First Published: September 2012 Last Modified: October 4, 2013 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices. Text Part Number: OL-27883-02...
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
Obtaining Documentation and Submitting a Service Request New and Changed Information xiii New and Changed Information for Cisco NX-OS Releases xiii New and Changed Information for Cisco NX-OS Release 6.0(2)N2(2) xiii New and Changed Information for Cisco NX-OS Release 6.0(2)N1(2) xiii A Commands...
E Commands enable enable secret F Commands feature (user role feature group) feature dhcp feature http-server feature port-security feature privilege feature tacacs+ I Commands interface policy deny ip access-class ip access-group Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
Show Commands show aaa accounting show aaa authentication show aaa authorization show aaa groups show aaa user show access-lists show accounting log
Preface This preface describes the audience, organization, and conventions of the Cisco Nexus 5500 Series NX-OS Security Command Reference. It also provides information on how to obtain related documentation. This preface includes the following sections: • Audience, page ix • Document Conventions, page ix • ...
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data. Related Documentation Documentation for Cisco Nexus 5000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders is available at the following URL: http://www.cisco.com/en/US/products/ps9670/tsd_products_support_series_home.html The documentation set includes the following types of documents: • Licensing Information Guide • ...
What's New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What's New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have content delivered directly to your desktop using a reader application. The RSS feeds are a free service.
5500 Series NX-OS Security Command Reference. The latest version of this document is available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_command_reference_list.html To check for additional information about this Cisco NX-OS Release, see the Cisco Nexus 5500 Series NX-OS Release Notes, Release 6.0 available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html...
Table 2 New and Changed Information for Release 6.0(2)N1(1). Feature: QSFP+ GEM. Description: This feature was introduced. Where Documented: • C Commands • I Commands • Show Commands
A Commands This chapter describes the Cisco NX-OS security commands that begin with A.
This example shows how to configure the AAA authentication console login method: switch(config)# aaa authentication login console group radius This example shows how to revert to the default AAA authentication console login method: switch(config)# no aaa authentication login console group radius
Related Commands Command Description aaa group server Configures AAA server groups. radius-server host Configures RADIUS servers. show aaa authentication Displays AAA authentication information. tacacs-server host Configures TACACS+ servers.
This example shows how to configure the AAA authentication console login method: switch(config)# aaa authentication login default group radius This example shows how to revert to the default AAA authentication console login method: switch(config)# no aaa authentication login default group radius
This example shows how to disable the display of AAA authentication failure messages to the console: switch(config)# no aaa authentication login error-enable Related Commands Command Description show aaa authentication Displays the status of the AAA authentication failure message display.
This example shows how to disable MS-CHAP authentication: switch(config)# no aaa authentication login mschap enable Related Commands Command Description show aaa authentication Displays the status of MS-CHAP authentication.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
config-commands default Configures default AAA authorization methods for configuration commands. aaa group server Configures AAA server groups. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration. tacacs-server host Configures a TACACS+ server.
commands default Configures default AAA authorization methods for EXEC commands. aaa group server Configures AAA server groups. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration. tacacs-server host Configures a TACACS+ server.
If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
ssh-publickey Configures local authorization with the SSH public key as the default AAA authorization method. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration.
Usage Guidelines If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
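The method-list behaviour described in the usage guidelines above (the configured server groups are tried in order; local or none is used only when every group fails to respond, never when a group answers with a reject) worked through as an added Python model. This is illustration added here, not Cisco NX-OS code; the group names tacacs-a and radius-b, the user entries, and the per-group response table are constructed for the example.

```python
"""Model of the NX-OS AAA method-list rule: server groups are tried in the
configured order; the local (or none) fallback applies only when every
configured group fails to respond. A reject from a reachable group ends the
lookup. Added illustration, not NX-OS code; the groups, users and responses
below are constructed sample data."""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # every server in the group timed out


# Constructed sample: what each (hypothetical) server group answers per user.
# A value of None models a group whose servers are all unreachable.
SERVER_GROUPS = {
    "tacacs-a": {"alice": Verdict.ACCEPT, "bob": Verdict.REJECT},
    "radius-b": None,
}

# Constructed local user database consulted by the "local" fallback method.
LOCAL_USERS = {"admin": "s3cret-local", "alice": "alice-local"}


def query_group(group, user):
    """Return the group's verdict for a user; unknown users are rejected."""
    table = SERVER_GROUPS.get(group)
    if table is None:
        return Verdict.NO_RESPONSE
    return table.get(user, Verdict.REJECT)


def authenticate(method_list, user, password):
    """Apply a method list such as ["group tacacs-a", "group radius-b", "local"].

    Returns (verdict, method_that_decided). Groups are consulted in list
    order; only a NO_RESPONSE moves on to the next method. The trailing
    "local" or "none" method is reached only when no group responded.
    """
    fallback = None
    for method in method_list:
        if method.startswith("group "):
            group = method.split(" ", 1)[1]
            verdict = query_group(group, user)
            if verdict is Verdict.NO_RESPONSE:
                continue                      # try the next configured group
            return verdict.value, method      # ACCEPT or REJECT ends the lookup
        fallback = method                     # "local" or "none"
    # Reached only if every configured server group failed to respond.
    if fallback == "local":
        ok = LOCAL_USERS.get(user) == password
        return ("accept" if ok else "reject"), "local"
    if fallback == "none":
        return "accept", "none"
    return "reject", "no-fallback"


if __name__ == "__main__":
    methods = ["group tacacs-a", "group radius-b", "local"]
    for user, pw in (("alice", "x"), ("bob", "x"), ("admin", "s3cret-local")):
        print(user, authenticate(methods, user, pw))
```

The distinction the model makes visible is the one the guideline turns on: while at least one server group answers, its accept or reject is final and the local database is never consulted, so adding local as a fallback does not give a rejected remote user a second attempt against local credentials. Only a total loss of server reachability engages the fallback, and with none as the fallback that means unauthenticated access, which is why the choice between local and none matters.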
Related Commands Command Description aaa authorization ssh-certificate Configures local authorization with certificate authentication as the default AAA authorization method. show aaa authorization Displays the AAA authorization configuration.
RadServer switch(config-radius)# This example shows how to delete a RADIUS server group: switch(config)# no aaa group server radius RadServer Related Commands Command Description show aaa groups Displays server group information.
Related Commands Command Description show aaa user default-role Displays the status of the default user for remote authentication. show aaa authentication Displays AAA authentication information.
Enables statistics for an access control list or VLAN access map. vlan access-map Configures a VLAN access map. vlan filter Applies a VLAN access map to one or more VLANs.
C Commands This chapter describes the Cisco NX-OS security commands that begin with C.
Checkpoints are local to a switch. When you create a checkpoint, a snapshot of the current running configuration is stored in a checkpoint file. If you do not provide a checkpoint name, Cisco NX-OS sets the checkpoint name to user-checkpoint-number, where the number is from 1 to 10.
summary Displays a summary of all checkpoints configured in the switch. show checkpoint summary user Displays all checkpoints created by a user. show checkpoint summary system Displays all checkpoints that were automatically created in the system.
Applies an IPv4 ACL to an interface. ip access-list Configures an IPv4 ACL. show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show ip access-lists Displays information about one or all IPv4 ACLs.
5.2(1)N1(1) This command was introduced. Examples This example shows how to clear the accounting log: switch# clear accounting log Related Commands Command Description show accounting log Displays the accounting log contents.
This command was introduced. Examples This example shows how to clear the configured checkpoints: switch# clear checkpoint database .Done switch# Related Commands Command Description checkpoint Creates a checkpoint. show checkpoint Displays all configured checkpoints.
This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf: switch# clear ip arp vlan 10 vrf vlan-vrf switch# Related Commands Command Description show ip arp Displays the ARP configuration status.
log-buffer entries Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection Displays the DAI log configuration. show ip arp inspection statistics Displays the DAI statistics.
log-buffer Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection vlan Displays DAI status for a specified list of VLANs.
This example shows how to clear a specific entry from the DHCP snooping binding database: switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11 switch#
startup-config Copies the running configuration to the startup configuration. show ip dhcp snooping binding Displays IP-MAC address bindings, including the static IP source entries. show running-config dhcp Displays DHCP snooping configuration, including the IP Source Guard configuration.
startup-config Copies the running configuration to the startup configuration. show ip dhcp snooping statistics Displays DHCP snooping statistics. show running-config dhcp Displays DHCP snooping configuration, including the IP Source Guard configuration.
Configuration mode Command History Release Modification 6.0(2)N2(2) This command was introduced. Examples This example shows how to enable CTS batched programming: switch# configure terminal switch(config)# cts role-based batched-programming Related Commands Command Description
D Commands This chapter describes the Cisco NX-OS security commands that begin with D.
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group: switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# deadtime 5 This example shows how to revert to the dead-time interval default: switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# no deadtime 5
Enables TACACS+. radius-server host Configures a RADIUS server. show radius-server groups Displays RADIUS server group information. show tacacs-server groups Displays TACACS+ server group information. tacacs-server host Configures a TACACS+ server.
Specifying 255.255.255.255 as the sender-IP-mask argument is the equivalent of using the host keyword. Introduces the MAC address portion of the rule. Command Default None
192.0.32.14 255.255.255.0 mac any switch(config-arp-acl)# Related Commands Command Description arp access-list Configures an ARP ACL. permit (ARP) Configures a permit rule in an ARP ACL. remark Configures a remark in an ACL.
(Optional) Rule that matches only packets of the specified ICMP message type. This argument can be an integer from 0 to 255 or one of the keywords listed under the "ICMP Message Types" section in the "Usage Guidelines" section.
You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
When you configure a rule, use the following methods to specify the source and destination arguments:
• echo—Echo (ping)
• echo-reply—Echo reply
• general-parameter-problem—Parameter problem
• host-isolated—Host isolated
• host-precedence-unreachable—Host unreachable for precedence
• host-redirect—Host redirect
• host-tos-redirect—Host redirect for ToS
• host-tos-unreachable—Host unreachable for ToS
10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic: switch(config)# ip access-list acl-lab-01 switch(config-acl)# deny icmp 10.23.0.0/16 10.176.0.0/16 switch(config-acl)# deny icmp 192.168.37.0/16 10.176.0.0/16 switch(config-acl)# permit ip any any
Configures an IPv4 ACL. permit (IPv4) Configures a permit rule in an IPv4 ACL. remark Configures a remark in an IPv4 ACL. show ip access-list Displays all IPv4 ACLs or one IPv4 ACL.
0 to 15. It can also be one of the following keywords:
• dvmrp—Distance Vector Multicast Routing Protocol
• host-query—Host query
• host-report—Host report
• pim—Protocol Independent Multicast
• trace—Multicast trace
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the "Source and Destination" section in the "Usage Guidelines" section.
Use the object-group ip port command to create and change IP port-group objects.
(Optional) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
Security Association and Key Management Protocol (5)
• mobile-ip—Mobile IP registration (434)
• nameserver—IEN116 name service (obsolete, 42)
• netbios-dgm—NetBIOS datagram service (138)
• netbios-ns—NetBIOS name service (137)
• netbios-ss—NetBIOS session service (139)
(Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed in the "ICMPv6 Message Types" section in the "Usage Guidelines" section.
You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments. Command Default None
The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the following keywords:
• beyond-scope—Destination beyond scope
• destination-unreachable—Destination address is unreachable
• echo-reply—Echo reply
• echo-request—Echo request (ping)
• header—Parameter header problems
Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. permit (IPv6) Configures a permit rule in an IPv6 ACL. remark Configures a remark in an ACL. time-range Configures a time range.
Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the "Source and Destination" section in the "Usage Guidelines" section.
Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments. Command Default None Command Modes IPv6 ACL configuration
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all IPv6 traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network: switch# configure terminal switch(config)# ipv6 access-list acl-lab13-ipv6 switch(config-ipv6-acl)# deny ipv6 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny ipv6 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all SCTP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network: switch# configure terminal switch(config)# ipv6 access-list acl-lab13-ipv6 switch(config-ipv6-acl)# deny sctp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny sctp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
2001:0db8:85a3::/48 any
• Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows: host IPv6-address
Office Protocol v2 (19)
• pop3—Post Office Protocol v3 (11)
• smtp—Simple Mail Transport Protocol (25)
• sunrpc—Sun Remote Procedure Call (111)
• tacacs—TAC Access Control System (49)
• talk—Talk (517)
0 to 65535. It can also be one of the following keywords:
• biff—Biff (mail notification, comsat, 512)
• bootpc—Bootstrap Protocol (BOOTP) client (68)
• bootps—Bootstrap Protocol (BOOTP) server (67)
• discard—Discard (9)
• dnsix—DNSIX security protocol auditing (195)
If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL. Command Modes MAC ACL configuration mode
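The ordering rules this reference states for ACLs (the switch enforces the first rule whose conditions the packet satisfies, the lowest sequence number wins when more than one rule matches, and a rule added without a sequence number gets one 10 greater than the last rule) worked through as an added Python model. It is illustration added here, not NX-OS code. The rule set reproduces the acl-lab-01 example from the deny (IPv4) entry; the starting sequence number of 10 for an empty ACL, and the match on protocol plus source and destination prefix only, are assumptions of this model.

```python
"""Model of NX-OS ACL rule selection: rules are stored by sequence number,
a rule added without one gets last_seq + 10 (10 for an empty ACL is an
assumption of this model), and evaluation returns the matching rule with
the lowest sequence number. Added illustration, not NX-OS code; the
acl-lab-01 rules below are taken from the deny (IPv4) example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any IPv4 protocol; else e.g. "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, proto, src_ip, dst_ip):
        proto_ok = self.protocol == "ip" or self.protocol == proto
        return proto_ok and src_ip in self.src and dst_ip in self.dst


def net(spec):
    """Translate an ACL address argument ("any" or prefix/len) to a network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # strict=False accepts host bits in the prefix, as the CLI examples do.
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Acl:
    name: str
    rules: dict = field(default_factory=dict)   # sequence number -> Rule

    def add(self, action, protocol, src, dst, seq=None):
        """Add a rule; without seq, use 10 more than the current last rule."""
        if seq is None:
            seq = (max(self.rules) + 10) if self.rules else 10
        self.rules[seq] = Rule(action, protocol, net(src), net(dst))
        return seq

    def evaluate(self, proto, src_ip, dst_ip):
        """Return (action, seq) of the lowest-numbered matching rule.

        Rules are walked in ascending sequence order, so a rule inserted with
        an explicit low sequence number takes precedence over an earlier-added
        but higher-numbered rule that also matches. (None, None) means no
        configured rule matched.
        """
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for seq in sorted(self.rules):
            if self.rules[seq].matches(proto, src_ip, dst_ip):
                return self.rules[seq].action, seq
        return None, None


def build_lab_acl():
    """The acl-lab-01 rule set from this reference, added without sequence numbers."""
    acl = Acl("acl-lab-01")
    acl.add("deny", "icmp", "10.23.0.0/16", "10.176.0.0/16")
    acl.add("deny", "icmp", "192.168.37.0/16", "10.176.0.0/16")
    acl.add("permit", "ip", "any", "any")
    return acl


if __name__ == "__main__":
    acl = build_lab_acl()
    print(sorted(acl.rules))                                   # [10, 20, 30]
    print(acl.evaluate("icmp", "10.23.1.1", "10.176.0.5"))     # ('deny', 10)
    acl.add("permit", "icmp", "10.23.5.0/24", "any", seq=5)    # inserted ahead of 10
    print(acl.evaluate("icmp", "10.23.5.7", "10.176.0.5"))     # ('permit', 5)
```

The point worth checking against a real configuration is the one the model's seq=5 insertion shows: adding a permit with a sequence number below an existing deny changes what the deny covers, even though the deny was entered first. When auditing an ACL, read it in sequence-number order, not in the order the rules were typed.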
Configures a MAC ACL. permit (MAC) Configures a deny rule in a MAC ACL. remark Configures a remark in an ACL. show mac access-list Displays all MAC ACLs or one MAC ACL.
This example shows how to remove the description from a user role: switch(config)# role name MyRole switch(config-role)# no description Related Commands Command Description show role Displays information about the user role configuration.
E Commands This chapter describes the Cisco NX-OS security commands that begin with E.
Enables the cumulative privilege of roles for command authorization on TACACS+ servers. show privilege Displays the current privilege level, username, and status of cumulative privilege support. username Enables a user to use privilege levels for authorization.
Enables the user to move to a higher privilege level after being prompted for a secret password. feature privilege Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
Command Description show privilege Displays the current privilege level, username, and status of cumulative privilege support. username Enables a user to use privilege levels for authorization.
F Commands This chapter describes the Cisco NX-OS security commands that begin with F.
MyGroup switch(config-role-featuregrp)# no feature callhome Related Commands Command Description role feature-group name Creates or configures a user role feature group. show role feature-group Displays the user role feature groups.
Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled. Examples This example shows how to enable DHCP snooping: switch(config)# feature dhcp switch(config)# This example shows how to disable DHCP snooping:
Page 116
Copies the running configuration to the startup configuration. startup-config ip dhcp snooping Globally enables DHCP snooping on the device. show running-config Displays DHCP snooping configuration, including IP Source Guard dhcp configuration. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
5.2(1)N1(1) This command was introduced. Usage Guidelines In releases earlier than Cisco NX-OS Release 5.2(1)N1(1), HTTP and HTTPS are enabled on the switch by default. Examples This example shows how to enable the HTTP server on the switch and verify the status of the HTTP...
Page 118
Copies the running configuration to the startup configuration. startup-config show feature Displays the features enabled or disabled on the switch. show http-server Displays the HTTP or HTTPS server configuration. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
This example shows how to disable port security on the switch:
switch# configure terminal
switch(config)# no feature port-security
switch(config)#

Related Commands
Command                    Description
show feature               Displays the features that are enabled or disabled on the switch.
show port-security         Displays the port security configuration information.
switchport port-security   Configures the switchport parameters to establish port security.
Related Commands
Command          Description
show feature     Displays the features enabled or disabled on the switch.
show privilege   Displays the current privilege level, username, and status of cumulative privilege support.
username         Enables a user to use privilege levels for authorization.
5.2(1)N1(1)   This command was introduced.

Usage Guidelines
You must use the feature tacacs+ command before you configure TACACS+.

Note: When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration.

Examples
This example shows how to enable TACACS+:
switch(config)# feature tacacs+
I Commands

This chapter describes the Cisco NX-OS security commands that begin with I.
switch(config)# role name MyRole
switch(config-role)# no interface policy deny

Related Commands
Command     Description
role name   Creates or specifies a user role and enters user role configuration mode.
show role   Displays user role information.
in    Specifies that incoming connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list.
out   Specifies that outgoing connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list.

Related Commands
Command                      Description
show running-config aclmgr   Displays the running configuration of ACLs.
show startup-config aclmgr   Displays the startup configuration for ACLs.
ssh                          Starts an SSH session using IPv4.
telnet                       Starts a Telnet session using IPv4.
If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

A router ACL can be applied only to ingress traffic.

Related Commands
Command                         Description
show access-lists               Displays all ACLs.
show ip access-lists            Shows either a specific IPv4 ACL or all IPv4 ACLs.
show running-config interface   Shows the running configuration of all interfaces or of a specific interface.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch(config)# ip access-list ip-acl-01
switch(config-acl)#

Related Commands
Command                Description
...                    Applies an IPv4 ACL to an interface.
permit (IPv4)          Configures a permit rule in an IPv4 ACL.
show ip access-lists   Displays all IPv4 ACLs or a specific IPv4 ACL.
This example shows how to set the ARP event history buffer to the default:
switch(config)# no ip arp event-history errors size medium
switch(config)#

Related Commands
Command                       Description
show running-config arp all   Displays the ARP configuration, including the default configurations.
Related Commands
Command                    Description
...                        Clears the DAI logging buffer.
feature dhcp               Enables DHCP snooping.
show ip arp inspection     Displays the DAI log configuration.
show running-config dhcp   Displays DHCP snooping configuration, including the DAI configuration.
... MAC validation, an ARP request frame is considered valid only if the target Ethernet address is the same as the destination Ethernet address in the ARP frame header.

Related Commands
Command                    Description
feature dhcp               Enables DHCP snooping.
show ip arp inspection     Displays the DAI configuration status.
show running-config dhcp   Displays DHCP snooping configuration, including DAI configuration.
This command does not require a license.

Examples
This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
switch# configure terminal
switch(config)# ip arp inspection vlan 13,15,17-23
switch(config)#

Related Commands
Command                       Description
show ip arp inspection        Displays the DAI configuration status.
show ip arp inspection vlan   Displays DAI status for a specified list of VLANs.
show running-config dhcp      Displays DHCP snooping configuration, including DAI configuration.
Related Commands
Command                            Description
show ip arp inspection             Displays the Dynamic ARP Inspection (DAI) configuration status.
show ip arp inspection interface   Displays the trust state and the ARP packet rate for a specified interface.
show running-config dhcp           Displays DHCP snooping configuration, including DAI configuration.
Related Commands
Command                    Description
feature dhcp               Enables DHCP snooping on the switch.
show ip dhcp snooping      Displays general information about DHCP snooping.
show running-config dhcp   Displays the current DHCP configuration.
Related Commands
Command                    Description
...                        Enables DHCP snooping on the specified VLANs.
show ip dhcp snooping      Displays general information about DHCP snooping.
show running-config dhcp   Displays DHCP snooping configuration, including IP Source Guard configuration.
Related Commands
Command                    Description
feature dhcp               Enables DHCP snooping on the switch.
show running-config dhcp   Displays the DHCP snooping configuration.
Related Commands
Command                    Description
feature dhcp               Enables DHCP snooping on the switch.
show ip dhcp snooping      Displays general information about DHCP snooping.
show running-config dhcp   Displays DHCP snooping configuration, including IP Source Guard configuration.
This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
switch(config)# interface ethernet 1/2
switch(config-if)# ip port access-group ip-acl-01 in

This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:

Related Commands
Command                         Description
show access-lists               Displays all ACLs.
show ip access-lists            Shows either a specific IPv4 ACL or all IPv4 ACLs.
show running-config interface   Shows the running configuration of all interfaces or of a specific interface.
This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
switch# configure terminal
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
switch(config)#
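The Dynamic ARP Inspection behaviour this reference describes (the VLAN list accepted by ip arp inspection vlan, trusted interfaces, lookups against bindings such as the static ip source binding entry above, and the target-MAC validation), as an added Python model that is not Cisco's code. Interface names and the binding table are constructed for the example, and the target-MAC comparison is applied to ARP replies, which is an assumption of this example.

```python
"""Added example: Dynamic ARP Inspection over a DHCP-snooping binding table.
Not Cisco's code; it follows the behaviour described in the command reference."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def parse_vlan_list(spec: str) -> set:
    """Expand the VLAN list syntax of 'ip arp inspection vlan', e.g. '13,15,17-23'."""
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def norm_mac(mac: str) -> str:
    """Canonical 12-hex-digit form; accepts 001f.28bd.0013 and 00:1f:28:bd:00:13."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac}")
    return digits


@dataclass(frozen=True)
class Binding:
    """One IP-to-MAC binding, learned by DHCP snooping or added with
    'ip source binding <ip> <mac> vlan <n> interface <if>'."""
    ip: str
    mac: str
    vlan: int
    interface: str


@dataclass
class ArpFrame:
    interface: str     # ingress interface
    vlan: int
    eth_dst: str       # destination MAC in the Ethernet header
    sender_ip: str
    sender_mac: str
    target_mac: str    # target hardware address in the ARP body
    is_reply: bool


class ArpInspector:
    def __init__(self, vlan_spec: str, trusted: Iterable[str],
                 validate_dst_mac: bool = False):
        self.vlans = parse_vlan_list(vlan_spec)   # VLANs with DAI enabled
        self.trusted = set(trusted)               # interfaces that are not inspected
        self.validate_dst_mac = validate_dst_mac  # the target-MAC validation
        self.bindings: Dict[Tuple[int, str], Binding] = {}
        self.log: List[str] = []                  # the DAI logging buffer

    def add_binding(self, ip: str, mac: str, vlan: int, interface: str) -> None:
        self.bindings[(vlan, ip)] = Binding(ip, norm_mac(mac), vlan, interface)

    def inspect(self, f: ArpFrame) -> str:
        """Return 'forward' or 'drop' for one ARP frame."""
        if f.vlan not in self.vlans or f.interface in self.trusted:
            return "forward"   # DAI not enabled on this VLAN, or a trusted port
        binding = self.bindings.get((f.vlan, f.sender_ip))
        if binding is None:
            return self._drop(f, "no binding for sender IP")
        if binding.mac != norm_mac(f.sender_mac) or binding.interface != f.interface:
            return self._drop(f, "sender MAC or interface does not match binding")
        # Target-MAC validation: the target hardware address must equal the
        # Ethernet destination address. Applied to replies here (assumption of
        # this example; requests normally carry a zero target address).
        if (self.validate_dst_mac and f.is_reply
                and norm_mac(f.target_mac) != norm_mac(f.eth_dst)):
            return self._drop(f, "target MAC differs from Ethernet destination")
        return "forward"

    def _drop(self, f: ArpFrame, reason: str) -> str:
        self.log.append(f"DAI drop vlan {f.vlan} {f.interface} "
                        f"sender {f.sender_ip}/{norm_mac(f.sender_mac)}: {reason}")
        return "drop"


if __name__ == "__main__":
    dai = ArpInspector("13,15,17-23", trusted=["ethernet 1/1"], validate_dst_mac=True)
    dai.add_binding("10.20.0.8", "0011.2233.4455", 20, "ethernet 1/5")   # constructed
    frame = ArpFrame("ethernet 1/5", 20, "ffff.ffff.ffff", "10.20.0.8",
                     "dead.beef.0001", "0000.0000.0000", is_reply=False)
    print(dai.inspect(frame), dai.log)   # drop, with the reason logged
```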
Related Commands
Command                    Description
feature dhcp               Enables DHCP snooping on the switch.
show ip verify source      Displays IP-to-MAC address bindings.
show interface             Displays interface configuration.
show running-config dhcp   Displays the DHCP snooping configuration information.
This example shows how to disable IP Source Guard on a Layer 2 interface:
switch# configure terminal
switch(config)# interface ethernet 1/5
switch(config-if)# no ip verify source dhcp-snooping-vlan
switch(config-if)#

Related Commands
Command                                  Description
...                                      Displays the IP-to-MAC address bindings for an interface.
show running-config dhcp                 Displays the IP configuration in the running configuration.
show running-config interface ethernet   Displays the interface configuration in the running configuration.
This command does not require a license.

Examples
This example shows how to configure loose Unicast RPF checking on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# ip verify unicast source reachable-via any

Related Commands
Command                                  Description
... ethernet                             Displays the IP-related information for an interface.
show running-config interface ethernet   Displays the interface configuration in the running configuration.
show running-config                      Displays the IP configuration in the running configuration.
in    Specifies that incoming connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list.
out   Specifies that outgoing connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list.

Related Commands
Command                      Description
show running-config aclmgr   Displays the running configuration of ACLs.
show startup-config aclmgr   Displays the startup configuration for ACLs.
ssh6                         Starts an SSH session using IPv6.
telnet6                      Starts a Telnet session using IPv6.
This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
switch(config)# ipv6 access-list ipv6-acl-01
switch(config-ipv6-acl)#

Related Commands
Command         Description
deny (IPv6)     Configures a deny rule in an IPv6 ACL.
permit (IPv6)   Configures a permit rule in an IPv6 ACL.
If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message.

If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Related Commands
Command                  Description
...                      Configures a virtual Ethernet interface.
ipv6 access-list         Configures an IPv6 ACL.
show access-lists        Displays all ACLs.
show ipv6 access-lists   Shows either a specific IPv6 ACL or all IPv6 ACLs.
... ICMP host-unreachable message.

If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface.

Related Commands
Command                  Description
...                      Configures a virtual Ethernet interface.
ipv6 access-list         Configures an IPv6 ACL.
show access-lists        Displays all ACLs.
show ipv6 access-lists   Shows either a specific IPv6 ACL or all IPv6 ACLs.
M Commands

This chapter describes the Cisco NX-OS security commands that begin with M.
This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
switch(config)# mac access-list mac-acl-01
switch(config-acl)#

Related Commands
Command                 Description
deny (MAC)              Configures a deny rule in a MAC ACL.
mac access-group        Applies a MAC ACL to an interface.
permit (MAC)            Configures a permit rule in a MAC ACL.
show mac access-lists   Displays all MAC ACLs or a specific MAC ACL.
... ACL does not affect traffic on the interface.

Examples
This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:
switch(config)# interface ethernet 1/2
switch(config-if)# mac port access-group mac-acl-01
switch(config-if)#

Related Commands
Command                         Description
show access-lists               Displays all ACLs.
show mac access-lists           Shows either a specific MAC ACL or all MAC ACLs.
show running-config interface   Shows the running configuration of all interfaces or of a specific interface.
Related Commands
Command           Description
...               Displays information about how a VLAN access map is applied.
vlan access-map   Configures a VLAN access map.
vlan filter       Applies a VLAN access map to one or more VLANs.
P Commands

This chapter describes the Cisco NX-OS security commands that begin with P.
... Introduces the MAC address portion of the rule.

Command Default
None

Command Modes
ARP ACL configuration mode

Command History
Release       Modification
5.2(1)N1(1)   This command was introduced.

Related Commands
Command                 Description
deny (ARP)              Configures a deny rule in an ARP ACL.
arp access-list         Configures an ARP ACL.
remark                  Configures a remark in an ACL.
show arp access-lists   Displays all ARP ACLs or one ARP ACL.
... ICMP message number, which is an integer from 0 to 255, or a keyword. For a list of keywords, see the “ICMP Message Types” section in the “Usage Guidelines” section.

You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
When you configure a rule, use the following methods to specify the source and destination arguments:
• echo—Echo (ping)
• echo-reply—Echo reply
• general-parameter-problem—Parameter problem
• host-isolated—Host isolated
• host-precedence-unreachable—Host unreachable for precedence
• host-redirect—Host redirect
• host-tos-redirect—Host redirect for ToS
• host-tos-unreachable—Host unreachable for ToS
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all ICMP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network:
switch(config)# ip access-list acl-lab-01
switch(config-acl)# permit icmp 10.23.0.0/16 10.176.0.0/16
switch(config-acl)# permit icmp 192.168.37.0/16 10.176.0.0/16
Related Commands
Command                Description
deny (IPv4)            Configures a deny rule in an IPv4 ACL.
ip access-list         Configures an IPv4 ACL.
remark                 Configures a remark in an ACL.
show ip access-lists   Displays all IPv4 ACLs or one IPv4 ACL.

... 0 to 15. It can also be one of the following keywords:
• dvmrp—Distance Vector Multicast Routing Protocol
• host-query—Host query
• host-report—Host report
• log—Log matches against this entry
• pim—Protocol Independent Multicast
• trace—Multicast trace
You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
When you configure a rule, use the following methods to specify the source and destination arguments:
Related Commands
Command                Description
deny (IPv4)            Configures a deny rule in an IPv4 ACL.
ip access-list         Configures an IPv4 ACL.
remark                 Configures a remark in an ACL.
show ip access-lists   Displays all IPv4 ACLs or one IPv4 ACL.

... “Usage Guidelines” section.
destination   Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
When you configure a rule, use the following methods to specify the source and destination arguments:
Related Commands
Command                Description
deny (IPv4)            Configures a deny rule in an IPv4 ACL.
ip access-list         Configures an IPv4 ACL.
remark                 Configures a remark in an ACL.
show ip access-lists   Displays all IPv4 ACLs or one IPv4 ACL.

destination   Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
Use the object-group ip port command to create and change IP port-group objects.
log   (Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information:
• Protocol
• Source and destination addresses
• Source and destination port numbers, if applicable
The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
Related Commands
Command                Description
deny (IPv4)            Configures a deny rule in an IPv4 ACL.
ip access-list         Configures an IPv4 ACL.
remark                 Configures a remark in an ACL.
show ip access-lists   Displays all IPv4 ACLs or one IPv4 ACL.

destination   Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
Use the object-group ip port command to create and change IP port-group objects.
You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
When you configure a rule, use the following methods to specify the source and destination arguments:
• ... Security Association and Key Management Protocol (5)
• mobile-ip—Mobile IP registration (434)
• nameserver—IEN116 name service (obsolete, 42)
• netbios-dgm—NetBIOS datagram service (138)
• netbios-ns—NetBIOS name service (137)
• netbios-ss—NetBIOS session service (139)
Related Commands
Command                Description
deny (IPv4)            Configures a deny rule in an IPv4 ACL.
ip access-list         Configures an IPv4 ACL.
remark                 Configures a remark in an ACL.
show ip access-lists   Displays all IPv4 ACLs or one IPv4 ACL.

destination   Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
The syntax is as follows:
host IPv6-address

This syntax is equivalent to IPv6-address/128.

This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
... 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64

Related Commands
Command            Description
deny (IPv6)        Configures a deny rule in an IPv6 ACL.
ipv6 access-list   Configures an IPv6 ACL.
remark             Configures a remark in an ACL.

destination   Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
flow-label flow-label-value   (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
... 2001:0db8:85a3::/48 any

• Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:
  host IPv6-address
Related Commands
Command            Description
deny (IPv6)        Configures a deny rule in an IPv6 ACL.
ipv6 access-list   Configures an IPv6 ACL.
remark             Configures a remark in an ACL.

destination   Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
Use the object-group ip port command to create and change IP port-group objects.
flow-label flow-label-value   (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
... 2001:0db8:85a3::/48 any

• Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:
  host IPv6-address
Related Commands
Command            Description
deny (IPv6)        Configures a deny rule in an IPv6 ACL.
ipv6 access-list   Configures an IPv6 ACL.
remark             Configures a remark in an ACL.

destination   Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
Use the object-group ip port command to create and change IP port-group objects.
(Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
... (VLSM) to specify a host or a network as a source or destination. The syntax is as follows:
IPv6-address/prefix-len

This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
switch(config-acl)# permit tcp 2001:0db8:85a3::/48 any
Related Commands
Command            Description
deny (IPv6)        Configures a deny rule in an IPv6 ACL.
ipv6 access-list   Configures an IPv6 ACL.
remark             Configures a remark in an ACL.

destination   Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
Use the object-group ip port command to create and change IP port-group objects.
flow-label flow-label-value   (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
... 2001:0db8:85a3::/48 any

• Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows:
  host IPv6-address
• tacacs—TAC Access Control System (49)
• talk—Talk (517)
• tftp—Trivial File Transfer Protocol (69)
• time—Time (37)
• who—Who service (rwho, 513)
• xdmcp—X Display Manager Control Protocol (177)
Related Commands
Command            Description
deny (IPv6)        Configures a deny rule in an IPv6 ACL.
ipv6 access-list   Configures an IPv6 ACL.
remark             Configures a remark in an ACL.

If you do not specify a sequence number, the switch assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.

Command Modes
MAC ACL configuration mode
Related Commands
Command                Description
deny (MAC)             Configures a deny rule in a MAC ACL.
mac access-list        Configures a MAC ACL.
remark                 Configures a remark in an ACL.
show mac access-list   Displays all MAC ACLs or one MAC ACL.
This example shows how to remove an interface from a user role interface policy:
switch(config)# role name MyRole
switch(config-role)# interface policy deny
switch(config-role-interface)# no permit interface ethernet 1/2

Related Commands
Command                 Description
interface policy deny   Enters interface policy configuration mode for a user role.
role name               Creates or specifies a user role and enters user role configuration mode.
show role               Displays user role information.
... 1, 10, 12, 20

This example shows how to remove a VLAN from a user role VLAN policy:
switch(config)# role name MyRole
switch(config-role)# vlan policy deny
switch(config-role-vlan)# no permit vlan 2

Related Commands
Command            Description
vlan policy deny   Enters VLAN policy configuration mode for a user role.
role name          Creates or specifies a user role and enters user role configuration mode.
show role          Displays user role information.
Related Commands
Command     Description
...         Enters VRF policy configuration mode for a user role.
role name   Creates or specifies a user role and enters user role configuration mode.
show role   Displays user role information.

Related Commands
Command     Description
...         Denies access to a VSAN policy for a user.
role name   Creates or specifies a user role and enters user role configuration mode.
show role   Displays user role information.
R Commands

This chapter describes the Cisco NX-OS security commands that begin with R.
To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 5000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command.

radius-server deadtime minutes
This example shows how to prevent users from sending authentication requests to a specific RADIUS server when logging in:
switch(config)# no radius-server directed-request

Related Commands
Command                               Description
show radius-server directed-request   Displays the directed request RADIUS server configuration.
... (white spaces are not allowed), is case sensitive, and has a maximum of 63 characters.
pac                     (Optional) Enables the generation of Protected Access Credentials on the RADIUS Cisco ACS server for use with Cisco TrustSec.
accounting              (Optional) Configures accounting.
acct-port port-number   (Optional) Configures the RADIUS server port for accounting.
switch(config)# radius-server host 192.168.2.3 test idle-time 10
switch(config)# radius-server host 192.168.2.3 test username tester
switch(config)# radius-server host 192.168.2.3 test password 2B9ka5

Related Commands
Command              Description
show radius-server   Displays RADIUS server information.
This example shows several ways to configure RADIUS authentication:
switch(config)# radius-server key AnyWord
switch(config)# radius-server key 0 AnyWord
switch(config)# radius-server key 7 public pac

Related Commands
Command              Description
show radius-server   Displays RADIUS server information.
... 3

This example shows how to revert to the default number of retransmissions to RADIUS servers:
switch(config)# no radius-server retransmit 3

Related Commands
Command              Description
show radius-server   Displays RADIUS server information.

This example shows how to configure the timeout interval:
switch(config)# radius-server timeout 30

This example shows how to revert to the default interval:
switch(config)# no radius-server timeout 30

Related Commands
Command              Description
show radius-server   Displays RADIUS server information.
This example shows how to create a remark in an IPv4 ACL and display the results:
switch(config)# ip access-list acl-ipv4-01
switch(config-acl)# 100 remark this ACL denies the marketing department access to the lab
switch(config-acl)# show access-list acl-ipv4-01
Related Commands
Command            Description
ip access-list     Configures an IPv4 ACL.
mac access-list    Configures a MAC ACL.
show access-list   Displays all ACLs or one ACL.
100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
switch(config)# show ip access-lists ip-acl-01
IP access list ip-acl-01
Related Commands
Command             Description
ip access-list      Configures an IPv4 ACL.
ipv6 access-list    Configures an IPv6 ACL.
mac access-list     Configures a MAC ACL.
show access-lists   Displays all ACLs or a specific ACL.
Related Commands
Command                    Description
feature-group name         Specifies or creates a user role feature group and enters user role feature group configuration mode.
show role feature-group    Displays the user role feature groups.
• priv-8
• priv-9
• priv-10
• priv-11
• priv-12
• priv-13

Command Default
None

Command Modes
Global configuration mode

Command History
Release        Modification
5.2(1)N1(1)    This command was introduced.
Usage Guidelines
A Cisco Nexus 5000 Series switch provides the following default user roles:
• Network Administrator: Complete read-and-write access to the entire switch
• Complete read access to the entire switch

You cannot change or remove the default user roles.
A rollback to a specified checkpoint restores the active configuration of the system to the checkpointed configuration. A rollback to files on bootflash is supported only on files that are created using the checkpoint checkpoint_name command and not on any other type of ASCII file.
Command                                   Description
show diff rollback-patch checkpoint       Displays the differences between the current checkpoint file and the saved file configuration.
show diff rollback-patch running-config   Displays the differences between the current running configuration and the saved checkpoint configuration.
Deny rules cannot be added to any privilege roles, except the privilege 0 (priv-0) role.

Examples
This example shows how to add rules to a user role:
switch(config)# role name MyRole
switch(config-role)# rule 1 deny command clear users
switch(config-role)# rule 1 permit read-write feature-group L3
MyRole
switch(config-role)# no rule 10

Related Commands
Command      Description
role name    Creates or specifies a user role name and enters user role configuration mode.
show role    Displays the user roles.
S Commands
This chapter describes the Cisco NX-OS security commands that begin with S.
RadServer
switch(config-radius)# no server 192.168.1.1

This example shows how to add a server to a TACACS+ server group:
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
Command                     Description
feature tacacs+             Enables TACACS+.
radius-server host          Configures a RADIUS server.
show radius-server groups   Displays RADIUS server group information.
show tacacs-server groups   Displays TACACS+ server group information.
tacacs-server host          Configures a TACACS+ server.
This example shows how to start an SSH session using IPv4:
switch# ssh 192.168.1.1 vrf management

Related Commands
Command             Description
clear ssh session   Clears SSH sessions.
ssh server enable   Enables the SSH server.
ssh6                Starts an SSH session using IPv6 addressing.
This example shows how to start an SSH session using IPv6:
switch# ssh6 2001:0DB8::200C:417A vrf management

Related Commands
Command             Description
clear ssh session   Clears SSH sessions.
ssh                 Starts an SSH session using IPv4 addressing.
ssh server enable   Enables the SSH server.
This example shows how to remove the DSA SSH server key:
switch(config)# no ssh server enable
switch(config)# no ssh key dsa
Related Commands
Command             Description
show ssh key        Displays the SSH server key information.
ssh server enable   Enables the SSH server.
This example shows how to disable the SSH server:
switch(config)# no ssh server enable

Related Commands
Command           Description
show ssh server   Displays the SSH server key information.
• Use the no form of this command.

Examples
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
switch(config-if)# storm-control broadcast level 30
This example shows how to disable the suppression mode for multicast traffic:
switch(config-if)# no storm-control multicast level

Related Commands
Command               Description
show interface        Displays the storm-control suppression counters for an interface.
show running-config   Displays the configuration of the interface.
This example shows how to display the configuration of the accounting log:
switch# show aaa accounting
default: local
switch#

Related Commands
Command                  Description
aaa accounting default   Configures AAA methods for accounting.
This example shows how to display the authentication login MS-CHAP configuration:
switch# show aaa authentication login mschap
MSCHAP is disabled
switch#

Related Commands
Command              Description
aaa authentication   Configures AAA authentication methods.
Examples
This example shows how to display AAA group information:
switch# show aaa groups
radius tacacs rad1
switch#

Related Commands
Command                   Description
aaa group server radius   Creates a RADIUS server group.
Related Commands
Command                   Description
aaa user default-role     Configures the default user for remote authentication.
show aaa authentication   Displays AAA authentication information.
Examples
This example shows how to display all IPv4 and MAC ACLs on the switch:
switch# show access-lists

In Cisco NX-OS Release 5.2(1)N1(1), the following output is displayed:
switch# show access-lists
IP access list BulkData
10 deny ip any any...
Configures an IPv4 ACL.
mac access-list         Configures a MAC ACL.
show ip access-lists    Displays all IPv4 ACLs or a specific IPv4 ACL.
show mac access-lists   Displays all MAC ACLs or a specific MAC ACL.
Examples
This example shows how to display the entire accounting log:
switch# show accounting log

In Cisco NX-OS Release, this command displays the following output:
switch# show accounting log
Mon Aug 16 09:37:43 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface vfc3 ; bind interface Ethernet1/12 (SUCCESS)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf...
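The accounting log entries above have a fixed colon-delimited layout (timestamp, type, source@tty, user, cmd, result), which makes them easy to feed into a change-audit script. The following parser is an added example, not part of the Cisco document: it splits each entry into its fields, breaks the cmd field into its individual CLI steps, and flags steps that touch accounts, password policy, the SSH server or AAA servers. The log lines and the watch-list are constructed for the example.

```python
"""Parse NX-OS `show accounting log` entries and flag security-relevant changes.

Added example; not from the Cisco reference. The entry layout follows the
sample output shown in the document:
  <timestamp>:type=<type>:id=<source>@<tty>:user=<user>:cmd=<cmd> (<RESULT>)
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r":type=(?P<kind>\w+)"
    r":id=(?P<src>[^@:]+)@(?P<tty>[^:]+)"
    r":user=(?P<user>[^:]+)"
    r":cmd=(?P<cmd>.*?)"
    r"(?: \((?P<result>[A-Z]+)\))?$"
)

# Constructed watch-list: command prefixes a defender would want an alert on.
# The commands themselves are ones documented elsewhere in this reference.
WATCH_PREFIXES = (
    "no username",
    "no ssh server enable",
    "no password strength-check",
    "no radius-server",
    "no tacacs-server",
    "rollback",
    "username",      # account creation or password change
    "role name",
)

# Constructed sample log (same layout as the document's output).
SAMPLE_LOG = """\
Mon Aug 16 09:37:43 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; interface vfc3 ; bind interface Ethernet1/12 (SUCCESS)
Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; no username adminbackup (SUCCESS)
Mon Aug 16 09:40:02 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=configure terminal ; no password strength-check (SUCCESS)
Mon Aug 16 09:41:15 2010:type=start:id=72.163.177.184@pts/0:user=admin:cmd=
this line is not an accounting entry
"""


@dataclass
class AccountingEntry:
    timestamp: str
    kind: str
    source: str
    tty: str
    user: str
    commands: List[str]     # cmd field split on ";" into individual CLI steps
    result: Optional[str]   # e.g. "SUCCESS", or None when the entry has none


def parse_entry(line: str) -> Optional[AccountingEntry]:
    """Return the parsed entry, or None if the line does not match the layout."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    steps = [c.strip() for c in m.group("cmd").split(";") if c.strip()]
    return AccountingEntry(m.group("ts"), m.group("kind"), m.group("src"),
                           m.group("tty"), m.group("user"), steps, m.group("result"))


def flagged_commands(entry: AccountingEntry) -> List[str]:
    """Return the CLI steps in an entry that match a watch-list prefix."""
    hits = []
    for step in entry.commands:
        if any(step == p or step.startswith(p + " ") for p in WATCH_PREFIXES):
            hits.append(step)
    return hits


def scan(lines: List[str]) -> List[Tuple[AccountingEntry, List[str]]]:
    """Parse every line and keep the entries that contain at least one hit."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue            # unparseable line (e.g. a wrapped fragment)
        hits = flagged_commands(entry)
        if hits:
            findings.append((entry, hits))
    return findings


if __name__ == "__main__":
    for entry, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"{entry.timestamp} {entry.user}@{entry.source} ({entry.tty}) "
              f"{entry.result}: {'; '.join(hits)}")
```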
16:00:00 on February 29, 2008:
switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00

Related Commands
Command                Description
clear accounting log   Clears the accounting log.
5 ! role network-operator
username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
4
class-map type qos match-all cq1
match cos 4
match precedence 7
--More--
switch#

This example shows how to display all configured rollback checkpoints:
switch# show checkpoint all
rollback                  Rolls back the configuration to any of the saved checkpoints.
show checkpoint summary   Displays configuration rollback checkpoints summary.
show checkpoint system    Displays system-defined rollback checkpoints.
show checkpoint user      Displays user-configured rollback checkpoints.
This example shows how to display the summary of the system-configured rollback checkpoints:
switch# show checkpoint summary system

This example shows how to display the summary of the user-configured rollback checkpoints:
switch# show checkpoint summary user
--------------------------------------------------------------------------------
1) chkpnt-1:
checkpoint               Creates a checkpoint.
rollback                 Rolls back the configuration to any of the saved checkpoints.
show checkpoint          Displays rollback checkpoints.
show checkpoint system   Displays system-defined rollback checkpoints.
show checkpoint user     Displays user-configured rollback checkpoints.
Related Commands
Command                Description
checkpoint             Creates a checkpoint.
rollback               Rolls back the configuration to any of the saved checkpoints.
show checkpoint        Displays rollback checkpoints.
show checkpoint user   Displays user-configured rollback checkpoints.
4
class-map type qos match-all cq1
match cos 4
match precedence 7
<--output truncated-->
rollback                  Rolls back the configuration to any of the saved checkpoints.
show checkpoint           Displays rollback checkpoints.
show checkpoint summary   Displays a summary of all configured rollback checkpoints.
show checkpoint system    Displays system-defined rollback checkpoints.
<-- modify configuration in running configuration--->
switch# show diff rollback-patch checkpoint user-checkpoint-4 checkpoint chkpnt-1
#Generating Rollback Patch
interface Ethernet1/2
no untagged cos
no description Sample config
exit
interface Ethernet1/2
channel-group 1
Command                                   Description
show diff rollback-patch checkpoint       Displays the differences between the current checkpoint file and the saved file configuration.
show diff rollback-patch running-config   Displays the differences between the current running configuration and the saved checkpoint configuration.
The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
Command                                   Description
show diff rollback-patch checkpoint       Displays the differences between the current checkpoint and the saved configuration.
show diff rollback-patch running-config   Displays the differences between the current running configuration and the saved checkpoint configuration.
The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
Collecting Running-Config
Collecting Startup-Config
#Generating Rollback Patch
interface Ethernet1/2
no untagged cos
no description Sample config
exit
password strength-check
no username admin
no username adminbackup
Command                                   Description
show diff rollback-patch checkpoint       Displays the differences between the current checkpoint file and the saved file configuration.
show diff rollback-patch startup-config   Displays the differences between the current startup configuration and the saved checkpoint configuration.
The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
no password strength-check
switch#

This example shows how to view the configuration changes between the current startup configuration and a saved startup configuration:
switch# checkpoint chkpnt-1
Command                                   Description
show diff rollback-patch checkpoint       Displays the differences between the current checkpoint file and the saved file configuration.
show diff rollback-patch running-config   Displays the differences between the current running configuration and the saved checkpoint configuration.
This example shows how to display the status of the HTTP server:
switch# show http-server
http-server enabled
switch#

Related Commands
Command               Description
feature http-server   Enables or disables the HTTP or HTTPS server on the switch.
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
IP access list dot
Related Commands
Command                 Description
ip access-list          Configures an IPv4 ACL.
show access-lists       Displays all ACLs or a specific ACL.
show mac access-lists   Displays all MAC ACLs or a specific MAC ACL.
1 to 4094, except for the VLANs reserved for internal use.
fhrp-non-active-learn   (Optional) Displays the ARP table information learned only due to a request for a nonactive Cisco First Hop Redundancy Protocol (FHRP) address.
static                  (Optional) Displays the static ARP entries.
Switch interface where packets are forwarded.
Physical Interface   Physical interface, which can be one of the following: Ethernet, loopback, EtherChannel, management, or VLAN.

Related Commands
Command        Description
clear ip arp   Clears the ARP cache and table.
Command                  Description
feature interface-vlan   Enables the creation of VLAN interfaces.
show running-config      Displays the running ARP configuration.
show ip arp inspection statistics   Displays the DAI statistics.
show ip arp inspection vlan         Displays DAI status for a specified list of VLANs.
show running-config dhcp            Displays DHCP snooping configuration, including the DAI configuration.
show ip arp inspection        Displays the DAI configuration status.
show ip arp inspection vlan   Displays DAI status for a specified list of VLANs.
show running-config dhcp      Displays DHCP snooping configuration, including the DAI configuration.
clear ip arp inspection log    Clears the DAI logging buffer.
ip arp inspection log-buffer   Configures the DAI logging buffer size.
show ip arp inspection         Displays the DAI configuration status.
show running-config dhcp       Displays DHCP snooping configuration, including the DAI configuration.
clear ip arp inspection statistics vlan   Clears the DAI statistics for a specified VLAN.
show ip arp inspection log                Displays the DAI log configuration.
show running-config dhcp                  Displays DHCP snooping configuration, including the DAI configuration.
show ip arp inspection             Displays the DAI configuration status.
show ip arp inspection interface   Displays the trust state and the ARP packet rate for a specified interface.
show running-config dhcp           Displays DHCP snooping configuration, including the DAI configuration.
This example shows how to display the global ARP statistics on virtual port channels (vPCs):
switch# show ip arp sync-entries

Related Commands
Command               Description
ip arp synchronize    Enables ARP synchronization on a vPC domain.
show running-config   Displays the running configuration information for ARP tables.
copy running-config startup-config   Copies the running configuration to the startup configuration.
ip dhcp snooping                     Globally enables DHCP snooping on the device.
show ip dhcp snooping statistics     Displays DHCP snooping statistics.
show running-config dhcp             Displays the DHCP snooping configuration.
Support for the QSFP+ GEM was added.
5.2(1)N1(1)    This command was introduced.

Usage Guidelines
The binding interface includes static IP source entries. Static entries appear with the term "static" in the Type column.
Creates a static IP source entry for a Layer 2 Ethernet interface.
show ip dhcp snooping statistics   Displays DHCP snooping statistics.
show running-config dhcp           Displays the DHCP snooping configuration, including the IP Source Guard configuration.
Command                              Description
copy running-config startup-config   Copies the running configuration to the startup configuration.
ip dhcp snooping                     Globally enables DHCP snooping on the device.
show running-config dhcp             Displays the DHCP snooping configuration.
• The ACL configuration contains the statistics per-entry command.
• The ACL is applied to an interface that is administratively up.

Examples
This example shows how to display all IPv6 ACLs on a switch:
switch# show ipv6 access-lists
Related Commands
Command            Description
ipv6 access-list   Configures an IPv6 ACL.
IP source guard is enabled on the following interfaces:
------------------------------------------------------
Ethernet1/2
Ethernet1/5

IP source guard operational entries:
-----------------------------------
Interface     Filter-mode             IP-address   Mac-address      Vlan
------------  ----------------------  -----------  ---------------  ----
Ethernet1/2   inactive-no-snoop-vlan
Ethernet1/5   inactive-no-snoop-vlan
switch#
Creates a static IP source entry for the specified Ethernet interface.
ip verify source dhcp-snooping-vlan   Enables IP Source Guard on an interface.
show running-config dhcp              Displays DHCP snooping configuration, including the IP Source Guard configuration.
Related Commands
Command                Description
mac access-list        Configures a MAC ACL.
show access-lists      Displays all ACLs or a specific ACL.
show ip access-lists   Displays all IPv4 ACLs or a specific IPv4 ACL.
Enables a secret password for a specific privilege level.
feature privilege   Enables the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers.
username            Enables a user to use privilege levels for authorization.
RADIUS servers are configured:
192.168.1.1:
available for authentication on port:1812
available for accounting on port:1813
RADIUS shared secret:********
switch#
RADIUS shared secret:********
switch#

This example shows how to display statistics for a specified RADIUS server:
switch# show radius-server statistics 192.168.1.1
Server is not monitored
Authentication Statistics
failed transactions: 0
sucessfull transactions: 0
0
responses not processed: 0
responses containing errors: 0
switch#

Related Commands
Command                      Description
show running-config radius   Displays the RADIUS information in the running configuration file.
Type        Scope   Entity
-------------------------------------------------------------------
permit      read-write

Role: network-operator
  Description: Predefined network operator role has access to all read commands on the switch
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope   Entity
  -------------------------------------------------------------------
          permit  read
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)

Role: priv-8
  Description: This is a system defined privilege role.
  Description: This is a system defined privilege role.
  vsan policy: permit (default)
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  -------------------------------------------------------------------
  Rule    Perm    Type        Scope   Entity
  -------------------------------------------------------------------
          permit  command             traceroute6 *
(Fabric Shortest Path First protocol related commands)
rlir   (Registered Link Incident Report related commands)
rscn   (Registered State Change Notification related commands)
span   (SPAN session relate commands)
vsan   (VSAN configuration and show commands)
(ARP protocol related commands)
show ip arp *
config t; ip arp *
clear ip arp *
debug ip arp *
debug-filter ip arp *
switch#
Related Commands
Command              Description
role feature-group   Configures feature groups for user roles.
rule                 Configures rules for user roles.
This example shows how to display information for a specific user role feature group:
switch# show role feature-group name SecGroup

Related Commands
Command              Description
role feature-group   Configures feature groups for user roles.
rule                 Configures rules for user roles.
This example shows how to display the rollback verification log:
switch# show rollback log verify
--------------------------------------------------------------------------------
time: Mon, 09:48:56 06 Sep 2010
Status: success
--------------------------------------------------------------------------------
time: Mon, 09:48:58 06 Sep 2010
Status: success
switch#
Related Commands
Command    Description
rollback   Restores the active configuration to the checkpoint state.
aaa authorization config-commands default   Configures the default AAA authorization methods for all configuration commands.
aaa group server radius                     Creates a RADIUS server group.
aaa user default-role                       Enables the default role assigned by the AAA server administrator for remote authentication.
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
ip access-list dot
statistics per-entry
10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence flash-override
<snip>
copy running-config startup-config   Copies the running configuration to the startup configuration file.
ip access-class                      Configures IPv4 access classes for VTY.
ipv6 access-class                    Configures IPv6 access classes for VTY.
show startup-config aclmgr           Displays the ACL startup configuration.
ip arp event-history errors   Logs ARP debug events into the event history buffer.
ip arp timeout                Configures an ARP timeout.
ip arp inspection             Displays general information about DHCP snooping.
show startup-config           Displays the ARP startup configuration.
This example shows how to display the DHCP snooping configuration with the default information:
switch# show running-config dhcp all
!Command: show running-config dhcp all
!Time: Mon Aug 23 09:10:11 2010
version 5.2(1)N1(1)
feature dhcp
ip dhcp snooping
ip verify source dhcp-snooping-vlan   Enables IP Source Guard on a Layer 2 interface.
show ip dhcp snooping                 Displays general information about DHCP snooping.
show ip verify source                 Displays the IP-MAC address bindings.
show startup-config dhcp              Displays the DHCP startup configuration.
ssh        Creates a Secure Shell (SSH) connection using IPv4.
ssh6       Creates a Secure Shell (SSH) connection using IPv6.
telnet     Creates a Telnet session using IPv4.
telnet6    Creates a Telnet session using IPv6.
username   Configures a user account.
2 22:49:27 2010
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0iACA1fHAeIaY6PD5fSBLqGX3MIn+k72qhdvLNib7dL78CRQVS1AlQiDDTrvyIfRZ5yHMDQndvcmRfkJzluSCW2FP8vokZ66aXFk8TBTFc5Bn3NUiUyPZyhPtFD2LaHBCkxl0MxEP+nmPJ6Qf6mBzZVAIdLw8Nd64ZwqVHHjeFc=
bitcount:1024
fingerprint:
bb:bf:a4:c0:22:3b:70:15:e4:2b:2b:bb:08:41:82:d4
**************************************
could not retrieve dsa key information
**************************************
switch#

Related Commands
Command          Description
ssh server key   Configures the SSH server key.
This example shows how to display the SSH server status:
switch# show ssh server
ssh version 2 is enabled
switch#

Related Commands
Command             Description
ssh server enable   Enables the SSH server.
This example shows how to display the AAA information in the startup configuration:
switch# show startup-config aaa

Related Commands
Command               Description
show running-config   Displays AAA configuration information in the running configuration.
110 permit tcp any gt 300 any lt 400
130 deny tcp any range 200 300 any lt 600
140 deny tcp any range 200 300 any lt 600
<snip>
vlan access-map vacl-mac
match mac address acl-mac
action forward
copy running-config startup-config   Copies the running configuration to the startup configuration file.
ip access-class                      Configures IPv4 access classes for VTY.
ipv6 access-class                    Configures IPv6 access classes for VTY.
show running-config aclmgr           Displays the ACL running configuration.
ip arp event-history errors   Logs ARP debug events into the event history buffer.
ip arp timeout                Configures an ARP timeout.
ip arp inspection             Displays general information about DHCP snooping.
show running-config           Displays the ARP running configuration.
15,37-48
switch#

Related Commands
Command                              Description
copy running-config startup-config   Copies the running configuration to the startup configuration.
Command                    Description
feature dhcp               Enables the DHCP snooping feature on the device.
show running-config dhcp   Displays the DHCP running configuration.
This example shows how to display the RADIUS information in the startup configuration:
switch# show startup-config radius

Related Commands
Command                      Description
show running-config radius   Displays RADIUS server information in the running configuration.
This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
switch# show startup-config security

Related Commands
Command               Description
show running-config   Displays user account, Secure Shell (SSH) server, and Telnet server security information in the running configuration.
192.168.2.2

This example shows how to display the TACACS+ directed request configuration:
switch# show tacacs-server directed-request

This example shows how to display information for TACACS+ server groups:
switch# show tacacs-server groups
This example shows how to display statistics for a specified TACACS+ server:
switch# show tacacs-server statistics 192.168.2.2

Related Commands
Command                       Description
show running-config tacacs+   Displays the TACACS+ information in the running configuration file.
5.2(1)N1(1)    This command was introduced.

Examples
This example shows how to display the Telnet server status:
switch# show telnet server

Related Commands
Command                Description
telnet server enable   Enables the Telnet server.
This example shows how to display information about a specific user account:
switch# show user-account admin
user:admin
this user account has no expiry date
roles:network-admin
switch#

Related Commands
Command    Description
username   Configures a user account.
Aug 24 22:19   10:41   4681
admin   pts/0   Aug 25 03:39   8890   (72.163.177.191) *
switch#

Related Commands
Command      Description
clear user   Logs out a specific user.
username     Creates and configures a user account.
                         Displays all IPv4 ACLs or a specific IPv4 ACL.
  show mac access-lists  Displays all MAC ACLs or a specific MAC ACL.
  vlan access-map        Configures a VLAN access map.
                     Displays information about how a VLAN access map is applied.
  vlan access-map    Configures a VLAN access map.
  vlan filter        Applies a VLAN access map to one or more VLANs.
                     Displays all VLAN access maps or a VLAN access map.
  vlan access-map    Configures a VLAN access map.
  vlan filter        Applies a VLAN access map to one or more VLANs.
T Commands

This chapter describes the Cisco NX-OS security commands that begin with T.
10

Related Commands
  Command               Description
  deadtime              Sets a dead-time interval for monitoring a nonresponsive RADIUS or TACACS+ server group.
  feature tacacs+       Enables TACACS+.
  show tacacs-server    Displays TACACS+ server information.
This example shows how to disallow users to send authentication requests to a specific TACACS+ server when logging in:

switch(config)# no tacacs-server directed-request

Related Commands
  Command                                Description
  feature tacacs+                        Enables TACACS+.
  show tacacs-server directed-request    Displays a directed request TACACS+ server configuration.
32 characters.
  timeout seconds    (Optional) Configures a TACACS+ server timeout period (in seconds) between retransmissions to the TACACS+ server. The range is from 1 to 60 seconds.
192.168.2.3 test idle-time 10
switch(config)# tacacs-server host 192.168.2.3 test username tester
switch(config)# tacacs-server host 192.168.2.3 test password 2B9ka5

Related Commands
  Command               Description
  feature tacacs+       Enables TACACS+.
  show tacacs-server    Displays TACACS+ server information.
This example shows how to configure TACACS+ server shared keys:

switch(config)# tacacs-server key AnyWord
switch(config)# tacacs-server key 0 AnyWord
switch(config)# tacacs-server key 7 public

Related Commands
  Command               Description
  feature tacacs+       Enables TACACS+.
  show tacacs-server    Displays TACACS+ server information.
This example shows how to revert to the default TACACS+ server timeout value:

switch(config)# no tacacs-server timeout 3

Related Commands
  Command               Description
  feature tacacs+       Enables TACACS+.
  show tacacs-server    Displays TACACS+ server information.
telnet

To create a Telnet session using IPv4 on a Cisco Nexus 5000 Series switch, use the telnet command.

telnet {ipv4-address | hostname} [port-number] [vrf {vrf-name | default | management}]

Syntax Description
  ipv4-address    IPv4 address of the remote switch.
This example shows how to enable the Telnet server:

switch(config)# telnet server enable

This example shows how to disable the Telnet server:

switch(config)# no telnet server enable

Related Commands
  Command               Description
  show telnet server    Displays the Telnet server status.
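The tacacs-server key, tacacs-server directed-request and telnet server enable entries above describe three settings a reviewer typically checks before a configuration is pushed to a switch. The following script is an added example, not code from this command reference or from Cisco: it scans an NX-OS configuration text for those settings and reports findings from a defender's perspective. It assumes the page's key forms (a key typed with type 7 is already in encrypted form; a key typed with type 0 or with no type is cleartext in the file), and the configuration excerpt it scans is constructed for the example, not captured from a real device.

```python
"""Audit an NX-OS configuration text for the security settings this page covers.

Added example; assumptions are noted in comments. Checks performed:
  * 'telnet server enable'            -> Telnet carries credentials in cleartext
  * 'tacacs-server ... key 0|<none>'  -> shared key written in cleartext (type 7 = encrypted form)
  * 'tacacs-server directed-request'  -> users may choose the TACACS+ server at login
"""
import re

# Constructed sample configuration (not from a real switch). Values are placeholders.
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server key 0 AnyWord
tacacs-server host 192.168.2.3 key 7 public
tacacs-server directed-request
tacacs-server timeout 3
telnet server enable
username admin password 5 $5$PLACEHOLDER role network-admin
"""

# Matches 'tacacs-server key [type] value' and 'tacacs-server host <addr> key [type] value'.
_KEY_RE = re.compile(r"tacacs-server (?:host \S+ )?key(?: (\d))? (\S+)$")


def audit_nxos_config(config_text):
    """Return a list of (line_number, finding_code, message) tuples, in file order."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or comment

        if line == "telnet server enable":
            findings.append((lineno, "telnet-enabled",
                             "Telnet server is enabled; credentials cross the network in cleartext. "
                             "Use SSH and 'no telnet server enable'."))

        m = _KEY_RE.match(line)
        if m:
            key_type = m.group(1)  # None when no type keyword was given
            # Assumption (from the page's examples): only type 7 is the encrypted form.
            if key_type != "7":
                findings.append((lineno, "cleartext-tacacs-key",
                                 "TACACS+ shared key appears in cleartext in this file; "
                                 "keep secrets out of stored templates."))

        if line == "tacacs-server directed-request":
            findings.append((lineno, "directed-request",
                             "Users may direct authentication to a specific TACACS+ server at login; "
                             "disable with 'no tacacs-server directed-request' unless required."))
    return findings


def finding_codes(config_text):
    """Convenience helper: just the finding codes, in order."""
    return [code for _, code, _ in audit_nxos_config(config_text)]


if __name__ == "__main__":
    for lineno, code, message in audit_nxos_config(SAMPLE_CONFIG):
        print(f"line {lineno}: [{code}] {message}")
```

Run against the constructed excerpt, the script flags the type 0 key on line 2, the directed-request line, and the enabled Telnet server, and leaves the type 7 key alone. The cleartext-key check is most useful on templates and scripts before they are applied; on the device the key is shown in encrypted form regardless of how it was typed.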
telnet6

To create a Telnet session using IPv6 on the Cisco NX-OS switch, use the telnet6 command.

telnet6 {ipv6-address | hostname} [port-number] [vrf {vrf-name | default | management}]

Syntax Description
  ipv6-address    IPv6 address of the remote device.
U Commands

This chapter describes the Cisco NX-OS security commands that begin with U.
TacServer
switch(config-tacacs+)# use-vrf management

This example shows how to remove the VRF instance from a TACACS+ server group:

switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no use-vrf management
                               Enables TACACS+.
  radius-server host           Configures a RADIUS server.
  show radius-server groups    Displays RADIUS server information.
  show tacacs-server groups    Displays TACACS+ server information.
  tacacs-server host           Configures a TACACS+ server.
                               Configures a VRF instance.
User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters.

Note: The Cisco NX-OS software does not allow the “#” and “@” characters in the user-id argument text string.
Caution: If you do not specify a password for the user account, the user might not be able to log in to the account.

You must enable the cumulative privilege roles for TACACS+ server using the feature privilege command to see the priv-lvl keyword.
                       Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
  show privilege       Displays the current privilege level, username, and status of cumulative privilege support for a user.
  show user-account    Displays the user account configuration.
V Commands

This chapter describes the Cisco NX-OS security commands that begin with V.
                     Displays all VLAN access maps or a VLAN access map.
  show vlan filter   Displays information about how a VLAN access map is applied.
  vlan filter        Applies a VLAN access map to one or more VLANs.
VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.

Examples

This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:

switch(config)# vlan filter vlan-map-01 20-45
                     Displays all VLAN access maps or a VLAN access map.
  show vlan filter   Displays information about how a VLAN access map is applied.
  vlan access-map    Configures a VLAN access map.
MyRole
switch(config-role)# no vlan policy deny

Related Commands
  Command      Description
  role name    Creates or specifies a user role and enters user role configuration mode.
  show role    Displays user role information.
MyRole
switch(config-role)# no vrf policy deny

Related Commands
  Command      Description
  role name    Creates or specifies a user role and enters user role configuration mode.
  show role    Displays user role information.
               Configures permit access to a VSAN policy for a user.
  role name    Creates or specifies a user role and enters user role configuration mode.
  show role    Displays user role information.