Cisco Nexus 7000 Series Command Reference Manual


Table of Contents
Cisco Nexus 7000 Series Security Command Reference
First Published: --
Last Modified: --
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883


  Summary of Contents for Cisco Nexus 7000 Series

  • Page 2 © Cisco Systems, Inc. All rights reserved.
  • Page 3: Table Of Contents
  • Page 6 D Commands, Chapter 3: dot1x max-reauth-req, dot1x max-req, dot1x pae authenticator, dot1x port-control, dot1x radius-accounting, dot1x re-authentication (EXEC), dot1x re-authentication (global configuration and interface configuration), dot1x system-auth-control
  • Page 7 E Commands, Chapter 4: encrypt pause-frame, encryption decrypt type6, encryption delete type6, enable, enable Cert-DN-match, enable secret, enable user-server-group, encryption re-encrypt obfuscated, enrollment terminal
  • Page 8 G Commands, Chapter 6
  • Page 10 K Commands, Chapter 9
  • Page 11 Chapter 12: nac enable. O Commands, Chapter 13: object-group (identity policy), object-group ip address, object-group ip port, object-group ipv6 address
  • Page 12 R Commands, Chapter 15: radius abort, radius commit, radius distribute, radius-server deadtime, radius-server directed-request, radius-server host, radius-server key, radius-server retransmit, radius-server test, radius-server timeout
  • Page 13 (policy map class), set precedence (policy map class), source-interface, ssh key, ssh login-attempts, ssh server enable, ssh6, statistics per-entry, storm-control level, switchport port-security
  • Page 18 Chapter 18: tacacs+ abort, tacacs+ commit, tacacs+ distribute, tacacs-server deadtime, tacacs-server directed-request, tacacs-server host, tacacs-server key, tacacs-server test, tacacs-server timeout, telnet, telnet server enable, telnet6, terminal verify-only, test aaa authorization command-type, time-range, trustedCert
  • Page 19 Chapter 19: user-certdn-match, username, userprofile, user-pubkey-match, user-switch-bind, use-vrf. V Commands, Chapter 20: vlan access-map, vlan filter, vlan policy deny, vrf policy deny
  • Page 20 Contents
  • Page 21: Document Conventions

    This chapter includes the following topics: Audience. This publication is for experienced network administrators who configure and maintain Cisco NX-OS on Cisco Nexus 7000 Series Platform switches. Document Conventions. Note: As part of our constant endeavor to remodel our documents to meet our customers' requirements, we have modified the manner in which we document configuration tasks.
  • Page 22 An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line. This document uses the following conventions: Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
  • Page 23 Preface, Document Conventions. Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
  • Page 24: Related Documentation

    • Install and Upgrade Guides: http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-installation-guides-list.html • Licensing Guide: http://www.cisco.com/c/en/us/support/switches/nexus-7000-series-switches/products-licensing-information-listing.html Documentation for Cisco Nexus 7000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders is available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-2000-series-fabric-extenders/products-installation-and-configuration-guides-list.html
  • Page 25: Documentation Feedback

    What's New in Cisco Product Documentation. To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.
  • Page 26 Preface, Obtaining Documentation and Submitting a Service Request
  • Page 27 35 • aaa authorization commands default, page 37 • aaa authorization config-commands default, page 39 • aaa authorization cts default group, page 41 • aaa authorization ssh-certificate, page 43
  • Page 28 • aaa authorization ssh-publickey, page 45 • aaa group server ldap, page 47 • aaa group server radius, page 49 • aaa group server tacacs+, page 50 • aaa user default-role, page 51
  • Page 29: Absolute

    For information about the values for the time and date arguments, see the “Usage Guidelines” section. Command Default: None.
  • Page 30 07:00 17 September 2007 end 23:59:59 19 September 2007 Related Commands Command Description periodic Configures a periodic time range rule. time-range Configures a time range for use in IPv4 or IPv6 ACLs.
  • Page 31: Accept-Lifetime

    “Usage Guidelines” section. Command Default: infinite. Command Modes: Key configuration. Command History: Release 4.0(1) This command was introduced. Usage Guidelines: By default, the device interprets all time range rules as UTC.
  • Page 32 00:00:00 Jun 13 2008 23:59:59 Sep 12 2008 switch(config-keychain-key)# Related Commands Command Description Configures a key. keychain Configures a keychain. key-string Configures a key string. send-lifetime Configures a send lifetime for a key. show key chain Shows keychain configuration.
  • Page 33: Access-Class

    2/1 This example shows how to remove the dynamically learned, secure MAC address 0019.D2D0.00AE: switch# config t switch(config)# clear port-security dynamic address 0019.D2D0.00AE
  • Page 34 A Commands access-class Related Commands Command Description ip access-list Provides debugging information for port security. line Enables port security globally. show line Shows information about port security.
  • Page 35: Action

    Note: The dot separator is required between the channel-number and subinterface-number arguments. Command Default: None. Command Modes: VLAN access-map configuration. Command History: Release 4.0(1) This command was introduced.
  • Page 36 statistics Enables statistics for an access control list or VLAN access map. vlan access-map Configures a VLAN access map. vlan filter Applies a VLAN access map to one or more VLANs.
  • Page 37: Arp Access-List

    This command does not require a license. Examples: This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01: switch# conf t switch(config)# arp access-list arp-acl-01 switch(config-arp-acl)#
  • Page 38 Applies an ARP ACL to a VLAN. permit (ARP) Configures a permit rule in an ARP ACL. show arp access-lists Displays all ARP ACLs or a specific ARP ACL.
  • Page 39: Authentication (Ldap)

    10.10.2.2 switch(config-ldap)# authentication compare password-attribute TyuL8r switch(config-ldap)# Related Commands Command Description aaa group server ldap Creates an LDAP server group and enters the LDAP server group configuration mode for that group.
  • Page 40 A Commands authentication (LDAP) Command Description server Configures the LDAP server as a member of the LDAP server group. show ldap-server groups Displays the LDAP server group configuration.
  • Page 41: Aaa Accounting Default

    If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 42 Configures AAA RADIUS server groups. radius-server host Configures RADIUS servers. show aaa accounting Displays AAA accounting status information. show aaa groups Displays AAA server group information. tacacs-server host Configures TACACS+ servers.
  • Page 43: Aaa Accounting Dot1X

    If you specify the group method, the local method, or both, and they fail, then the accounting authentication fails. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 44 Related Commands Command Description aaa group server radius Configures AAA RADIUS server groups. radius-server host Configures RADIUS servers. show aaa accounting Displays AAA accounting status information. show aaa groups Displays AAA server group information.
  • Page 45: Aaa Authentication Cts Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 46 Configures AAA server groups. feature cts Enables the Cisco TrustSec feature. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups.
  • Page 47: Aaa Authentication Dot1X Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 48 Dot1xGroup Related Commands Command Description feature dot1x Enables 802.1X. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups.
  • Page 49: Aaa Authentication Eou Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 50 EoUGroup Related Commands Command Description feature eou Enables EAPoUDP. radius-server host Configures RADIUS servers. show aaa authentication Displays the AAA authentication configuration. show aaa groups Displays the AAA server groups.
  • Page 51: Aaa Authentication Login Ascii-Authentication

    This example shows how to disable ASCII authentication for passwords on TACACS+ servers: switch# configure terminal switch(config)# no aaa authentication login ascii-authentication Related Commands Command Description show aaa authentication login ascii-authentication Displays the status of the ASCII authentication for passwords.
  • Page 52: Aaa Authentication Login Chap Enable

    Modification: 5.0(2) This command was introduced. Usage Guidelines: You cannot enable both CHAP and MSCHAP or MSCHAP V2 on your Cisco NX-OS device. This command does not require a license. Examples: This example shows how to enable CHAP authentication: switch# configure terminal...
  • Page 53: Aaa Authentication Login Console

    • Any configured RADIUS, TACACS+, or LDAP server group name. none (Optional) Specifies that no authentication is to be used. local Specifies to use the local database for authentication. Command Default: local. Command Modes: Global configuration.
  • Page 54 Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 55: Aaa Authentication Login Default

    • Any configured RADIUS, TACACS+, or LDAP server group name. none (Optional) Specifies that no authentication is to be used. local Specifies to use the local database for authentication. Command Default: local. Command Modes: Global configuration.
  • Page 56 Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 57: Aaa Authentication Login Error-Enable

    This example shows how to disable the display of AAA authentication failure messages to the console: switch# configure terminal switch(config)# no aaa authentication login error-enable Related Commands Command Description show aaa authentication login error-enable Displays the status of the AAA authentication failure message display.
  • Page 58: Aaa Authentication Login Invalid-Username-Log

    This example shows how to exclude the username in authentication failed messages for all failure reasons: switch# configure terminal switch(config)# no aaa authentication login invalid-username-log
  • Page 59: Aaa Authentication Login Mschap Enable

    Modification: 4.0(1) This command was introduced. Usage Guidelines: You cannot enable both MSCHAP and CHAP or MSCHAP V2 on your Cisco NX-OS device. This command does not require a license. Examples: This example shows how to enable MSCHAP authentication: switch# configure terminal...
  • Page 60: Aaa Authentication Login Mschapv2 Enable

    Modification: 4.1(2) This command was introduced. Usage Guidelines: You cannot enable both MSCHAP V2 and CHAP or MSCHAP on your Cisco NX-OS device. This command does not require a license. Examples: This example shows how to enable MSCHAP V2 authentication:...
  • Page 61: Aaa Authentication Rejected

    5 in 60 ban 300 Related Commands Command Description clear aaa local user blocked Clears the blocked local user. show aaa authentication Displays the AAA authentication configuration. show aaa local user blocked Displays the blocked local users.
  • Page 62 A Commands aaa authentication rejected
  • Page 63: Aaa Authorization Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 64 Note: By default, context-sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context-sensitive help and in tab completion, regardless of the role assigned to the user.
  • Page 65: Aaa Authorization Config-Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 66 Note: By default, context-sensitive help and command tab completion show only the commands supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context-sensitive help and in tab completion, regardless of the role assigned to the user.
  • Page 67: Aaa Authorization Cts Default Group

    Use the aaa group server command to create a named group of servers. Use the show aaa groups command to display the RADIUS server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list.
  • Page 68 A Commands aaa authorization cts default group Related Commands Command Description feature cts Enables the Cisco TrustSec feature. show aaa authorization Displays the AAA authorization configuration. show aaa groups Displays the AAA server groups.
  • Page 69: Aaa Authorization Ssh-Certificate

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 70 AAA authorization method for LDAP servers. feature ldap Enables the LDAP feature. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration.
  • Page 71: Aaa Authorization Ssh-Publickey

    Use the show aaa groups command to display the server groups on the device. If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 72 aaa authorization ssh-certificate Configures LDAP or local authorization with certificate authentication as the default AAA authorization method for LDAP servers. feature ldap Enables the LDAP feature. show aaa authorization Displays the AAA authorization configuration.
  • Page 73: Aaa Group Server Ldap

    This example shows how to create an LDAP server group and enter LDAP server configuration mode: switch# configure terminal switch(config)# aaa group server ldap LdapServer switch(config-ldap)# This example shows how to delete an LDAP server group: switch# configure terminal switch(config)# no aaa group server ldap LdapServer
  • Page 74 A Commands aaa group server ldap Related Commands Command Description feature ldap Enables LDAP. show aaa groups Displays server group information.
  • Page 75: Aaa Group Server Radius

    RadServer switch(config-radius)# This example shows how to delete a RADIUS server group: switch# configure terminal switch(config)# no aaa group server radius RadServer Related Commands Command Description show aaa groups Displays server group information.
  • Page 76: Aaa Group Server Tacacs

    This example shows how to delete a TACACS+ server group: switch# configure terminal switch(config)# no aaa group server tacacs+ TacServer Related Commands Command Description feature tacacs+ Enables TACACS+. show aaa groups Displays server group information.
  • Page 77: Aaa User Default-Role

    This example shows how to disable default user roles for AAA authentication of remote users: switch# configure terminal switch(config)# no aaa user default-role Related Commands Command Description show aaa user default-role Displays the status of the AAA default user role feature.
  • Page 78 A Commands aaa user default-role
  • Page 79: C Commands

    85 • clear ip arp inspection statistics vlan, page 87 • clear ip device tracking, page 89 • clear ip dhcp relay statistics, page 91 • clear ip dhcp snooping binding, page 92
  • Page 80 139 • crypto certificatemap mapname, page 141 • cts cache enable, page 142 • cts device-id, page 143 • cts role-based sgt-map, page 145 • cts sgt, page 147
  • Page 81 180 • cts sxp mapping network-map, page 182 • cts sxp node-id, page 183 • cts sxp reconcile-period, page 185 • cts sxp retry-period, page 187 • cts sxp speaker hold-time, page 189
  • Page 82: Cipher Suite

    To use this command, you should enable the MACsec Key Agreement (MKA) feature first. • GCM indicates the encryption method. • AES and AES-XPN indicate the hash or integrity algorithm. • The numeral indicates the length of the cipher.
  • Page 83 Displays the configuration of the specified keychain. show macsec mka Displays the details of MKA. show macsec policy Displays all the MACsec policies in the system. show run mka Displays the status of MKA.
  • Page 84: Clear Access-List Counters

    Related Commands Command Description clear ip access-list counters Clears counters for IPv4 ACLs. clear ipv6 access-list counters Clears counters for IPv6 ACLs. clear mac access-list counters Clears counters for MAC ACLs.
  • Page 85 C Commands clear access-list counters Command Description clear vlan access-list counters Clears counters for VACLs. show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs.
  • Page 86: Clear Accounting Log

    This command does not require a license. Examples: This example shows how to clear the accounting log: switch# clear accounting log Related Commands Command Description show accounting log Displays the accounting log contents.
  • Page 87: Clear Copp Statistics

    This example shows how to clear the CoPP statistics: switch# clear copp statistics Related Commands Command Description show policy-map interface control-plane Displays the CoPP statistics for interfaces.
  • Page 88: Clear Cts Cache

    4.0(1) This command was introduced. Usage Guidelines: To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license. Examples: This example shows how to clear the Cisco TrustSec authentication and authorization cache:...
  • Page 89: Clear Cts Policy

    C Commands clear cts policy. To clear the Cisco TrustSec security group access control list (SGACL) policies, use the clear cts policy command. clear cts policy {all | peer device-id | sgt sgt-value} Syntax Description: all Clears all the Cisco TrustSec SGACL policies on the local device.
  • Page 90: Capture Session

    This example shows how to configure an ACL capture session: switch# configure terminal switch(config)# ip access-list abc1234 switch(config-acl)# capture session 7 switch(config-acl)# Related Commands Command Description ip access-list Creates an access list. monitor session session type acl-capture Configures an ACL capture session.
  • Page 91: Cts Dot1X

    This command is not supported for F1 Series modules and F2 Series modules. To use this command, you must enable the Cisco TrustSec feature using the feature cts command. After using this command, you must disable and re-enable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
  • Page 92 You can use only IPv4 addressing with Cisco TrustSec. This command requires the Advanced Services license. Examples: This example shows how to configure Layer 3 Cisco TrustSec global mapping for an SPI and subnet: switch# config t switch(config)# cts l3 spi 3 10.10.1.1/23...
  • Page 93: Class (Policy Map)

    PolicyMapA switch(config-pmap)# class ClassMapA switch(config-pmap-c)# This example shows how to delete a class map from a control plane policy map: switch# configure terminal switch(config)# policy-map type control-plane PolicyMapA switch(config-pmap)# no class ClassMapA
  • Page 94 (policy map) Related Commands Command Description policy-map type control-plane Specifies a control plane policy map and enters policy map configuration mode. show policy-map type control-plane Displays configuration information for control plane policy maps.
  • Page 95: Class-Map Type Control-Plane

    This example shows how to specify a control plane class map and enter class map configuration mode: switch# configure terminal switch(config)# class-map type control-plane ClassMapA switch(config-cmap)# This example shows how to delete a control plane class map: switch# configure terminal switch(config)# no class-map type control-plane ClassMapA Cisco Nexus 7000 Series Security Command Reference...
  • Page 96: Cisco Nexus 7000 Series Security Command Reference

    C Commands class-map type control-plane Related Commands Command Description show class-map type control-plane Displays control plane policy map configuration information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 97: Clear Aaa Local User Blocked

    Related Commands Command Description aaa authentication rejected Configures the login block per user. show aaa authentication Displays the AAA authentication configuration. Displays the blocked local users. show aaa local user blocked Cisco Nexus 7000 Series Security Command Reference...
  • Page 98: Clear Ldap-Server Statistics

    10.10.1.1 Related Commands Command Description Enables LDAP. feature ldap ldap-server host Specifies the IPv4 or IPv6 address or hostname for an LDAP server. show ldap-server statistics Displays the LDAP server statistics. Cisco Nexus 7000 Series Security Command Reference...
  • Page 99: Clear Mac Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs. Clears counters for IPv4 ACLs. clear ip access-list counters clear ipv6 access-list counters Clears counters for IPv6 ACLs. clear vlan access-list counters Clears counters for VACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 100: Cisco Nexus 7000 Series Security Command Reference

    C Commands clear mac access-list counters Command Description show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show mac access-lists Displays information about one or all MAC ACLs. Cisco Nexus 7000 Series Security Command Reference...
  • Page 101: Clear Port-Security

    MAC address, in dotted hexadecimal format. Command Default None Command Modes Any command mode Command History Release Modification 4.2(1) Support was added for port-security on port-channel interfaces. 4.0(1) This command was introduced. Cisco Nexus 7000 Series Security Command Reference...
  • Page 102: Cisco Nexus 7000 Series Security Command Reference

    Command Description Provides debugging information for port security. debug port-security feature port-security Enables port security globally. Shows information about port security. show port-security switchport port-security Enables port security on a Layer 2 interface. Cisco Nexus 7000 Series Security Command Reference...
  • Page 103: Clear Cts Role-Based Counters

    Related Commands Command Description cts role-based counters enable Enables the RBACL statistics. Displays the configuration status of RBACL statistics show cts role-based counters and lists statistics for all RBACL policies. Cisco Nexus 7000 Series Security Command Reference...
  • Page 104: Clear Dot1X

    This example shows how to clear the 802.1X authenticator instances for an interface: switch# clear dot1x interface ethernet 1/1 Related Commands Command Description feature dot1x Enables the 802.1X feature. show dot1x all Displays all 802.1X information. Cisco Nexus 7000 Series Security Command Reference...
  • Page 105: Clear Eou

    Command History Release Modification 4.0(1) This command was introduced. Usage Guidelines You must enable EAPoUDP by using the feature eou command before using the clear eou command. This command does not require a license. Cisco Nexus 7000 Series Security Command Reference...
  • Page 106: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the EAPoUDP sessions with a posture token type of checkup:
    switch# clear eou posturetoken healthy
    Related Commands
    feature eou: Enables EAPoUDP.
    show eou: Displays EAPoUDP information.
  • Page 107: Clear Hardware Rate-Limiter

    Clears rate-limit statistics for Layer 3 glean fast-path packets.
    Clears rate-limit statistics for Layer 3 maximum transmission unit (MTU) packets.
    multicast: Specifies Layer 3 multicast rate limits.
    directly-connected: Clears rate-limit statistics for Layer 3 directly connected multicast packets.
  • Page 108: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the rate-limit statistics for Layer 3 glean packets:
    switch# clear hardware rate-limiter layer-3 glean
    This example shows how to clear the rate-limit statistics for Layer 3 directly connected multicast packets:
    switch# clear hardware rate-limiter layer-3 multicast directly-connected
  • Page 109: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to clear the rate-limit statistics for received packets:
    switch# clear hardware rate-limiter receive
    Related Commands
    hardware rate-limiter: Configures rate limits.
    show hardware rate-limiter: Displays rate-limit information.
  • Page 110: Clear Ip Arp Inspection Log

    Configures the DAI logging buffer size.
    show ip arp inspection: Displays the DAI configuration status.
    show ip arp inspection log: Displays the DAI log configuration.
    show ip arp inspection statistics: Displays the DAI statistics.
  • Page 111: Clear Ip Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs.
    clear ipv6 access-list counters: Clears counters for IPv6 ACLs.
    clear mac access-list counters: Clears counters for MAC ACLs.
    clear vlan access-list counters: Clears counters for VACLs.
  • Page 112: Cisco Nexus 7000 Series Security Command Reference

    clear ip access-list counters
    Related Commands
    show access-lists: Displays information about one or all IPv4, IPv6, and MAC ACLs.
    show ip access-lists: Displays information about one or all IPv4 ACLs.
  • Page 113: Clear Ip Arp Inspection Statistics Vlan

    This example shows how to clear the DAI statistics for VLAN 2 and VLANs 5 through 12:
    switch# clear ip arp inspection statistics vlan 2,5-12
    switch#
    Related Commands
    clear ip arp inspection log: Clears the DAI logging buffer.
  • Page 114: Cisco Nexus 7000 Series Security Command Reference

    Configures the DAI logging buffer size.
    show ip arp inspection: Displays the DAI configuration status.
    show ip arp inspection vlan: Displays DAI status for a specified list of VLANs.
  • Page 115: Clear Ip Device Tracking

    This example shows how to clear the IP device tracking information for an IP address:
    switch# clear ip device tracking ip-address 10.10.1.1
    This example shows how to clear the IP device tracking information for a MAC address:
    switch# clear ip device tracking mac-address 000c.30da.86f4
  • Page 116: Cisco Nexus 7000 Series Security Command Reference

    clear ip device tracking
    Related Commands
    ip device tracking: Enables IP device tracking.
    show ip device tracking: Displays IP device tracking information.
  • Page 117: Clear Ip Dhcp Relay Statistics

    This example shows how to clear the global DHCP relay statistics:
    switch# clear ip dhcp relay statistics
    Related Commands
    ip dhcp relay: Enables the DHCP relay agent.
    show ip dhcp relay statistics: Displays the DHCP relay statistics.
  • Page 118: Clear Ip Dhcp Snooping Binding

    .subchannel-number: (Optional) Number of the Ethernet port-channel subchannel.
    Note: The dot separator is required between the channel-number and subchannel-number arguments.
    Command Default: None
    Command Modes: Any command mode
  • Page 119: Cisco Nexus 7000 Series Security Command Reference

    Displays IP-MAC address bindings, including the static IP source entries.
    show ip dhcp snooping statistics: Displays DHCP snooping statistics.
    show running-config dhcp: Displays DHCP snooping configuration, including the IP Source Guard configuration.
  • Page 120: Clear Ipv6 Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs.
    clear ip access-list counters: Clears counters for IPv4 ACLs.
    clear mac access-list counters: Clears counters for MAC ACLs.
    clear vlan access-list counters: Clears counters for VACLs.
  • Page 121: Cisco Nexus 7000 Series Security Command Reference

    clear ipv6 access-list counters
    Related Commands
    show access-lists: Displays information about one or all IPv4, IPv6, and MAC ACLs.
    show ipv6 access-lists: Displays information about one or all IPv6 ACLs.
  • Page 122: Clear Ipv6 Dhcp Relay Statistics

    This example shows how to clear the global DHCPv6 relay statistics:
    switch# clear ipv6 dhcp relay statistics
    Related Commands
    ipv6 dhcp relay: Enables the DHCPv6 relay agent.
    show ipv6 dhcp relay statistics: Displays the DHCPv6 relay statistics.
  • Page 123: Clear Ipv6 Dhcp-Ldra Statistics

    To use this command, you must enable the DHCP feature and LDRA feature.
    Examples
    This example shows how to clear the LDRA related statistics:
    switch# clear ipv6 dhcp-ldra statistics
    Related Commands
    show ipv6 dhcp-ldra: Displays the configuration details of LDRA.
  • Page 124: Clear Vlan Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs.
    clear ip access-list counters: Clears counters for IPv4 ACLs.
    clear ipv6 access-list counters: Clears counters for IPv6 ACLs.
    clear mac access-list counters: Clears counters for MAC ACLs.
  • Page 125: Cisco Nexus 7000 Series Security Command Reference

    clear vlan access-list counters
    Related Commands
    show access-lists: Displays information about one or all IPv4, IPv6, and MAC ACLs.
    show vlan access-map: Displays information about one or all VACLs.
  • Page 126: Conf-Offset

    Enables the MKA feature.
    Creates a key or enters the configuration mode of an existing key.
    key chain keychain-name: Creates a keychain or enters the configuration mode of an existing keychain.
  • Page 127: Cisco Nexus 7000 Series Security Command Reference

    Displays the configuration of the specified keychain.
    show macsec mka: Displays the details of MKA.
    show macsec policy: Displays all the MACSec policies in the system.
    show run mka: Displays the status of MKA.
  • Page 128: Copp Copy Profile

    When you use the copp copy profile command, CoPP renames all class maps and policy maps with the specified prefix or suffix. This command does not require a license.
    Examples
    This example shows how to create a clone of the CoPP best practice policy:
    switch# copp copy profile moderate abc
  • Page 129: Cisco Nexus 7000 Series Security Command Reference

    Applies the default CoPP best practice policy on the Cisco NX-OS device.
    show copp status: Displays the CoPP status, including the last configuration operation and its status.
    show running-config copp: Displays the CoPP configuration in the running configuration.
  • Page 130: Copp Profile

    Added the dense keyword.
    Usage Guidelines
    In Cisco NX-OS releases prior to 5.2(1), you must use the setup utility to change or reapply the default CoPP policy. You can access the setup utility using the setup command. Beginning with Cisco NX-OS Release 5.2, the CoPP best practice policy is read-only. If you want to modify its configuration, you must clone it using the copp clone profile command.
  • Page 131: Cisco Nexus 7000 Series Security Command Reference

    copp profile
    Examples
    This example shows how to apply the default CoPP best practice policy on the Cisco NX-OS device:
    switch# configure terminal
    switch(config)# copp profile moderate
    switch(config)#
    This example shows how to remove the default CoPP best practice policy from the Cisco NX-OS device:...
  • Page 132: Crllookup

    This example shows how to configure the attribute name, search filter, and base-DN for the CRL search operation in order to send a search query to the LDAP server:
    switch# conf t
    switch(config)# ldap search-map s0
    switch(config-ldap-search-map)# CRLLookup attribute-name certificateRevocationList search-filter (&(objectClass=cRLDistributionPoint)) base-DN CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com
    switch(config-ldap-search-map)#
  • Page 133: Cisco Nexus 7000 Series Security Command Reference

    CRLLookup
    Related Commands
    feature ldap: Enables LDAP.
    ldap search-map: Configures an LDAP search map.
    show ldap-search-map: Displays the configured LDAP search maps.
  • Page 134: Crypto Ca Authenticate

    Usage Guidelines
    You can use this command to authenticate the CA to the Cisco NX-OS device by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you execute this command.
  • Page 135: Cisco Nexus 7000 Series Security Command Reference

    Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
    Do you accept this certificate? [yes/no]: y
    Related Commands
    crypto ca trustpoint: Configures the trustpoint.
    show crypto ca certificates: Displays configured trustpoint certificates.
    show crypto ca trustpoints: Displays trustpoint configurations.
  • Page 136: Crypto Ca Crl Request

    This command does not require a license.
    Examples
    This example shows how to configure a CRL for the trustpoint or replace the current CRL:
    switch# configure terminal
    switch(config)# crypto ca crl request admin-ca bootflash:admin-ca.crl
  • Page 137: Cisco Nexus 7000 Series Security Command Reference

    crypto ca crl request
    Related Commands
    revocation-check: Configures trustpoint revocation check methods.
    show crypto ca crl: Displays configured certificate revocation lists (CRL).
  • Page 138: Clear Ldap-Server Statistics

    10.10.1.1
    Related Commands
    feature ldap: Enables LDAP.
    ldap-server host: Specifies the IPv4 or IPv6 address or hostname for an LDAP server.
    show ldap-server statistics: Displays the LDAP server statistics.
  • Page 139: Clear Mac Access-List Counters

    Clears counters for IPv4, IPv6, and MAC ACLs.
    clear ip access-list counters: Clears counters for IPv4 ACLs.
    clear ipv6 access-list counters: Clears counters for IPv6 ACLs.
    clear vlan access-list counters: Clears counters for VACLs.
  • Page 143: Clear Radius-Server Statistics

    This command does not require a license.
    Examples
    This example shows how to clear statistics for a RADIUS server:
    switch# clear radius-server statistics 10.10.1.1
    Related Commands
    show radius-server statistics: Displays RADIUS server host statistics.
  • Page 144: Clear Ssh Hosts

    This command does not require a license.
    Examples
    This example shows how to clear all SSH host sessions and the known host file:
    switch# clear ssh hosts
    Related Commands
    ssh server enable: Enables the SSH server.
  • Page 145: Clear Tacacs-Server Statistics

    This command does not require a license.
    Examples
    This example shows how to clear statistics for a TACACS+ server:
    switch# clear tacacs-server statistics 10.10.1.1
    Related Commands
    show tacacs-server statistics: Displays TACACS+ server host statistics.
  • Page 146: Clear User

    This command does not require a license.
    Examples
    This example shows how to clear all SSH host sessions:
    switch# clear user user1
    Related Commands
    show users: Displays the user session information.
  • Page 147: Cts L3 Spi (Global)

    cts l3 spi (global)
    To enable Layer 3 Cisco TrustSec and map a security parameter index (SPI) and subnet for the device, use the cts l3 spi command. To remove the mapping to an IPv4 subnet, use the no form of this command.
  • Page 148: Cisco Nexus 7000 Series Security Command Reference

    cts l3 spi (global)
    Related Commands
    show cts l3 mapping: Displays the Layer 3 Cisco TrustSec mapping for SPI values to IPv4 subnets.
  • Page 149: Cts L3 Spi (Interface)

    cts l3 spi (interface)
    To enable Layer 3 Cisco TrustSec and configure a security parameter index (SPI) on an interface, use the cts l3 spi command. To revert to the default, use the no form of this command.
  • Page 150: Cisco Nexus 7000 Series Security Command Reference

    cts l3 spi (interface)
    Related Commands
    show cts l3 interface: Displays the Layer 3 Cisco TrustSec configuration on the interfaces.
  • Page 151: Crypto Ca Enroll

    This command was introduced.
    Usage Guidelines
    A Cisco NX-OS device enrolls with the trustpoint CA to obtain an identity certificate. You can enroll your device with multiple trustpoints and obtain a separate identity certificate from each trustpoint. When enrolling with a trustpoint, you must specify an RSA key pair to certify. You must generate the key pair and associate it to the trustpoint before generating the enrollment request.
  • Page 152: Cisco Nexus 7000 Series Security Command Reference

    For security reasons your password will not be saved in the configuration. Please make a note of it.
    Password:nbv123
    The subject name in the certificate will be: Vegas-1.cisco.com
    Include the switch serial number in the subject name? [yes/no]:no
    Include an IP address in the subject name [yes/no]:yes
    ip address:209.165.200.226...
  • Page 153: Crypto Ca Export

    This command does not require a license.
    Examples
    This example shows how to export a certificate and key pair in the PKCS #12 format:
    switch# configure terminal
    switch(config)# crypto ca export admin-ca pkcs12 bootflash:adminid.p12 nbv123
  • Page 154: Cisco Nexus 7000 Series Security Command Reference

    CA certificate (chain) to a trustpoint.
    crypto key generate rsa: Generates an RSA key pair.
    rsakeypair: Configures and associates the RSA key pair details to a trustpoint.
    show crypto key mypubkey rsa: Displays any RSA public key configurations.
  • Page 155: Crypto Ca Import

    The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the...
  • Page 156: Cisco Nexus 7000 Series Security Command Reference

    Generates the RSA key pair.
    rsakeypair: Configures trustpoint RSA key pair details.
    show crypto ca certificates: Displays the identity and CA certificate details.
    show crypto key mypubkey rsa: Displays any RSA public key configurations.
  • Page 157: Cisco Nexus 7000 Series Security Command Reference

    crypto ca import
  • Page 158: Crypto Ca Lookup

    This example shows how to specify the remote cert-store for certificate authentication:
    switch(config)# crypto ca lookup remote
    Related Commands
    crypto ca remote ldap crl-refresh-time: Configures the refresh time to update the certificate revocation list from the remote cert-store.
  • Page 159: Cisco Nexus 7000 Series Security Command Reference

    Configures the LDAP server group to be used while communicating with LDAP.
    show crypto ca certstore: Displays the configured cert-store.
    show crypto ca remote-certstore: Displays the remote cert-store configuration.
  • Page 160: Crypto Ca Remote Ldap Crl-Refresh-Time

    Related Commands
    crypto ca lookup: Specifies the cert-store to be used for certificate authentication.
    crypto ca remote ldap server-group: Configures the LDAP server group to be used while communicating with LDAP.
  • Page 161: Crypto Ca Remote Ldap Server-Group

    Related Commands
    crypto ca lookup: Specifies the cert-store to be used for certificate authentication.
    crypto ca remote ldap crl-refresh-time: Configures the refresh time to update the certificate revocation list from the remote cert-store.
  • Page 162: Crypto Ca Test Verify

    Note: The verify status code value of 0 indicates that the verification is successful.
    Related Commands
    show crypto ca certificates: Displays configured trustpoint certificates.
  • Page 163: Crypto Ca Trustpoint

    • A CA must be explicitly associated to a trustpoint using the crypto ca authenticate command.
    • A Cisco NX-OS device can have many trustpoints and all applications on the device can trust a peer certificate issued by any of the trustpoint CAs.
  • Page 164: Cisco Nexus 7000 Series Security Command Reference

    Authenticates the certificate of the certificate authority.
    crypto ca enroll: Generates a certificate signing request for a trustpoint.
    show crypto ca certificates: Displays the identity and CA certificate details.
    show crypto ca trustpoints: Displays trustpoint configurations.
  • Page 165: Crypto Cert Ssh-Authorize

    To use this command, you must create a filter map. This command does not require a license.
    Examples
    This example shows how to configure a certificate mapping filter for the SSH protocol:
    switch(config)# crypto cert ssh-authorize default map filtermap1
  • Page 166: Cisco Nexus 7000 Series Security Command Reference

    Related Commands
    crypto certificatemap mapname: Creates a filter map.
    filter: Configures one or more certificate mapping filters within the filter map.
    show crypto ssh-auth-map: Displays the mapping filters configured for SSH authentication.
  • Page 167: Crypto Certificatemap Mapname

    This example shows how to create a new filter map:
    switch(config)# crypto certificatemap mapname filtermap1
    Related Commands
    filter: Configures one or more certificate mapping filters within the filter map.
    show crypto certificatemap: Displays the certificate mapping filters.
  • Page 168: Cts Cache Enable

    4.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license.
    Examples
    This example shows how to enable Cisco TrustSec authentication and authorization caching:...
  • Page 169: Cts Device-Id

    This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. The Cisco TrustSec device identifier name must be unique in your Cisco TrustSec network cloud. This command requires the Advanced Services license.
  • Page 170: Cisco Nexus 7000 Series Security Command Reference

    cts device-id
    Related Commands
    show cts credentials: Displays the Cisco TrustSec credentials information.
  • Page 171: Cts Role-Based Sgt-Map

    To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command.
    cts role-based sgt-map ipv4-address sgt-value...
  • Page 172: Cisco Nexus 7000 Series Security Command Reference

    cts role-based sgt-map
  • Page 173: Cts Sgt

    4.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license.
    Examples
    This example shows how to configure the Cisco TrustSec SGT for the device:...
  • Page 180: Cts Manual

    cts manual
    To enter Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command.
    cts manual
    no cts manual
    Syntax Description
    This command has no arguments or keywords.
  • Page 181: Cisco Nexus 7000 Series Security Command Reference

    cts manual
    Related Commands
    show cts interface: Displays Cisco TrustSec configuration information for interfaces.
  • Page 182: Cts Refresh Environment-Data

    cts refresh environment-data
    To refresh the Cisco TrustSec environment data downloaded from the AAA server, use the cts refresh environment-data command.
    cts refresh environment-data
    Syntax Description
    This command has no arguments or keywords.
    Command Default...
  • Page 183: Cts Refresh Role-Based-Policy

    cts refresh role-based-policy
    To refresh the Cisco TrustSec security group access control list (SGACL) policies downloaded from the Cisco Secure ACS, use the cts refresh role-based-policy command.
    cts refresh role-based-policy
    Syntax Description
    This command has no arguments or keywords.
  • Page 184: Cts Rekey

    4.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license.
    Examples
    This example shows how to rekey an interface for Cisco TrustSec:...
  • Page 185: Cts Role-Based Access-List

    To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.
  • Page 186: Cisco Nexus 7000 Series Security Command Reference

    cts role-based access-list
  • Page 187: Cts Role-Based Counters Enable

    When you modify an RBACL policy, statistics for the previously assigned access control entry (ACE) are displayed, and the newly assigned ACE statistics are initialized to 0. RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics. This command requires the Advanced Services license.
  • Page 188: Cisco Nexus 7000 Series Security Command Reference

    Clears the RBACL statistics so that all counters are reset to 0.
    show cts role-based counters: Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
  • Page 189: Cts Role-Based Detailed-Logging

    7.3(0)D1(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
    Note: To view the detailed ACLLOGS, you need to enable logging ip access-list detailed after enabling cts role-based detailed logging.
  • Page 190: Cisco Nexus 7000 Series Security Command Reference

    cts role-based detailed-logging
  • Page 191: Cts Role-Based Enforcement

    Routing and Forwarding instance (VRF), use the cts role-based enforcement command. To revert to the default, use the no form of this command. To disable Cisco TrustSec SGACL enforcement in an L3 interface or L3 port-channel, use the no cts role-based enforcement command. To revert to the default, use the cts role-based enforcement command.
  • Page 192: Cisco Nexus 7000 Series Security Command Reference

    cts role-based enforcement
    switch(config-vrf)# cts role-based enforcement
    This example shows how to disable Cisco TrustSec SGACL enforcement in an interface and L3 port-channel:
    switch# configure terminal
    switch(config)# interface ethernet 6/2
    switch(config-if)# no cts role-based enforcement
    switch(config-if)# exit
    switch(config)# interface port-channel 100...
  • Page 193: Cts Role-Based Monitor

    Disabled
    Command Modes: Global configuration, VRF configuration
    Command History
    7.3(0)D1(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
  • Page 194: Cisco Nexus 7000 Series Security Command Reference

    This example shows how to disable monitoring permissions for all source groups to all destination groups:
    switch# configure terminal
    switch(config)# no cts role-based monitor all
    Related Commands
    feature cts: Enables the Cisco TrustSec feature.
    show cts role-based enable: Displays the Cisco TrustSec SGACL policy enforcement configuration.
  • Page 195: Cts Role-Based Policy Priority-Static

    8.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
    Examples
    This example shows how to set higher install priority for ISE configured SGACLs:
    switch# configure terminal...
  • Page 196: Cts Role-Based Sgt

    To manually configure mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.
  • Page 197: Cisco Nexus 7000 Series Security Command Reference

    3 sgt 10
    Related Commands
    feature cts: Enables the Cisco TrustSec feature.
    show cts role-based policy: Displays the Cisco TrustSec SGT mapping for an SGACL.
  • Page 198: Cts Sxp Allow Default-Route-Sgt

    7.3(0)D1(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec SXP feature using the cts sxp enable command.
    Examples
    This example shows how to expand the network limit:
    switch# configure terminal
    switch(config)# cts sxp allow default-route-sgt...
  • Page 199: Cts Sxp Connection Peer

    To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.
  • Page 200: Cisco Nexus 7000 Series Security Command Reference

    This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You can use only IPv4 addressing with Cisco TrustSec. If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.
  • Page 201: Cisco Nexus 7000 Series Security Command Reference

    Configures the default SXP source IPv4 address for the device.
    feature cts: Enables the Cisco TrustSec feature.
    show cts sxp connection: Displays the Cisco TrustSec SXP peer connection information.
  • Page 202: Cts Sxp Default Password

    4.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license.
    Examples
    This example shows how to configure the default SXP password for the device:...
  • Page 203: Cisco Nexus 7000 Series Security Command Reference

    Related Commands
      feature cts       Enables the Cisco TrustSec feature.
      show cts sxp      Displays the Cisco TrustSec SXP configuration information.
  • Page 204: Cts Sxp Default Source-Ip

    4.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. You can use only IPv4 addressing with Cisco TrustSec. This command requires the Advanced Services license.
    Examples...
  • Page 205: Cts Sxp Enable

    4.0(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature using the feature cts command. This command requires the Advanced Services license.
    Examples
    This example shows how to enable SXP:
    switch# configure terminal...
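The rules spread across the cts sxp connection peer, cts sxp default password, cts sxp default source-ip and cts sxp enable pages (SXP must be enabled, every peer needs either its own source address or a device-wide default, and a password default only works if a default password exists) are easy to check mechanically before a change window. The Python script below is an added example written for this section, not Cisco code: it scans a constructed running-config excerpt and reports each violation. The exact shape of the cts sxp connection peer line (peer address, optional source, password default/none/required, mode speaker/listener) is assumed from the commands these pages describe; the sample config, addresses and obfuscated passwords are constructed.

```python
"""Audit an NX-OS running-config excerpt for Cisco TrustSec SXP peer hygiene.

Added example for this command reference; it is not Cisco code. The shape of
the `cts sxp connection peer <ip> [source <ip>] password {default|none|required <pw>}
mode {speaker|listener}` line is assumed from the commands described on these
pages; adjust PEER_RE if your NX-OS release prints it differently.
"""
import re
from typing import List

# Constructed sample config: one peer leans on the default password and has
# no source address, one is fully self-contained, one is unauthenticated.
SAMPLE_CONFIG = """\
feature cts
cts sxp enable
cts sxp default password 7 072c285f4d06
cts sxp connection peer 10.10.1.1 password default mode listener
cts sxp connection peer 10.10.2.2 source 10.10.9.9 password required 7 0b1a2c mode speaker
cts sxp connection peer 10.10.3.3 password none mode listener
"""

# Same config with the default source address added, as the usage guidelines require.
FIXED_CONFIG = SAMPLE_CONFIG + "cts sxp default source-ip 10.10.9.9\n"

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(
    rf"^cts sxp connection peer (?P<peer>{IPV4})"
    rf"(?: source (?P<source>{IPV4}))?"
    r" password (?P<pw>default|none|required)(?:\s\S+)*?"
    r" mode (?P<mode>speaker|listener)$"
)


def audit_sxp(config: str) -> List[str]:
    """Return one finding string per problem; an empty list means clean."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[str] = []
    if "feature cts" not in lines:
        findings.append("feature cts is missing; cts commands are inert without it")
    if "cts sxp enable" not in lines:
        findings.append("cts sxp enable is missing; peers are configured but SXP is off")
    has_default_src = any(ln.startswith("cts sxp default source-ip ") for ln in lines)
    has_default_pw = any(ln.startswith("cts sxp default password ") for ln in lines)
    peers = 0
    for ln in lines:
        m = PEER_RE.match(ln)
        if not m:
            continue
        peers += 1
        peer, src, pw = m.group("peer"), m.group("source"), m.group("pw")
        # Usage guideline: a per-peer source or a device-wide default source is required.
        if src is None and not has_default_src:
            findings.append(f"peer {peer}: no source address and no cts sxp default source-ip")
        # A peer configured with password none accepts the session unauthenticated.
        if pw == "none":
            findings.append(f"peer {peer}: password none, connection is unauthenticated")
        elif pw == "default" and not has_default_pw:
            findings.append(f"peer {peer}: password default but no cts sxp default password")
    if peers == 0:
        findings.append("no cts sxp connection peer lines found")
    return findings


if __name__ == "__main__":
    for finding in audit_sxp(SAMPLE_CONFIG):
        print(finding)
```

Run against SAMPLE_CONFIG the script reports three findings (two peers without a usable source address, one unauthenticated peer); adding the cts sxp default source-ip line, as in FIXED_CONFIG, leaves only the password none finding, which has to be fixed per peer.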
  • Page 206: Cts Sxp Listener Hold-Time

    To configure the global hold-time period of a listener network device in a Cisco TrustSec Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4) network, use the cts sxp listener hold-time command in global configuration mode.
  • Page 207: Cisco Nexus 7000 Series Security Command Reference

    Related Commands
      cts sxp enable                Enables Cisco TrustSec SXP on a device.
      cts sxp speaker hold-time     Configures the hold time of a speaker device in an SXPv4 network.
      show cts sxp                  Displays the status of all Cisco TrustSec SXP configurations.
  • Page 208: Cts Sxp Mapping Network-Map

    7.3(0)D1(1): This command was introduced.
    Usage Guidelines
    To use this command, you must enable the Cisco TrustSec feature by using the feature cts command.
    Examples
    This example shows how to expand the network limit:
    switch# configure terminal
    switch(config)# cts sxp mapping network-map 64...
  • Page 209: Cts Sxp Node-Id

    To configure the node ID of a network device for Cisco TrustSec (CTS) Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4), use the cts sxp node-id command in global configuration mode. To remove the node ID, use the no form of this command.
  • Page 210: Cisco Nexus 7000 Series Security Command Reference

    Examples
    switch(config)# cts sxp node-id 172.16.1.3
    Related Commands
      cts sxp enable    Enables CTS-SXP on a device.
      show cts sxp      Displays the status of all CTS-SXP configurations.
  • Page 211: Cts Sxp Reconcile-Period

    After a peer terminates an SXP connection, an internal hold down timer starts. If the peer reconnects before the internal hold down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries.
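The timer interplay described above decides whether a listener keeps serving policy from bindings a flapping peer advertised, and for how long. The Python model below is an added illustration written for this section, not Cisco code or NX-OS internals: it encodes the sequence on this page (peer drops, hold-down starts; reconnect before hold-down expiry starts the reconcile period, during which the old bindings are kept and any the peer does not re-advertise are removed when it expires) and adds one assumption this page does not state, namely that a peer that never returns before the hold-down expires has all of its bindings discarded. HOLD_DOWN_S, RECONCILE_S, the prefixes and the SGT values are assumed or constructed.

```python
"""Model the lifetime of SXP-learned IP-to-SGT bindings across a peer reconnect.

Added example for this command reference (cts sxp reconcile-period); not Cisco
code. HOLD_DOWN_S is an assumed value for the internal hold-down timer, which
this page does not give, and the flush of all bindings when the hold-down
expires without a reconnect is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

HOLD_DOWN_S = 120    # assumed internal hold-down timer, seconds
RECONCILE_S = 120    # the value a `cts sxp reconcile-period 120` would set


@dataclass
class SxpListener:
    """Bindings a listener has learned from a single SXP speaker."""
    hold_down: int = HOLD_DOWN_S
    reconcile_period: int = RECONCILE_S
    bindings: Dict[str, int] = field(default_factory=dict)  # prefix -> SGT
    stale: Set[str] = field(default_factory=set)            # kept, awaiting refresh
    down_at: Optional[int] = None
    reconcile_until: Optional[int] = None

    def learn(self, prefix: str, sgt: int, now: int) -> None:
        """Binding advertised by the peer; a refresh clears the stale mark."""
        self.bindings[prefix] = sgt
        self.stale.discard(prefix)

    def peer_down(self, now: int) -> None:
        """Peer terminated the connection: the internal hold-down timer starts."""
        self.down_at = now

    def peer_up(self, now: int) -> None:
        """Peer reconnected: retain-and-reconcile, or flush if hold-down expired."""
        if self.down_at is None:
            return
        if now - self.down_at > self.hold_down:
            # Assumed: back too late, nothing from the old connection survives.
            self.bindings.clear()
            self.stale.clear()
        else:
            # In time: keep every old binding as stale and start the reconcile
            # timer; the peer must re-advertise what it still wants kept.
            self.stale = set(self.bindings)
            self.reconcile_until = now + self.reconcile_period
        self.down_at = None

    def tick(self, now: int) -> None:
        """Advance time: expire the hold-down or the reconcile period."""
        if self.down_at is not None and now - self.down_at > self.hold_down:
            self.bindings.clear()       # assumed flush, peer never came back
            self.stale.clear()
            self.down_at = None
        if self.reconcile_until is not None and now >= self.reconcile_until:
            for prefix in self.stale:   # never refreshed: these are the invalid entries
                self.bindings.pop(prefix, None)
            self.stale.clear()
            self.reconcile_until = None


def reconnect_within_hold_down() -> Tuple[Dict[str, int], Dict[str, int]]:
    """Peer drops for 50 s, returns, and re-advertises only one of two bindings."""
    lst = SxpListener()
    lst.learn("10.1.1.0/24", 10, now=0)
    lst.learn("10.1.2.0/24", 20, now=0)
    lst.peer_down(now=100)
    lst.peer_up(now=150)                 # 50 s < HOLD_DOWN_S: retain and reconcile
    lst.learn("10.1.1.0/24", 10, now=151)
    lst.tick(now=200)                    # reconcile timer still running
    during = dict(lst.bindings)
    lst.tick(now=150 + RECONCILE_S)      # timer expires: 10.1.2.0/24 was never refreshed
    return during, dict(lst.bindings)


def reconnect_after_hold_down() -> Dict[str, int]:
    """Peer returns one second after the hold-down expired: nothing is retained."""
    lst = SxpListener()
    lst.learn("10.1.1.0/24", 10, now=0)
    lst.peer_down(now=100)
    lst.peer_up(now=100 + HOLD_DOWN_S + 1)
    return dict(lst.bindings)


def peer_never_returns() -> Dict[str, int]:
    """Peer drops and stays down past the hold-down: bindings are flushed on tick."""
    lst = SxpListener()
    lst.learn("10.1.1.0/24", 10, now=0)
    lst.peer_down(now=100)
    lst.tick(now=100 + HOLD_DOWN_S + 1)
    return dict(lst.bindings)
```

The operational consequence the model makes visible: during the reconcile period a listener keeps enforcing policy for a prefix the speaker has already stopped advertising, so a long reconcile-period widens the window in which a stale IP-to-SGT binding still classifies traffic; a short one makes a brief peer flap drop bindings that the peer would have re-advertised a moment later.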
  • Page 212: Cisco Nexus 7000 Series Security Command Reference

    Related Commands
      feature cts                 Enables the Cisco TrustSec feature.
      show cts sxp connection     Displays the Cisco TrustSec SXP configuration information.
  • Page 213: Cts Sxp Retry-Period

    The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.
  • Page 214: Cisco Nexus 7000 Series Security Command Reference

    Related Commands
      feature cts                 Enables the Cisco TrustSec feature.
      show cts sxp connection     Displays the Cisco TrustSec SXP peer connection information.
  • Page 215: Cts Sxp Speaker Hold-Time

    To configure the global hold-time period of a speaker network device in a Cisco TrustSec Security Group Tag (SGT) Exchange Protocol version 4 (SXPv4) network, use the cts sxp speaker hold-time command in global configuration mode.
  • Page 216: Cisco Nexus 7000 Series Security Command Reference

    Related Commands
      cts sxp enable                Enables Cisco TrustSec SXP on a device.
      cts sxp listener hold-time    Configures the hold time of a listener device in an SXPv4 network.
      show cts sxp                  Displays the status of all Cisco TrustSec SXP configurations.
  • Page 217: D Commands