
Cisco Nexus 7000 Series Command Reference Manual

Table of Contents
Cisco Nexus 7000 Series Security Command Reference
First Published: --
Last Modified: --
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


  Summary of Contents for Cisco Nexus 7000 Series

  • Page 2 © Cisco Systems, Inc. All rights reserved.
  • Page 3: Table Of Contents

    Cisco Nexus 7000 Series Security Command Reference...
  • Page 6 D Commands (Chapter 3): dot1x max-reauth-req, dot1x max-req, dot1x pae authenticator, dot1x port-control, dot1x radius-accounting, dot1x re-authentication (EXEC), dot1x re-authentication (global configuration and interface configuration), dot1x system-auth-control
  • Page 7 E Commands (Chapter 4): encrypt pause-frame, encryption decrypt type6, encryption delete type6, enable, enable Cert-DN-match, enable secret, enable user-server-group, encryption re-encrypt obfuscated, enrollment terminal
  • Page 8 G Commands (Chapter 6)
  • Page 10 K Commands (Chapter 9)
  • Page 11 Chapter 12: nac enable. O Commands (Chapter 13): object-group (identity policy), object-group ip address, object-group ip port, object-group ipv6 address
  • Page 12 R Commands (Chapter 15): radius abort, radius commit, radius distribute, radius-server deadtime, radius-server directed-request, radius-server host, radius-server key, radius-server retransmit, radius-server test, radius-server timeout
  • Page 13 (policy map class), set precedence (policy map class), source-interface, ssh key, ssh login-attempts, ssh server enable, ssh6, statistics per-entry, storm-control level, switchport port-security
  • Page 18 Chapter 18: tacacs+ abort, tacacs+ commit, tacacs+ distribute, tacacs-server deadtime, tacacs-server directed-request, tacacs-server host, tacacs-server key, tacacs-server test, tacacs-server timeout, telnet, telnet server enable, telnet6, terminal verify-only, test aaa authorization command-type, time-range, trustedCert
  • Page 19 Chapter 19: user-certdn-match, username, userprofile, user-pubkey-match, user-switch-bind, use-vrf. V Commands (Chapter 20): vlan access-map, vlan filter, vlan policy deny, vrf policy deny
  • Page 20 Contents
  • Page 21: Document Conventions

    This chapter includes the following topics: Audience This publication is for experienced network administrators who configure and maintain Cisco NX-OS on Cisco Nexus 7000 Series Platform switches. Document Conventions Note: As part of our constant endeavor to remodel our documents to meet our customers' requirements, we have modified the manner in which we document configuration tasks.
  • Page 22 An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line. This document uses the following conventions: Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
  • Page 23 Preface, Document Conventions. Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
  • Page 24: Related Documentation

    • Install and Upgrade Guides http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-installation-guides-list.html • Licensing Guide http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-licensing-information-listing.html Documentation for Cisco Nexus 7000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders is available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-2000-series-fabric-extenders/products-installation-and-configuration-guides-list.html
  • Page 25: Documentation Feedback

    What's New in Cisco Product Documentation. To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
  • Page 26 Preface, Obtaining Documentation and Submitting a Service Request
  • Page 27 35 • aaa authorization commands default, page 37 • aaa authorization config-commands default, page 39 • aaa authorization cts default group, page 41 • aaa authorization ssh-certificate, page 43
  • Page 28 • aaa authorization ssh-publickey, page 45 • aaa group server ldap, page 47 • aaa group server radius, page 49 • aaa group server tacacs+, page 50 • aaa user default-role, page 51
  • Page 29: Absolute

    For information about the values for the time and date arguments, see the “Usage Guidelines” section. Command Default None
  • Page 30 07:00 17 September 2007 end 23:59:59 19 September 2007 Related Commands Command Description periodic Configures a periodic time range rule. time-range Configures a time range for use in IPv4 or IPv6 ACLs.
  • Page 31: Accept-Lifetime

    “Usage Guidelines” section. Command Default infinite Command Modes Key configuration Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines By default, the device interprets all time range rules as UTC.
  • Page 32 00:00:00 Jun 13 2008 23:59:59 Sep 12 2008 switch(config-keychain-key)# Related Commands Command Description Configures a key. keychain Configures a keychain. key-string Configures a key string. send-lifetime Configures a send lifetime for a key. show key chain Shows keychain configuration.
  • Page 33: Access-Class

    2/1 This example shows how to remove the dynamically learned, secure MAC addresses 0019.D2D0.00AE: switch# config t switch(config)# clear port-security dynamic address 0019.D2D0.00AE
  • Page 34 A Commands access-class Related Commands Command Description ip access-list Provides debugging information for port security. line Enables port security globally. show line Shows information about port security.
  • Page 35: Action

    Note: The dot separator is required between the channel-number and subinterface-number arguments. Command Default None Command Modes VLAN access-map configuration Command History Release Modification 4.0(1) This command was introduced.
  • Page 36 statistics Enables statistics for an access control list or VLAN access map. vlan access-map Configures a VLAN access map. vlan filter Applies a VLAN access map to one or more VLANs.
  • Page 37: Arp Access-List

    This command does not require a license. Examples This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01: switch# conf t switch(config)# arp access-list arp-acl-01 switch(config-arp-acl)#
  • Page 38 Applies an ARP ACL to a VLAN. permit (ARP) Configures a permit rule in an ARP ACL. show arp access-lists Displays all ARP ACLs or a specific ARP ACL.
  • Page 39: Authentication (Ldap)

    10.10.2.2 switch(config-ldap)# authentication compare password-attribute TyuL8r switch(config-ldap)# Related Commands Command Description aaa group server ldap Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
  • Page 40 A Commands authentication (LDAP) Command Description server Configures the LDAP server as a member of the LDAP server group. show ldap-server groups Displays the LDAP server group configuration.
  • Page 41: Aaa Accounting Default

    If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 42 Configures AAA RADIUS server groups. radius-server host Configures RADIUS servers. show aaa accounting Displays AAA accounting status information. show aaa groups Displays AAA server group information. tacacs-server host Configures TACACS+ servers.
  • Page 43: Aaa Accounting Dot1X

    If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 44 Related Commands Command Description aaa group server radius Configures AAA RADIUS server groups. radius-server host Configures RADIUS servers. show aaa accounting Displays AAA accounting status information. show aaa groups Displays AAA server group information.
  • Page 45: Aaa Authentication Cts Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 46 Configures AAA server groups. feature cts Enables the Cisco TrustSec feature. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups.
  • Page 47: Aaa Authentication Dot1X Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 48 Dot1xGroup Related Commands Command Description feature dot1x Enables 802.1X. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups.
  • Page 49: Aaa Authentication Eou Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 50 EoUGroup Related Commands Command Description feature eou Enables EAPoUDP. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups.
  • Page 51: Aaa Authentication Login Ascii-Authentication

    This example shows how to disable ASCII authentication for passwords on TACACS+ servers: switch# configure terminal switch(config)# no aaa authentication login ascii-authentication Related Commands Command Description show aaa authentication login ascii-authentication Displays the status of the ASCII authentication for passwords.
  • Page 52: Aaa Authentication Login Chap Enable

    Modification 5.0(2) This command was introduced. Usage Guidelines You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device. This command does not require a license. Examples This example shows how to enable CHAP authentication: switch# configure terminal...
  • Page 53: Aaa Authentication Login Console

    • Any configured RADIUS, TACACS+, or LDAP server group name. none (Optional) Specifies that no authentication is to be used. local Specifies to use the local database for authentication. Command Default local Command Modes Global configuration
  • Page 54 Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 55: Aaa Authentication Login Default

    • Any configured RADIUS, TACACS+, or LDAP server group name. none (Optional) Specifies that no authentication is to be used. local Specifies to use the local database for authentication. Command Default local Command Modes Global configuration
  • Page 56 Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 57: Aaa Authentication Login Error-Enable

    This example shows how to disable the display of AAA authentication failure messages to the console: switch# configure terminal switch(config)# no aaa authentication login error-enable Related Commands Command Description show aaa authentication login error-enable Displays the status of the AAA authentication failure message display.
  • Page 58: Aaa Authentication Login Invalid-Username-Log

    This example shows how to exclude the username in authentication failed messages for all failure reasons: switch# configure terminal switch(config)# no aaa authentication login invalid-username-log
  • Page 59: Aaa Authentication Login Mschap Enable

    Modification 4.0(1) This command was introduced. Usage Guidelines You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX-OS device. This command does not require a license. Examples This example shows how to enable MSCHAP authentication: switch# configure terminal...
  • Page 60: Aaa Authentication Login Mschapv2 Enable

    Modification 4.1(2) This command was introduced. Usage Guidelines You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX-OS device. This command does not require a license. Examples This example shows how to enable MSCHAP V2 authentication:...
  • Page 61: Aaa Authentication Rejected

    5 in 60 ban 300 Related Commands Command Description clear aaa local user blocked Clears the blocked local user. show aaa authentication Displays the AAA authentication configuration. show aaa local user blocked Displays the blocked local users.
  • Page 62 A Commands aaa authentication rejected
  • Page 63: Aaa Authorization Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 64 Note: By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
  • Page 65: Aaa Authorization Config-Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 66 Note: By default, context sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context sensitive help and in tab completion, regardless of the role assigned to the user.
  • Page 67: Aaa Authorization Cts Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 68 A Commands aaa authorization cts default group Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show aaa authorization Displays the AAA authorization configuration. show aaa groups Displays the AAA server groups.
  • Page 69: Aaa Authorization Ssh-Certificate

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 70 AAA authorization method for LDAP servers. feature ldap Enables the LDAP feature. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration.
  • Page 71: Aaa Authorization Ssh-Publickey

    Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 72 aaa authorization ssh-certificate Configures LDAP or local authorization with certificate authentication as the default AAA authorization method for LDAP servers. feature ldap Enables the LDAP feature. show aaa authorization Displays the AAA authorization configuration.
  • Page 73: Aaa Group Server Ldap

