv4 and IPv6 ACLs. This chapter includes the following sections:
•
Egress router ACLs are not supported on subinterfaces and on Cisco Nexus 9300 Series switch uplink ports.
Note: You must enable VLAN interfaces globally before you can configure a VLAN interface.
If the packet is bridged within the ingress VLAN, the device does not apply router ACLs.
Figure 7: Order of ACL Application
The following figure shows the order in which the device applies ACLs.
For example, you can use 0x0800 to specify IP traffic in a MAC ACL rule. In IPv4 and IPv6 ACLs, you can specify protocols by the integer that represents the Internet protocol number.
105 to the new rule. Removing a rule Without using a sequence number, removing a rule requires that you enter the whole rule, as follows: switch(config-acl)# no permit tcp 10.0.0.0/8 any Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x...
Logical Operators and Logical Operation Units IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers. Cisco NX-OS supports logical operators in only the ingress direction.
Page 246
Note The order of rules in a time range does not affect how a device evaluates whether a time range is active. Cisco NX-OS includes sequence numbers in time ranges to make editing the time range easier. Time ranges also allow you to include remarks, which you can use to insert comments into a time range.
Note: Policy-based routing (PBR) ACLs do not support deny access control entries (ACEs) or deny commands to configure a rule.
Atomic ACL Updates By default, when a supervisor module of a Cisco Nexus 9000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to;...
TCAM regions to make room for new requirements. On Cisco Nexus 9200 Series switches, the egress TCAM size is 2K, and the ingress TCAM size is 4K. The concepts of TCAM slices and single- and double-wide regions do not apply to these switches. For example, the ing-ifacl region can host IPv4, IPv6, or MAC type entries.
512 entries). • RACL v6, CoPP, and multicast have default TCAM sizes and these TCAM sizes must be non-zero on the following Cisco Nexus 9504 and Cisco Nexus 9508 line cards to avoid line card failure during reload: • N9K-X96136YC-R •...
Note: For traffic that needs to be classified on 40G ports on Cisco Nexus 9300 Series switches, you must carve the qos regions and the corresponding ns-*qos regions.
VLAN source or VLAN filter SPAN (for Cisco Nexus 9500 or 9300 Series switches); Rx SPAN on 40G ports (for Cisco Nexus 9300 Series switches only): TCAM region span.
For Cisco Nexus 9200 Series switches, BFD uses the ing-sup region while DHCPv4 relay, DHCPv4 snooping, and DHCPv4 client use the ing-redirect region.
CoPP: TCAM region copp. Note: The region size cannot be 0.
No license is required to use IP ACLs. Any feature not included in a license package is bundled with the NX-OS image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
1000 rules. For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide. • Configuring IPv4 PACLs in the range of 12k to 64k is supported on Cisco Nexus 9500 Series switches with -RX line cards.
(encapsulation path) are not supported. • Cisco Nexus 9300 and 9500 Series switches, and Cisco Nexus 9200 and 9300-EX Series switches have the following limitations for ACL options that can be used on VXLAN traffic: •...
• An RACL applied on a Layer 3 physical or logical interface does not match multicast traffic. If multicast traffic must be blocked, use a PACL instead. This behavior applies to Cisco Nexus 9200, 9300, 9300-EX, and 9500 Series switches and Cisco Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches.
• RACLs cannot match on packets with multicast MAC destination addresses.
• On Cisco Nexus 9200 and 9300-EX Series switches, the log option of an RACL does not take effect, because the sup-redirect ACLs have higher priority for traffic destined to the supervisor.
3. (Optional) fragments {permit-all | deny-all}
4. [sequence-number] {permit | deny} protocol {source-ip-prefix | source-ip-mask} {destination-ip-prefix | destination-ip-mask}
5. (Optional) statistics per-entry
6. (Optional) Enter one of the following commands:
Step 6 (Optional) Enter one of the following commands: Displays the IP ACL configuration.
• show ip access-lists name
• show ipv6 access-lists name
Example: switch(config-acl)# show ip access-lists acl-01
• show ip access-lists name
• show ipv6 access-lists name
8. (Optional) copy running-config startup-config
DETAILED STEPS
Command or Action | Purpose
Step 1 configure terminal | Enters global configuration mode.
Example: switch# configure terminal
switch(config)#
Step 8 (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration.
Example: switch(config-acl)# copy running-config startup-config
Related Topics: Changing Sequence Numbers in an IP ACL, on page 238
The difference in numbers is determined by the increment that you specify.
Example: switch(config)# resequence access-list ip acl-01 100 10
The starting-sequence-number argument and the
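The sequence-number behaviour described above (insertion by number, removal by number versus retyping the whole rule, and resequence with a start value and increment), as an added Python model that is not Cisco code and does not talk to a switch. The default increment of 10 for rules added without a sequence number is an assumption of this model.

```python
"""Model of NX-OS IP ACL sequence-number handling (added example, not Cisco code).

Rules are kept as (sequence, rule_text) pairs sorted by sequence. It mirrors the
guide's description: a rule added with an explicit sequence number lands between
its neighbours, removing by sequence number does not require retyping the rule,
and `resequence access-list ip NAME START INCREMENT` renumbers in order.
"""

DEFAULT_INCREMENT = 10   # assumption: next free number is highest + 10


class IpAcl:
    def __init__(self, name):
        self.name = name
        self.rules = []                     # list of (seq, rule_text)

    def add(self, rule_text, seq=None):
        """Add a rule; without a sequence number it goes after the last rule."""
        if seq is None:
            seq = (self.rules[-1][0] + DEFAULT_INCREMENT) if self.rules else DEFAULT_INCREMENT
        if any(s == seq for s, _ in self.rules):
            raise ValueError(f"sequence {seq} already in use in {self.name}")
        self.rules.append((seq, rule_text))
        self.rules.sort(key=lambda r: r[0])
        return seq

    def remove_by_seq(self, seq):
        """`no 100` style removal: only the number is needed."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r[0] != seq]
        return len(self.rules) != before

    def remove_by_text(self, rule_text):
        """`no permit tcp 10.0.0.0/8 any` style removal: the whole rule must match."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r[1] != rule_text]
        return len(self.rules) != before

    def resequence(self, start, increment):
        """Renumber every rule, first rule = start, then start + increment, ..."""
        self.rules = [(start + i * increment, text) for i, (_, text) in enumerate(self.rules)]
        return [s for s, _ in self.rules]

    def show(self):
        """Lines in the form `show ip access-lists` prints them."""
        return [f"{seq} {text}" for seq, text in self.rules]
```

Resequencing is what makes room to insert a rule "in the middle" when the existing numbers are consecutive; the model raises on a duplicate sequence number so that case is visible rather than silently overwritten.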
You can change the size of the ACL ternary content addressable memory (TCAM) regions in the hardware. You can use this procedure for all Cisco Nexus 9200, 9300, and 9500 Series switches and the Cisco Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches, except for NFE2-enabled devices (such as the X9432C-S 100G line card and the C9508-FM-S fabric module), which must use TCAM templates to configure ACL TCAM region sizes.
• e-qos-lite—Configures the size of the IPv4 egress QoS lite TCAM region.
• e-racl—Configures the size of the IPv4 egress router ACL (ERACL) TCAM region.
• fex-ifacl—Configures the size of the FEX IPv4 port ACL TCAM region.
• ing-l2qos—Configures the size of the ingress Layer 2 QoS TCAM region (Cisco Nexus 9200 switches only).
• ing-l2-span-filter—Configures the size of the ingress Layer 2 SPAN filter TCAM region (Cisco Nexus 9200 and 9300-EX switches only).
• l3qos-lite—Configures the size of the IPv4 Layer 3 QoS lite TCAM region.
• mac-ifacl—Configures the size of the MAC port ACL TCAM region.
• mac-l3qos—Configures the size of the MAC Layer 3 QoS TCAM region.
X9564TX line cards and the M12PQ generic expansion module (GEM).
• ns-mac-vqos—Configures the size of the MAC VLAN QoS TCAM region for the X9536PQ, X9564PX, and X9564TX line cards and the M12PQ generic expansion module (GEM).
100G M4PC generic expansion module (GEM).
• rp-qos—Configures the size of the IPv4 port QoS TCAM region for the 100G 9408PC line card and the 100G M4PC generic expansion module (GEM).
ERSPAN. For more information and configuration instructions, see the latest Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.
Step 3 copy running-config startup-config | Copies the running configuration to the startup configuration.
Example:
Verifying Traffic Storm Control Configuration, on page 436.
The following example shows how to change the size of the RACL TCAM region on a Cisco Nexus 9500 Series switch:
switch(config)# hardware access-list tcam region racl 256
[SUCCESS] New tcam size will be applicable only at boot time.
512
[SUCCESS] New tcam size will be applicable only at boot time. You need to 'copy run start' and 'reload'
switch(config)# copy running-config startup-config
You can create and apply custom templates to configure ACL TCAM region sizes. For all Cisco Nexus 9200, 9300, and 9500 Series switches and the Cisco Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches, you can use this procedure or the "Configuring ACL TCAM Region Sizes"...
The default TCAM region configuration varies by platform and does not accommodate all TCAM regions. To enable any desired regions, you must decrease the TCAM size of one region and then increase the TCAM size for the desired region.
Configuring TCAM Carving Note For information on configuring QoS TCAM carving, see the Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide. The following tables list the default sizes for the ingress and egress TCAM regions on different platforms.
Table 18: Default TCAM Region Configuration (Egress) - For Cisco Nexus 9300-FX Series Switches
Region Name | Size | Width | Total Size
IPv4 RACL | 1792 | | 1792
System | | |
Table 19: Default TCAM Region Configuration (Ingress) - For Cisco Nexus 9300-EX Series Switches...
Region Name | Size | Width | Total Size
IPv4 VACL | | |
IPv4 RACL | | |
System | | |
Table 23: Default TCAM Region Configuration (Ingress) - For Layer 2-to-Layer 3 Configurations on Cisco Nexus 9200 Series Switches
Region Name | Size | Width | Total Size
Ingress NAT | | |
Ingress port ACL...
Table 24: Default TCAM Region Configuration (Egress) - For Layer 2-to-Layer 3 Configurations on Cisco Nexus 9200 Series Switches
Region Name | Size | Width | Total Size
Egress VACL | | |
Egress RACL | 1536 | | 1536
Egress supervisor | 2048 | |...
To set the size of the ingress IPv6 RACL TCAM region on a Cisco Nexus 9500 Series switch, perform one of two options.
Option #1: Reduce the ingress IPv4 RACL by 512 entries (1536 - 512 = 1024) and add an ingress IPv6 RACL with 512 entries. This option is preferred.
If TCAM for a particular feature is not configured and you try to apply a feature that requires TCAM carving, the following message appears:
ERROR: Module x returned status: TCAM region is not configured. Please configure TCAM region and retry the command.
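The carving rule above (free entries in one region before growing another, keep the total within the TCAM, and never leave a mandatory region such as copp at size 0) as an added Python checker. This is not Cisco tooling; region names, the 4K capacity (the ingress TCAM size the guide gives for Cisco Nexus 9200 Series switches) and the assumption that the IPv6 RACL region is double-wide are all constructed for the example, so the 512 slots freed from the IPv4 RACL hold 256 IPv6 entries here; on a platform where that region is single-wide the same call yields 512.

```python
"""TCAM carve-plan checker (added example, not Cisco tooling).

A plan maps region name -> number of entries. A double-wide region consumes two
TCAM slots per entry, so the check is done in slots. CAPACITY, WIDTHS and BASE are
constructed assumptions for the example, not a platform's real defaults.
"""

CAPACITY = 4096                     # assumption: a 4K ingress TCAM
WIDTHS = {"ipv6-racl": 2}           # assumption: IPv6 RACL entries are double-wide
BASE = {                            # constructed default carve that exactly fills the TCAM
    "ifacl": 512, "vacl": 512, "racl": 1536, "copp": 256,
    "span": 512, "redirect": 256, "sup": 512,
}
MANDATORY = ("copp",)               # the guide: the copp region size cannot be 0


def slots(plan, widths):
    """TCAM slots the plan consumes: entries times width (default width 1)."""
    return sum(size * widths.get(region, 1) for region, size in plan.items())


def check_plan(plan, capacity, widths, mandatory=MANDATORY):
    """Return a list of problems; an empty list means the plan can be committed."""
    problems = []
    for region in mandatory:
        if plan.get(region, 0) == 0:
            problems.append(f"{region}: region size cannot be 0")
    used = slots(plan, widths)
    if used > capacity:
        problems.append(f"plan uses {used} slots but capacity is {capacity}")
    return problems


def carve(plan, capacity, widths, shrink, grow, entries):
    """Take `entries` entries from region `shrink`, then grow region `grow` by as
    many entries as the freed slots allow (width-aware). Returns the new plan and
    raises ValueError if the result would not be committable."""
    have = plan.get(shrink, 0)
    if have < entries:
        raise ValueError(f"{shrink} has only {have} entries, cannot free {entries}")
    new = dict(plan)
    new[shrink] = have - entries
    freed = entries * widths.get(shrink, 1)
    new[grow] = new.get(grow, 0) + freed // widths.get(grow, 1)
    problems = check_plan(new, capacity, widths)
    if problems:
        raise ValueError("; ".join(problems))
    return new
```

Run the checker before `copy running-config startup-config` and the reload: the switch only tells you the new size "will be applicable at boot time", so a plan that does not fit, or that zeroes copp, is otherwise found only when the line card fails to come up.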
Sizes, on page 240
Configuring UDF-Based Port ACLs
You can configure UDF-based port ACLs for Cisco Nexus 9200, 9300, and 9300-EX Series switches. This feature enables the device to match on user-defined fields (UDFs) and to apply the matching packets to an IPv4 port ACL.
The number of UDFs that can be attached to a TCAM region varies by platform. You can attach up to 2 UDFs for Cisco Nexus 9200 switches, up to 8 UDFs for Cisco Nexus 9300...
Example: switch(config)# hardware access-list tcam region
ACLs applied to these interface types are considered router ACLs.
Note: Egress router ACLs are not supported on subinterfaces and on Cisco Nexus 9300 Series switch uplink ports.
Before you begin
Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.
You can apply an IPv4 or IPv6 ACL to a Layer 2 interface, which can be a physical port or a port channel. ACLs applied to these interface types are considered port ACLs.
Only inbound filtering is supported with port ACLs. You can apply one port ACL to an interface.
• ip port access-group access-list in
• ipv6 port traffic-filter access-list in
Example: switch(config-if)# ip port access-group acl-l2-marketing-group in
12. hardware rate-limiter access-list-log packets
13. acllog match-log-level severity-level
14. (Optional) show logging ip access-list cache [detail]
Configures the log-update interval (in seconds) for the ACL logging process. The default value is 300 seconds. The range is from 5 to 86400 seconds.
Example: switch(config)# logging ip access-list cache interval 490
You can configure ACLs to intercept and redirect specific HTTP methods to a server that is connected to a specific port. The following HTTP methods can be redirected:
• connect
• delete
• get
• head
• post
• delete—Matches HTTP packets with the DELETE method [0x44454c45]
• get—Matches HTTP packets with the GET method [0x47455420]
• head—Matches HTTP packets with the HEAD method [0x48454144]
• post—Matches HTTP packets with the POST method [0x504f5354]
10 permit tcp any any http-method get tcp-option-length 4 redirect port-channel4001
switch(config-acl)# 20 permit tcp any any http-method post redirect port-channel4001
switch(config-acl)# statistics per-entry
switch(config)# interface Ethernet 1/33
switch(config-if)# ip port access-group http-redirect-acl in
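The bracketed hex values in the method list above are simply the first four ASCII bytes of the HTTP request line: 0x47455420 is "GET " including the trailing space, 0x44454c45 is "DELE". The following added Python script (not Cisco code) derives each signature from the method name, confirms it against the values the guide prints, and classifies constructed TCP payloads by that four-byte prefix. It generalises to the connect method, whose hex value the excerpt above does not list, by the same rule; whether the hardware match looks at anything beyond those four bytes is not stated on the page and is not assumed here.

```python
"""HTTP-method signatures for `http-method` ACL matching (added example, not Cisco code).

The signature of a method is the big-endian 32-bit value of the first four bytes of
the request line: the upper-case method name, space-padded to four characters.
"""

import struct

# Methods the guide lists as redirectable.
REDIRECTABLE_METHODS = ("connect", "delete", "get", "head", "post")


def method_signature(method):
    """32-bit signature of the method's first four request-line bytes, e.g. 'GET '."""
    word = method.upper().ljust(4)[:4].encode("ascii")
    return struct.unpack("!I", word)[0]


def signature_table():
    """Map each redirectable method to its hex signature, as the guide prints them."""
    return {m: f"0x{method_signature(m):08x}" for m in REDIRECTABLE_METHODS}


def classify_payload(payload):
    """Return the lower-case method name when the TCP payload begins with a
    redirectable method signature, otherwise None. Payloads shorter than four
    bytes cannot carry a signature."""
    if len(payload) < 4:
        return None
    sig = struct.unpack("!I", payload[:4])[0]
    for method in REDIRECTABLE_METHODS:
        if sig == method_signature(method):
            return method
    return None
```

Because "GET" is matched as "GET " (with the space), a payload such as "GETX" does not match; conversely any payload whose first four bytes happen to be "POST" is treated as a POST, regardless of what follows.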
Displays the ACL startup configuration.
Note: This command displays the user-configured ACLs in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
The following example shows how to configure IPv4 ACL logging:
switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list logging-test
• The system PACL is supported for Layer 2 interface only. • Up to 10K ACEs are supported with all other basic features for the switch to come up on Cisco Nexus 9500 Series switches with -R line cards. The hardware capacity on Cisco Nexus 9500 Series switches with -RX line cards is 64K ACEs.
It denies all the traffic during ACL updates.
• The atomic ACL update is not supported on Cisco Nexus -R series line cards, but the non-atomic update (hardware access-list update default-result) is supported on Cisco Nexus -R series line cards.
50 permit ip 1.4.1.1/32 100.100.100.100/32
60 permit ip 1.5.1.1/32 100.100.100.100/32
70 permit ip 1.6.1.1/32 100.100.100.100/32
80 permit ip 1.7.1.1/32 100.100.100.100/32
90 permit ip 1.8.1.1/32 100.100.100.100/32
switch# sh ip access-lists test summary
SPAN [span] size =
Ingress COPP [copp] size =
Ingress Flow Counters [flow] size =
switch#
To view ACL related tech support information, use the show tech-support aclmgr and show tech-support aclqos commands.
Session Manager supports the configuration of object groups. This feature allows you to create a configuration session and verify your object group configuration changes prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.
You can create and change an IPv6 address group object.
SUMMARY STEPS
1. configure terminal
2. object-group ipv6 address name
3. Enter one of the following commands:
• [sequence-number] host IPv6-address
• [sequence-number] IPv6-address/prefix-len
• [sequence-number] IPv6-address network-wildcard
• no host IPv6-address
• no IPv6-address/prefix-len
• no IPv6-address network-wildcard
Example: switch(config-ipv6addr-ogroup)# no host 2001:db8:0:3ab0::1
Step 5 (Optional) show object-group name | Displays the object group configuration.
Example: switch(config-ipv6addr-ogroup)# show object-group ipv6-addr-group-A7
• lt—Matches port numbers that are less than (and not equal to) the port number that you specify.
• neq—Matches all port numbers except for the port number that you specify.
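How the port operators combine with first-match ACL evaluation, as an added Python model (not Cisco code). It implements eq, neq, gt, lt and range as defined above (gt and lt exclude the boundary port) together with the implicit deny at the end of an IP ACL; the ACL, the packets and the restriction to destination-port operators are constructed for the example.

```python
"""First-match IP ACL evaluation with TCP/UDP port operators (added example, not Cisco code).

Rules are ACE dicts ordered by sequence number; packets are dicts with proto, src,
dst and (for TCP/UDP) dport. Only destination-port operators are modelled.
"""

import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def port_matches(op, args, port):
    """True when `port` satisfies operator `op` with operand(s) `args`."""
    if op is None:
        return True                   # the rule has no port qualifier
    if op == "eq":
        return port == args[0]
    if op == "neq":
        return port != args[0]
    if op == "gt":
        return port > args[0]         # greater than, not equal to
    if op == "lt":
        return port < args[0]         # less than, not equal to
    if op == "range":
        return args[0] <= port <= args[1]
    raise ValueError(f"unknown port operator {op!r}")


def _net(spec):
    return ANY if spec == "any" else ipaddress.ip_network(spec, strict=False)


def rule(seq, action, proto, src, dst, dport_op=None, dport_args=()):
    """Build one ACE; src/dst are 'any' or a prefix such as '10.0.0.0/8'."""
    return {"seq": seq, "action": action, "proto": proto, "src": _net(src),
            "dst": _net(dst), "dport_op": dport_op, "dport_args": tuple(dport_args)}


def evaluate(acl, pkt):
    """Return (action, seq) of the first matching ACE, or ('deny', None) when the
    packet falls through to the implicit deny."""
    for r in sorted(acl, key=lambda r: r["seq"]):
        if r["proto"] not in ("ip", pkt["proto"]):
            continue
        if ipaddress.ip_address(pkt["src"]) not in r["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in r["dst"]:
            continue
        if r["dport_op"] is not None:
            if pkt["proto"] not in ("tcp", "udp"):
                continue              # port operators apply only to TCP/UDP
            if not port_matches(r["dport_op"], r["dport_args"], pkt["dport"]):
                continue
        return r["action"], r["seq"]
    return "deny", None


# Constructed ACL for the example.
ACL = [
    rule(10, "permit", "tcp", "10.0.0.0/8", "any", "eq", [443]),
    rule(20, "deny", "tcp", "any", "any", "lt", [1024]),
    rule(30, "permit", "udp", "any", "192.0.2.0/24", "range", [10000, 20000]),
    rule(40, "permit", "tcp", "any", "any", "neq", [23]),
]
```

Note how rule 20 with `lt 1024` lets port 1024 itself through to rule 40, which is the boundary behaviour the definitions above describe; an ACL written on the assumption that lt is inclusive has an off-by-one hole.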
Session Manager supports the configuration of time ranges. This feature allows you to create a configuration session and verify your time-range configuration changes prior to committing them to the running configuration. For more information about Session Manager, see the Cisco Nexus 9000 Series NX-OS System Management Configuration Guide.
Step 7 (Optional) show time-range name | Displays the time-range configuration.
Example: switch(config-time-range)# show time-range workday-daytime
Step 8 (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration.
Example:
The following keywords are also valid values for the list-of-weekdays argument:
• daily —All days of the week.
Example: switch(config-time-range)# 100 periodic weekdays 05:00:00 to 22:00:00
ACL. Instead, the device considers the ACL rule using the removed time range to be empty.
SUMMARY STEPS
1. configure terminal
Assigns sequence numbers to the rules contained in the time range, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule by the increment that you specify.
Example:
Displays the time-range configuration.
show running-config aclmgr | Displays ACL configuration, including all time ranges.
Additional References for IP ACLs
Related Documents
Related Topic | Document Title
TAP aggregation | Configuring TAP Aggregation and MPLS Stripping
CHAPTER: Configuring MAC ACLs
This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices. This chapter contains the following sections: • About MAC ACLs, on page 285 • Licensing Requirements for MAC ACLs, on page 286 •...
• MAC packet classification is not supported when MAC ACLs are used as match criteria for QoS policies on Cisco Nexus 9300 Series switch 40G uplink ports.
• When you define a MAC ACL on non-EX/FX Cisco Nexus 9000 Series switches, you must define the ethertype for the traffic to be appropriately matched.
Displays the MAC ACL configuration.
Example: switch(config-mac-acl)# show mac access-lists acl-mac-01
Step 6 (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration.
Example: switch(config-mac-acl)# copy running-config startup-config
Specifies that the device maintains global statistics for packets that match the rules in the ACL. The no option stops the device from maintaining global statistics for the ACL.
Example: switch(config-mac-acl)# statistics per-entry
Displays the MAC ACL configuration.
Example: switch(config)# show mac access-lists acl-mac-01
Step 4 (Optional) copy running-config startup-config | Copies the running configuration to the startup configuration.
Example: switch(config)# copy running-config startup-config
Ensure that the ACL that you want to apply exists and is configured to filter traffic in the manner that you need for this application.
SUMMARY STEPS
1. configure terminal
Applying a MAC ACL as a VACL
You can apply a MAC ACL as a VACL.
Enabling or Disabling MAC Packet Classification
You can enable or disable MAC packet classification on a Layer 2 interface.
MAC packet classification on the interface.
Example: switch(config-if)# mac packet-classify
Step 4 (Optional) Enter one of the following commands:
• show running-config interface ethernet slot/port | Displays the running configuration of the Ethernet interface.
show mac access-lists | Displays the MAC ACL configuration. If the MAC ACL includes the statistics per-entry command, the show mac access-lists command output includes the number of packets that have matched each rule.
00c0.4f00.0000 0000.00ff.ffff any 0x0806
interface ethernet 2/1
mac port access-group acl-mac-01
Additional References for MAC ACLs
Related Documents
Related Topic | Document Title
TAP aggregation | Configuring TAP Aggregation and MPLS Stripping

CHAPTER: Configuring VLAN ACLs
This chapter describes how to configure VLAN access lists (ACLs) on Cisco NX-OS devices. This chapter includes the following sections: • About VLAN ACLs, on page 295 • Licensing Requirements for VACLs, on page 296 •...
VACLs require no license. Any feature not included in a license package is bundled with the image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
Guidelines and Limitations for VACLs VACLs have the following configuration guidelines: • Cisco recommends using the Session Manager to configure ACLs. This feature allows you to verify the ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.
Step 3 Enter one of the following commands: Specifies an ACL for the access-map entry.
• match {ip | ipv6} address ip-access-list
• match mac address mac-access-list
Example:
Step 2 [no] vlan filter map-name vlan-list list | Applies the VACL to the VLANs by the list that you specified. The no option unapplies the VACL.
Example:
Displays the VACL configuration. If the VLAN access-map includes the statistics per-entry command, the show vlan access-list command output includes the number of packets that have matched each rule.
clear vlan access-list counters | Clears statistics for VACLs.
50-82
Additional References for VACLs
Related Documents
Related Topic | Document Title
QoS configuration | Cisco Nexus 9000 Series NX-OS Quality of Service Configuration Guide

CHAPTER: Configuring Port Security
This chapter describes how to configure port security on Cisco NX-OS devices. This chapter includes the following sections: • About Port Security, on page 303 • Licensing Requirements for Port Security, on page 309 •...
A sticky secure MAC address entry remains in the configuration of an interface until one of the following events occurs:
• You explicitly remove the address
• You configure the interface to act as a Layer 3 interface
The length of time after the device last received a packet from the address on the applicable interface.
Note: This feature is supported only on Cisco Nexus 9200 and 9300-EX Series switches.
Absolute: The length of time after the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.
Restrict or Protect, the violation is logged in the system log. Because a MAC move violation results in the interface being error disabled, irrespective of the violation mode configured, we recommend using the errdisable command to enable automatic errdisable recovery. Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x...
Note: You cannot configure port security on VXLAN interfaces.
Note: Port security is supported for FEX interfaces only in non-vPC deployments on Cisco Nexus 9300-EX Series switches.
Port Security and Port-Channel Interfaces
Port security is supported on Layer 2 port-channel interfaces. Port security operates on port-channel interfaces in the same manner as on physical interfaces, except as described in this section.
To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.
Port security requires no license. Any feature not included in a license package is bundled with the NX-OS image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
• Port security is supported for FEX interfaces only in non-vPC deployments on Cisco Nexus 9300-EX Series switches. • There is no supported method of disabling the USB port on Cisco Nexus 9000 Series switches. • After configuring the association between the primary and secondary VLANs and deleting the association, all static MAC addresses that were created on the primary VLANs remain on the primary VLAN only.
• On a secondary vPC port, there is no limit check for static MACs configured. Cisco recommends that you configure the same number of static MACs on a secondary vPC port as defined in the maximum MAC count.
By default, sticky MAC address learning is disabled.
Before you begin
You must have enabled port security globally.
SUMMARY STEPS
1. configure terminal
2. Enter one of the following commands:
Copies the running configuration to the startup configuration.
Example: switch(config-if)# copy running-config startup-config
Adding a Static Secure MAC Address on an Interface
You can add a static secure MAC address on a Layer 2 interface.
Use the vlan keyword if you want to specify the VLAN that traffic from the address is allowed
Example: switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE
Step 4 (Optional) show running-config port-security | Displays the port security configuration.
Example:
Removes the static secure MAC address from port security on the current interface.
Example: switch(config-if)# no switchport port-security mac-address 0019.D2D0.00AE
Step 4 (Optional) show running-config port-security | Displays the port security configuration.
Example:
Enters interface configuration mode for the interface from which you want to remove a sticky secure MAC address.
• interface ethernet slot/port
• interface port-channel channel-number
Example: switch(config)# interface ethernet 2/1
switch(config-if)#
1. configure terminal
2. Enter one of the following commands:
• interface ethernet slot/port
• interface port-channel channel-number
3. [no] switchport port-security maximum number [vlan vlan-ID]
4. (Optional) show running-config port-security
MAC addresses learned by the dynamic method have reached their age limit. Absolute aging is the default aging type. By default, the aging time is 0 minutes, which disables aging.
Before you begin
You must have enabled port security globally.
10 minutes, the age out occurs between 10 and 12 minutes after traffic stops.
Step 5 (Optional) show running-config port-security | Displays the port security configuration.
Example: switch(config-if)# show running-config port-security
Configures the security violation action (protect, restrict, or shutdown) for port security on the current interface. The no option resets the violation action to the default, which is to shut down the interface.
Example:
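The port-security behaviour described in this chapter (a per-interface maximum of secure MACs, static and sticky entries that do not age, absolute versus inactivity aging with 0 meaning disabled, the protect/restrict/shutdown violation actions, and a MAC-move violation that errdisables the interface whatever the configured action) as an added Python model. It is not Cisco code; times are integer minutes supplied by the caller, and the assumption that the interface receiving the moved MAC is the one errdisabled is this model's, not the guide's.

```python
"""Port-security model for Layer 2 interfaces (added example, not Cisco code).

Times are integer minutes passed in by the caller so aging can be exercised
deterministically. Violation results: 'forward', 'drop' or 'errdisable'.
"""


class SecurePort:
    def __init__(self, maximum=1, violation="shutdown", sticky=False,
                 aging_time=0, aging_type="absolute"):
        self.maximum = maximum
        self.violation = violation        # "protect" | "restrict" | "shutdown" (default)
        self.sticky = sticky
        self.aging_time = aging_time      # minutes; 0 disables aging (the default)
        self.aging_type = aging_type      # "absolute" (default) | "inactivity"
        self.secure = {}                  # mac -> {"type", "learned", "last"}
        self.errdisabled = False
        self.log = []                     # syslog-style messages

    def add_static(self, mac, now=0):
        """Static secure MAC: counts against the maximum and never ages."""
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError("maximum secure MAC count reached")
        self.secure[mac] = {"type": "static", "learned": now, "last": now}

    def expire(self, now):
        """Age out dynamic entries and return the MACs removed."""
        if self.aging_time == 0:
            return []
        expired = []
        for mac, entry in list(self.secure.items()):
            if entry["type"] != "dynamic":
                continue                  # static and sticky entries never age
            ref = entry["learned"] if self.aging_type == "absolute" else entry["last"]
            if now - ref >= self.aging_time:
                expired.append(mac)
                del self.secure[mac]
        return expired

    def violate(self, mac, reason):
        # Assumption of this model: the interface that sees the MAC move is errdisabled.
        if reason == "mac-move" or self.violation == "shutdown":
            self.errdisabled = True
            self.log.append(f"{reason} {mac}: interface errdisabled")
            return "errdisable"
        if self.violation == "restrict":
            self.log.append(f"{reason} {mac}: frame dropped")
        return "drop"                     # protect: drop without logging

    def learn_or_forward(self, mac, now):
        """Handle a frame whose source MAC is `mac` on this interface."""
        if self.errdisabled:
            return "drop"
        self.expire(now)
        if mac in self.secure:
            self.secure[mac]["last"] = now
            return "forward"
        if len(self.secure) >= self.maximum:
            return self.violate(mac, "max-exceeded")
        kind = "sticky" if self.sticky else "dynamic"
        self.secure[mac] = {"type": kind, "learned": now, "last": now}
        return "forward"


class PortSecuritySwitch:
    """Holds the secure ports so that a MAC already secure on one port showing up
    on another is detected as a MAC move."""

    def __init__(self):
        self.ports = {}

    def ingress(self, port_name, mac, now=0):
        port = self.ports[port_name]
        if port.errdisabled:
            return "drop"
        for name, other in self.ports.items():
            if name != port_name and mac in other.secure:
                return port.violate(mac, "mac-move")
        return port.learn_or_forward(mac, now)
```

With violation mode protect the model drops silently, so a scan of `log` shows nothing; that is why the guide recommends errdisable recovery rather than relying on syslog alone when a MAC move takes a port down.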
Additional References for Port Security
Related Documents
Related Topic | Document Title
Layer 2 switching | Cisco Nexus 9000 Series NX-OS Layer 2 Switching Configuration Guide
MIBs
Cisco NX-OS provides read-only SNMP support for port security.
MIBs | MIBs Link
•

CHAPTER: Configuring DHCP
This chapter describes how to configure the Dynamic Host Configuration Protocol (DHCP) on a Cisco NX-OS device. This chapter includes the following sections: • About DHCP Snooping, on page 327 •...
In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources. In the Cisco NX-OS device, you indicate that a source is trusted by configuring the trust state of its connecting interface.
DHCP Snooping in a vPC Environment A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to a third device. The third device can be a switch, a server, or any other networking device that supports port channels.
82 field in the DHCP reply. 5. The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.
This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal.
82 field in the DHCP reply. 6. The DHCP server unicasts the reply to the Cisco NX-OS device if the request was relayed to the server by the device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields.
DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF. For general information about VRFs, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.
DHCP requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.
• DHCP client and DHCP relay are not supported on the same switch. • DHCP client is not supported for Layer 3 subinterfaces. • DHCP client is supported on the Cisco Nexus 9300 Series switches and the Cisco Nexus 9500 Series switches.
When the DHCP feature is disabled, you cannot configure the DHCP relay agent, DHCP snooping, or any of the features that depend on DHCP. In addition, all DHCP configuration is removed from the device. Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x...
Before you begin Make sure that you have enabled the DHCP feature. SUMMARY STEPS 1. configure terminal 2. [no] ip dhcp snooping 3. (Optional) show running-config dhcp 4. (Optional) copy running-config startup-config
Enables DHCP snooping MAC address verification. The no form of this command disables MAC address verification. Example: switch(config)# ip dhcp snooping verify mac-address Step 3 (Optional) show running-config dhcp Displays the DHCP configuration. Example:
The no form of this command configures the port as an untrusted interface. Example: switch(config-if)# ip dhcp snooping trust Step 4 (Optional) show running-config dhcp Displays the DHCP configuration. Example: switch(config-if)# show running-config dhcp
(Optional) show ip dhcp relay Displays the DHCP relay configuration. Example: switch(config)# show ip dhcp relay Step 4 (Optional) show ip dhcp relay information trusted-sources Displays the DHCP relay trusted ports configuration. Example:
Layer 3 Ethernet interface that you want to configure as trusted or untrusted, or channel-number is the Layer 3 port-channel interface that you want to configure as trusted or untrusted. Example: switch(config)# interface ethernet 2/1 switch(config-if)#
Before you begin Make sure that the DHCP feature is enabled. SUMMARY STEPS 1. configure terminal 2. [no] ip dhcp relay information trust-all 3. (Optional) show ip dhcp relay information trusted-sources
You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF. Before you begin You must enable Option 82 for the DHCP relay agent.
DHCP server IP addresses specified. The relay agent forwards replies from all DHCP servers to the host that sent the request.
6.1(2)I3(3a). They are not supported in Cisco NX-OS Release 9.2(1). • Enters interface configuration mode, where vlan-id is the ID of the VLAN that you want to configure with a DHCP server IP address.
Ensure that the DHCP relay agent is enabled. SUMMARY STEPS 1. configure terminal 2. [no] ip dhcp smart-relay global 3. (Optional) show ip dhcp relay 4. (Optional) show running-config dhcp 5. (Optional) copy running-config startup-config
Configuring DHCPv6 Enabling or Disabling the DHCPv6 Relay Agent You can enable or disable the DHCPv6 relay agent. By default, the DHCPv6 relay agent is enabled.
You can configure the device to support the relaying of DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF. Before you begin Ensure that the DHCP feature is enabled. Ensure that the DHCPv6 relay agent is enabled.
DHCPv6 server IP addresses specified. The relay agent forwards replies from all DHCPv6 servers to the host that sent the request.
The server address can either be a link-scoped unicast or multicast address or a global or site-local unicast or
Configuring IPv6 RA Guard You can configure the IPv6 router advertisement (RA) guard feature for Cisco Nexus 9200, 9300, and 9300-EX Series switches and the N9K-X9732C-EX line card. This feature is used to drop all incoming IPv6 RA packets on a Layer 2 interface.
3. ipv6 address use-link-local-only 4. [no] {ip | ipv6} address dhcp 5. (Optional) Do one of the following options: • show running-config interface ethernet slot/port • show running-config interface mgmt 0
Example: switch(config-if)# copy running-config startup-config Only the {ip | ipv6} address dhcp command is saved. The assigned IP address is not saved even though it shows in the running configuration.
Use the show ip dhcp snooping binding [ip-address | mac-address | dynamic | static | vlan vlan-id | interface interface-type interface-number] command to display all entries from the DHCP snooping binding database. MacAddress IpAddress LeaseSec Type VLAN Interface
Use the clear ipv6 dhcp relay statistics command to clear the global DHCPv6 relay statistics. Use the clear ipv6 dhcp relay statistics interface interface command to clear the DHCPv6 relay statistics for a particular interface.
The following example shows how the DHCP client feature can be used to assign an IPv4 address to a VLAN interface:
switch# configure terminal
switch(config)# interface vlan 7
switch(config-if)# no shutdown
switch(config-if)# ip address dhcp
switch(config-if)# show running-config interface vlan 7
interface Vlan7
  no shutdown
  ip address dhcp
C H A P T E R Configuring IPv6 First Hop Security This chapter describes how to configure First Hop Security (FHS) features on Cisco NX-OS devices. This chapter includes the following sections: • Introduction to First-Hop Security, on page 369 •...
Guidelines and Limitations of First Hop Security The general guidelines and limitations of First Hop Security are as follows: • Before enabling the FHS on the interface or VLAN, we recommend carving TCAM regions on Cisco Nexus 9300 and 9500 Series switches. To enable FHS successfully: •...
• Control traffic (DHCP/ND) will not be redirected to CPU for processing on both vPC peers if it goes over the peer link. • Packets switched over the peer link aren't processed a second time.
DHCP Server messages by default. You can customize the IPv6 policy to implement: • Security-level glean. • IPv6 DHCP Guard policy with device-role server. In this configuration, IPv6 Snooping trusts DHCP server messages attached to the vPC link.
DHCP server traffic. You do not require an individual IPv6 snooping policy per interface. Any DHCP traffic arriving via the vPC peer is also implicitly trusted and if policing is required, the vPC peer automatically drops it.
RA frame. Once the L2 device has validated the content of the RA frame and router redirect frame against the configuration, it forwards the RA to its unicast or multicast destination. If the RA frame content is not validated, the RA is dropped.
• If a packet arriving from DHCP server is a Relay Forward or a Relay Reply, only the device role is checked. In addition, IPv6 DHCP Guard doesn't apply the policy for a packet sent out by the local relay agent running on the switch.
(or VLAN) as well as the DHCP server facing interface (or VLAN). In the case of DHCP Relay, an IPv6 Snooping policy must be attached at the VLAN level to see the server replies.
RS packets that are received on another interface, are not redirected to the device-role host. Only RA and RR packets (that are allowed) are redirected to the device-role host.
Exits RA guard policy configuration mode and returns to global configuration mode. Example: Device(config-ra-guard)# exit Configuring IPv6 RA Guard on an Interface SUMMARY STEPS 1. configure terminal 2. interface type number 3. ipv6 nd raguard attach-policy [policy-name]
Et1/0 vlan all Step 6 debug ipv6 snooping raguard [filter | interface | vlanid] Enables debugging for IPv6 RA guard snooping information. Example: Device# debug ipv6 snooping raguard
It blocks any incoming server packets. Example: Device(config-dhcp-guard)# device-role server • device-role server—Interface where a normal DHCPv6 server is connected. It allows all DHCPv6 packets originating on this interface.
Exits interface configuration mode and returns to global configuration mode. Example: Device(config-if)# exit Step 12 vlan configuration vlan-id Specifies a VLAN and enters VLAN configuration mode. Example: Device(config)# vlan configuration 1
• guard—works like inspect, but in addition drops IPv6, ND, RA, and IPv6 DHCP Server packets in case of a threat. Step 8 tracking Enables tracking. Example: Device(config-snoop-policy)# tracking enable
EXEC mode. Example: Device(config)# exit Step 18 show ipv6 snooping policy policy-name Displays the policy configuration and the interfaces where the policy is applied. Example: Device(config)# show ipv6 snooping policy policy1
Displays information about the configured policies and the interfaces to which they are attached. Example: Device# show ipv6 snooping policies Step 5 debug ipv6 snooping Enables debugging for snooping information in IPv6. Example: Device# debug ipv6 snooping
This section includes additional information related to configuring IPv6 First-Hop Security. Related Documents Related Topic Document Title Cisco NX-OS Licensing Cisco NX-OS Licensing Guide Command reference Cisco Nexus 7000 Series NX-OS Security Command Reference
ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker's computer and then to the router, switch, or host.
You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.
If some devices in a VLAN run DAI and other devices do not, the guidelines for configuring the trust state of interfaces on a device that runs DAI become the following:
VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses. You can also specify the type of packets that are logged. By default, a Cisco Nexus device logs only packets that DAI drops.
• ARP ACLs are not supported. Default Settings for DAI This table lists the default settings for DAI parameters. Table 33: Default DAI Parameters Parameters Default Disabled on all VLANs.
[no] ip arp inspection vlan vlan-list Enables DAI for the specified list of VLANs. The no option disables DAI for the specified VLANs. Example: switch(config)# ip arp inspection vlan 13
• Each ip arp inspection validate command that you enter replaces the configuration from any previous commands. If you enter an ip arp inspection validate command to enable src-mac and dst-mac validations,
You can configure the DAI logging buffer size. The default buffer size is 32 messages. SUMMARY STEPS 1. configure terminal 2. [no] ip arp inspection log-buffer entries number 3. (Optional) show running-config dhcp 4. (Optional) copy running-config startup-config
DAI log filtering. • all—Logs all packets that match DHCP bindings. • none—Does not log packets that match DHCP bindings. Example: switch(config)# ip arp inspection vlan 100 dhcp-bindings permit
Command Purpose
show ip arp inspection statistics [vlan vlan-id] Displays DAI statistics.
clear ip arp inspection statistics vlan vlan-id Clears DAI statistics.
clear ip arp inspection log Clears DAI logs.
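The DAI decision described above (binding lookup on untrusted ports, bypass on trusted ports, and the optional src-mac, dst-mac and ip validations), modelled in Python as an added example; this is not NX-OS code. The binding table is parsed from text in the column order of the show ip dhcp snooping binding output shown earlier; the sample bindings, packets and trusted-port set are constructed for the example, and the packet representation is a simplification. Because each ip arp inspection validate command replaces the previous set, the validations are passed as one set per call.

```python
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed sample output, same columns as the guide's binding database display:
# MacAddress IpAddress LeaseSec Type VLAN Interface
BINDING_OUTPUT = """\
MacAddress         IpAddress        LeaseSec  Type          VLAN  Interface
-----------------  ---------------  --------  ------------  ----  ---------------
00:11:22:33:44:01  10.1.1.11        85400     dhcp-snoop    100   Ethernet1/1
00:11:22:33:44:02  10.1.1.12        85400     dhcp-snoop    100   Ethernet1/2
00:11:22:33:44:03  10.1.1.13        infinite  static        100   Ethernet1/3
"""


def parse_bindings(text: str) -> dict[tuple[int, str], str]:
    """Map (vlan, ip) -> mac from the binding-database text (skips header and rule lines)."""
    table = {}
    for line in text.splitlines()[2:]:
        mac, ip, _lease, _type, vlan, _intf = line.split()
        table[(int(vlan), ip)] = mac.lower()
    return table


@dataclass
class ArpPacket:
    ingress: str
    vlan: int
    eth_src: str      # Ethernet header addresses
    eth_dst: str
    op: int           # 1 = request, 2 = reply
    sender_mac: str   # ARP body addresses
    sender_ip: str
    target_mac: str
    target_ip: str


BROADCAST = "ff:ff:ff:ff:ff:ff"


def ip_is_invalid(ip: str) -> bool:
    """The 'ip' validation: 0.0.0.0, 255.255.255.255 and multicast are never valid here."""
    a = ipaddress.ip_address(ip)
    return a.is_multicast or str(a) in ("0.0.0.0", "255.255.255.255")


def dai_verdict(pkt: ArpPacket, bindings, trusted_ports, validate=()) -> str:
    """Return 'permit' or 'drop: <reason>'."""
    validate = set(validate)
    if pkt.ingress in trusted_ports:
        return "permit"                       # trusted ports bypass DAI entirely
    if "src-mac" in validate and pkt.sender_mac.lower() != pkt.eth_src.lower():
        return "drop: src-mac"                # ARP sender MAC vs Ethernet source
    if "dst-mac" in validate and pkt.op == 2 and pkt.target_mac.lower() != pkt.eth_dst.lower():
        return "drop: dst-mac"                # ARP target MAC vs Ethernet destination (replies)
    if "ip" in validate and (ip_is_invalid(pkt.sender_ip)
                             or (pkt.op == 2 and ip_is_invalid(pkt.target_ip))):
        return "drop: ip"
    # Core check: the sender IP/MAC pair must exist in this VLAN's binding database
    if bindings.get((pkt.vlan, pkt.sender_ip)) != pkt.sender_mac.lower():
        return "drop: no binding"
    return "permit"


TRUSTED = {"Ethernet1/49"}   # constructed: uplink toward the DHCP server / other DAI switches


def demo() -> dict[str, str]:
    b = parse_bindings(BINDING_OUTPUT)
    gw = "10.1.1.1"
    legit = ArpPacket("Ethernet1/1", 100, "00:11:22:33:44:01", BROADCAST, 1,
                      "00:11:22:33:44:01", "10.1.1.11", "00:00:00:00:00:00", gw)
    # host on 1/2 claims host 1's IP with its own MAC: cache-poisoning attempt
    poison = ArpPacket("Ethernet1/2", 100, "00:11:22:33:44:02", BROADCAST, 1,
                       "00:11:22:33:44:02", "10.1.1.11", "00:00:00:00:00:00", gw)
    # host on 1/2 forges the ARP body to match host 1's binding; the frame header still shows its MAC
    forged = ArpPacket("Ethernet1/2", 100, "00:11:22:33:44:02", BROADCAST, 1,
                       "00:11:22:33:44:01", "10.1.1.11", "00:00:00:00:00:00", gw)
    bad_ip = ArpPacket("Ethernet1/3", 100, "00:11:22:33:44:03", BROADCAST, 2,
                       "00:11:22:33:44:03", "0.0.0.0", BROADCAST, gw)
    uplink = ArpPacket("Ethernet1/49", 100, "00:11:22:33:44:99", BROADCAST, 1,
                       "00:11:22:33:44:99", "10.1.1.11", "00:00:00:00:00:00", gw)
    return {
        "legit": dai_verdict(legit, b, TRUSTED),
        "poison": dai_verdict(poison, b, TRUSTED),
        "forged_no_validate": dai_verdict(forged, b, TRUSTED),
        "forged_src_mac": dai_verdict(forged, b, TRUSTED, validate={"src-mac"}),
        "bad_ip": dai_verdict(bad_ip, b, TRUSTED, validate={"src-mac", "dst-mac", "ip"}),
        "uplink": dai_verdict(uplink, b, TRUSTED),
    }
```

The forged case is the point of the src-mac validation: with only the binding lookup, an ARP body that copies another host's valid IP/MAC pair is permitted, and only comparing the body against the Ethernet header catches it.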
- Supports-STP-Dispute
Device ID  Local Intrfce  Hldtme  Capability  Platform       Port ID
switchB    Ethernet2/3            R S I       WS-C2960-24TC  Ethernet1/4
switchA#
Step 2 Enable DAI on VLAN 1 and verify the configuration.
Related Documents Related Topic Document Title ACL TCAM regions Configuring IP ACLs DHCP and DHCP snooping Configuring DHCP, on page 327 Standards Standard Title RFC-826 An Ethernet Address Resolution Protocol (http://tools.ietf.org/html/rfc826)
• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet • IP traffic from static IP source entries that you have configured on the Cisco NX-OS device
IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.
• IP Source Guard is not supported on fabric extender (FEX) ports or generic expansion module (GEM) ports. • The following guidelines and limitations apply to the Cisco Nexus 9200 Series switches: • IPv6 adjacency is not formed with IPSG enabled on the incoming interface.
[no] ip dhcp snooping ipsg-excluded vlan vlan-list Specifies the list of VLANs to exclude from the DHCP snooping check for IP Source Guard on trunk ports. Example: switch(config)# ip dhcp snooping ipsg-excluded vlan 1001-1256,3097
2/3
  no shutdown
  ip verify source dhcp-snooping-vlan
show ip ver source
IP source guard excluded vlans:
------------------------------------------------------
None
-----------------------------------
IP source guard is enabled on the following interfaces:
------------------------------------------------------
ethernet2/3
Configuring IP Source Guard Additional References Additional References Related Documents Related Topic Document Title ACL TCAM regions Configuring IP ACLs DHCP and DHCP snooping Configuring DHCP, on page 327
After you enable AES password encryption and configure a master key, all existing and newly created clear-text passwords for supported applications (currently RADIUS and TACACS+) are stored in type-6 encrypted format, unless you disable type-6 password encryption. You can also configure Cisco NX-OS to convert all existing weakly encrypted passwords to type-6 encrypted passwords.
Configuring Password Encryption This section describes the tasks for configuring password encryption on Cisco NX-OS devices. Configuring a Master Key and Enabling the AES Password Encryption Feature You can configure a master key for type-6 encryption and enable the Advanced Encryption Standard (AES) password encryption feature.
About AES Password Encryption and Master Encryption Keys, on page 413 Configuring Text for a Key, on page 424 Configuring Accept and Send Lifetimes for a Key, on page 425
Please enter current Master Key: Deleting Type-6 Encrypted Passwords You can delete all type-6 encrypted passwords from the Cisco NX-OS device. SUMMARY STEPS 1. encryption delete type6
The device allows you to configure multiple keychains. Some routing protocols that support key-based authentication can use a keychain to implement a hitless key rollover for authentication. For more information, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide.
Keychain management requires no license. Any feature not included in a license package is bundled with the nx-os image and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide. Prerequisites for Keychain Management Keychain management has no prerequisites.
Confirms that the keychain no longer exists in the running configuration. Example: switch(config-keychain)# show key chain bgp-keys Step 4 (Optional) copy running-config startup-config Copies the running configuration to the startup configuration. Example:
Displays the configuration status of the AES password encryption feature and the master key. Example: switch(config)# show encryption service stat Step 5 Required: copy running-config startup-config Copies the running configuration to the startup configuration. Example:
Before you begin Determine the text for the key. You can enter the text as unencrypted text or in the encrypted form that Cisco NX-OS uses to display key text when you use the show key chain command. Using the encrypted form is particularly helpful if you are creating key text to match a key as shown in the show key chain command output from another device.
We recommend that you configure the keys in a keychain to have overlapping lifetimes. This practice prevents loss of key-secured communication due to moments where no key is active. SUMMARY STEPS 1. configure terminal
as local times. Example: switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2013 23:59:59 Aug 12 2013 The start-time argument is the time of day and date that the key becomes active.
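Why overlapping accept and send lifetimes matter, worked through in Python as an added example (not NX-OS code and not from the guide). The keychain, key strings and timestamps are constructed; the hh:mm:ss Mon dd yyyy format mirrors the send-lifetime arguments shown above, and the rule that a sender picks the lowest active key ID is an assumption for illustration (the real choice is up to the protocol using the keychain). The gap finder reports any window in which no key is sendable, which is exactly the outage the recommendation above is meant to prevent.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime

FMT = "%H:%M:%S %b %d %Y"   # hh:mm:ss Mon dd yyyy, the order used by send-lifetime / accept-lifetime


def lifetime(start: str, end: str) -> tuple[datetime, datetime]:
    """Parse a lifetime pair and reject one whose end precedes its start."""
    s, e = datetime.strptime(start, FMT), datetime.strptime(end, FMT)
    if e <= s:
        raise ValueError(f"lifetime ends before it starts: {start} -> {end}")
    return s, e


@dataclass
class Key:
    key_id: int
    key_string: str                      # stands in for the key-string text
    accept: tuple[datetime, datetime]
    send: tuple[datetime, datetime]


def build_keychain(key2_send_start: str = "00:00:00 Aug 01 2013") -> list[Key]:
    """Constructed two-key chain. With the default, key 2 starts being sent before
    key 1 stops (overlap); pass a later start to create a gap."""
    return [
        Key(1, "k1-secret",
            lifetime("00:00:00 Jun 13 2013", "23:59:59 Aug 12 2013"),
            lifetime("00:00:00 Jun 13 2013", "23:59:59 Aug 12 2013")),
        Key(2, "k2-secret",
            lifetime("00:00:00 Jul 01 2013", "23:59:59 Dec 31 2013"),
            lifetime(key2_send_start, "23:59:59 Dec 31 2013")),
    ]


def send_key(chain: list[Key], now: datetime):
    """Key used for outgoing packets: lowest key ID whose send lifetime covers `now` (assumed tie-break)."""
    active = [k for k in chain if k.send[0] <= now <= k.send[1]]
    return min(active, key=lambda k: k.key_id) if active else None


def accept_keys(chain: list[Key], now: datetime) -> set[int]:
    """Key IDs a receiver accepts at `now`."""
    return {k.key_id for k in chain if k.accept[0] <= now <= k.accept[1]}


def send_gaps(chain: list[Key]) -> list[tuple[datetime, datetime]]:
    """Windows in which no key is sendable, i.e. where key-secured communication would fail."""
    ivs = sorted(k.send for k in chain)
    gaps, cur_end = [], ivs[0][1]
    for s, e in ivs[1:]:
        if s > cur_end:
            gaps.append((cur_end, s))
        cur_end = max(cur_end, e)
    return gaps


def peer_accepts(sender_chain: list[Key], receiver_chain: list[Key], now: datetime) -> bool:
    """Does the receiver accept what the sender is currently sending?"""
    k = send_key(sender_chain, now)
    return k is not None and k.key_id in accept_keys(receiver_chain, now)
```

Run send_gaps over a keychain before you deploy it: an empty list means the rollover is hitless, and any interval it returns is a period in which the device has nothing to sign with.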
Displays the key chains configured on the device. Verifying the Keychain Management Configuration To display keychain management configuration information, perform the following task: Command Purpose show key chain name Displays the keychains configured on the device.
00:00:00 Nov 12 2013 23:59:59 Mar 12 2013 send-lifetime 00:00:00 Dec 12 2013 23:59:59 Feb 12 2013 Where to Go Next For information about routing features that use keychains, see the Cisco Nexus 9000 Series NX-OS Unicast Routing Configuration Guide. Additional References for Keychain Management...
C H A P T E R Configuring Traffic Storm Control This chapter describes how to configure traffic storm control on the Cisco NX-OS device. This chapter includes the following sections: • About Traffic Storm Control, on page 431 •...
A higher threshold allows more packets to pass through. Traffic storm control on the Cisco NX-OS device is implemented in hardware. The traffic storm control circuitry monitors packets that pass from a Layer 2 interface to the switching bus. Using the Individual/Group bit in the packet destination address, the circuitry determines whether the packet is unicast or broadcast, tracks the current count of packets within the 3.9-millisecond interval, and filters out subsequent...
Cisco Nexus 9336C-FX2, Cisco Nexus 93300YC-FX2, and Cisco Nexus 93240YC-FX2-Z switches. • If you have configured a SVI for the VLAN on Cisco Nexus 9200, 9300-EX platform switches, or on the N9K-X9700-FX3 line cards, storm control broadcast does not work for ARP traffic (ARP request).
• Traffic storm control is not supported on 100G ports on the Cisco Nexus 9300 Series switches. It is supported on the Cisco Nexus 9300-EX/FX and FX2 Series switches and the Cisco Nexus 9500 Series switches with the 9700-EX/FX line card.
Step 4 [no] storm-control action trap Generates an SNMP trap (defined in CISCO-PORT-STORM-CONTROL-MIB) and a syslog message when the traffic storm control limit is reached. Example: switch(config-if)# storm-control action trap
[ethernet | port-channel] number Displays the storm control statistics for ARP packets on the interface. Monitoring Traffic Storm Control Counters You can monitor the counters the Cisco NX-OS device maintains for traffic storm control activity. Command Purpose show interface [ethernet slot/port | port-channel number] counters...
Additional References for Traffic Storm Control This section includes additional information related to implementing traffic storm control. Related Documents Related Topic Document Title Cisco NX-OS licensing Cisco NX-OS Licensing Guide
C H A P T E R Configuring Unicast RPF This chapter describes how to configure unicast reverse path forwarding (uRPF) on Cisco NX-OS devices. This chapter includes the following sections: • About Unicast RPF, on page 439 • Licensing Requirements for Unicast RPF, on page 441 •...
Modification would affect the operation of unicast RPF. When a packet is received at the interface where you have configured unicast RPF and ACLs, the Cisco NX-OS software performs the following actions: 1.
• Cisco Nexus 9300 platform switches (excluding the 9300-FXP switches). • Beginning with Cisco NX-OS Release 9.2(1), uRPF is supported for Cisco Nexus 9300-EX Series switches (for IPv4 only) and on Cisco Nexus 9300-FX/FX2 Series switches (for IPv4 and IPv6).
However, this will enable Unicast RPF for both IPv4 and IPv6. • For Cisco Nexus 9300-EX, FX, and FX2 Series switches, a ping to a directly connected peer IP interface fails when the peer interface has strict unicast RPF enabled and the ARP/ND entry for the source IP is not yet resolved.
Configuring Unicast RPF for Cisco Nexus 9500 Switches with -R Line Cards You can configure unicast RPF on an ingress interface for Cisco Nexus 9500 Series switches with an -R line card. SUMMARY STEPS 1.
Configuring Unicast RPF for Cisco Nexus 9300 Switches You can configure one of the following Unicast RPF modes on an ingress interface for Cisco Nexus 9300 platform switches (excluding the 9300-FXP switches) running Cisco NX-OS Release 9.2(1) or a later release.
Unicast RPF check) does not match the default route if you do not specify the allow-default keyword. • The rx keyword specifies strict Unicast RPF. Step 6 exit Exits interface configuration mode. Example:
Example: switch(config)# copy running-config startup-config Configuration Examples for Unicast RPF The following example shows how to configure loose unicast RPF for IPv4 packets on a Cisco Nexus 9500 Series switch with an -R line card:
interface Ethernet2/3
  ip address 172.23.231.240/23
...
The following example shows how to configure strict unicast RPF for IPv4 packets on a Cisco Nexus 9300 platform switch:
no system urpf disable
interface Ethernet2/2
  ip address 172.23.231.240/23
  ip verify unicast source reachable-via rx
...
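The difference between reachable-via rx (strict), reachable-via any (loose) and the allow-default keyword, worked through in Python as an added example; this is not NX-OS code and not the guide's material. The FIB is constructed for the example (the 172.23.230.0/23 entry matches the interface address in the configuration above), the lookup is a plain longest-prefix match, and the modelled rule is the one stated in the guidelines: a source that matches only the default route fails the check unless allow-default is set, strict additionally requires the best route's egress interface to be the ingress interface.

```python
from __future__ import annotations
import ipaddress

# Constructed FIB: (prefix, egress interface). 0.0.0.0/0 is the default route.
FIB = [
    ("0.0.0.0/0", "Ethernet2/1"),
    ("172.23.230.0/23", "Ethernet2/2"),   # connected subnet from the example above
    ("10.10.0.0/16", "Ethernet2/3"),
    ("10.10.5.0/24", "Ethernet2/2"),      # more specific route to part of 10.10/16
]


def lookup(fib, ip: str):
    """Longest-prefix match; returns (network, interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, intf in fib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, intf)
    return best


def urpf_check(fib, src_ip: str, ingress: str, mode: str = "rx", allow_default: bool = False) -> bool:
    """mode='rx' is strict (reachable-via rx), mode='any' is loose (reachable-via any).
    Returns True if the packet passes the uRPF check, False if it would be dropped."""
    route = lookup(fib, src_ip)
    if route is None:
        return False
    net, intf = route
    if net.prefixlen == 0 and not allow_default:
        return False                  # matched only the default route
    if mode == "any":
        return True                   # loose: any route to the source is enough
    return intf == ingress            # strict: best route must point back out the ingress


def demo() -> dict[str, bool]:
    return {
        "lpm_match_strict": urpf_check(FIB, "10.10.5.7", "Ethernet2/2", "rx"),
        "lpm_wrong_if_strict": urpf_check(FIB, "10.10.5.7", "Ethernet2/3", "rx"),
        "lpm_wrong_if_loose": urpf_check(FIB, "10.10.5.7", "Ethernet2/3", "any"),
        "default_only_strict": urpf_check(FIB, "192.0.2.1", "Ethernet2/1", "rx"),
        "default_allowed_strict": urpf_check(FIB, "192.0.2.1", "Ethernet2/1", "rx", allow_default=True),
        "default_allowed_strict_wrong_if": urpf_check(FIB, "192.0.2.1", "Ethernet2/2", "rx", allow_default=True),
        "default_allowed_loose": urpf_check(FIB, "192.0.2.1", "Ethernet2/2", "any", allow_default=True),
    }
```

The 10.10.5.7 cases show that strict mode is decided by the most specific route, not by any covering route: the /16 via Ethernet2/3 exists, but the /24 via Ethernet2/2 wins the lookup, so a packet with that source arriving on Ethernet2/3 fails strict and passes loose.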
C H A P T E R Configuring Switchport Blocking This chapter describes how to configure switchport blocking on the Cisco NX-OS device. This chapter includes the following sections: • About Switchport Blocking, on page 449 • Licensing Requirements for Switchport Blocking, on page 449 •...
• Switchport blocking does not offer levels of control. It prevents the flooding of all unknown egress multicast or unicast packets on the specified port. • Switchport blocking drops control packets that originate from the CPU on Cisco Nexus 9500 Series switches. It does not drop packets on Cisco Nexus 9300 Series switches.
The supervisor module divides the traffic that it manages into three functional components or planes: Data plane Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets.
Cisco NX-OS device. For example, a DoS attack on the supervisor module could generate IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic.
ARP request to the host. All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets to different classes and provides a mechanism to individually control the rate at which the supervisor module receives these packets.
Configuration Guide. Dynamic and Static CoPP ACLs CoPP access control lists (ACLs) are classified as either dynamic or static. Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q switches use only dynamic CoPP ACLs. Cisco Nexus 9200 Series switches use both dynamic and static CoPP ACLs.
Default Policing Policies When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-p-policy-strict policy to protect the supervisor module from DoS attacks. You can set the level of protection by choosing one of the following CoPP policy options from the initial setup utility: •
The copp-system-class-normal-dhcp-relay-response class has the following configuration:
class-map type control-plane match-any copp-system-p-class-normal-dhcp-relay-response
  match access-group name copp-system-p-acl-dhcp-relay-response
  match access-group name copp-system-p-acl-dhcp6-relay-response
Note The copp-system-class-fcoe class is not supported for Cisco Nexus 9200 Series switches. Strict Default CoPP Policy On Cisco Nexus 9200 Series switches, the strict CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-strict
  class copp-system-p-class-l3uc-data
    set cos 1
...
    set cos 0
    police cir 400 kbps bc 32000 bytes conform transmit violate drop
On Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q switches, the strict CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-strict
...
    set cos 0
    police cir 50 pps bc 32 packets conform transmit violate drop
Moderate Default CoPP Policy On Cisco Nexus 9200 Series switches, the moderate CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-moderate
  class copp-system-p-class-l3uc-data
    set cos 1
...
    set cos 0
    police cir 400 kbps bc 48000 bytes conform transmit violate drop
On Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q switches, the moderate CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-moderate
...
    set cos 0
    police cir 50 pps bc 48 packets conform transmit violate drop
Lenient Default CoPP Policy On Cisco Nexus 9200 Series switches, the lenient CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-lenient
  class copp-system-p-class-l3uc-data
    set cos 1
...
    set cos 0
    police cir 400 kbps bc 64000 bytes conform transmit violate drop
On Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q switches, the lenient CoPP policy has the following configuration:
    set cos 7
    police cir 100 pps bc 64 packets conform transmit violate drop
  class copp-system-p-class-l2-default
    set cos 0
    police cir 50 pps bc 64 packets conform transmit violate drop
    set cos 0
    police cir 50 pps bc 64 packets conform transmit violate drop
Dense Default CoPP Policy On Cisco Nexus 9200 Series switches, the dense CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-dense
  class copp-system-p-class-l3uc-data
    set cos 1
...
    set cos 0
    police cir 200 kbps bc 32000 bytes conform transmit violate drop
On Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q switches, the dense CoPP policy has the following configuration:
policy-map type control-plane copp-system-p-policy-dense
...
This example shows how to attach the policy map to the control plane:
control-plane
  service-policy input copp-system-policy
Note The copp-system-policy is always configured and applied. There is no need to use this command explicitly.
CoPP and the Management Interface The Cisco NX-OS device supports only hardware-based CoPP, which does not support the management interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through the in-band traffic hardware where CoPP is implemented.
• Cisco Nexus 9200 Series switches support CoPP policer rates only in multiples of 10 kbps. If a rate is configured that is not a multiple of 10 kbps, the rate is rounded down. For example, the switch will use 50 kbps if a rate of 55 kbps is configured.
• IPv6 ACLs are not supported for dynamic CoPP.

Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Default Settings for CoPP

This table lists the default settings for CoPP parameters.
(Optional) show class-map type control-plane [class-map-name]
(Optional) copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#
[class-map-name]
Displays the control plane class map configuration.
Example:
switch(config)# show class-map type control-plane

Step 10: (Optional) copy running-config startup-config
Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
You must configure a policy map for CoPP, which includes policing parameters. If you do not configure a policer for a class, the following default is configured:
• 50 packets per second (pps) with a burst of 32 packets (for Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q switches)
•...
police [cir] {cir-rate [rate-type]}
police [cir] {cir-rate [rate-type]} [bc] burst-size
Specifies the committed information rate (CIR). The rate range is as follows:
• 0 to 268435456 pps (for Cisco Nexus 9300 and 9500 Series and 3164Q, 31128PQ, 3232C, and 3264Q...
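As an added pre-deployment check (not from the guide and not Cisco's code), the following Python script parses a CoPP policy-map in the syntax shown above and reports the conditions the guide documents: on Nexus 9200 a kbps rate that is not a multiple of 10 kbps (with the rounded-down rate the switch actually installs), a pps rate outside 0 to 268435456 on the 9300/9500 family, and a class with no policer, which silently takes the platform default. The sample policy and the platform labels 'n9200' and 'n9300' are constructed for the example.

```python
import re

# Documented constraints from the guide: Nexus 9200 policers accept rates only in
# multiples of 10 kbps (others round down); Nexus 9300/9500 and 3164Q/31128PQ/3232C/3264Q
# accept 0-268435456 pps and give an unpoliced class 50 pps with a burst of 32 packets.
KBPS_STEP_9200 = 10
PPS_MAX_9300 = 268435456
DEFAULT_9300 = "50 pps, burst 32 packets"
POLICE_RE = re.compile(
    r"police cir (\d+) (pps|kbps) bc (\d+) (packets|bytes) conform transmit violate drop$")

# Constructed sample in the guide's policy-map syntax (not one of the real default profiles).
SAMPLE_POLICY = """\
policy-map type control-plane copp-system-p-policy-lenient
  class copp-system-p-class-l3uc-data
    set cos 1
    police cir 400 kbps bc 64000 bytes conform transmit violate drop
  class copp-system-p-class-l2-default
    police cir 55 kbps bc 32000 bytes conform transmit violate drop
  class class-default
"""

def parse_policy(text):
    """Map each class name to its (cir, rate_type, bc, burst_unit), or None if unpoliced."""
    classes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("class "):
            current = line.split(None, 1)[1]
            classes[current] = None
        elif current is not None:
            m = POLICE_RE.match(line)
            if m:
                classes[current] = (int(m.group(1)), m.group(2), int(m.group(3)), m.group(4))
    return classes

def check_policy(text, platform):
    """Return (class, finding) pairs; platform is 'n9200' or 'n9300' (9300/9500/3xxx family)."""
    findings = []
    for cls, pol in parse_policy(text).items():
        if pol is None:  # the switch applies a platform default, which may not be intended
            default = DEFAULT_9300 if platform == "n9300" else "platform default"
            findings.append((cls, f"no policer configured; {default} applies"))
            continue
        cir, unit, _bc, _burst_unit = pol
        if platform == "n9200" and unit == "kbps" and cir % KBPS_STEP_9200:
            eff = cir - cir % KBPS_STEP_9200
            findings.append((cls, f"cir {cir} kbps is not a multiple of 10 kbps; the switch silently rounds down to {eff} kbps"))
        if platform == "n9300" and unit == "pps" and not 0 <= cir <= PPS_MAX_9300:
            findings.append((cls, f"cir {cir} pps is outside 0-{PPS_MAX_9300} pps"))
    return findings
```

Feed it the output of show running-config copp (or a proposed custom policy) before applying the profile, so a rate that the hardware would quietly reduce is caught in review rather than discovered as unexplained control-plane drops.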
CoPP policy. The changes are effective immediately, so you do not need to reapply the CoPP policy.

SUMMARY STEPS
1. configure terminal
2. control-plane
3. scale-factor value module multiple-module-range
You can change to a different default CoPP policy, or you can reapply the same default CoPP policy.

SUMMARY STEPS
1. [no] copp profile [strict | moderate | lenient | dense]
2. (Optional) show copp status
3. (Optional) show running-config copp
Step 3: (Optional) show running-config copp
Displays the CoPP configuration in the running configuration, including the copied policy configuration.
Example:
switch# show running-config copp
Protocol ACL filtering is supported on MAC and IP ACLs and is not supported on IPv6 ACLs. Beginning with Cisco NX-OS Release 9.2(2), support for this feature is added on the following NX-OS platform switches:
• Cisco Nexus 9300-EX
•...
ClassMapA
switch(config-pmap)#

Step 10: class {class-map-name [insert-before class-map-name2] | class-default}
Specifies a control plane class map name or the class default and enters control plane class configuration mode.
Example:
IP-foo-1 eq bgp
class-map type control-plane [match-all | match-any] class-map-name
(Optional) match access-group name access-list-name
policy-map type control-plane policy-map-name
class {class-map-name [insert-before class-map-name2] | class-default}
12. Enter one of the following commands:
class-map-name
Specifies a control plane class map and enters class map configuration mode. The default class matching is match-any. The name can be a maximum of 64 characters long and is case sensitive.
Example:
Enters the control plane dynamic configuration mode.
Example:
switch(config)# control-plane dynamic mode
switch(config-cp-dyn)#

Step 14: service-policy-dynamic input policy-map-name
Specifies a policy map for the input traffic.
Example:
switch(config-cp-dyn)# service-policy-dynamic input PolicyMap1
[class-map-name] Displays the control plane class map configuration, including the ACLs that are bound to this class map.
[all] Displays the user-configured access control lists (ACLs) in the startup configuration. The all option displays both the default (CoPP-configured) and user-configured ACLs in the startup configuration.
639
mac access-list copp-system-p-acl-arp
  permit any any 0x0806
ip access-list copp-system-p-acl-tacas
  permit udp any any eq 49
ip access-list copp-system-p-acl-ntp
  permit udp any 10.0.1.1/23 eq 123
So setup always assumes system defaults and not the current system configuration values. Press Enter at anytime to skip a dialog. Use ctrl-c at anytime to skip the remaining dialogs.
Use this configuration and save it? (yes/no) [y]: y
switch#

Additional References for CoPP

This section provides additional information related to implementing CoPP.

Related Documents
Related Topic | Document Title
Licensing | Cisco NX-OS Licensing Guide
Standards
Standards | Title
RFC 2698 | A Two Rate Three Color Marker
About Rate Limits

Rate limits can prevent redirected packets for exceptions from overwhelming the supervisor module on a Cisco NX-OS device. You can configure rate limits in packets per second for the following types of redirected packets:
• Access-list log packets
•...
Nexus 3164Q, 31128PQ, 3232C, and 3264Q switches.
• The rate-limiter on egress ports is limited per pipe on the Cisco Nexus 9300 and 9500 Series switches; Cisco Nexus 3164Q and 31128PQ switches; and the Cisco Nexus 3232C and 3264Q switches. The rate-limiter on egress ports is limited per slice on the Cisco Nexus 9200 and 9300-EX Series switches.
Default Settings for Rate Limits

Note: If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

This table lists the default settings for rate limits parameters.
Note: The CoPP policy controls the rate of glean packets that are forwarded due to global punt adjacency, and this rate limiter controls the destination-specific glean packets.
+------------------+--------+---------------+---------------+-----------------
access-list-log    Port group with configuration same as default configuration Eth4/1-36

Module: 22
R-L Class          Config   Allowed         Dropped         Total
+------------------+--------+---------------+---------------+-----------------
access-list-log    Port group with configuration same as default configuration Eth22/1-0
<<configured

Additional References for Rate Limits

This section includes additional information related to implementing rate limits.

Related Documents
Related Topic | Document Title
Cisco NX-OS licensing | Cisco NX-OS Licensing Guide
CHAPTER

Configuring MACsec

This document describes how to configure MACsec on Cisco NX-OS devices.
• About MACsec, on page 501
• Licensing Requirements for MACsec, on page 502
• Guidelines and Limitations for MACsec, on page 502
•...
• MACsec is supported on the following interface types:
  • Layer 2 switchports (access and trunk)
  • Layer 3 routed interfaces (no subinterfaces)
  • Layer 2 and Layer 3 port channels (no subinterfaces)
• Allowing a MACsec policy to be modified while the policy is referenced by an interface.
• Allowing different MACsec policies across different lanes of a breakout port.
• Beginning with Cisco Nexus Release 9.2(1), MACsec is supported on the Cisco Nexus 93180YC-FX and the Cisco Nexus 93108TC-FX switches.
• For interoperability between previous releases and Cisco NX-OS Release 9.2(1), pad the MACsec key with zeros if it is less than 32 octets.
• On any Cisco NX-OS box, you can configure only one unique combination of an alternate MAC address and Ethernet type on all interfaces.
Example:
switch(config)# copy running-config startup-config

Disabling MACsec

Beginning with Cisco NX-OS Release 9.2(1), disabling the MACsec feature only deactivates this feature and does not remove the associated MACsec configurations. Disabling MACsec has the following conditions:
• MACsec shutdown is a global command and is not available at the interface level.
6. send-lifetime start-time duration duration
7. (Optional) show key chain name
8. (Optional) copy running-config startup-config

DETAILED STEPS

Step 1: configure terminal
Enters global configuration mode.
Example:
The maximum length is 2147483646 seconds (approximately 68 years).

Step 7: (Optional) show key chain name
Displays the keychain configuration.
Example:
switch(config-macseckeychain-macseckey)# show key chain 1
Configuring MACsec Fallback Key

Beginning with Cisco NX-OS Release 9.2(1), you can configure a fallback key on the device to initiate a backup session if the primary session fails as a result of a key/key name (CKN) mismatch or a finite key duration between the switch and peer.
Use the sak-expiry-timer 60 command to add the SAK rekey timer to the MACsec policy.

About Configurable EAPOL Destination and Ethernet Type

Beginning with Cisco NX-OS Release 9.2(2), Cisco enables networks with WAN MACsec to change the Extensible Authentication Protocol (EAP) over LAN (EAPOL) protocol destination address and the Ethernet type values to nonstandard values.
Step 6: show macsec mka session detail
Displays the EAPOL settings.

Disabling EAPOL Configuration

You can disable the EAPOL configuration on any available interface.

SUMMARY STEPS
1. configure terminal
Displays the running configuration information for MACsec.

The following example displays information about the MACsec MKA session for all interfaces.

switch# show macsec mka session
Interface   Local-TxSCI   # Peers   Status
Peer CAK        : Match
Latest Rx MKPDU : 11:11:58 PDT Mon Oct 01 2018

The following example displays the MACsec MKA configuration:

switch# show macsec mka summary
Interface   Status   Cipher (Operational)   Key-Server   MACSEC-policy
The following example shows the MACsec MKA statistics for a specific Ethernet interface:

switch# show macsec mka statistics interface ethernet 2/2
Per-CA MKA Statistics for Session on interface (Ethernet2/2) with CKN 0x10
============================================================================
Interface          MACSEC-policy                    Keychain
------------------ -------------------------------- ------------------------
Ethernet2/13       system-default-macsec-policy     1/10000000000000000
Ethernet2/14       system-default-macsec-policy     1/10000000000000000

XML Examples

MACsec supports XML output for the following show commands for scripting purposes using | xml:
To locate and download supported MIBs, go to the following URL: ftp://ftp.cisco.com/pub/mibs/supportlists/nexus9000/Nexus9000MIBSupportList.html.

Related Documentation
Related Topic | Document Title
Keychain management | Cisco Nexus 9000 Series NX-OS Security Configuration Guide
System messages | Cisco Nexus 9000 Series NX-OS System Messages References