    This example shows how to create an LDAP server group and enter LDAP server configuration mode: switch# configure terminal switch(config)# aaa group server ldap LdapServer switch(config-ldap)# This example shows how to delete an LDAP server group: switch# configure terminal switch(config)# no aaa group server ldap LdapServer
  • Page 74 A Commands aaa group server ldap Related Commands Command Description feature ldap Enables LDAP. show aaa groups Displays server group information.
  • Page 75: Aaa Group Server Radius

    RadServer switch(config-radius)# This example shows how to delete a RADIUS server group: switch# configure terminal switch(config)# no aaa group server radius RadServer Related Commands Command Description show aaa groups Displays server group information.
  • Page 76: Aaa Group Server Tacacs

    This example shows how to delete a TACACS+ server group: switch# configure terminal switch(config)# no aaa group server tacacs+ TacServer Related Commands Command Description feature tacacs+ Enables TACACS+. show aaa groups Displays server group information.
  • Page 77: Aaa User Default-Role

    This example shows how to disable default user roles for AAA authentication of remote users: switch# configure terminal switch(config)# no aaa user default-role Related Commands Command Description show aaa user default-role Displays the status of the AAA default user role feature.
  • Page 78 A Commands aaa user default-role
  • Page 79: C Commands

    85 • clear ip arp inspection statistics vlan, page 87 • clear ip device tracking, page 89 • clear ip dhcp relay statistics, page 91 • clear ip dhcp snooping binding, page 92 Cisco Nexus 7000 Series Security Command Reference...
  • Page 80: Cisco Nexus 7000 Series Security Command Reference

    139 • crypto certificatemap mapname, page 141 • cts cache enable, page 142 • cts device-id, page 143 • cts role-based sgt-map, page 145 • cts sgt, page 147 Cisco Nexus 7000 Series Security Command Reference...
  • Page 81: Cisco Nexus 7000 Series Security Command Reference

    180 • cts sxp mapping network-map, page 182 • cts sxp node-id, page 183 • cts sxp reconcile-period, page 185 • cts sxp retry-period, page 187 • cts sxp speaker hold-time, page 189 Cisco Nexus 7000 Series Security Command Reference...
  • Page 82: Cipher Suite

    To use this command, you should enable the MACsec Key Agreement (MKA) feature first. • GCM indicates the encryption method. • AES and AES-XPN indicates the hash or integrity algorithm. • The numeral indicates the length of the cipher. Cisco Nexus 7000 Series Security Command Reference...
  • Page 83: Cisco Nexus 7000 Series Security Command Reference

    Displays the configuration of the specified keychain. Displays the details of MKA. show macsec mka show macsec policy Displays all the MACsec policies in the system. Displays the status of MKA. show run mka Cisco Nexus 7000 Series Security Command Reference...
  • Page 84: Clear Access-List Counters

    Related Commands Command Description clear ip access-list counters Clears counters for IPv4 ACLs. clear ipv6 access-list counters Clears counters for IPv6 ACLs. Clears counters for MAC ACLs. clear mac access-list counters Cisco Nexus 7000 Series Security Command Reference...
  • Page 85: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear access-list counters Command Description clear vlan access-list counters Clears counters for VACLs. show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 86: Clear Accounting Log

    This command does not require a license. Examples This example shows how to clear the accounting log: switch# clear accounting log Related Commands Command Description show accounting log Displays the accounting log contents. Cisco Nexus 7000 Series Security Command Reference...
  • Page 87: Clear Copp Statistics

    This example shows how to specify a control plane class map and enter class map configuration mode: switch# clear copp statistics Related Commands Command Description show policy-map interface control-plane Displays the CoPP statistics for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 88: Clear Cts Cache

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to clear the Cisco TrustSec authentication and authorization cache:...
  • Page 89: Clear Cts Policy

    C Commands clear cts policy clear cts policy To clear the Cisco TrustSec security group access control list (SGACL) policies, use the clear cts policy command. clear cts policy {all| peer device-id| sgt sgt-value} Syntax Description Clears all the Cisco TrustSec SGACL policies on the local device.
  • Page 90: Capture Session

    This example shows how to configure an ACL capture session configuration: switch# configure terminal switch(config)# ip access-list abc1234 switch(config-acl)# capture session 7 switch(config-acl)# Related Commands Command Description ip access-list Creates an access list. monitor session session type acl-capture Configures an ACL capture session. Cisco Nexus 7000 Series Security Command Reference...
  • Page 91: Cts Dot1X

    This command is not supported for F1 Series modules and F2 Series modules. To use this command, you must enable the Cisco TrustSec feature using the feature cts command. After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
  • Page 92: Cisco Nexus 7000 Series Security Command Reference

    You can use only IPv4 addressing with Cisco TrustSec. This command requires the Advanced Services license. Examples This example shows how to configure Layer 3 Cisco TrustSec global mapping for an SPI and subnet: switch# config t switch(config)# cts l3 spi 3 10.10.1.1/23...
  • Page 93: Class (Policy Map)

    PolicyMapA switch(config-pmap)# class ClassMapA swtich(config-pmap-c) This example shows how to delete a class map from a control plane policy map: switch# configure terminal switch(config)# policy-map type control-plane PolicyMapA switch(config-pmap)# no class ClassMapA Cisco Nexus 7000 Series Security Command Reference...
  • Page 94: Cisco Nexus 7000 Series Security Command Reference

    (policy map) Related Commands Command Description policy-map type control-plane Specifies a control plane policy map and enters policy map configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 95: Class-Map Type Control-Plane

    This example shows how to specify a control plane class map and enter class map configuration mode: switch# configure terminal switch(config)# class-map type control-plane ClassMapA switch(config-cmap)# This example shows how to delete a control plane class map: switch# configure terminal switch(config)# no class-map type control-plane ClassMapA Cisco Nexus 7000 Series Security Command Reference...
  • Page 96: Cisco Nexus 7000 Series Security Command Reference

    C Commands class-map type control-plane Related Commands Command Description show class-map type control-plane Displays control plane policy map configuration information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 97: Clear Aaa Local User Blocked

    Related Commands: aaa authentication rejected - Configures the login block per user. show aaa authentication - Displays the AAA authentication configuration. show aaa local user blocked - Displays the blocked local users. Cisco Nexus 7000 Series Security Command Reference...
  • Page 98: Clear Ldap-Server Statistics

    10.10.1.1 Related Commands: feature ldap - Enables LDAP. ldap-server host - Specifies the IPv4 or IPv6 address or hostname for an LDAP server. show ldap-server statistics - Displays the LDAP server statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 99: Clear Mac Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. clear ip access-list counters - Clears counters for IPv4 ACLs. clear ipv6 access-list counters - Clears counters for IPv6 ACLs. clear vlan access-list counters - Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 100: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear mac access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show mac access-lists Displays information about one or all MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 101: Clear Port-Security

    MAC address, in dotted hexadecimal format. Command Default None Command Modes Any command mode Command History Release Modification 4.2(1) Support was added for port-security on port-channel interfaces. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 102: Cisco Nexus 7000 Series Security Command Reference

    debug port-security - Provides debugging information for port security. feature port-security - Enables port security globally. show port-security - Shows information about port security. switchport port-security - Enables port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 103: Clear Cts Role-Based Counters

    Related Commands: cts role-based counters enable - Enables the RBACL statistics. show cts role-based counters - Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies. Cisco Nexus 7000 Series Security Command Reference...
  • Page 104: Clear Dot1X

    This example shows how to clear the 802.1X authenticator instances for an interface: switch# clear dot1x interface ethernet 1/1 Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 105: Clear Eou

    Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines You must enable EAPoUDP by using the feature eou command before using the clear eou command. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 106: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the EAPoUDP sessions with a posture token type of checkup: switch# clear eou posturetoken healthy Related Commands: feature eou - Enables EAPoUDP. show eou - Displays EAPoUDP information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 107: Clear Hardware Rate-Limiter

    Clears rate-limit statistics for Layer 3 glean fast-path packets. Clears rate-limit statistics for Layer 3 maximum transmission unit (MTU) packets. multicast Specifies Layer 3 multicast rate limits. directly-connected Clears rate-limit statistics for Layer 3 directly connected multicast packets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 108: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the rate-limit statistics for Layer 3 glean packets: switch# clear hardware rate-limiter layer-3 glean This example shows how to clear the rate-limit statistics for Layer 3 directly connected multicast packets: switch# clear hardware rate-limiter layer-3 multicast directly-connected Cisco Nexus 7000 Series Security Command Reference...
  • Page 109: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the rate-limit statistics for received packets: switch# clear hardware rate-limiter receive Related Commands Command Description hardware rate-limiter Configures rate limits. show hardware rate-limiter Displays rate-limit information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 110: Clear Ip Arp Inspection Log

    Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection log Displays the DAI log configuration. show ip arp inspection statistics Displays the DAI statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 111: Clear Ip Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. clear ipv6 access-list counters - Clears counters for IPv6 ACLs. clear mac access-list counters - Clears counters for MAC ACLs. clear vlan access-list counters - Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 112: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear ip access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show ip access-lists Displays information about one or all IPv4 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 113: Clear Ip Arp Inspection Statistics Vlan

    This example shows how to clear the DAI statistics for VLAN 2 and VLANs 5 through 12: switch# clear ip arp inspection statistics vlan 2,5-12 switch# Related Commands Command Description clear ip arp inspection log Clears the DAI logging buffer. Cisco Nexus 7000 Series Security Command Reference...
  • Page 114: Cisco Nexus 7000 Series Security Command Reference

    Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection vlan Displays DAI status for a specified list of VLANs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 115: Clear Ip Device Tracking

    This example shows how to clear the IP device tracking information for an IP address: switch# clear ip device tracking ip-address 10.10.1.1 This example shows how to clear the IP device tracking information for a MAC address: switch# clear ip device tracking mac-address 000c.30da.86f4 Cisco Nexus 7000 Series Security Command Reference...
  • Page 116: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear ip device tracking Related Commands Command Description ip device tracking Enables IP device tracking. show ip device tracking Displays IP device tracking information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 117: Clear Ip Dhcp Relay Statistics

    This example shows how to clear the global DHCP relay statistics: switch# clear ip dhcp relay statistics Related Commands Command Description ip dhcp relay Enables the DHCP relay agent. show ip dhcp relay statistics Displays the DHCP relay statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 118: Clear Ip Dhcp Snooping Binding

    .subchannel-number - (Optional) Number of the Ethernet port-channel subchannel. Note: The dot separator is required between the channel-number and subchannel-number arguments. Command Default: None. Command Modes: Any command mode. Cisco Nexus 7000 Series Security Command Reference...
  • Page 119: Cisco Nexus 7000 Series Security Command Reference

    Displays IP-MAC address bindings, including the static IP source entries. show ip dhcp snooping statistics - Displays DHCP snooping statistics. show running-config dhcp - Displays DHCP snooping configuration, including the IP Source Guard configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 120: Clear Ipv6 Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. clear ip access-list counters - Clears counters for IPv4 ACLs. clear mac access-list counters - Clears counters for MAC ACLs. clear vlan access-list counters - Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 121: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear ipv6 access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show ipv6 access-lists Displays information about one or all IPv6 ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 122: Clear Ipv6 Dhcp Relay Statistics

    This example shows how to clear the global DHCPv6 relay statistics: switch# clear ipv6 dhcp relay statistics Related Commands Command Description ipv6 dhcp relay Enables the DHCPv6 relay agent. show ipv6 dhcp relay statistics Displays the DHCPv6 relay statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 123: Clear Ipv6 Dhcp-Ldra Statistics

    To use this command, you must enable the DHCP feature and LDRA feature. Examples This example shows how to clear the LDRA related statistics: switch# clear ipv6 dhcp-ldra statistics Related Commands Command Description show ipv6 dhcp-ldra Displays the configuration details of LDRA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 124: Clear Vlan Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. clear ip access-list counters - Clears counters for IPv4 ACLs. clear ipv6 access-list counters - Clears counters for IPv6 ACLs. clear mac access-list counters - Clears counters for MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 125: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear vlan access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show vlan access-map Displays information about one or all VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 126: Conf-Offset

    Enables the MKA feature. Creates a key or enters the configuration mode of an existing key. key chain keychain-name Creates a keychain or enters the configuration mode of an existing keychain. Cisco Nexus 7000 Series Security Command Reference...
  • Page 127: Cisco Nexus 7000 Series Security Command Reference

    Displays the configuration of the specified keychain. show macsec mka - Displays the details of MKA. show macsec policy - Displays all the MACsec policies in the system. show run mka - Displays the status of MKA. Cisco Nexus 7000 Series Security Command Reference...
  • Page 128: Copp Copy Profile

    When you use the copp copy profile command, CoPP renames all class maps and policy maps with the specified prefix or suffix. This command does not require a license. Examples This example shows how to create a clone of the CoPP best practice policy: switch# copp copy profile moderate abc Cisco Nexus 7000 Series Security Command Reference...
  • Page 129: Cisco Nexus 7000 Series Security Command Reference

    Applies the default CoPP best practice policy on the Cisco NX-OS device. show copp status Displays the CoPP status, including the last configuration operation and its status. show running-config copp Displays the CoPP configuration in the running configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 130: Copp Profile

    Added the dense keyword. Usage Guidelines In Cisco NX-OS releases prior to 5.2(1), you must use the setup utility to change or reapply the default CoPP policy. You can access the setup utility using the setup command. Beginning with Cisco NX-OS Release 5.2, the CoPP best practice policy is read-only. If you want to modify its configuration, you must clone it using the copp clone profile command.
  • Page 131: Cisco Nexus 7000 Series Security Command Reference

    C Commands copp profile Examples This example shows how to apply the default CoPP best practice policy on the Cisco NX-OS device: switch# configure terminal switch(config)# copp profile moderate switch(config)# This example shows how to remove the default CoPP best practice policy from the Cisco NX-OS device:...
  • Page 132: Crllookup

    This example shows how to configure the attribute name, search filter, and base-DN for the CRL search operation in order to send a search query to the LDAP server: switch# conf t switch(config)# ldap search-map s0 switch(config-ldap-search-map)# CRLLookup attribute-name certificateRevocationList search-filter (&(objectClass=cRLDistributionPoint)) base-DN CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com switch(config-ldap-search-map)# Cisco Nexus 7000 Series Security Command Reference...
  • Page 133: Cisco Nexus 7000 Series Security Command Reference

    C Commands CRLLookup Related Commands Command Description feature ldap Enables LDAP. ldap search-map Configures an LDAP search map. show ldap-search-map Displays the configured LDAP search maps. Cisco Nexus 7000 Series Security Command Reference...
  • Page 134: Crypto Ca Authenticate

    Usage Guidelines You can use this command to authenticate the CA to the Cisco NX-OS device by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you execute this command.
  • Page 135: Cisco Nexus 7000 Series Security Command Reference

    Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12 Do you accept this certificate? [yes/no]: y Related Commands: crypto ca trustpoint - Configures the trustpoint. show crypto ca certificates - Displays configured trustpoint certificates. show crypto ca trustpoints - Displays trustpoint configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 136: Crypto Ca Crl Request

    This command does not require a license. Examples This example shows how to configure a CRL for the trustpoint or replace the current CRL: switch# configure terminal switch(config)# crypto ca crl request admin-ca bootflash:admin-ca.crl Cisco Nexus 7000 Series Security Command Reference...
  • Page 137: Cisco Nexus 7000 Series Security Command Reference

    C Commands crypto ca crl request Related Commands Command Description revocation-check Configures trustpoint revocation check methods. show crypto ca crl Displays configured certificate revocation lists (CRL). Cisco Nexus 7000 Series Security Command Reference...
  • Page 143: Clear Radius-Server Statistics

    This command does not require a license. Examples This example shows how to clear statistics for a RADIUS server: switch# clear radius-server statistics 10.10.1.1 Related Commands Command Description show radius-server statistics Displays RADIUS server host statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 144: Clear Ssh Hosts

    This command does not require a license. Examples This example shows how to clear all SSH host sessions and the known host file: switch# clear ssh hosts Related Commands Command Description ssh server enable Enables the SSH server. Cisco Nexus 7000 Series Security Command Reference...
  • Page 145: Clear Tacacs-Server Statistics

    This command does not require a license. Examples This example shows how to clear statistics for a TACACS+ server: switch# clear tacacs-server statistics 10.10.1.1 Related Commands Command Description show tacacs-server statistics Displays TACACS+ server host statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 146: Clear User

    This command does not require a license. Examples This example shows how to clear all SSH host sessions: switch# clear user user1 Related Commands: show users - Displays the user session information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 147: Cts L3 Spi (Global)

    cts l3 spi (global): To enable Layer 3 Cisco TrustSec and map a security parameter index (SPI) and subnet for the device, use the cts l3 spi command. To remove the mapping to an IPv4 subnet, use the no form of this command.
  • Page 148: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (global) Command Description show cts l3 mapping Displays the Layer 3 Cisco TrustSec mapping for SPI values to IPv4 subnets. Cisco Nexus 7000 Series Security Command Reference...
  • Page 149: Cts L3 Spi (Interface)

    cts l3 spi (interface): To enable Layer 3 Cisco TrustSec and configure a security parameter index (SPI) on an interface, use the cts l3 spi command. To revert to the default, use the no form of this command.
  • Page 150: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts l3 spi (interface) Command Description show cts l3 interface Displays the Layer 3 Cisco TrustSec configuration on the interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 151: Crypto Ca Enroll

    This command was introduced. Usage Guidelines A Cisco NX-OS device enrolls with the trustpoint CA to obtain an identity certificate. You can enroll your device with multiple trustpoints and obtain a separate identity certificate from each trustpoint. When enrolling with a trustpoint, you must specify an RSA key pair to certify. You must generate the key pair and associate it to the trustpoint before generating the enrollment request.
  • Page 152: Cisco Nexus 7000 Series Security Command Reference

    For security reasons your password will not be saved in the configuration. Please make a note of it. Password:nbv123 The subject name in the certificate will be: Vegas-1.cisco.com Include the switch serial number in the subject name? [yes/no]:no Include an IP address in the subject name [yes/no]:yes ip address:209.165.200.226...
  • Page 153: Crypto Ca Export

    This command does not require a license. Examples This example shows how to export a certificate and key pair in the PKCS #12 format: switch# configure terminal switch(config)# crypto ca export admin-ca pkcs12 bootflash:adminid.p12 nbv123 Cisco Nexus 7000 Series Security Command Reference...
  • Page 154: Cisco Nexus 7000 Series Security Command Reference

    CA certificate (chain) to a trustpoint. crypto key generate rsa - Generates an RSA key pair. rsakeypair - Configures and associates the RSA key pair details to a trustpoint. show crypto key mypubkey rsa - Displays any RSA public key configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 155: Crypto Ca Import

    The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the Cisco Nexus 7000 Series Security Command Reference...
  • Page 156: Cisco Nexus 7000 Series Security Command Reference

    Generates the RSA key pair. rsakeypair - Configures trustpoint RSA key pair details. show crypto ca certificates - Displays the identity and CA certificate details. show crypto key mypubkey rsa - Displays any RSA public key configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 157: Cisco Nexus 7000 Series Security Command Reference

    C Commands crypto ca import Cisco Nexus 7000 Series Security Command Reference...
  • Page 158: Crypto Ca Lookup

    This example shows how to specify the remote cert-store for certificate authentication: switch(config)# crypto ca lookup remote Related Commands Command Description crypto ca remote ldap crl-refresh-time Configures the refresh time to update the certificate revocation list from the remote cert-store. Cisco Nexus 7000 Series Security Command Reference...
  • Page 159: Cisco Nexus 7000 Series Security Command Reference

    Configures the LDAP server group to be used while communicating with LDAP. show crypto ca certstore Displays the configured cert-store. show crypto ca remote-certstore Displays the remote cert-store configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 160: Crypto Ca Remote Ldap Crl-Refresh-Time

    Related Commands Command Description crypto ca lookup Specifies the cert-store to be used for certificate authentication. crypto ca remote ldap server-group Configures the LDAP server group to be used while communicating with LDAP. Cisco Nexus 7000 Series Security Command Reference...
  • Page 161: Crypto Ca Remote Ldap Server-Group

    Command Description crypto ca lookup Specifies the cert-store to be used for certificate authentication. crypto ca remote ldap crl-refresh-time Configures the refresh time to update the certificate revocation list from the remote cert-store. Cisco Nexus 7000 Series Security Command Reference...
  • Page 162: Crypto Ca Test Verify

    Note: The verify status code value of 0 indicates that the verification is successful. Related Commands: show crypto ca certificates - Displays configured trustpoint certificates. Cisco Nexus 7000 Series Security Command Reference...
  • Page 163: Crypto Ca Trustpoint

    • A CA must be explicitly associated to a trustpoint using the crypto ca authenticate command. • A Cisco NX-OS device can have many trustpoints and all applications on the device can trust a peer certificate issued by any of the trustpoint CAs.
  • Page 164: Cisco Nexus 7000 Series Security Command Reference

    Authenticates the certificate of the certificate authority. crypto ca enroll - Generates a certificate signing request for a trustpoint. show crypto ca certificates - Displays the identity and CA certificate details. show crypto ca trustpoints - Displays trustpoint configurations. Cisco Nexus 7000 Series Security Command Reference...
  • Page 165: Crypto Cert Ssh-Authorize

    To use this command, you must create a filter map. This command does not require a license. Examples This example shows how to configure a certificate mapping filter for the SSH protocol: switch(config)# crypto cert ssh-authorize default map filtermap1 Cisco Nexus 7000 Series Security Command Reference...
  • Page 166: Cisco Nexus 7000 Series Security Command Reference

    Related Commands Command Description crypto certificatemap mapname Creates a filter map. filter Configures one or more certificate mapping filters within the filter map. show crypto ssh-auth-map Displays the mapping filters configured for SSH authentication. Cisco Nexus 7000 Series Security Command Reference...
  • Page 167: Crypto Certificatemap Mapname

    This example shows how to create a new filter map: switch(config)# crypto certificatemap mapname filtermap1 Related Commands: filter - Configures one or more certificate mapping filters within the filter map. show crypto certificatemap - Displays the certificate mapping filters. Cisco Nexus 7000 Series Security Command Reference...
  • Page 168: Cts Cache Enable

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to enable Cisco TrustSec authentication and authorization caching:...
  • Page 169: Cts Device-Id

    This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. The Cisco TrustSec device identifier name must be unique in your Cisco TrustSec network cloud. This command requires the Advanced Services license.
  • Page 170: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts device-id Command Description show cts credentials Displays the Cisco TrustSec credentials information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 171: Cts Role-Based Sgt-Map

    To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command. cts role-based sgt-map ipv4-address sgt-value...
  • Page 172: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based sgt-map Cisco Nexus 7000 Series Security Command Reference...
  • Page 173: Cts Sgt

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to configure the Cisco TrustSec SGT for the device:...
  • Page 180: Cts Manual

    cts manual: To enter Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command. cts manual no cts manual Syntax Description: This command has no arguments or keywords.
  • Page 181: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts manual Command Description show cts interface Displays Cisco TrustSec configuration information for interfaces. Cisco Nexus 7000 Series Security Command Reference...
  • Page 182: Cts Refresh Environment-Data

    cts refresh environment-data: To refresh the Cisco TrustSec environment data downloaded from the AAA server, use the cts refresh environment-data command. cts refresh environment-data Syntax Description: This command has no arguments or keywords. Command Default...
  • Page 183: Cts Refresh Role-Based-Policy

    cts refresh role-based-policy: To refresh the Cisco TrustSec security group access control list (SGACL) policies downloaded from the Cisco Secure ACS, use the cts refresh role-based-policy command. cts refresh role-based-policy Syntax Description: This command has no arguments or keywords.
  • Page 184: Cts Rekey

    4.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples This example shows how to rekey an interface for Cisco TrustSec:...
  • Page 185: Cts Role-Based Access-List

    To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.
  • Page 186: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based access-list Cisco Nexus 7000 Series Security Command Reference...
  • Page 187: Cts Role-Based Counters Enable

    When you modify an RBACL policy, statistics for the previously assigned access control entry (ACE) are displayed, and the newly assigned ACE statistics are initialized to 0. RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics. This command requires the Advanced Services license.
  • Page 188: Cisco Nexus 7000 Series Security Command Reference

    Clears the RBACL statistics so that all counters are reset to 0. show cts role-based counters Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies. Cisco Nexus 7000 Series Security Command Reference...
  • Page 189: Cts Role-Based Detailed-Logging

    7.3(0)D1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. Note: To view the detailed ACLLOGS, you need to enable logging ip access-list detailed after enabling cts role-based detailed-logging.
  • Page 190: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based detailed-logging Cisco Nexus 7000 Series Security Command Reference...
  • Page 191: Cts Role-Based Enforcement

    Routing and Forwarding instance (VRF), use the cts role-based enforcement command. To revert to the default, use the no form of this command. To disable Cisco TrustSec SGACL enforcement in an L3 interface or L3 port-channel, use the no cts role-based enforcement command. To revert to the default, use the cts role-based enforcement command.
  • Page 192: Cisco Nexus 7000 Series Security Command Reference

    C Commands cts role-based enforcement switch(config-vrf)# cts role-based enforcement This example shows how to disable Cisco TrustSec SGACL enforcement in an interface and L3 port-channel: switch# configure terminal switch(config)# interface ethernet 6/2 switch(config-if)# no cts role-based enforcement switch(config-if)# exit switch(config)# interface port-channel 100...
  • Page 193: Cts Role-Based Monitor

    Disabled Command Modes Global configurationVRF configuration Command History Release Modification 7.3(0)D1(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. Cisco Nexus 7000 Series Security Command Reference...
  • Page 194: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to disable monitoring permissions for all source groups to all destination groups: switch# configure terminal switch(config)# no cts role-based monitor all Related Commands Command Description Enables the Cisco TrustSec feature. feature cts show cts role-based enable Displays the Cisco TrustSec SGACL policy enforcement configuration. Cisco Nexus 7000 Series Security Command Reference...
  • Page 195: Cts Role-Based Policy Priority-Static

    8.0(1) This command was introduced. Usage Guidelines To use this command, you must enable the Cisco TrustSec feature using the feature cts command. Examples This example shows how to set higher install priority for ISE configured SGACLs: switch# configure terminal...
  • Page 196: Cts Role-Based Sgt

    To manually configure the mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.
  • Page 197: Cisco Nexus 7000 Series Security Command Reference

    ... 3 sgt 10
    Related Commands:
    • feature cts: Enables the Cisco TrustSec feature.
    • show cts role-based policy: Displays the Cisco TrustSec SGT mapping for an SGACL.
  • Page 198: Cts Sxp Allow Default-Route-Sgt

    Command History: 7.3(0)D1(1) This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec SXP feature using the cts sxp enable command. Examples: This example shows how to expand the network limit: switch# configure terminal switch(config)# cts sxp allow default-route-sgt ...
  • Page 199: Cts Sxp Connection Peer

    To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.
  • Page 200: Cisco Nexus 7000 Series Security Command Reference

    ... This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You can use only IPv4 addressing with Cisco TrustSec. If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.
  • Page 201: Cisco Nexus 7000 Series Security Command Reference

    ... Configures the default SXP source IPv4 address for the device.
    • feature cts: Enables the Cisco TrustSec feature.
    • show cts sxp connection: Displays the Cisco TrustSec SXP peer connection information.
  • Page 202: Cts Sxp Default Password

    Command History: 4.0(1) This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples: This example shows how to configure the default SXP password for the device: ...
  • Page 203: Cisco Nexus 7000 Series Security Command Reference

    cts sxp default password. Related Commands:
    • feature cts: Enables the Cisco TrustSec feature.
    • show cts sxp: Displays the Cisco TrustSec SXP configuration information.
  • Page 204: Cts Sxp Default Source-Ip

    Command History: 4.0(1) This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You can use only IPv4 addressing with Cisco TrustSec. This command requires the Advanced Services license. Examples: ...
  • Page 205: Cts Sxp Enable

    Command History: 4.0(1) This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples: This example shows how to enable SXP: switch# configure terminal ...
  • Page 206: Cts Sxp Listener Hold-Time

    To configure the global hold-time period of a listener network device in a Cisco TrustSec Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4) network, use the cts sxp listener hold-time command in global configuration mode.
  • Page 207: Cisco Nexus 7000 Series Security Command Reference

    ... Enables Cisco TrustSec SXP on a device.
    • cts sxp speaker hold-time: Configures the hold time of a speaker device in an SXPv4 network.
    • show cts sxp: Displays the status of all Cisco TrustSec SXP configurations.
  • Page 208: Cts Sxp Mapping Network-Map

    Command History: 7.3(0)D1(1) This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature by using the feature cts command. Examples: This example shows how to expand the network limit: switch# configure terminal switch(config)# cts sxp mapping network-map 64 ...
  • Page 209: Cts Sxp Node-Id

    To configure the node ID of a network device for Cisco TrustSec (CTS) Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4), use the cts sxp node-id command in global configuration mode. To remove the node ID, use the no form of this command.
  • Page 210: Cisco Nexus 7000 Series Security Command Reference

    cts sxp node-id. Examples: switch(config)# cts sxp node-id 172.16.1.3
    Related Commands:
    • cts sxp enable: Enables CTS-SXP on a device.
    • show cts sxp: Displays the status of all CTS-SXP configurations.
  • Page 211: Cts Sxp Reconcile-Period

    After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries.
  • Page 212: Cisco Nexus 7000 Series Security Command Reference

    cts sxp reconcile-period. Related Commands:
    • feature cts: Enables the Cisco TrustSec feature.
    • show cts sxp connection: Displays the Cisco TrustSec SXP configuration information.
  • Page 213: Cts Sxp Retry-Period

    The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.
  • Page 214: Cisco Nexus 7000 Series Security Command Reference

    cts sxp retry-period. Related Commands:
    • feature cts: Enables the Cisco TrustSec feature.
    • show cts sxp connection: Displays the Cisco TrustSec SXP peer connection information.
  • Page 215: Cts Sxp Speaker Hold-Time

    To configure the global hold-time period of a speaker network device in a Cisco TrustSec Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4) network, use the cts sxp speaker hold-time command in global configuration mode.
  • Page 216: Cisco Nexus 7000 Series Security Command Reference

    ... Enables Cisco TrustSec SXP on a device.
    • cts sxp listener hold-time: Configures the hold time of a listener device in an SXPv4 network.
    • show cts sxp: Displays the status of all Cisco TrustSec SXP configurations.
  • Page 217: D Commands

    ... (ARP), page 224
    • deny (IPv4), page 228
    • deny (IPv6), page 243
    • deny (MAC), page 259
    • deny (role-based access control list), page 262
    • description (identity policy), page 264
  • Page 218: Cisco Nexus 7000 Series Security Command Reference

    • destination interface, page 268
    • device, page 270
    • device-role, page 272
    • dot1x default, page 274
    • dot1x host-mode, page 275
    • dot1x initialize, page 277
    • dot1x mac-auth-bypass, page 278
  • Page 219: Dot1X Max-Reauth-Req

    To change the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to supplicants on an interface before the session times out, use the dot1x max-reauth-req command. To revert to the default, use the no form of this command.
  • Page 220: Cisco Nexus 7000 Series Security Command Reference

    dot1x max-reauth-req. Related Commands:
    • show dot1x all: Displays all 802.1X information.
  • Page 221: Dot1X Max-Req

    To change the maximum number of requests that the Cisco NX-OS device sends to a supplicant before restarting the 802.1X authentication, use the dot1x max-req command. To revert to the default, use the no form of this command.
  • Page 222: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to revert to the default maximum number of request retries for an interface:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# no dot1x max-req
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x all: Displays all 802.1X information.
  • Page 223: Dot1X Pae Authenticator

    You must use the feature dot1x command before you configure 802.1X. When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface.
  • Page 224: Cisco Nexus 7000 Series Security Command Reference

    dot1x pae authenticator. Related Commands:
    • show dot1x interface: Displays 802.1X feature status information for an interface.
  • Page 225: Dot1X Port-Control

    ... 2/1
    switch(config-if)# dot1x port-control auto
    This example shows how to revert to the default 802.1X authentication action performed on an interface:
    switch# configure terminal
    switch(config)# interface ethernet 2/1
    switch(config-if)# dot1x port-control auto
  • Page 226: Cisco Nexus 7000 Series Security Command Reference

    dot1x port-control. Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x interface ethernet: Displays 802.1X information for an interface.
  • Page 227: Dot1X Radius-Accounting

    This example shows how to disable RADIUS accounting for 802.1X authentication:
    switch# configure terminal
    switch(config)# no dot1x radius-accounting
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show running-config dot1x all: Displays all 802.1X information in the running configuration.
  • Page 228: Dot1X Re-Authentication (Exec)

    This example shows how to manually reauthenticate the 802.1X supplicant on an interface:
    switch# dot1x re-authentication interface ethernet 2/1
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x all: Displays all 802.1X information.
  • Page 229: Dot1X Re-Authentication (Global Configuration And Interface Configuration)

    You must use the feature dot1x command before you configure 802.1X. In global configuration mode, this command configures periodic reauthentication for all supplicants on the Cisco NX-OS device. In interface configuration mode, this command configures periodic reauthentication only for supplicants on the interface.
  • Page 230: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to disable periodic reauthentication of 802.1X supplicants on an interface:
    switch# configure terminal
    switch(config)# interface ethernet 2/1
    switch(config-if)# no dot1x re-authentication
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x all: Displays all 802.1X information.
  • Page 231: Dot1X System-Auth-Control

    This example shows how to enable 802.1X authentication:
    switch# configure terminal
    switch(config)# dot1x system-auth-control
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x: Displays 802.1X feature status information.
  • Page 232: Dot1X Timeout Quiet-Period

    This example shows how to configure the global 802.1X quiet-period timeout:
    switch# configure terminal
    switch(config)# dot1x timeout quiet-period 45
    This example shows how to revert to the default global 802.1X quiet-period timeout:
    switch# configure terminal
    switch(config)# no dot1x timeout quiet-period
  • Page 233: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to revert to the default 802.1X quiet-period timeout for an interface:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# no dot1x timeout quiet-period
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x all: Displays all 802.1X information.
  • Page 234: Dot1X Timeout Ratelimit-Period

    ... 60
    This example shows how to revert to the default 802.1X rate-limit period timeout on an interface:
    switch# configure terminal
    switch(config)# interface ethernet 2/1
    switch(config-if)# dot1x timeout ratelimit-period 60
  • Page 235: Cisco Nexus 7000 Series Security Command Reference

    dot1x timeout ratelimit-period. Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x interface ethernet: Displays 802.1X information for an interface.
  • Page 236: Dot1X Timeout Re-Authperiod

    ... 3000
    This example shows how to configure the 802.1X reauthentication-period timeout on an interface:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# dot1x timeout re-authperiod 3300
  • Page 237: Cisco Nexus 7000 Series Security Command Reference

    dot1x timeout re-authperiod. Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x all: Displays all 802.1X information.
  • Page 238: Dot1X Timeout Server-Timeout

    ... This command was introduced. Usage Guidelines: The 802.1X server timeout for an interface is the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. This value overrides the global reauthentication period timeout.
  • Page 239: Cisco Nexus 7000 Series Security Command Reference

    dot1x timeout server-timeout. Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x interface ethernet: Displays 802.1X information for an interface.
  • Page 240: Dot1X Timeout Supp-Timeout

    ... This command was introduced. Usage Guidelines: The 802.1X supplicant timeout for an interface is the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame.
  • Page 241: Cisco Nexus 7000 Series Security Command Reference

    dot1x timeout supp-timeout. Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x interface ethernet: Displays 802.1X information for an interface.
  • Page 242: Dot1X Timeout Tx-Period

    ... This command was introduced. Usage Guidelines: The 802.1X transmission-timeout period is the number of seconds that the Cisco NX-OS device waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request. You must use the feature dot1x command before you configure 802.1X.
  • Page 243: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to revert to the default 802.1X transmission-period timeout for an interface:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# no dot1x timeout tx-period
    Related Commands:
    • feature dot1x: Enables the 802.1X feature.
    • show dot1x all: Displays all 802.1X information.
  • Page 244: Deadtime

    ... TacServer
    switch(config-tacacs+)# deadtime 5
    This example shows how to revert to the default dead-time interval:
    switch# configure terminal
    switch(config)# feature tacacs+
    switch(config)# aaa group server tacacs+ TacServer
    switch(config-tacacs+)# no deadtime 5
  • Page 245: Cisco Nexus 7000 Series Security Command Reference

    ... Configures AAA server groups.
    • radius-server host: Configures a RADIUS server.
    • show radius-server groups: Displays RADIUS server group information.
    • show tacacs-server groups: Displays TACACS+ server group information.
    • feature tacacs+: Enables TACACS+.
    • tacacs-server host: Configures a TACACS+ server.
  • Page 246: Delete Ca-Certificate

    This example shows how to delete a certificate authority certificate:
    switch# configure terminal
    switch(config)# crypto ca trustpoint admin-ca
    switch(config-trustpoint)# delete ca-certificate
    Related Commands:
    • delete certificate: Deletes the identity certificate.
    • delete crl: Deletes the CRL from the trustpoint.
  • Page 247: Delete Certificate

    The Cisco NX-OS software generates an error message if the certificate being deleted is the only certificate present or is the last identity certificate in a chain. You can use the optional force keyword to remove the certificate.
  • Page 248: Cisco Nexus 7000 Series Security Command Reference

    delete certificate. Related Commands:
    • delete ca-certificate: Deletes the certificate authority certificate.
    • delete crl: Deletes the CRL from the trustpoint.
  • Page 249: Delete Crl

    This example shows how to delete the CRL from the trustpoint:
    switch# configure terminal
    switch(config)# crypto ca trustpoint admin-ca
    switch(config-trustpoint)# delete crl
    Related Commands:
    • delete ca-certificate: Deletes the certificate authority certificate.
    • delete certificate: Deletes the identity certificate.
  • Page 250: Deny (Arp)

    ... ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. Introduces the IP address portion of the rule.
  • Page 251: Cisco Nexus 7000 Series Security Command Reference

    ... ARP messages. response: (Optional) Specifies that the rule applies only to packets containing ARP response messages. Note: If you omit both the request and the response keywords, the rule applies to all ARP messages.
  • Page 252: Cisco Nexus 7000 Series Security Command Reference

    Command Default: None. Command Modes: ARP ACL configuration. Command History: 4.0(1) This command was introduced. Usage Guidelines: A newly created ARP ACL contains no rules.
  • Page 253: Cisco Nexus 7000 Series Security Command Reference

    ... Applies an ARP ACL to a VLAN.
    • permit (ARP): Configures a permit rule in an ARP ACL.
    • remark: Configures a remark in an ACL.
    • show arp access-list: Displays all ARP ACLs or one ARP ACL.
  • Page 254: Deny (Ipv4)

    [sequence-number] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp | precedence precedence] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]
  • Page 255: Cisco Nexus 7000 Series Security Command Reference

    ... “Usage Guidelines” section. destination: Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
  • Page 256: Cisco Nexus 7000 Series Security Command Reference

    deny (IPv4). dscp dscp ...
  • Page 257: Cisco Nexus 7000 Series Security Command Reference

    ... (100110)
    • cs1—Class-selector (CS) 1, precedence 1 (001000)
    • cs2—CS2, precedence 2 (010000)
    • cs3—CS3, precedence 3 (011000)
    • cs4—CS4, precedence 4 (100000)
    • cs5—CS5, precedence 5 (101000)
    • cs6—CS6, precedence 6 (110000)
  • Page 258: Cisco Nexus 7000 Series Security Command Reference

    The message includes the following information:
    • Whether the protocol was TCP, UDP, ICMP, or a number
    • Source and destination addresses
    • Source and destination port numbers, if applicable
  • Page 259: Cisco Nexus 7000 Series Security Command Reference

    ... IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords:
    • dvmrp—Distance Vector Multicast Routing Protocol
    • host-query—Host query
    • host-report—Host report
    • pim—Protocol Independent Multicast
    • trace—Multicast trace
  • Page 260: Cisco Nexus 7000 Series Security Command Reference

    Use the object-group ip port command to create and change IP port object groups.
  • Page 261: Cisco Nexus 7000 Series Security Command Reference

    A newly created IPv4 ACL contains no rules. If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
  • Page 262: Cisco Nexus 7000 Series Security Command Reference

    • eigrp—Specifies that the rule applies to Enhanced Interior Gateway Routing Protocol (EIGRP) traffic only.
    • esp—Specifies that the rule applies to Encapsulating Security Payload (ESP) traffic only.
    • gre—Specifies that the rule applies to Generic Routing Encapsulation (GRE) traffic only.
  • Page 263: Cisco Nexus 7000 Series Security Command Reference

    The syntax is as follows: IPv4-address network-wildcard
    The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
    switch(config-acl)# deny tcp 192.168.67.0 0.0.0.255 any
  • Page 264: Cisco Nexus 7000 Series Security Command Reference

    • general-parameter-problem—Parameter problem
    • host-isolated—Host isolated
    • host-precedence-unreachable—Host unreachable for precedence
    • host-redirect—Host redirect
    • host-tos-redirect—Host redirect for ToS
    • host-tos-unreachable—Host unreachable for ToS
    • host-unknown—Host unknown
    • host-unreachable—Host unreachable
    • information-reply—Information replies
  • Page 265: Cisco Nexus 7000 Series Security Command Reference

    When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
    • bgp—Border Gateway Protocol (179)
    • chargen—Character generator (19)
  • Page 266: Cisco Nexus 7000 Series Security Command Reference

    When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
    • biff—Biff (mail notification, comsat, 512)
    • bootpc—Bootstrap Protocol (BOOTP) client (68)
  • Page 267: Cisco Nexus 7000 Series Security Command Reference

    ... IPv4 traffic:
    switch# configure terminal
    switch(config)# ip access-list acl-lab-01
    switch(config-acl)# deny tcp 10.23.0.0/16 10.176.0.0/16
    switch(config-acl)# deny udp 10.23.0.0/16 10.176.0.0/16
    switch(config-acl)# deny tcp 192.168.37.0/16 10.176.0.0/16
    switch(config-acl)# deny udp 192.168.37.0/16 10.176.0.0/16
    switch(config-acl)# permit ip any any
  • Page 268: Cisco Nexus 7000 Series Security Command Reference

    • remark: Configures a remark in an IPv4 ACL.
    • show ip access-list: Displays all IPv4 ACLs or one IPv4 ACL.
    • statistics per-entry: Enables collection of statistics for each entry in an ACL.
    • time-range: Configures a time range.
  • Page 269: Deny (Ipv6)

    [sequence-number | no] deny udp source [operator port [port] | portgroup portgroup] destination [operator port [port] | portgroup portgroup] [dscp dscp] [flow-label flow-label-value] [fragments] [log] [time-range time-range-name] [packet-length operator packet-length [packet-length]]
  • Page 270: Cisco Nexus 7000 Series Security Command Reference

    ... ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules.
  • Page 271: Cisco Nexus 7000 Series Security Command Reference

    deny (IPv6). protocol ...
  • Page 272: Cisco Nexus 7000 Series Security Command Reference

    • udp—Specifies that the rule applies to UDP traffic only. When you use this keyword, the operator argument and the portgroup keyword are available, in addition to the keywords that are available for all valid values of the protocol ...
  • Page 273: Cisco Nexus 7000 Series Security Command Reference

    ... “Usage Guidelines” section. destination: Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
  • Page 274: Cisco Nexus 7000 Series Security Command Reference

    deny (IPv6). dscp dscp ...
  • Page 275: Cisco Nexus 7000 Series Security Command Reference

    ... (100110)
    • cs1—Class-selector (CS) 1, precedence 1 (001000)
    • cs2—CS2, precedence 2 (010000)
    • cs3—CS3, precedence 3 (011000)
    • cs4—CS4, precedence 4 (100000)
    • cs5—CS5, precedence 5 (101000)
    • cs6—CS6, precedence 6 (110000)
  • Page 276: Cisco Nexus 7000 Series Security Command Reference

    (ICMP only; Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMPv6 Message Types” in the “Usage Guidelines” section.
  • Page 277: Cisco Nexus 7000 Series Security Command Reference

    • range—Requires two port arguments and matches only if the port in the packet is equal to or greater than the first port argument and equal to or less than the second port argument.
  • Page 278: Cisco Nexus 7000 Series Security Command Reference

    ... TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
    • ack
    • fin
    • psh
    • rst
    • syn
    • urg
  • Page 279: Cisco Nexus 7000 Series Security Command Reference

    You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
  • Page 280: Cisco Nexus 7000 Series Security Command Reference

    • beyond-scope—Destination beyond scope
    • destination-unreachable—Destination address is unreachable
    • echo-reply—Echo reply
    • echo-request—Echo request (ping)
    • header—Parameter header problems
    • hop-limit—Hop limit exceeded in transit
    • mld-query—Multicast Listener Discovery Query
    • mld-reduction—Multicast Listener Discovery Reduction
  • Page 281: Cisco Nexus 7000 Series Security Command Reference

    ... Gateway Protocol (179)
    • chargen—Character generator (19)
    • cmd—Remote commands (rcmd, 514)
    • daytime—Daytime (13)
    • discard—Discard (9)
    • domain—Domain Name Service (53)
    • drip—Dynamic Routing Information Protocol (3949)
    • echo—Echo (7)
    • exec—Exec (rsh, 512)
    • finger—Finger (79)
    • ftp—File Transfer Protocol (21)
  • Page 282: Cisco Nexus 7000 Series Security Command Reference

    ... (195)
    • domain—Domain Name Service (DNS, 53)
    • echo—Echo (7)
    • isakmp—Internet Security Association and Key Management Protocol (5)
    • mobile-ip—Mobile IP registration (434)
    • nameserver—IEN116 name service (obsolete, 42)
    • netbios-dgm—NetBIOS datagram service (138)
  • Page 283: Cisco Nexus 7000 Series Security Command Reference

    Related Commands:
    • fragments: Configures how an IP ACL processes noninitial fragments.
    • ipv6 access-list: Configures an IPv6 ACL.
    • object-group ipv6 address: Configures an IPv6-address object group.
    • object-group ip port: Configures an IP-port object group.
  • Page 284: Cisco Nexus 7000 Series Security Command Reference

    ... Configures a remark in an ACL.
    • show ipv6 access-list: Displays all IPv6 ACLs or one IPv6 ACL.
    • statistics per-entry: Enables collection of statistics for each entry in an ACL.
    • time-range: Configures a time range.
  • Page 285: Deny (Mac)

    (Optional) Specifies that the rule matches only packets with an IEEE 802.1Q header that contains the Class of Service (CoS) value given in the cos-value argument. The cos-value argument can be an integer from 0 to 7. ...
  • Page 286: Cisco Nexus 7000 Series Security Command Reference

    • Any address—You can use the any keyword to specify that a source or destination is any MAC address. For examples of the use of the any keyword, see the examples in this section. Each of the examples shows how to specify a source or destination by using the any keyword. ...
  • Page 287: Cisco Nexus 7000 Series Security Command Reference

    Configures a remark in an ACL.
    • show mac access-list—Displays all MAC ACLs or one MAC ACL.
    • statistics per-entry—Enables collection of statistics for each entry in an ACL.
    • time-range—Configures a time range.
    ...
  • Page 288: Deny (Role-Based Access Control List)

    • range—Specifies a port range for TCP or UDP.
    • port-number1—First port in the range. The range is from 0 to 65535.
    • port-number2—Last port in the range. The range is from 0 to 65535.
    ...
  • Page 289: Cisco Nexus 7000 Series Security Command Reference

    This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF. To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.
  • Page 290: Description (Identity Policy)

    AdminPolicy
    switch(config-id-policy)# no description
    Related Commands:
    • identity policy—Creates or specifies an identity policy and enters identity policy configuration mode.
    • show identity policy—Displays identity policy information.
    ...
  • Page 291: Cisco Nexus 7000 Series Security Command Reference

    D Commands description (identity policy) Cisco Nexus 7000 Series Security Command Reference...
  • Page 292: Description (User Role)

    MyRole
    switch(config-role)# no description
    Related Commands:
    • role name—Creates or specifies a user role and enters user role configuration mode.
    • show role—Displays user role information.
    ...
  • Page 293: Cisco Nexus 7000 Series Security Command Reference

  • Page 294: Destination Interface

    You can enter the destination interface command multiple times to add multiple destinations. This command does not require a license.
    Examples
    This example shows how to configure a destination for ACL capture packets:
    switch# configure terminal
    ...
  • Page 295: Cisco Nexus 7000 Series Security Command Reference

    switch(config)# monitor session 7 type acl-capture
    switch(config-acl-capture)# destination interface ethernet 5/5
    Related Commands:
    • monitor session session type acl-capture—Configures an ACL capture session.
    ...
  • Page 296: Device

    Specifies the policy to use for the supplicant device.
    Command Default: None
    Command Modes: Identity policy configuration
    Command History:
    • 4.0(1)—This command was introduced.
    Usage Guidelines
    This command does not require a license.
    ...
  • Page 297: Cisco Nexus 7000 Series Security Command Reference

    10.10.2.2 255.255.255.245 policy UserPolicy
    Related Commands:
    • identity policy—Creates or specifies an identity policy and enters identity policy configuration mode.
    • show identity policy—Displays identity policy information.
    ...
  • Page 298: Device-Role

    Related Commands:
    • ipv6 nd raguard policy—Defines the RA guard policy name and enters RA guard policy configuration mode.
    ...
  • Page 299: Cisco Nexus 7000 Series Security Command Reference

  • Page 300: Dot1X Default

    This example shows how to set the interface 802.1X parameters to the default:
    switch# configure terminal
    switch(config)# interface ethernet 2/1
    switch(config-if)# dot1x default
    Related Commands:
    • feature dot1x—Enables the 802.1X feature.
    • show dot1x—Displays 802.1X feature status information.
    ...
  • Page 301: Dot1X Host-Mode

    This example shows how to revert to the default host mode on an interface:
    switch# configure terminal
    switch(config)# interface ethernet 2/1
    switch(config-if)# no dot1x host-mode
    Related Commands:
    • feature dot1x—Enables the 802.1X feature.
    ...
  • Page 302: Cisco Nexus 7000 Series Security Command Reference

    • show dot1x all—Displays all 802.1X information.
    ...
  • Page 303: Dot1X Initialize

    You must use the feature dot1x command before you configure 802.1X. This command does not require a license.
    Examples
    This example shows how to initialize 802.1X authentication for supplicants on the Cisco NX-OS device:
    switch# dot1x initialize
    This example shows how to initialize 802.1X authentication for supplicants on an interface:
    ...
  • Page 304: Dot1X Mac-Auth-Bypass

    This example shows how to disable MAC address authentication bypass:
    switch# configure terminal
    switch(config)# interface ethernet 1/1
    switch(config-if)# no dot1x mac-auth-bypass
    Related Commands:
    • feature dot1x—Enables the 802.1X feature.
    • show dot1x all—Displays all 802.1X information.
    ...
  • Page 305: E Commands

    302
    • eou ratelimit, page 303
    • eou revalidate (EXEC), page 305
    • eou revalidate (global configuration and interface configuration), page 307
    • eou timeout, page 309
    • eq, page 312
    ...
  • Page 306: Encrypt Pause-Frame

    encrypt pause-frame
    To configure pause frame encryption for Cisco Trusted Security (Cisco TrustSec) on an interface, use the encrypt pause-frame command. To remove the pause frame encryption, use the no form of this command.
    encrypt pause-frame...
  • Page 307: Cisco Nexus 7000 Series Security Command Reference

    • cts dot1x—Enables Cisco TrustSec authentication on an interface and enters Cisco TrustSec 802.1X configuration mode.
    • cts manual—Enters Cisco TrustSec manual configuration mode for an interface.
    • show cts interface—Displays the Cisco TrustSec configuration information for interfaces.
    ...
  • Page 308: Encryption Decrypt Type6

    # encryption decrypt type6
    Please enter current Master Key:
    Related Commands:
    • encryption re-encrypt obfuscated—Converts the existing obfuscated passwords to type6 encrypted passwords.
    • key config-key—Configures the master key for the type-6 encryption.
    ...
  • Page 309: Encryption Delete Type6

    Please enter current Master Key:
    switch(config)#
    Related Commands:
    • encryption re-encrypt obfuscated—Converts the existing obfuscated passwords to type-6 encrypted passwords.
    • key config-key—Configures the master key for the type-6 encryption.
    ...
  • Page 310: Enable

    Enables a secret password for a specific privilege level.
    • feature privilege—Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
    • show privilege—Displays the current privilege level, username, and status of cumulative privilege support.
    ...
  • Page 311: Cisco Nexus 7000 Series Security Command Reference

    • username user-id priv-lvl—Enables a user to use privilege levels for authorization.
    ...
  • Page 312: Enable Cert-Dn-Match

    • enable user-server-group—Enables group validation for an LDAP server group.
    • server—Configures the LDAP server as a member of the LDAP server group.
    • show ldap-server groups—Displays the LDAP server group configuration.
    ...
  • Page 313: Cisco Nexus 7000 Series Security Command Reference

  • Page 314: Enable Secret

    This example shows how to enable a secret password for a specific privilege level:
    switch# configure terminal
    switch(config)# feature privilege
    switch(config)# enable secret 5 def456 priv-lvl 15
    switch(config)# username user2 priv-lvl 15
    switch(config)#
    ...
  • Page 315: Cisco Nexus 7000 Series Security Command Reference

    Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
    • show privilege—Displays the current privilege level, username, and status of cumulative privilege support.
    • username user-id priv-lvl—Enables a user to use privilege levels for authorization.
    ...
  • Page 316: Enable User-Server-Group

    Cert-DN-match—Enables LDAP users to log in only if the user profile lists the subject-DN of the user certificate as authorized for login.
    ...
  • Page 317: Cisco Nexus 7000 Series Security Command Reference

    • server—Configures the LDAP server as a member of the LDAP server group.
    • show ldap-server groups—Displays the LDAP server group configuration.
    ...
  • Page 318: Encryption Re-Encrypt Obfuscated

    This example shows how to convert the existing obfuscated passwords to type-6 encrypted passwords:
    switch# encryption re-encrypt obfuscated
    Related Commands:
    • encryption decrypt type6—Converts type6 encrypted passwords back to their original state.
    ...
  • Page 319: Enrollment Terminal

    Syntax Description
    This command has no arguments or keywords.
    Command Default: The default is the manual cut-and-paste method, which is the only enrollment method that the Cisco NX-OS software supports.
    Command Modes: Trustpoint configuration
    Command History...
  • Page 320: Eou Allow Clientless

    This example shows how to prevent EAPoUDP posture validation of clientless endpoint devices:
    switch# config t
    switch(config)# no eou allow clientless
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 321: Eou Default

    This example shows how to change the EAPoUDP configuration for an interface to the default:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# eou default
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 322: Eou Initialize

    Initializes the EAPoUDP sessions for a specific MAC address.
    • posturetoken name—Initializes the EAPoUDP sessions for a specific posture token.
    Command Default: None
    Command Modes: Any command mode
    Command History:
    • 4.0(1)—This command was introduced.
    ...
  • Page 323

    0019.076c.dac4
    This example shows how to initialize all the EAPoUDP sessions for a posture token:
    switch# eou initialize posturetoken healthy
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 324: Eou Logging

    This example shows how to enable EAPoUDP logging for an interface:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# eou logging
    This example shows how to disable EAPoUDP logging for an interface:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# no eou logging
    ...
  • Page 325

    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 326: Eou Max-Retry

    This example shows how to change the maximum number of EAPoUDP retry attempts for an interface:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# eou max-retry 3
    ...
  • Page 327

    This example shows how to revert to the default maximum number of EAPoUDP retry attempts for an interface:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# no eou max-retry
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 328: Eou Port

    This example shows how to revert to the default UDP port number for EAPoUDP:
    switch# config t
    switch(config)# no eou port
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 329: Eou Ratelimit

    This example shows how to change the global maximum number of simultaneous EAPoUDP posture-validation sessions:
    switch# config t
    switch(config)# eou ratelimit 30
    This example shows how to revert to the default global maximum number of simultaneous EAPoUDP posture-validation sessions:
    switch# config t
    switch(config)# no eou ratelimit
    ...
  • Page 330

    This example shows how to revert to the default maximum number of simultaneous EAPoUDP posture-validation sessions for an interface:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# no eou ratelimit
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 331: Eou Revalidate (Exec)

    Revalidates the EAPoUDP sessions for a specific MAC address.
    • posturetoken name—Revalidates the EAPoUDP sessions for a specific posture token.
    Command Default: None
    Command Modes: Any command mode
    Command History:
    • 4.0(1)—This command was introduced.
    ...
  • Page 332

    You must use the feature eou command before you configure EAPoUDP. This command does not require a license.
    Note: The Cisco NX-OS software supports an eou revalidate command in global configuration mode. To use an EXEC-level eou revalidate command in global configuration mode, include the required keywords.
  • Page 333: Eou Revalidate (Global Configuration And Interface Configuration)

    The automatic revalidation setting for an interface overrides the global setting for automatic revalidation.
    Note: The Cisco NX-OS software supports an eou revalidate command in EXEC configuration mode. To use an EXEC-level eou revalidate command in global configuration mode, include the required keywords.
  • Page 334

    This example shows how to enable automatic revalidation of EAPoUDP sessions for an interface:
    switch# config t
    switch(config)# eou revalidate
    Related Commands:
    • feature eou—Enables EAPoUDP.
    • eou timeout—Configures the timeout interval for EAPoUDP automatic periodic validation.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 335: Eou Timeout

    Global revalidation timeout interval: 36000 seconds (10 hours)
    Global status query timeout interval: 300 seconds (5 minutes)
    Interface timeout intervals: Global configuration values
    Command Modes: Global configuration; Interface configuration
    Command History:
    • 4.0(1)—This command was introduced.
    ...
  • Page 336

    240
    This example shows how to change the status-query timeout interval for an interface:
    switch# config t
    switch(config)# interface ethernet 1/1
    switch(config-if)# eou timeout status-query 270
    ...
  • Page 337

    Related Commands:
    • feature eou—Enables EAPoUDP.
    • eou revalidate (global configuration)—Enables periodic automatic revalidation of endpoint devices.
    • show eou—Displays EAPoUDP information.
    ...
  • Page 338

    This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 443:
    switch# config t
    switch(config)# object-group ip port port-group-05
    switch(config-port-ogroup)# eq 443
    ...
  • Page 339

    Specifies a not-equal-to group member in an IP port object group.
    • object-group ip port—Configures an IP port object group.
    • range—Specifies a port-range group member in an IP port object group.
    • show object-group—Displays object groups.
    ...
  • Page 340
  • Page 341: F Commands

    333
    • feature ssh, page 334
    • feature tacacs+, page 335
    • feature telnet, page 336
    • filter, page 337
    • fips mode enable, page 339
    • fragments, page 341
    ...
  • Page 342: Feature (User Role Feature Group)

    Syntax Description
    • feature-name—Cisco NX-OS feature name as listed in the show role feature command output.
    Command Default: None
    Command Modes: User role feature group configuration...
  • Page 343: Feature Cts

    feature cts
    To enable the Cisco TrustSec feature, use the feature cts command. To revert to the default, use the no form of this command.
    feature cts
    no feature cts
    Syntax Description
    This command has no arguments or keywords.
  • Page 344
  • Page 345: Feature Dhcp

    Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled. This command does not require a license.
    Examples
    This example shows how to enable DHCP snooping:
    switch# configure terminal
    ...
  • Page 346

    Enables or disables the DHCP relay agent.
    • show ip dhcp snooping—Displays general information about DHCP snooping.
    • show running-config dhcp—Displays DHCP snooping configuration, including IP Source Guard configuration.
    ...
  • Page 347: Feature Dot1X

    This example shows how to enable 802.1X:
    switch# configure terminal
    switch(config)# feature dot1x
    This example shows how to disable 802.1X:
    switch# configure terminal
    switch(config)# no feature dot1x
    Related Commands:
    • show dot1x—Displays 802.1X status information.
    ...
  • Page 348: Feature Eou

    4.0(1)—This command was introduced.
    Usage Guidelines
    You must use the feature eou command before you configure EAPoUDP.
    Note: When you disable EAPoUDP, the Cisco NX-OS software removes the EAPoUDP configuration.
    This command does not require a license.
    Examples
    This example shows how to enable EAPoUDP:...
  • Page 349: Feature Ldap

    5.0(2)—This command was introduced.
    Usage Guidelines
    You must use the feature ldap command before you configure LDAP.
    Note: When you disable LDAP, the Cisco NX-OS software removes the LDAP configuration.
    This command does not require a license.
    Examples
    This example shows how to enable LDAP:...
  • Page 350
  • Page 351: Feature Mka

    Creates a key or enters the configuration mode of an existing key.
    • key chain keychain-name—Creates a keychain or enters the configuration mode of an existing keychain.
    • key-octet-string—Configures the text for a MACsec key.
    ...
  • Page 352

    Displays the configuration of the specified keychain.
    • show macsec mka—Displays the details of MKA.
    • show macsec policy—Displays all the MACsec policies in the system.
    • show run mka—Displays the status of MKA.
    ...
  • Page 353: Feature Password Encryption Aes

    This example shows how to disable the AES password encryption feature:
    switch(config)# no feature password encryption aes
    switch(config)#
    Related Commands:
    • key config-key—Configures the master key for type-6 encryption.
    • show encryption service stat—Displays the status of the encryption service.
    ...
  • Page 354: Feature Port-Security

    MAC addresses, regardless of the method by which the device learned the addresses.
    Examples
    This example shows how to enable port security globally:
    switch# configure terminal
    switch(config)# feature port-security
    switch(config)#
    ...
  • Page 355

    Clears dynamically learned, secure MAC addresses.
    • debug port-security—Provides debugging information for port security.
    • show port-security—Shows information about port security.
    • switchport port-security—Enables port security on a Layer 2 interface.
    ...
  • Page 356: Feature Privilege

    2010 Feb 12 12:52:06 switch %FEATURE-MGR-2-FM_AUTOCKPT_SUCCEEDED AutoCheckpoint created successfully
    Related Commands:
    • enable level—Enables a user to move to a higher privilege level.
    • enable secret priv-lvl—Enables a secret password for a specific privilege level.
    ...
  • Page 357

    • show privilege—Displays the current privilege level, username, and status of cumulative privilege support.
    • username username priv-lvl—Enables a user to use privilege levels for authorization.
    ...
  • Page 358: Feature Scp-Server

    To configure a secure copy (SCP) server on the Cisco NX-OS device in order to copy files to and from a remote device, use the feature scp-server command. To disable an SCP server, use the no form of this command.
  • Page 359: Feature Sftp-Server

    To configure a secure FTP (SFTP) server on the Cisco NX-OS device in order to copy files to and from a remote device, use the feature sftp-server command. To disable an SFTP server, use the no form of this command.
  • Page 360: Feature Ssh

    Modification
    • 4.1(2)—This command was introduced to replace the ssh server enable command.
    Usage Guidelines
    The Cisco NX-OS software supports SSH version 2. This command does not require a license.
    Examples
    This example shows how to enable the SSH server:...
  • Page 361: Feature Tacacs

    Usage Guidelines
    You must use the feature tacacs+ command before you configure TACACS+.
    Note: When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration.
    This command does not require a license.
    Examples
    This example shows how to enable TACACS+:...
  • Page 362: Feature Telnet

    XML interface to system may become unavailable since ssh is disabled
    Related Commands:
    • show feature—Displays the enable status of the features.
    • show telnet server—Displays the SSH server key information.
    ...
  • Page 363: Filter

    To use this command, you must create a new filter map. The validation passes if the certificate passes all of the filters configured in the map. This command does not require a license. ...
  • Page 364

    This example shows how to configure a certificate mapping filter within the filter map:
    switch# configure terminal
    switch(config)# crypto certificatemap mapname filtermap1
    switch(config-certmap-filter)# filter altname-email jsmith@acme.com
    Related Commands:
    • crypto certificatemap mapname—Creates a filter map.
    • show crypto certificatemap—Displays the certificate mapping filters.
    ...
  • Page 365: Fips Mode Enable

    SHA for authentication and AES/3DES for privacy.
    • Delete all SSH server RSA1 key-pairs.
    • Enable HMAC-SHA1 message integrity checking (MIC) for use during the Cisco TrustSec Security Association Protocol (SAP) negotiation. To do so, enter the sap hash-algorithm HMAC-SHA-1 command from the cts-manual or cts-dot1x mode.
  • Page 366

    FIPS mode is disabled
    Related Commands:
    • show fips status—Displays the status of Federal Information Processing Standard (FIPS) mode.
    ...
  • Page 367: Fragments

    This example shows how to enable fragment optimization in an IPv4 ACL named lab-acl. The permit-all keyword means that the ACL permits any noninitial fragment that does not match a deny command that includes the fragments keyword.
    switch# configure terminal
    ...
  • Page 368

    • permit (IPv6)—Configures a permit rule in an IPv6 ACL.
    • show ip access-list—Displays all IPv4 ACLs or a specific IPv4 ACL.
    • show ipv6 access-list—Displays all IPv6 ACLs or a specific IPv6 ACL.
    ...
  • Page 369: G Commands

    G Commands
    • gt, page 344
    ...
  • Page 370

    This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 49152 through port 65535:
    switch# configure terminal
    switch(config)# object-group ip port port-group-05
    switch(config-port-ogroup)# gt 49151
    ...
  • Page 371

    Specifies a not-equal-to group member in an IP port object group.
    • object-group ip port—Configures an IP port object group.
    • range—Specifies a port-range group member in an IP port object group.
    • show object-group—Displays object groups.
    ...
  • Page 372
  • Page 373: H Commands

    351
    • hardware access-list resource pooling, page 352
    • hardware access-list update, page 354
    • hardware rate-limiter, page 356
    • hop-limit, page 360
    • host (IPv4), page 362
    • host (IPv6), page 365
    ...
  • Page 374: Hardware Access-List Allow Deny Ace

    This example shows how to disable the deny ACE feature:
    switch# configure terminal
    switch(config)# no hardware access-list allow deny ace
    switch(config)#
    Related Commands:
    • hardware access-list update—Configures how a supervisor module updates an I/O module with changes to an ACL.
    ...
  • Page 375: Hardware Access-List Capture

    This example shows how to enable ACL capture on all VDCs:
    switch# configure terminal
    switch(config)# hardware access-list capture
    This example shows how to disable ACL capture on all VDCs:
    switch# configure terminal
    switch(config)# no hardware access-list capture
    ...
  • Page 376

    Related Commands:
    • hardware access-list update—Configures how a supervisor module updates an I/O module with changes to an ACL.
    ...
  • Page 377: Hardware Access-List Resource Feature Bank-Mapping

    This example shows how to enable ACL TCAM bank mapping for feature groups and classes:
    switch(config)# hardware access-list resource feature bank-mapping
    Related Commands:
    • show system internal access-list feature bank-class—Displays the ACL TCAM bank mapping feature group and class combination tables.
    ...
  • Page 378: Hardware Access-List Resource Pooling

    Modification
    • 7.3(0)D1(1)—This command was modified to support the flexible bank chaining feature with VLAN-VLAN and PORT-VLAN modes.
    • 4.2(1)—The hyphen was removed between the resource and pooling keywords.
    • 4.1(2)—This command was introduced.
    ...
  • Page 379

    The command allows you to make more than 16,000 TCAM entries available to ACL-based features. If you want to enable bank chaining for the entire system, Cisco recommends adding the configuration for the entire module range, even if a module is not present, using the module range command, as described in the Examples section.
  • Page 380: Hardware Access-List Update

    VDC only and affects all VDCs. By default, when a supervisor module of a Cisco Nexus 7000 Series device updates an I/O module with changes to an ACL, it performs an atomic ACL update. An atomic update does not disrupt traffic that the updated ACL applies to;...
  • Page 381

    Examples
    Note: In Cisco NX-OS Release 4.1(4) and later releases, the hardware access-list update command is available in the default VDC only. To verify that the current VDC is the VDC 1 (the default VDC), use the show vdc current-vdc command.
  • Page 382: Hardware Rate-Limiter

    1 to 18.
    • port start end—(Optional) Specifies a port start index. The range is from 1 to 32. You specify the start port and the end port with a space in between them.
    ...
  • Page 383

    Specifies Layer-3 control packets. The default rate is 10000 packets per second.
    • glean—Specifies Layer-3 glean packets. The default rate is 100 packets per second.
    • glean-fast—Specifies Layer 3 glean fast-path packets. The default rate is 100 packets per second.
    ...
  • Page 384

    Added the f1, rl-1, rl-2, rl-3, rl-4, and rl-5 keywords. Also, added the following keywords: module, disable, and port.
    • 5.0(2)—Added the l2pt keyword.
    • 4.1(2)—This command was introduced to replace the platform rate-limit command.
    ...
  • Page 385

    This example shows how to configure the port group multiplier:
    switch# configure terminal
    switch(config)# hardware rate-limiter portgroup-multiplier 0.5 module 3
    Related Commands:
    • clear hardware rate-limiter—Clears rate-limit statistics.
    • show hardware rate-limiter—Displays rate-limit information.
    • show running-config—Displays the running configuration.
    ...