Cisco Nexus 5500 Series Command Reference Manual

Cisco Nexus 5500 Series NX-OS Security
Command Reference
Cisco NX-OS Releases 6.x
First Published: September 2012
Last Modified: October 4, 2013
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. 
Addresses, phone numbers, and fax numbers 
are listed on the Cisco website at 
www.cisco.com/go/offices.
Text Part Number: OL-27883-02

Summary of Contents for Cisco Nexus 5500 Series

  • Page 1 First Published: September 2012 Last Modified: October 4, 2013 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide.  Addresses, phone numbers, and fax numbers  are listed on the Cisco website at  www.cisco.com/go/offices. Text Part Number: OL-27883-02...
  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Obtaining Documentation and Submitting a Service Request New and Changed Information xiii New and Changed Information for Cisco NX-OS Releases xiii New and Changed Information for Cisco NX-OS Release 6.0(2)N2(2) xiii New and Changed Information for Cisco NX-OS Release 6.0(2)N1(2) xiii A Commands...
  • Page 4 E Commands enable enable secret F Commands feature (user role feature group) feature dhcp feature http-server feature port-security feature privilege feature tacacs+ I Commands interface policy deny ip access-class ip access-group Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 5 P Commands permit (ARP) permit icmp (IPv4) permit igmp (IPv4) permit ip (IPv4) permit tcp (IPv4) permit udp (IPv4) permit icmp (IPv6) permit ipv6 (IPv6) permit sctp (IPv6) permit tcp (IPv6)...
  • Page 6 Show Commands show aaa accounting show aaa authentication show aaa authorization show aaa groups show aaa user show access-lists show accounting log...
  • Page 7 ...
  • Page 8 U Commands use-vrf username V Commands vlan access-map vlan filter vlan policy deny vrf policy deny vsan policy deny...
  • Page 9: Preface

    Preface This preface describes the audience, organization, and conventions of the Cisco Nexus 5500 Series NX-OS Security Command Reference. It also provides information on how to obtain related documentation. This preface includes the following sections: Audience, page ix • Document Conventions, page ix •...
  • Page 10: Related Documentation

    Means reader be careful. In this situation, you might do something that could result in equipment damage Caution or loss of data. Related Documentation Documentation for Cisco Nexus 5000 Series Switches and Cisco Nexus 2000 Series Fabric Extenders is available at the following URL: http://www.cisco.com/en/US/products/ps9670/tsd_products_support_series_home.html The documentation set includes the following types of documents: Licensing Information Guide •...
  • Page 11: Documentation Feedback

    What’s New in Cisco Product Documentation at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html. Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
  • Page 12 Chapter ...
  • Page 13: New And Changed Information

    5500 Series NX-OS Security Command Reference. The latest version of this document is available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_command_reference_list.html To check for additional information about this Cisco NX-OS Release, see the Cisco Nexus 5500 Series NX-OS Release Notes, Release 6.0 available at the following Cisco website: http://www.cisco.com/en/US/products/ps9670/prod_release_notes_list.html...
  • Page 14 Chapter Table 2 New and Changed Information for Release 6.0(2)N1(1) Feature Description Where Documented QSFP+ GEM This feature was introduced. • C Commands • I Commands • Show Commands...
  • Page 15: A Commands

    A Commands This chapter describes the Cisco NX-OS security commands that begin with A....
  • Page 16: Aaa Accounting Default

    Related Commands Command Description aaa group server radius Configures AAA RADIUS server groups. radius-server host Configures RADIUS servers. show aaa accounting Displays AAA accounting status information. tacacs-server host Configures TACACS+ servers....
  • Page 17: Aaa Authentication Login Console

    This example shows how to configure the AAA authentication console login method: switch(config)# aaa authentication login console group radius This example shows how to revert to the default AAA authentication console login method: switch(config)# no aaa authentication login console group radius...
  • Page 18 Related Commands Command Description aaa group server Configures AAA server groups. radius-server host Configures RADIUS servers. show aaa authentication Displays AAA authentication information. tacacs-server host Configures TACACS+ servers....
  • Page 19: Aaa Authentication Login Default

    This example shows how to configure the AAA authentication console login method: switch(config)# aaa authentication login default group radius This example shows how to revert to the default AAA authentication console login method: switch(config)# no aaa authentication login default group radius...
  • Page 20 Related Commands Command Description aaa group server Configures AAA server groups. radius-server host Configures RADIUS servers. show aaa authentication Displays AAA authentication information. tacacs-server host Configures TACACS+ servers....
  • Page 21: Aaa Authentication Login Error-Enable

    This example shows how to disable the display of AAA authentication failure messages to the console: switch(config)# no aaa authentication login error-enable Related Commands Command Description show aaa authentication Displays the status of the AAA authentication failure message display....
  • Page 22: Aaa Authentication Login Mschap Enable

    This example shows how to disable MS-CHAP authentication: switch(config)# no aaa authentication login mschap enable Related Commands Command Description show aaa authentication Displays the status of MS-CHAP authentication....
  • Page 23: Aaa Authorization Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
  • Page 24 config-commands default Configures default AAA authorization methods for configuration commands. aaa server group Configures AAA server groups. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration. tacacs-server host Configures a TACACS+ server....
  • Page 25: Aaa Authorization Config-Commands Default

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method or the none method is used only if all the configured server groups fail to respond and you have configured local or none as the fallback method.
  • Page 26 commands default Configures default AAA authorization methods for EXEC commands. aaa server group Configures AAA server groups. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration. tacacs-server host Configures a TACACS+ server....
  • Page 27: Aaa Authorization Ssh-Certificate

    If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 28 ssh-publickey Configures local authorization with the SSH public key as the default AAA authorization method. feature tacacs+ Enables the TACACS+ feature. show aaa authorization Displays the AAA authorization configuration....
  • Page 29: Aaa Authorization Ssh-Publickey

    Usage Guidelines If you specify more than one server group, the Cisco NX-OS software checks each group in the order that you specify in the list. The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.
  • Page 30 A Commands aaa authorization ssh-publickey Related Commands Command Description aaa authorization ssh-certificate Configures local authorization with certificate authentication as the default AAA authorization method. show aaa authorization Displays the AAA authorization configuration....
  • Page 31: Aaa Group Server Radius

    RadServer switch(config-radius)# This example shows how to delete a RADIUS server group: switch(config)# no aaa group server radius RadServer Related Commands Command Description show aaa groups Displays server group information....
  • Page 32: Aaa User Default-Role

    Related Commands Command Description show aaa user default-role Displays the status of the default user for remote authentication. show aaa authentication Displays AAA authentication information....
  • Page 33: Action

    Enables statistics for an access control list or VLAN access map. vlan access-map Configures a VLAN access map. vlan filter Applies a VLAN access map to one or more VLANs....
  • Page 34 Chapter A Commands action...
  • Page 35: C Commands

    C Commands This chapter describes the Cisco NX-OS security commands that begin with C....
  • Page 36: Checkpoint

    Checkpoints are local to a switch. When you create a checkpoint, a snapshot of the current running configuration is stored in a checkpoint file. If you do not provide a checkpoint name, Cisco NX-OS sets the checkpoint name to user-checkpoint-number, where the number is from 1 to 10.
  • Page 37 summary Displays a summary of all checkpoints configured in the switch. show checkpoint summary user Displays all checkpoints created by a user. show checkpoint summary system Displays all checkpoints that were automatically created in the system....
  • Page 38: Clear Access-List Counters

    Applies an IPv4 ACL to an interface. ip access-list Configures an IPv4 ACL. show access-lists Displays information about one or all IPv4, IPv6, and MAC ACLs. show ip access-lists Displays information about one or all IPv4 ACLs....
  • Page 39: Clear Accounting Log

    5.2(1)N1(1) This command was introduced. Examples This example shows how to clear the accounting log: switch# clear accounting log Related Commands Command Description show accounting log Displays the accounting log contents....
  • Page 40: Clear Checkpoint Database

    This command was introduced. Examples This example shows how to clear the configured checkpoints: switch# clear checkpoint database .Done switch# Related Commands Command Description checkpoint Creates a checkpoint. show checkpoint Displays all configured checkpoints....
  • Page 41: Clear Ip Arp

    This example shows how to clear the ARP table statistics for VLAN 10 with the VRF vlan-vrf: switch# clear ip arp vlan 10 vrf vlan-vrf switch# Related Commands Command Description show ip arp Displays the ARP configuration status....
  • Page 42: Clear Ip Arp Inspection Log

    log-buffer entries Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection Displays the DAI log configuration. show ip arp inspection statistics Displays the DAI statistics....
  • Page 43: Clear Ip Arp Inspection Statistics Vlan

    log-buffer Configures the DAI logging buffer size. show ip arp inspection Displays the DAI configuration status. show ip arp inspection vlan Displays DAI status for a specified list of VLANs....
  • Page 44: Clear Ip Dhcp Snooping Binding

    This example shows how to clear a specific entry from the DHCP snooping binding database: switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11 switch#...
  • Page 45 startup-config Copies the running configuration to the startup configuration. show ip dhcp snooping binding Displays IP-MAC address bindings, including the static IP source entries. show running-config dhcp Displays DHCP snooping configuration, including the IP Source Guard configuration....
  • Page 46: Clear Ip Dhcp Snooping Statistics

    startup-config Copies the running configuration to the startup configuration. show ip dhcp snooping statistics Displays DHCP snooping statistics. show running-config dhcp Displays DHCP snooping configuration, including the IP Source Guard configuration....
  • Page 47: Cts Role-Based Batched-Programming

    Configuration mode Command History Release Modification 6.0(2)N2(2) This command was introduced. Examples This example shows how to enable CTS batched programming: switch# configure terminal switch(config)# cts role-based batched-programming Related Commands Command Description...
  • Page 48 Chapter C Commands cts role-based batched-programming...
  • Page 49: D Commands

    D Commands This chapter describes the Cisco NX-OS security commands that begin with D....
  • Page 50: Deadtime

    This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group: switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# deadtime 5 This example shows how to revert to the dead-time interval default: switch(config)# aaa group server tacacs+ TacServer switch(config-tacacs+)# no deadtime 5...
  • Page 51 Enables TACACS+. radius-server host Configures a RADIUS server. show radius-server groups Displays RADIUS server group information. show tacacs-server groups Displays TACACS+ server group information. tacacs-server host Configures a TACACS+ server....
  • Page 52: Deny (Arp)

    Specifying 255.255.255.255 as the sender-IP-mask argument is the equivalent of using the host keyword. Introduces the MAC address portion of the rule. Command Default None...
  • Page 53 192.0.32.14 255.255.255.0 mac any switch(config-arp-acl)# Related Commands Command Description arp access-list Configures an ARP ACL. permit (ARP) Configures a permit rule in an ARP ACL. remark Configures a remark in an ACL....
  • Page 54: Deny Icmp (Ipv4)

    (Optional) Rule that matches only packets of the specified ICMP message type. This argument can be an integer from 0 to 255 or one of the keywords listed under the “ICMP Message Types” section in the “Usage Guidelines” section....
  • Page 55 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments....
  • Page 56 When you configure a rule, use the following methods to specify the source and destination arguments:...
  • Page 57 • echo—Echo (ping) • echo-reply—Echo reply • general-parameter-problem—Parameter problem • host-isolated—Host isolated • host-precedence-unreachable—Host unreachable for precedence • host-redirect—Host redirect • host-tos-redirect—Host redirect for ToS • host-tos-unreachable—Host unreachable for ToS...
  • Page 58 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic: switch(config)# ip access-list acl-lab-01 switch(config-acl)# deny icmp 10.23.0.0/16 10.176.0.0/16 switch(config-acl)# deny icmp 192.168.37.0/16 10.176.0.0/16 switch(config-acl)# permit ip any any...
  • Page 59 Configures an IPv4 ACL. permit (IPv4) Configures a permit rule in an IPv4 ACL. remark Configures a remark in an IPv4 ACL. show ip access-list Displays all IPv4 ACLs or one IPv4 ACL....
  • Page 60: Deny Igmp (Ipv4)

    0 to 15. It can also be one of the following keywords: • dvmrp—Distance Vector Multicast Routing Protocol • host-query—Host query • host-report—Host report • pim—Protocol Independent Multicast • trace—Multicast trace...
  • Page 61 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments....
  • Page 62 When you configure a rule, use the following methods to specify the source and destination arguments:...
  • Page 63 Configures an IPv4 ACL. permit (IPv4) Configures a permit rule in an IPv4 ACL. remark Configures a remark in an IPv4 ACL. show ip access-list Displays all IPv4 ACLs or one IPv4 ACL....
  • Page 64: Deny Ip (Ipv4)

    Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section....
  • Page 65 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments....
  • Page 66 When you configure a rule, use the following methods to specify the source and destination arguments:...
  • Page 67 Configures an IPv4 ACL. permit (IPv4) Configures a permit rule in an IPv4 ACL. remark Configures a remark in an IPv4 ACL. show ip access-list Displays all IPv4 ACLs or one IPv4 ACL....
  • Page 68: Deny Tcp (Ipv4)

    Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section....
  • Page 69 Use the object-group ip port command to create and change IP port-group objects....
  • Page 70 (Optional) Rule that matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:...
  • Page 71 The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number....
  • Page 72 (rcmd, 514) • daytime—Daytime (13) • discard—Discard (9) • domain—Domain Name Service (53) • drip—Dynamic Routing Information Protocol (3949) • echo—Echo (7) • exec—EXEC (rsh, 512) • finger—Finger (79)...
  • Page 73 Configures an IPv4 ACL. permit (IPv4) Configures a permit rule in an IPv4 ACL. remark Configures a remark in an IPv4 ACL. show ip access-list Displays all IPv4 ACLs or one IPv4 ACL....
  • Page 74: Deny Udp (Ipv4)

    Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section....
  • Page 75 Use the object-group ip port command to create and change IP port-group objects....
  • Page 76 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments....
  • Page 77 When you configure a rule, use the following methods to specify the source and destination arguments:...
  • Page 78 Security Association and Key Management Protocol (5) • mobile-ip—Mobile IP registration (434) • nameserver—IEN116 name service (obsolete, 42) • netbios-dgm—NetBIOS datagram service (138) • netbios-ns—NetBIOS name service (137) • netbios-ss—NetBIOS session service (139)...
  • Page 79 Configures an IPv4 ACL. permit (IPv4) Configures a permit rule in an IPv4 ACL. remark Configures a remark in an IPv4 ACL. show ip access-list Displays all IPv4 ACLs or one IPv4 ACL....
  • Page 80: Deny Icmp (Ipv6)

    (Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed in the “ICMPv6 Message Types” section in the “Usage Guidelines” section. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 81 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. Command Default None Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 82 The icmp-message argument can be the ICMPv6 message number, which is an integer from 0 to 255. It can also be one of the following keywords: beyond-scope—Destination beyond scope • destination-unreachable—Destination address is unreachable • echo-reply—Echo reply • echo-request—Echo request (ping) • header—Parameter header problems • Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 83 Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. permit (IPv6) Configures a permit rule in an IPv6 ACL. remark Configures a remark in an ACL. time-range Configures a time range. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 84: Deny Ipv6 (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 85 Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. Command Default None Command Modes IPv6 ACL configuration Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 86: Any Address-You Can Use The Any Keyword To Specify That A Source Or Destination Is Any Ipv4

    This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all IPv6 traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network: switch# configure terminal switch(config)# ipv6 access-list acl-lab13-ipv6 switch(config-ipv6-acl)# deny ipv6 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny ipv6 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 87 Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. permit (IPv6) Configures a permit rule in an IPv6 ACL. remark Configures a remark in an ACL. time-range Configures a time range. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 88: Deny Sctp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 89 Use the object-group ip port command to create and change IP port-group objects. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 90 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. Command Default None Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 91 This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all SCTP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network: switch# configure terminal switch(config)# ipv6 access-list acl-lab13-ipv6 switch(config-ipv6-acl)# deny sctp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64 switch(config-ipv6-acl)# deny sctp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 92 Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. permit (IPv6) Configures a permit rule in an IPv6 ACL. remark Configures a remark in an ACL. time-range Configures a time range. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 93: Deny Tcp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 94 Use the object-group ip port command to create and change IP port-group objects. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 95 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 96 2001:0db8:85a3::/48 any Host address—You can use the host keyword and an IPv6 address to specify a host as a source or • destination. The syntax is as follows: host IPv6-address Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 97 Office Protocol v2 (19) • pop3—Post Office Protocol v3 (11) • smtp—Simple Mail Transport Protocol (25) • sunrpc—Sun Remote Procedure Call (111) • tacacs—TAC Access Control System (49) • • talk—Talk (517) Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 98 Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. permit (IPv6) Configures a permit rule in an IPv6 ACL. remark Configures a remark in an ACL. time-range Configures a time range. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 99: Deny Udp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 100 Use the object-group ip port command to create and change IP port-group objects. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 101 You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. Command Default None Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 102: Udp Port Names

    0 to 65535. It can also be one of the following keywords: biff—Biff (mail notification, comsat, 512) • bootpc—Bootstrap Protocol (BOOTP) client (68) • bootps—Bootstrap Protocol (BOOTP) server (67) • discard—Discard (9) • dnsix—DNSIX security protocol auditing (195) • Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 103 Related Commands Command Description ipv6 access-list Configures an IPv6 ACL. permit (IPv6) Configures a permit rule in an IPv6 ACL. remark Configures a remark in an ACL. time-range Configures a time range. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 104: Deny (Mac)

    If you do not specify a sequence number, the switch assigns the rule a sequence number that is 10 greater than the last rule in the ACL. Command Modes: MAC ACL configuration mode.
  • Page 105 • etype-8042—EtherType 0x8042 (0x8042) • ip—Internet Protocol v4 (0x0800) • lat—DEC LAT (0x6004) • lavc-sca—DEC LAVC, SCA (0x6007) • mop-console—DEC MOP Remote console (0x6002) • mop-dump—DEC MOP dump (0x6001) • vines-echo—VINES Echo (0x0baf)
  • Page 106 mac access-list: Configures a MAC ACL. permit (MAC): Configures a permit rule in a MAC ACL. remark: Configures a remark in an ACL. show mac access-lists: Displays all MAC ACLs or one MAC ACL.
  • Page 107: Description (User Role)

    This example shows how to remove the description from a user role:
        switch(config)# role name MyRole
        switch(config-role)# no description
    Related Commands: show role: Displays information about the user role configuration.
  • Page 109: E Commands

    This chapter describes the Cisco NX-OS security commands that begin with E.
  • Page 110: Enable

    feature privilege: Enables the cumulative privilege of roles for command authorization on TACACS+ servers. show privilege: Displays the current privilege level, username, and status of cumulative privilege support. username: Enables a user to use privilege levels for authorization.
  • Page 111: Enable Secret

    enable: Enables the user to move to a higher privilege level after being prompted for a secret password. feature privilege: Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
  • Page 112 show privilege: Displays the current privilege level, username, and status of cumulative privilege support. username: Enables a user to use privilege levels for authorization.
  • Page 113: F Commands

    This chapter describes the Cisco NX-OS security commands that begin with F.
  • Page 114: Feature (User Role Feature Group)

        switch(config)# role feature-group name MyGroup
        switch(config-role-featuregrp)# no feature callhome
    Related Commands: role feature-group name: Creates or configures a user role feature group. show role feature-group: Displays the user role feature groups.
  • Page 115: Feature Dhcp

    Access-control list (ACL) statistics are not supported if the DHCP snooping feature is enabled. Examples: This example shows how to enable DHCP snooping:
        switch(config)# feature dhcp
        switch(config)#
    This example shows how to disable DHCP snooping:
  • Page 116 copy running-config startup-config: Copies the running configuration to the startup configuration. ip dhcp snooping: Globally enables DHCP snooping on the device. show running-config dhcp: Displays DHCP snooping configuration, including IP Source Guard configuration.
  • Page 117: Feature Http-Server

    Command History: 5.2(1)N1(1): This command was introduced. Usage Guidelines: In releases earlier than Cisco NX-OS Release 5.2(1)N1(1), HTTP and HTTPS are enabled on the switch by default; on such releases, check the state with show http-server and disable the server with no feature http-server if the switch is not managed over HTTP. Examples: This example shows how to enable the HTTP server on the switch and verify the status of the HTTP...
  • Page 118 copy running-config startup-config: Copies the running configuration to the startup configuration. show feature: Displays the features enabled or disabled on the switch. show http-server: Displays the HTTP or HTTPS server configuration.
  • Page 119: Feature Port-Security

    This example shows how to disable port security on the switch:
        switch# configure terminal
        switch(config)# no feature port-security
        switch(config)#
    Related Commands: show feature: Displays the features that are enabled or disabled on the switch.
  • Page 120 show port-security: Displays the port security configuration information. switchport port-security: Configures the switchport parameters to establish port security.
  • Page 121: Feature Privilege

    show feature: Displays the features enabled or disabled on the switch. show privilege: Displays the current privilege level, username, and status of cumulative privilege support. username: Enables a user to use privilege levels for authorization.
  • Page 122: Feature Tacacs

    Command History: 5.2(1)N1(1): This command was introduced. Usage Guidelines: You must use the feature tacacs+ command before you configure TACACS+. Note: When you disable TACACS+, the Cisco NX-OS software removes the TACACS+ configuration. Examples: This example shows how to enable TACACS+:
        switch(config)# feature tacacs+ ...
  • Page 123: I Commands

    This chapter describes the Cisco NX-OS security commands that begin with I.
  • Page 124: Interface Policy Deny

        switch(config)# role name MyRole
        switch(config-role)# no interface policy deny
    Related Commands: role name: Creates or specifies a user role and enters user role configuration mode. show role: Displays user role information.
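The role commands on the preceding pages (role name, description, role feature-group, interface policy deny) are the building blocks of a least-privilege operator account. The following configuration is an added example, not taken from the reference, that combines them: a feature group the role may only read, a read-write rule limited to interface commands, and an interface policy that denies every interface except one access-port range. The role name, group name, account name and interface range are assumptions chosen for illustration.

```text
! Added example: least-privilege operator role (names and ranges are assumptions).
switch# configure terminal
! Feature group bundling the features this role may read but not change.
switch(config)# role feature-group name NocReadGroup
switch(config-role-featuregrp)# feature interface
switch(config-role-featuregrp)# feature callhome
switch(config-role-featuregrp)# exit
! The role itself: read on the group, read-write only on interface commands.
switch(config)# role name AccessPortOperator
switch(config-role)# description NOC operator limited to access ports
switch(config-role)# rule 1 permit read feature-group NocReadGroup
switch(config-role)# rule 2 permit read-write feature interface
! Deny all interfaces, then permit only the access-port range (uplinks stay off limits).
switch(config-role)# interface policy deny
switch(config-role-interface)# permit interface ethernet 1/1-24
switch(config-role-interface)# exit
switch(config-role)# exit
! Bind a local account to the role, verify, and save.
switch(config)# username nocop password <strong-password> role AccessPortOperator
switch(config)# exit
switch# show role name AccessPortOperator
switch# show role feature-group name NocReadGroup
switch# copy running-config startup-config
```

Permit the interfaces before handing the role to anyone: once interface policy deny is set, a user holding the role cannot configure any interface that is not explicitly permitted, and show role name is the quickest way to confirm what the role actually allows.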
  • Page 125: Ip Access-Class

    in: Specifies that incoming connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list. out: Specifies that outgoing connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list.
  • Page 126 show running-config aclmgr: Displays the running configuration of ACLs. show startup-config aclmgr: Displays the startup configuration for ACLs. ssh: Starts an SSH session using IPv4. telnet: Starts a Telnet session using IPv4.
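The ip access-class command described above is how the vty lines (SSH and Telnet into the switch itself) are restricted, as opposed to ip access-group, which filters transit traffic. The following added example, which is not part of the reference, allows SSH from two management hosts only and applies the list inbound on the vty lines. The ACL name and the host addresses 10.10.0.5 and 10.10.0.6 are assumptions.

```text
! Added example: restrict SSH/Telnet into the switch to known management hosts.
! ACL name and addresses are assumptions.
switch# configure terminal
switch(config)# ip access-list mgmt-vty-acl
switch(config-acl)# 10 permit tcp host 10.10.0.5 any eq 22
switch(config-acl)# 20 permit tcp host 10.10.0.6 any eq 22
! Everything else is dropped by the ACL's implicit deny; an explicit rule keeps that visible.
switch(config-acl)# 30 deny ip any any
switch(config-acl)# exit
! Apply inbound on the vty lines; this does not affect traffic that transits the switch.
switch(config)# line vty
switch(config-line)# ip access-class mgmt-vty-acl in
switch(config-line)# exit
switch(config)# exit
switch# show ip access-lists mgmt-vty-acl
switch# show running-config aclmgr
```

Apply this from the console, or keep a second session open from a permitted host, because a typo in the permitted addresses locks you out of the very session used to configure it. Note that the list only names port 22, so Telnet (port 23) is refused even from the management hosts; add a rule for it only if Telnet is genuinely still in use.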
  • Page 127: Ip Access-Group

    If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface: the interface keeps the reference, but the traffic is no longer filtered. A router ACL can be applied only to ingress traffic.
  • Page 128 show access-lists: Displays all ACLs. show ip access-lists: Shows either a specific IPv4 ACL or all IPv4 ACLs. show running-config interface: Shows the running configuration of all interfaces or of a specific interface.
  • Page 129: Ip Access-List

    Examples: This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
        switch(config)# ip access-list ip-acl-01
        switch(config-acl)#
  • Page 130 Applies an IPv4 ACL to an interface. permit (IPv4): Configures a permit rule in an IPv4 ACL. show ip access-lists: Displays all IPv4 ACLs or a specific IPv4 ACL.
  • Page 131: Ip Arp Event-History Errors

    This example shows how to set the ARP event history buffer to the default:
        switch(config)# no ip arp event-history errors size medium
        switch(config)#
    Related Commands: show running-config arp all: Displays the ARP configuration, including the default configurations.
  • Page 132: Ip Arp Inspection Log-Buffer

    Clears the DAI logging buffer. feature dhcp: Enables DHCP snooping. show ip arp inspection: Displays the DAI log configuration. show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
  • Page 133: Ip Arp Inspection Validate

    When you enable destination MAC validation, an ARP response frame is considered valid only if the target hardware address in the ARP body is the same as the destination MAC address in the Ethernet header of the frame.
  • Page 134 Related Commands: feature dhcp: Enables DHCP snooping. show ip arp inspection: Displays the DAI configuration status. show running-config dhcp: Displays DHCP snooping configuration, including DAI configuration.
  • Page 135: Ip Arp Inspection Vlan

    This command does not require a license. Examples: This example shows how to enable DAI on VLANs 13, 15, and 17 through 23:
        switch# configure terminal
        switch(config)# ip arp inspection vlan 13,15,17-23
        switch(config)#
  • Page 136 show ip arp inspection: Displays the DAI configuration status. show ip arp inspection vlan: Displays DAI status for a specified list of VLANs. show running-config dhcp: Displays DHCP snooping configuration, including DAI configuration.
  • Page 137: Ip Arp Inspection Trust

    show ip arp inspection: Displays the Dynamic ARP Inspection (DAI) configuration status. show ip arp inspection interface: Displays the trust state and the ARP packet rate for a specified interface. show running-config dhcp: Displays DHCP snooping configuration, including DAI configuration.
  • Page 138: Ip Dhcp Packet Strict-Validation

    Related Commands: feature dhcp: Enables DHCP snooping on the switch. show ip dhcp snooping: Displays general information about DHCP snooping. show running-config dhcp: Displays the current DHCP configuration.
  • Page 139: Ip Dhcp Snooping

    ip dhcp snooping vlan: Enables DHCP snooping on the specified VLANs. show ip dhcp snooping: Displays general information about DHCP snooping. show running-config dhcp: Displays DHCP snooping configuration, including IP Source Guard configuration.
  • Page 140: Ip Dhcp Snooping Information Option

    ip dhcp snooping vlan: Enables DHCP snooping on the specified VLANs. show ip dhcp snooping: Displays general information about DHCP snooping. show running-config dhcp: Displays DHCP snooping configuration, including IP Source Guard configuration.
  • Page 141: Ip Dhcp Snooping Trust

    ip dhcp snooping vlan: Enables DHCP snooping on the specified VLANs. show ip dhcp snooping: Displays general information about DHCP snooping. show running-config dhcp: Displays DHCP snooping configuration, including IP Source Guard configuration.
  • Page 142: Ip Dhcp Snooping Verify Mac-Address

    Related Commands: feature dhcp: Enables DHCP snooping on the switch. show running-config dhcp: Displays the DHCP snooping configuration.
  • Page 143: Ip Dhcp Snooping Vlan

    feature dhcp: Enables DHCP snooping on the switch. show ip dhcp snooping: Displays general information about DHCP snooping. show running-config dhcp: Displays DHCP snooping configuration, including IP Source Guard configuration.
  • Page 144: Ip Port Access-Group

    This example shows how to apply an IPv4 ACL named ip-acl-01 to Ethernet interface 1/2 as a port ACL:
        switch(config)# interface ethernet 1/2
        switch(config-if)# ip port access-group ip-acl-01 in
    This example shows how to remove an IPv4 ACL named ip-acl-01 from Ethernet interface 1/2:
  • Page 145 show access-lists: Displays all ACLs. show ip access-lists: Shows either a specific IPv4 ACL or all IPv4 ACLs. show running-config interface: Shows the running configuration of all interfaces or of a specific interface.
  • Page 146: Ip Source Binding

    This example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:
        switch# configure terminal
        switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
        switch(config)#
  • Page 147 feature dhcp: Enables DHCP snooping on the switch. show ip verify source: Displays IP-to-MAC address bindings. show interface: Displays interface configuration. show running-config dhcp: Displays the DHCP snooping configuration information.
  • Page 148: Ip Verify Source Dhcp-Snooping-Vlan

    This example shows how to disable IP Source Guard on a Layer 2 interface:
        switch# configure terminal
        switch(config)# interface ethernet 1/5
        switch(config-if)# no ip verify source dhcp-snooping-vlan
        switch(config-if)#
  • Page 149 Displays the IP-to-MAC address bindings for an interface. show running-config dhcp: Displays the IP configuration in the running configuration. show running-config interface ethernet: Displays the interface configuration in the running configuration.
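The feature dhcp, ip dhcp snooping, ip dhcp snooping trust, ip arp inspection and ip verify source pages above each show one command in isolation; in practice they are enabled together, because DAI and IP Source Guard both rely on the binding table that snooping builds. The following added example (not from the reference) shows the whole sequence on one access VLAN: VLAN 100, the uplink ethernet 1/1 toward the DHCP server, the host port ethernet 1/5, and the static binding for a host that does not use DHCP are all assumptions.

```text
! Added example: DHCP snooping, Dynamic ARP Inspection and IP Source Guard on one access VLAN.
! VLAN 100, ethernet 1/1 (uplink), ethernet 1/5 (host port) and the static binding are assumptions.
switch# configure terminal
switch(config)# feature dhcp
! Snooping must be on globally and on the VLAN before DAI or IP Source Guard do anything.
switch(config)# ip dhcp snooping
switch(config)# ip dhcp snooping vlan 100
! Drop client packets whose Ethernet source MAC differs from the DHCP client hardware address.
switch(config)# ip dhcp snooping verify mac-address
! Only the uplink toward the DHCP server may carry server replies or unvalidated ARP.
switch(config)# interface ethernet 1/1
switch(config-if)# ip dhcp snooping trust
switch(config-if)# ip arp inspection trust
switch(config-if)# exit
! DAI on the same VLAN, with the extra header checks (source MAC, destination MAC, IP).
switch(config)# ip arp inspection vlan 100
switch(config)# ip arp inspection validate src-mac dst-mac ip
! Host port stays untrusted; IP Source Guard drops traffic that has no binding.
switch(config)# interface ethernet 1/5
switch(config-if)# switchport mode access
switch(config-if)# switchport access vlan 100
switch(config-if)# ip verify source dhcp-snooping-vlan
switch(config-if)# exit
! Static binding for a host on ethernet 1/5 with a fixed address, so DAI and IPSG let it through.
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 1/5
switch(config)# exit
! Verify trust state, VLAN state, validation settings and per-port bindings before saving.
switch# show ip dhcp snooping
switch# show ip arp inspection vlan 100
switch# show ip arp inspection interface ethernet 1/1
switch# show ip verify source interface ethernet 1/5
switch# show running-config dhcp
switch# copy running-config startup-config
```

Two caveats a practitioner will want before doing this on a live VLAN: hosts that already hold a lease are absent from the binding table until they renew, so turning on IP Source Guard or DAI can cut them off until then (stage the change and confirm bindings with the show commands first), and, as the feature dhcp page notes, ACL statistics are not available while DHCP snooping is enabled.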
  • Page 150: Ip Verify Unicast Source Reachable-Via

    This command does not require a license. Examples: This example shows how to configure loose Unicast RPF checking on an interface:
        switch# configure terminal
        switch(config)# interface ethernet 2/3
        switch(config-if)# ip verify unicast source reachable-via any
  • Page 151 Displays the IP-related information for an Ethernet interface. show running-config interface ethernet: Displays the interface configuration in the running configuration. show running-config: Displays the IP configuration in the running configuration.
  • Page 152: Ipv6 Access-Class

    in: Specifies that incoming connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list. out: Specifies that outgoing connections be restricted between a particular Cisco Nexus 5000 Series switch and the addresses in the access list.
  • Page 153 show running-config aclmgr: Displays the running configuration of ACLs. show startup-config aclmgr: Displays the startup configuration for ACLs. ssh6: Starts an SSH session using IPv6. telnet6: Starts a Telnet session using IPv6.
  • Page 154: Ipv6 Access-List

    This example shows how to enter IP access list configuration mode for an IPv6 ACL named ipv6-acl-01:
        switch(config)# ipv6 access-list ipv6-acl-01
        switch(config-ipv6-acl)#
    Related Commands: deny (IPv6): Configures a deny rule in an IPv6 ACL. permit (IPv6): Configures a permit rule in an IPv6 ACL.
  • Page 155: Ipv6 Port Traffic-Filter

    If the first matching rule denies the packet, the switch drops the packet and returns an ICMP host-unreachable message. If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface: the interface keeps the reference, but the traffic is no longer filtered.
  • Page 156 Configures a virtual Ethernet interface. ipv6 access-list: Configures an IPv6 ACL. show access-lists: Displays all ACLs. show ipv6 access-lists: Shows either a specific IPv6 ACL or all IPv6 ACLs.
  • Page 157: Ipv6 Traffic-Filter

    ICMP host-unreachable message. If you delete the specified ACL from the device without removing the ACL from an interface, the deleted ACL does not affect traffic on the interface: the interface keeps the reference, but the traffic is no longer filtered.
  • Page 158 Configures a virtual Ethernet interface. ipv6 access-list: Configures an IPv6 ACL. show access-lists: Displays all ACLs. show ipv6 access-lists: Shows either a specific IPv6 ACL or all IPv6 ACLs.
  • Page 159: M Commands

    This chapter describes the Cisco NX-OS security commands that begin with M.
  • Page 160: Mac Access-List

    This example shows how to enter MAC access list configuration mode for a MAC ACL named mac-acl-01:
        switch(config)# mac access-list mac-acl-01
        switch(config-acl)#
    Related Commands: deny (MAC): Configures a deny rule in a MAC ACL. mac access-group: Applies a MAC ACL to an interface.
  • Page 161 permit (MAC): Configures a permit rule in a MAC ACL. show mac access-lists: Displays all MAC ACLs or a specific MAC ACL.
  • Page 162: Mac Port Access-Group

    ACL does not affect traffic on the interface. Examples: This example shows how to apply a MAC ACL named mac-acl-01 to Ethernet interface 1/2:
        switch(config)# interface ethernet 1/2
        switch(config-if)# mac port access-group mac-acl-01
        switch(config-if)#
  • Page 163 show access-lists: Displays all ACLs. show mac access-lists: Shows either a specific MAC ACL or all MAC ACLs. show running-config interface: Shows the running configuration of all interfaces or of a specific interface.
  • Page 164: Match

    Displays information about how a VLAN access map is applied. vlan access-map: Configures a VLAN access map. vlan filter: Applies a VLAN access map to one or more VLANs.
  • Page 167: P Commands

    This chapter describes the Cisco NX-OS security commands that begin with P.
  • Page 168: Permit (Arp)

    Introduces the MAC address portion of the rule. Command Default: None. Command Modes: ARP ACL configuration mode. Command History: 5.2(1)N1(1): This command was introduced.
  • Page 169 deny (ARP): Configures a deny rule in an ARP ACL. arp access-list: Configures an ARP ACL. remark: Configures a remark in an ACL. show arp access-lists: Displays all ARP ACLs or one ARP ACL.
  • Page 170: Permit Icmp (Ipv4)

    ICMP message number, which is an integer from 0 to 255, or a keyword. For a list of keywords, see the “ICMP Message Types” section in the “Usage Guidelines” section.
  • Page 171 You cannot specify the fragments keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
  • Page 172 When you configure a rule, use the following methods to specify the source and destination arguments:
  • Page 173 • echo—Echo (ping) • echo-reply—Echo reply • general-parameter-problem—Parameter problem • host-isolated—Host isolated • host-precedence-unreachable—Host unreachable for precedence • host-redirect—Host redirect • host-tos-redirect—Host redirect for ToS • host-tos-unreachable—Host unreachable for ToS
  • Page 174 This example shows how to configure an IPv4 ACL named acl-lab-01 with rules permitting all ICMP traffic from the 10.23.0.0/16 and 192.168.37.0/24 networks to the 10.176.0.0/16 network:
        switch(config)# ip access-list acl-lab-01
        switch(config-acl)# permit icmp 10.23.0.0/16 10.176.0.0/16
        switch(config-acl)# permit icmp 192.168.37.0/24 10.176.0.0/16
  • Page 175 deny (IPv4): Configures a deny rule in an IPv4 ACL. ip access-list: Configures an IPv4 ACL. remark: Configures a remark in an ACL. show ip access-lists: Displays all IPv4 ACLs or one IPv4 ACL.
  • Page 176: Permit Igmp (Ipv4)

    0 to 15. It can also be one of the following keywords: • dvmrp—Distance Vector Multicast Routing Protocol • host-query—Host query • host-report—Host report • pim—Protocol Independent Multicast • trace—Multicast trace. log (Optional): Log matches against this entry.
  • Page 177 You cannot specify the fragments keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
  • Page 178 When you configure a rule, use the following methods to specify the source and destination arguments:
  • Page 179 deny (IPv4): Configures a deny rule in an IPv4 ACL. ip access-list: Configures an IPv4 ACL. remark: Configures a remark in an ACL. show ip access-lists: Displays all IPv4 ACLs or one IPv4 ACL.
  • Page 180: Permit Ip (Ipv4)

    “Usage Guidelines” section. destination: Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section.
  • Page 181 You cannot specify the fragments keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
  • Page 182 When you configure a rule, use the following methods to specify the source and destination arguments:
  • Page 183 deny (IPv4): Configures a deny rule in an IPv4 ACL. ip access-list: Configures an IPv4 ACL. remark: Configures a remark in an ACL. show ip access-lists: Displays all IPv4 ACLs or one IPv4 ACL.
  • Page 184: Permit Tcp (Ipv4)

    Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
  • Page 185 Use the object-group ip port command to create and change IP port-group objects.
  • Page 186 log (Optional): Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information: • Protocol • Source and destination addresses • Source and destination port numbers, if applicable
  • Page 187 The switch enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the switch enforces the rule with the lowest sequence number.
  • Page 188 cmd—Remote commands (rcmd, 514) • daytime—Daytime (13) • discard—Discard (9) • domain—Domain Name Service (53) • drip—Dynamic Routing Information Protocol (3949) • echo—Echo (7) • exec—EXEC (rsh, 512) • finger—Finger (79)
  • Page 189 deny (IPv4): Configures a deny rule in an IPv4 ACL. ip access-list: Configures an IPv4 ACL. remark: Configures a remark in an ACL. show ip access-lists: Displays all IPv4 ACLs or one IPv4 ACL.
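The permit tcp pages above state three things that interact when an ACL is written: the fragments keyword cannot share a rule with Layer 4 options, the log keyword produces a message per matching packet, and the rule with the lowest sequence number wins when several match. The ip port access-group page earlier shows how such a list is attached to a port. The following added example, which is not part of the reference, puts those together in one port ACL: the ACL name, the 10.23.0.0/16 client range, the 10.176.1.10 server and the interface are assumptions.

```text
! Added example: port ACL showing rule order, the fragments keyword and logging.
! ACL name, addresses and interface are assumptions.
switch# configure terminal
switch(config)# ip access-list srv-acl-01
! Non-initial fragments carry no TCP header, so no port-based rule can evaluate them.
! Drop them first and explicitly; 'fragments' cannot be combined with 'eq 22' or any other L4 option.
switch(config-acl)# 10 deny ip any any fragments
! Unfragmented packets and initial fragments are matched on destination port.
switch(config-acl)# 20 permit tcp 10.23.0.0/16 host 10.176.1.10 eq 22
switch(config-acl)# 30 permit tcp 10.23.0.0/16 host 10.176.1.10 eq 443
! Explicit final deny with log: each hit records protocol, addresses and ports,
! which the implicit deny at the end of the list does not do.
switch(config-acl)# 40 deny ip any any log
! Per-rule hit counters (not supported while DHCP snooping is enabled).
switch(config-acl)# statistics per-entry
switch(config-acl)# exit
switch(config)# interface ethernet 1/2
switch(config-if)# ip port access-group srv-acl-01 in
switch(config-if)# exit
switch(config)# exit
! Lowest sequence number wins: a later '15 permit tcp ... eq 22' would take effect
! between rules 10 and 20 without renumbering the rest of the list.
switch# show ip access-lists srv-acl-01
switch# show running-config interface ethernet 1/2
```

Rule 40 exists for visibility rather than enforcement, since the implicit deny would drop the same packets silently; if the log volume on a busy port becomes a problem, narrow the logged rule to the traffic you actually want to see rather than removing it.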
  • Page 190: Permit Udp (Ipv4)

    Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
  • Page 191 Use the object-group ip port command to create and change IP port-group objects.
  • Page 192 Use the object-group ip port command to create and change IP port-group objects.
  • Page 193 You cannot specify the fragments keyword in the same rule that you specify Layer 4 options, such as a UDP port number, because the information that the switch requires to evaluate those options is contained only in initial fragments.
  • Page 194 When you configure a rule, use the following methods to specify the source and destination arguments:
  • Page 195 isakmp—Internet Security Association and Key Management Protocol (500) • mobile-ip—Mobile IP registration (434) • nameserver—IEN116 name service (obsolete, 42) • netbios-dgm—NetBIOS datagram service (138) • netbios-ns—NetBIOS name service (137) • netbios-ss—NetBIOS session service (139)
  • Page 196 deny (IPv4): Configures a deny rule in an IPv4 ACL. ip access-list: Configures an IPv4 ACL. remark: Configures a remark in an ACL. show ip access-lists: Displays all IPv4 ACLs or one IPv4 ACL.
  • Page 197: Permit Icmp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
  • Page 198 You cannot specify the fragments keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the device requires to evaluate those options is contained only in initial fragments.
  • Page 199 The syntax is as follows: host IPv6-address. This syntax is equivalent to IPv6-address/128. This example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
  • Page 200 • renum-seq-number—Router renumbering sequence number reset • router-advertisement—Neighbor discovery router advertisements • router-renumbering—All router renumbering • router-solicitation—Neighbor discovery router solicitations • time-exceeded—All time exceeded messages • unreachable—All unreachable
  • Page 201 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 Related Commands: deny (IPv6): Configures a deny rule in an IPv6 ACL. ipv6 access-list: Configures an IPv6 ACL. remark: Configures a remark in an ACL.
  • Page 202: Permit Ipv6 (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
  • Page 203 flow-label flow-label-value (Optional): Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
  • Page 204 2001:0db8:85a3::/48 any • Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows: host IPv6-address
  • Page 205 Related Commands: deny (IPv6): Configures a deny rule in an IPv6 ACL. ipv6 access-list: Configures an IPv6 ACL. remark: Configures a remark in an ACL.
  • Page 206: Permit Sctp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
  • Page 207 Use the object-group ip port command to create and change IP port-group objects.
  • Page 208 flow-label flow-label-value (Optional): Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
  • Page 209 2001:0db8:85a3::/48 any • Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows: host IPv6-address
  • Page 210 Related Commands: deny (IPv6): Configures a deny rule in an IPv6 ACL. ipv6 access-list: Configures an IPv6 ACL. remark: Configures a remark in an ACL.
  • Page 211: Permit Tcp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 212 Use the object-group ip port command to create and change IP port-group objects. Cisco Nexus 5500 Series NX-OS Security Command Reference OL-27883-02...
  • Page 213 flags: (Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords:
  • Page 214 (VLSM) to specify a host or a network as a source or destination. The syntax is as follows: IPv6-address/prefix-len
    This example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
    switch(config-acl)# permit tcp 2001:0db8:85a3::/48 any
  • Page 215 (515)
    • nntp—Network News Transport Protocol (119)
    • pim-auto-rp—PIM Auto-RP (496)
    • pop2—Post Office Protocol v2 (19)
    • pop3—Post Office Protocol v3 (11)
    • smtp—Simple Mail Transport Protocol (25)
  • Page 216 Related Commands:
    deny (IPv6): Configures a deny rule in an IPv6 ACL.
    ipv6 access-list: Configures an IPv6 ACL.
    remark: Configures a remark in an ACL.
  • Page 217: Permit Udp (Ipv6)

    Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see the “Source and Destination” section in the “Usage Guidelines” section.
  • Page 218 Use the object-group ip port command to create and change IP port-group objects.
  • Page 219 flow-label-value: (Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575.
  • Page 220 2001:0db8:85a3::/48 any
    • Host address—You can use the host keyword and an IPv6 address to specify a host as a source or destination. The syntax is as follows: host IPv6-address
  • Page 221
    • tacacs—TAC Access Control System (49)
    • talk—Talk (517)
    • tftp—Trivial File Transfer Protocol (69)
    • time—Time (37)
    • who—Who service (rwho, 513)
    • xdmcp—X Display Manager Control Protocol (177)
  • Page 222 Related Commands:
    deny (IPv6): Configures a deny rule in an IPv6 ACL.
    ipv6 access-list: Configures an IPv6 ACL.
    remark: Configures a remark in an ACL.
  • Page 223: Permit (Mac)

    If you do not specify a sequence number, the switch assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
    Command Modes: MAC ACL configuration mode
  • Page 224 0x8042 (0x8042)
    • ip—Internet Protocol v4 (0x0800)
    • lat—DEC LAT (0x6004)
    • lavc-sca—DEC LAVC, SCA (0x6007)
    • mop-console—DEC MOP Remote console (0x6002)
    • mop-dump—DEC MOP dump (0x6001)
    • vines-echo—VINES Echo (0x0baf)
  • Page 225 Configures a deny rule in a MAC ACL.
    mac access-list: Configures a MAC ACL.
    remark: Configures a remark in an ACL.
    show mac access-list: Displays all MAC ACLs or one MAC ACL.
  • Page 226: Permit Interface

    This example shows how to remove an interface from a user role interface policy:
    switch(config)# role name MyRole
    switch(config-role)# interface policy deny
    switch(config-role-interface)# no permit interface ethernet 1/2
    Related Commands:
    interface policy deny: Enters interface policy configuration mode for a user role.
  • Page 227 role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.
  • Page 228: Permit Vlan

    1, 10, 12, 20
    This example shows how to remove a VLAN from a user role VLAN policy:
    switch(config)# role name MyRole
    switch(config-role)# vlan policy deny
    switch(config-role-vlan)# no permit vlan 2
  • Page 229 Enters VLAN policy configuration mode for a user role.
    role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.
  • Page 230: Permit Vrf

    Enters VRF policy configuration mode for a user role.
    role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.
  • Page 231: Permit Vsan

    Denies access to a VSAN policy for a user.
    role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.
  • Page 233: R Commands

    R Commands This chapter describes the Cisco NX-OS security commands that begin with R.
  • Page 234: Radius-Server Deadtime

    To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 5000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command. radius-server deadtime minutes...
  • Page 235: Radius-Server Directed-Request

    This example shows how to disallow users from sending authentication requests to a specific RADIUS server when logging in:
    switch(config)# no radius-server directed-request
    Related Commands:
    show radius-server directed-request: Displays the directed request RADIUS server configuration.
  • Page 236: Radius-Server Host

    (white spaces are not allowed), is case sensitive, and has a maximum of 63 characters.
    (Optional) Enables the generation of Protected Access Credentials on the RADIUS Cisco ACS server for use with Cisco TrustSec.
    accounting: (Optional) Configures accounting.
    acct-port port-number: (Optional) Configures the RADIUS server port for accounting.
  • Page 237 192.168.2.3 test idle-time 10
    switch(config)# radius-server host 192.168.2.3 test username tester
    switch(config)# radius-server host 192.168.2.3 test password 2B9ka5
    Related Commands:
    show radius-server: Displays RADIUS server information.
  • Page 238: Radius-Server Key

    This example shows how to provide various scenarios to configure RADIUS authentication:
    switch(config)# radius-server key AnyWord
    switch(config)# radius-server key 0 AnyWord
    switch(config)# radius-server key 7 public pac
    Related Commands:
    show radius-server: Displays RADIUS server information.
  • Page 239: Radius-Server Retransmit

    3
    This example shows how to revert to the default number of retransmissions to RADIUS servers:
    switch(config)# no radius-server retransmit 3
    Related Commands:
    show radius-server: Displays RADIUS server information.
  • Page 240: Radius-Server Timeout

    This example shows how to configure the timeout interval:
    switch(config)# radius-server timeout 30
    This example shows how to revert to the default interval:
    switch(config)# no radius-server timeout 30
    Related Commands:
    show radius-server: Displays RADIUS server information.
  • Page 241: Remark

    This example shows how to create a remark in an IPv4 ACL and display the results:
    switch(config)# ip access-list acl-ipv4-01
    switch(config-acl)# 100 remark this ACL denies the marketing department access to the lab
    switch(config-acl)# show access-list acl-ipv4-01
  • Page 242 Related Commands:
    ip access-list: Configures an IPv4 ACL.
    mac access-list: Configures a MAC ACL.
    show access-list: Displays all ACLs or one ACL.
  • Page 243: Resequence

    100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
    switch(config)# show ip access-lists ip-acl-01
    IP access list ip-acl-01
  • Page 244 Related Commands:
    ip access-list: Configures an IPv4 ACL.
    ipv6 access-list: Configures an IPv6 ACL.
    mac access-list: Configures a MAC ACL.
    show access-lists: Displays all ACLs or a specific ACL.
  • Page 245: Role Feature-Group Name

    Related Commands:
    feature-group name: Specifies or creates a user role feature group and enters user role feature group configuration mode.
    show role feature-group: Displays the user role feature groups.
  • Page 246: Role Name

    • priv-8
    • priv-9
    • priv-10
    • priv-11
    • priv-12
    • priv-13
    Command Default: None
    Command Modes: Global configuration mode
    Command History:
    5.2(1)N1(1): This command was introduced.
  • Page 247 Usage Guidelines: A Cisco Nexus 5000 Series switch provides the following default user roles:
    • Network Administrator—Complete read-and-write access to the entire switch
    • Complete read access to the entire switch
    You cannot change or remove the default user roles.
  • Page 248: Rollback Running-Config

    A rollback to a specified checkpoint restores the active configuration of the system to the checkpointed configuration. A rollback to files on bootflash is supported only on files that are created using the checkpoint checkpoint_name command and not on any other type of ASCII file.
  • Page 249 show diff rollback-patch file: Displays the differences between the current checkpoint file and the saved configuration.
    show diff rollback-patch running-config: Displays the differences between the current running configuration and the saved checkpoint configuration.
  • Page 250: Rule

    Deny rules cannot be added to any privilege roles, except the privilege 0 (priv-0) role.
    Examples: This example shows how to add rules to a user role:
    switch(config)# role name MyRole
    switch(config-role)# rule 1 deny command clear users
    switch(config-role)# rule 1 permit read-write feature-group L3
  • Page 251 MyRole
    switch(config-role)# no rule 10
    Related Commands:
    role name: Creates or specifies a user role name and enters user role configuration mode.
    show role: Displays the user roles.
  • Page 253: S Commands

    S Commands This chapter describes the Cisco NX-OS security commands that begin with S.
  • Page 254: Server

    RadServer
    switch(config-radius)# no server 192.168.1.1
    This example shows how to add a server to a TACACS+ server group:
    switch(config)# feature tacacs+
    switch(config)# aaa group server tacacs+ TacServer
  • Page 255 Enables TACACS+.
    radius-server host: Configures a RADIUS server.
    show radius-server groups: Displays RADIUS server group information.
    show tacacs-server groups: Displays TACACS+ server group information.
    tacacs-server host: Configures a TACACS+ server.
  • Page 256: Ssh

    This example shows how to start an SSH session using IPv4:
    switch# ssh 192.168.1.1 vrf management
    Related Commands:
    clear ssh session: Clears SSH sessions.
    ssh server enable: Enables the SSH server.
    ssh6: Starts an SSH session using IPv6 addressing.
  • Page 257: Ssh6

    This example shows how to start an SSH session using IPv6:
    switch# ssh6 2001:0DB8::200C:417A vrf management
    Related Commands:
    clear ssh session: Clears SSH sessions.
    Starts an SSH session using IPv4 addressing.
    ssh server enable: Enables the SSH server.
  • Page 258: Ssh Key

    This example shows how to remove the DSA SSH server key:
    switch(config)# no ssh server enable
    switch(config)# no ssh key dsa
  • Page 259 Related Commands:
    show ssh key: Displays the SSH server key information.
    ssh server enable: Enables the SSH server.
  • Page 260: Ssh Server Enable

    This example shows how to disable the SSH server:
    switch(config)# no ssh server enable
    Related Commands:
    show ssh server: Displays the SSH server key information.
  • Page 261: Storm-Control Level

    • Use the no form of this command.
    Examples: This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
    switch(config-if)# storm-control broadcast level 30
  • Page 262 This example shows how to disable the suppression mode for multicast traffic:
    switch(config-if)# no storm-control multicast level
    Related Commands:
    show interface: Displays the storm-control suppression counters for an interface.
    show running-config: Displays the configuration of the interface.
  • Page 263: Show Commands

    Show Commands This chapter describes the Cisco NX-OS security show commands.
  • Page 264: Show Aaa Accounting

    This example shows how to display the configuration of the accounting log:
    switch# show aaa accounting
    default: local
    switch#
    Related Commands:
    aaa accounting default: Configures AAA methods for accounting.
  • Page 265: Show Aaa Authentication

    This example shows how to display the authentication login MS-CHAP configuration:
    switch# show aaa authentication login mschap
    MSCHAP is disabled
    switch#
    Related Commands:
    aaa authentication: Configures AAA authentication methods.
  • Page 266: Show Aaa Authorization

    Related Commands:
    aaa authorization commands default: Configures default AAA authorization methods for EXEC commands.
    aaa authorization config-commands default: Configures default AAA authorization methods for configuration commands.
  • Page 267: Show Aaa Groups

    Examples: This example shows how to display AAA group information:
    switch# show aaa groups
    radius
    tacacs
    rad1
    switch#
    Related Commands:
    aaa group server radius: Creates a RADIUS server group.
  • Page 268: Show Aaa User

    Related Commands:
    aaa user default-role: Configures the default user for remote authentication.
    show aaa authentication: Displays AAA authentication information.
  • Page 269: Show Access-Lists

    Examples: This example shows how to display all IPv4 and MAC ACLs on the switch:
    switch# show access-lists
    In Cisco NX-OS Release 5.2(1)N1(1), the following output is displayed:
    switch# show access-lists
    IP access list BulkData
    10 deny ip any any...
  • Page 270 Configures an IPv4 ACL.
    mac access-list: Configures a MAC ACL.
    show ip access-lists: Displays all IPv4 ACLs or a specific IPv4 ACL.
    show mac access-lists: Displays all MAC ACLs or a specific MAC ACL.
  • Page 271: Show Accounting Log

    Examples: This example shows how to display the entire accounting log:
    switch# show accounting log
    In Cisco NX-OS Release, this command displays the following output:
    switch# show accounting log
    Mon Aug 16 09:37:43 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf
    igure terminal ; interface vfc3 ; bind interface Ethernet1/12 (SUCCESS)
    Mon Aug 16 09:38:20 2010:type=update:id=72.163.177.184@pts/0:user=admin:cmd=conf...
  • Page 272 16:00:00 on February 29, 2008:
    switch# show accounting log start-time 2008 Feb 1 15:59:59 end-time 2008 Feb 29 16:00:00
    Related Commands:
    clear accounting log: Clears the accounting log.
  • Page 273: Show Checkpoint

    5 ! role network-operator
    username admin password 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
  • Page 274 4
    class-map type qos match-all cq1
    match cos 4
    match precedence 7
    --More--
    switch#
    This example shows how to display all configured rollback checkpoints:
    switch# show checkpoint all
  • Page 275 Rolls back the configuration to any of the saved checkpoints.
    show checkpoint summary: Displays configuration rollback checkpoints summary.
    show checkpoint system: Displays system-defined rollback checkpoints.
    show checkpoint user: Displays user-configured rollback checkpoints.
  • Page 276: Show Checkpoint Summary

    This example shows how to display the summary of the system-configured rollback checkpoints:
    switch# show checkpoint summary system
    This example shows how to display the summary of the user-configured rollback checkpoints:
    switch# show checkpoint summary user
    --------------------------------------------------------------------------------
    1) chkpnt-1:
  • Page 277 Creates a checkpoint.
    rollback: Rolls back the configuration to any of the saved checkpoints.
    show checkpoint: Displays rollback checkpoints.
    show checkpoint system: Displays system-defined rollback checkpoints.
    show checkpoint user: Displays user-configured rollback checkpoints.
  • Page 278: Show Checkpoint System

    Related Commands:
    checkpoint: Creates a checkpoint.
    rollback: Rolls back the configuration to any of the saved checkpoints.
    show checkpoint: Displays rollback checkpoints.
    show checkpoint user: Displays user-configured rollback checkpoints.
  • Page 279: Show Checkpoint User

    4
    class-map type qos match-all cq1
    match cos 4
    match precedence 7
    <--output truncated-->
  • Page 280 Rolls back the configuration to any of the saved checkpoints.
    show checkpoint: Displays rollback checkpoints.
    show checkpoint summary: Displays a summary of all configured rollback checkpoints.
    show checkpoint system: Displays system-defined rollback checkpoints.
  • Page 281: Show Diff Rollback-Patch Checkpoint

    <-- modify configuration in running configuration--->
    switch# show diff rollback-patch checkpoint user-checkpoint-4 checkpoint chkpnt-1
    #Generating Rollback Patch
    interface Ethernet1/2
    no untagged cos
    no description Sample config
    exit
    interface Ethernet1/2
    channel-group 1
  • Page 282 show diff rollback-patch file: Displays the differences between the current checkpoint file and the saved configuration.
    show diff rollback-patch running-config: Displays the differences between the current running configuration and the saved checkpoint configuration.
  • Page 283: Show Diff Rollback-Patch File

    The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
  • Page 284 show diff rollback-patch checkpoint: Displays the differences between the current checkpoint and the saved configuration.
    show diff rollback-patch running-config: Displays the differences between the current running configuration and the saved checkpoint configuration.
  • Page 285: Show Diff Rollback-Patch Running-Config

    The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
  • Page 286 Collecting Running-Config
    Collecting Startup-Config
    #Generating Rollback Patch
    interface Ethernet1/2
    no untagged cos
    no description Sample config
    exit
    password strength-check
    no username admin
    no username adminbackup
  • Page 287 show diff rollback-patch file: Displays the differences between the current checkpoint file and the saved configuration.
    show diff rollback-patch startup-config: Displays the differences between the current startup configuration and the saved checkpoint configuration.
  • Page 288: Show Diff Rollback-Patch Startup-Config

    The configuration differences based on the current running configuration and checkpointed configuration are applied to the system to restore the running state of the system.
  • Page 289 5 $1$KIPRDtFF$7eUMjCAd7Nkhktzebsg5/0 role network-admin
    no password strength-check
    switch#
    This example shows how to view the configuration changes between the current startup configuration and a saved startup configuration:
    switch# checkpoint chkpnt-1
  • Page 290 show diff rollback-patch file: Displays the differences between the current checkpoint file and the saved configuration.
    show diff rollback-patch running-config: Displays the differences between the current running configuration and the saved checkpoint configuration.
  • Page 291: Show Http-Server

    This example shows how to display the status of the HTTP server:
    switch# show http-server
    http-server enabled
    switch#
    Related Commands:
    feature http-server: Enables or disables the HTTP or HTTPS server on the switch.
  • Page 292: Show Ip Access-Lists

    110 permit tcp any gt 300 any lt 400
    130 deny tcp any range 200 300 any lt 600
    140 deny tcp any range 200 300 any lt 600
    IP access list dot
  • Page 293 Related Commands:
    ip access-list: Configures an IPv4 ACL.
    show access-lists: Displays all ACLs or a specific ACL.
    show mac access-lists: Displays all MAC ACLs or a specific MAC ACL.
  • Page 294: Show Ip Arp

    1 to 4094, except for the VLANs reserved for internal use.
    fhrp-non-active-learn: (Optional) Displays the ARP table information learned only due to a request for a nonactive Cisco First Hop Redundancy Protocol (FHRP) address.
    static: (Optional) Displays the static ARP entries.
  • Page 295 Switch interface where packets are forwarded.
    Physical Interface: Physical interface, which can be one of the following: Ethernet, loopback, EtherChannel, management, or VLAN.
    Related Commands:
    clear ip arp: Clears the ARP cache and table.
  • Page 296 feature interface-vlan: Enables the creation of VLAN interfaces.
    show running-config: Displays the running ARP configuration.
  • Page 297: Show Ip Arp Inspection

    show ip arp inspection statistics: Displays the DAI statistics.
    show ip arp inspection vlan: Displays DAI status for a specified list of VLANs.
    show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
  • Page 298: Show Ip Arp Inspection Interfaces

    Displays the DAI configuration status.
    show ip arp inspection vlan: Displays DAI status for a specified list of VLANs.
    show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
  • Page 299: Show Ip Arp Inspection Log

    Clears the DAI logging buffer.
    ip arp inspection log-buffer: Configures the DAI logging buffer size.
    show ip arp inspection: Displays the DAI configuration status.
    show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
  • Page 300: Show Ip Arp Inspection Statistics

    statistics vlan: Clears the DAI statistics for a specified VLAN.
    show ip arp inspection log: Displays the DAI log configuration.
    show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
  • Page 301: Show Ip Arp Inspection Vlan

    Displays the DAI configuration status.
    show ip arp inspection interface: Displays the trust state and the ARP packet rate for a specified interface.
    show running-config dhcp: Displays DHCP snooping configuration, including the DAI configuration.
  • Page 302: Show Ip Arp Sync-Entries

    This example shows how to display the global ARP statistics on virtual port channels (vPCs):
    switch# show ip arp sync-entries
    Related Commands:
    ip arp synchronize: Enables ARP synchronization on a vPC domain.
    show running-config: Displays the running configuration information for ARP tables.
  • Page 303: Show Ip Dhcp Snooping

    copy running-config startup-config: Copies the running configuration to the startup configuration.
    ip dhcp snooping: Globally enables DHCP snooping on the device.
    show ip dhcp snooping statistics: Displays DHCP snooping statistics.
    show running-config dhcp: Displays the DHCP snooping configuration.
  • Page 304: Show Ip Dhcp Snooping Binding

    Support for the QSFP+ GEM was added.
    5.2(1)N1(1): This command was introduced.
    Usage Guidelines: The binding interface includes static IP source entries. Static entries appear with the term “static” in the Type column.
  • Page 305 Creates a static IP source entry for a Layer 2 Ethernet interface.
    show ip dhcp snooping statistics: Displays DHCP snooping statistics.
    show running-config dhcp: Displays the DHCP snooping configuration, including the IP Source Guard configuration.
  • Page 306: Show Ip Dhcp Snooping Statistics

    copy running-config startup-config: Copies the running configuration to the startup configuration.
    ip dhcp snooping: Globally enables DHCP snooping on the device.
    show running-config dhcp: Displays the DHCP snooping configuration.
  • Page 307: Show Ipv6 Access-Lists

    • The ACL configuration contains the statistics per-entry command.
    • The ACL is applied to an interface that is administratively up.
    Examples: This example shows how to display all IPv6 ACLs on a switch:
    switch# show ipv6 access-lists
  • Page 308 Related Commands:
    ipv6 access-list: Configures an IPv6 ACL.
  • Page 309: Show Ip Verify Source

    IP source guard is enabled on the following interfaces:
    ------------------------------------------------------
    Ethernet1/2
    Ethernet1/5
    IP source guard operational entries:
    -----------------------------------
    Interface     Filter-mode             IP-address   Mac-address      Vlan
    ------------  ----------------------  -----------  ---------------  ----
    Ethernet1/2   inactive-no-snoop-vlan
    Ethernet1/5   inactive-no-snoop-vlan
    switch#
  • Page 310 Creates a static IP source entry for the specified Ethernet interface.
    ip verify source dhcp-snooping-vlan: Enables IP Source Guard on an interface.
    show running-config dhcp: Displays DHCP snooping configuration, including the IP Source Guard configuration.
  • Page 311: Show Mac Access-Lists

    Related Commands:
    mac access-list: Configures a MAC ACL.
    show access-lists: Displays all ACLs or a specific ACL.
    show ip access-lists: Displays all IPv4 ACLs or a specific IPv4 ACL.
  • Page 312: Show Privilege

    Enables a secret password for a specific privilege level.
    feature privilege: Enables the cumulative privilege of roles for command authorization on RADIUS and TACACS+ servers.
    username: Enables a user to use privilege levels for authorization.
  • Page 313: Show Radius-Server

    RADIUS servers are configured:
    192.168.1.1:
    available for authentication on port:1812
    available for accounting on port:1813
    RADIUS shared secret:********
    switch#
  • Page 314 RADIUS shared secret:********
    switch#
    This example shows how to display statistics for a specified RADIUS server:
    switch# show radius-server statistics 192.168.1.1
    Server is not monitored
    Authentication Statistics
    failed transactions: 0
    sucessfull transactions: 0
  • Page 315 0
    responses not processed: 0
    responses containing errors: 0
    switch#
    Related Commands:
    show running-config radius: Displays the RADIUS information in the running configuration file.
  • Page 316: Show Role

    Type Scope Entity
    -------------------------------------------------------------------
    permit read-write
    Role: network-operator
    Description: Predefined network operator role has access to all read commands on the switch
    -------------------------------------------------------------------
    Rule Perm Type Scope Entity
    -------------------------------------------------------------------
    permit read
  • Page 317 Description: This is a system defined privilege role.
    vsan policy: permit (default)
    Vlan policy: permit (default)
    Interface policy: permit (default)
    Vrf policy: permit (default)
    Role: priv-8
    Description: This is a system defined privilege role.
  • Page 318 Description: This is a system defined privilege role.
    vsan policy: permit (default)
    Vlan policy: permit (default)
    Interface policy: permit (default)
    Vrf policy: permit (default)
    -------------------------------------------------------------------
    Rule Perm Type Scope Entity
    -------------------------------------------------------------------
    permit command traceroute6 *
  • Page 319: Command Description

    Vlan policy: permit (default)
    Interface policy: permit (default)
    Vrf policy: permit (default)
    -------------------------------------------------------------------
    Rule Perm Type Scope Entity
    -------------------------------------------------------------------
    deny command
    switch#
    Related Commands:
    role name: Configures user roles.
  • Page 320: Show Role Feature

    (Fabric Shortest Path First protocol related commands)
    rlir (Registered Link Incident Report related commands)
    rscn (Registered State Change Notification related commands)
    span (SPAN session relate commands)
    vsan (VSAN configuration and show commands)
  • Page 321 (ARP protocol related commands)
    show ip arp *
    config t; ip arp *
    clear ip arp *
    debug ip arp *
    debug-filter ip arp *
    switch#
  • Page 322 Related Commands:
    role feature-group: Configures feature groups for user roles.
    rule: Configures rules for user roles.
  • Page 323: Show Role Feature-Group

    This example shows how to display information for a specific user role feature group:
    switch# show role feature-group name SecGroup
    Related Commands:
    role feature-group: Configures feature groups for user roles.
    rule: Configures rules for user roles.
  • Page 324: Show Rollback Log

    This example shows how to display the rollback verification log:
    switch# show rollback log verify
    --------------------------------------------------------------------------------
    time: Mon, 09:48:56 06 Sep 2010
    Status: success
    --------------------------------------------------------------------------------
    time: Mon, 09:48:58 06 Sep 2010
    Status: success
    switch#
  • Page 325 Related Commands:
    rollback: Restores the active configuration to the checkpoint state.
  • Page 326: Show Running-Config Aaa

    Configures the default AAA authorization methods for all configuration commands (aaa authorization config-commands default).
    aaa group server radius: Creates a RADIUS server group.
    aaa user default-role: Enables the default role assigned by the AAA server administrator for remote authentication.
  • Page 327: Show Running-Config Aclmgr

    130 deny tcp any range 200 300 any lt 600
    140 deny tcp any range 200 300 any lt 600
    ip access-list dot
    statistics per-entry
    10 permit ip 20.1.1.1 255.255.255.0 20.10.1.1 255.255.255.0 precedence flash-override
    <snip>
  • Page 328 Copies the running configuration to the startup configuration file (copy running-config startup-config).
    ip access-class: Configures IPv4 access classes for VTY.
    ipv6 access-class: Configures IPv6 access classes for VTY.
    show startup-config aclmgr: Displays the ACL startup configuration.
  • Page 329: Show Running-Config Arp

  • Page 330 Logs ARP debug events into the event history buffer (errors).
    ip arp timeout: Configures an ARP timeout.
    ip arp inspection: Displays general information about DHCP snooping.
    show startup-config: Displays the ARP startup configuration.
  • Page 331: Show Running-Config Dhcp

    This example shows how to display the DHCP snooping configuration with the default information:
    switch# show running-config dhcp all
    !Command: show running-config dhcp all
    !Time: Mon Aug 23 09:10:11 2010
    version 5.2(1)N1(1)
    feature dhcp
    ip dhcp snooping
  • Page 332 Enables IP Source Guard on a Layer 2 interface.
    show ip dhcp snooping: Displays general information about DHCP snooping.
    show ip verify source: Displays the IP-MAC address bindings.
    show startup-config dhcp: Displays the DHCP startup configuration.
  • Page 333: Show Running-Config Radius

    !Time: Wed Aug 25 10:25:41 2010
    version 5.2(1)N1(1)
    radius-server host 192.168.1.1 key 7 "KkwyCet" authentication accounting
    aaa group server radius r1
      server 192.168.1.1
    switch#
    Related Commands:
    show radius-server: Displays RADIUS information.
  • Page 334: Show Running-Config Security

    Creates a Secure Shell (SSH) connection using IPv4.
    ssh6: Creates a Secure Shell (SSH) connection using IPv6.
    telnet: Creates a Telnet session using IPv4.
    telnet6: Creates a Telnet session using IPv6.
    username: Configures a user account.
  • Page 336: Show Ssh Key

    2 22:49:27 2010
    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0iACA1fHAeIaY6PD5fSBLqGX3MIn+k72qhdvLNib7dL7
    8CRQVS1AlQiDDTrvyIfRZ5yHMDQndvcmRfkJzluSCW2FP8vokZ66aXFk8TBTFc5Bn3NUiUyPZyhPtFD2
    LaHBCkxl0MxEP+nmPJ6Qf6mBzZVAIdLw8Nd64ZwqVHHjeFc=
    bitcount:1024
    fingerprint:
    bb:bf:a4:c0:22:3b:70:15:e4:2b:2b:bb:08:41:82:d4
    **************************************
    could not retrieve dsa key information
    **************************************
    switch#
    Related Commands:
    ssh server key: Configures the SSH server key.
  • Page 337: Show Ssh Server

    This example shows how to display the SSH server status:
    switch# show ssh server
    ssh version 2 is enabled
    switch#
    Related Commands:
    ssh server enable: Enables the SSH server.
  • Page 338: Show Startup-Config Aaa

    This example shows how to display the AAA information in the startup configuration:
    switch# show startup-config aaa
    Related Commands:
    show running-config aaa: Displays AAA configuration information in the running configuration.
  • Page 339: Show Startup-Config Aclmgr

    110 permit tcp any gt 300 any lt 400
    130 deny tcp any range 200 300 any lt 600
    140 deny tcp any range 200 300 any lt 600
    <snip>
    vlan access-map vacl-mac
      match mac address acl-mac
      action forward
  • Page 340 Copies the running configuration to the startup configuration file (copy running-config startup-config).
    ip access-class: Configures IPv4 access classes for VTY.
    ipv6 access-class: Configures IPv6 access classes for VTY.
    show running-config aclmgr: Displays the ACL running configuration.
  • Page 341: Show Startup-Config Arp

    Logs ARP debug events into the event history buffer (errors).
    ip arp timeout: Configures an ARP timeout.
    ip arp inspection: Displays general information about DHCP snooping.
    show running-config: Displays the ARP running configuration.
  • Page 342: Show Startup-Config Dhcp

    15,37-48
    switch#
    Related Commands:
    copy running-config startup-config: Copies the running configuration to the startup configuration.
  • Page 343 feature dhcp: Enables the DHCP snooping feature on the device.
    show running-config dhcp: Displays the DHCP running configuration.
  • Page 344: Show Startup-Config Radius

    This example shows how to display the RADIUS information in the startup configuration:
    switch# show startup-config radius
    Related Commands:
    show running-config radius: Displays RADIUS server information in the running configuration.
  • Page 345: Show Startup-Config Security

    This example shows how to display the user account, SSH server, and Telnet server information in the startup configuration:
    switch# show startup-config security
    Related Commands:
    show running-config security: Displays user account, Secure Shell (SSH) server, and Telnet server security information in the running configuration.
  • Page 346: Show Tacacs-Server

    192.168.2.2
    This example shows how to display the TACACS+ directed request configuration:
    switch# show tacacs-server directed-request
    This example shows how to display information for TACACS+ server groups:
    switch# show tacacs-server groups
  • Page 347 This example shows how to display statistics for a specified TACACS+ server:
    switch# show tacacs-server statistics 192.168.2.2
    Related Commands:
    show running-config tacacs+: Displays the TACACS+ information in the running configuration file.
  • Page 348: Show Telnet Server

    5.2(1)N1(1): This command was introduced.
    Examples
    This example shows how to display the Telnet server status:
    switch# show telnet server
    Related Commands:
    telnet server enable: Enables the Telnet server.
  • Page 349: Show User-Account

    This example shows how to display information about a specific user account:
    switch# show user-account admin
    user:admin
            this user account has no expiry date
            roles:network-admin
    switch#
    Related Commands:
    username: Configures a user account.
  • Page 350: Show Users

    Aug 24 22:19 10:41 4681
    admin    pts/0    Aug 25 03:39 8890 (72.163.177.191) *
    switch#
    Related Commands:
    clear user: Logs out a specific user.
    username: Creates and configures a user account.
  • Page 351: Show Vlan Access-List

    Displays all IPv4 ACLs or a specific IPv4 ACL.
    show mac access-lists: Displays all MAC ACLs or a specific MAC ACL.
    vlan access-map: Configures a VLAN access map.
  • Page 352: Show Vlan Access-Map

    Displays information about how a VLAN access map is applied.
    vlan access-map: Configures a VLAN access map.
    vlan filter: Applies a VLAN access map to one or more VLANs.
  • Page 353: Show Vlan Filter

    Displays all VLAN access maps or a VLAN access map.
    vlan access-map: Configures a VLAN access map.
    vlan filter: Applies a VLAN access map to one or more VLANs.
  • Page 355: T Commands

    T Commands This chapter describes the Cisco NX-OS security commands that begin with T.
  • Page 356: Tacacs-Server Deadtime

    10
    Related Commands:
    deadtime: Sets a dead-time interval for monitoring a nonresponsive RADIUS or TACACS+ server group.
    feature tacacs+: Enables TACACS+.
    show tacacs-server: Displays TACACS+ server information.
  • Page 357: Tacacs-Server Directed-Request

    This example shows how to prevent users from sending authentication requests to a specific TACACS+ server when logging in:
    switch(config)# no tacacs-server directed-request
    Related Commands:
    feature tacacs+: Enables TACACS+.
    show tacacs-server directed request: Displays a directed request TACACS+ server configuration.
  • Page 358: Tacacs-Server Host

    32 characters. timeout seconds (Optional) Configures a TACACS+ server timeout period (in seconds) between retransmissions to the TACACS+ server. The range is from 1 to 60 seconds.
  • Page 359 192.168.2.3 test idle-time 10
    switch(config)# tacacs-server host 192.168.2.3 test username tester
    switch(config)# tacacs-server host 192.168.2.3 test password 2B9ka5
    Related Commands:
    feature tacacs+: Enables TACACS+.
    show tacacs-server: Displays TACACS+ server information.
  • Page 360: Tacacs-Server Key

    This example shows how to configure TACACS+ server shared keys:
    switch(config)# tacacs-server key AnyWord
    switch(config)# tacacs-server key 0 AnyWord
    switch(config)# tacacs-server key 7 public
    Related Commands:
    feature tacacs+: Enables TACACS+.
    show tacacs-server: Displays TACACS+ server information.
  • Page 361: Tacacs-Server Timeout

    This example shows how to revert to the default TACACS+ server timeout value:
    switch(config)# no tacacs-server timeout 3
    Related Commands:
    feature tacacs+: Enables TACACS+.
    show tacacs-server: Displays TACACS+ server information.
  • Page 362: Telnet

    telnet
    To create a Telnet session using IPv4 on a Cisco Nexus 5000 Series switch, use the telnet command.
    telnet {ipv4-address | hostname} [port-number] [vrf {vrf-name | default | management}]
    Syntax Description
    ipv4-address: IPv4 address of the remote switch.
  • Page 363: Telnet Server Enable

    This example shows how to enable the Telnet server:
    switch(config)# telnet server enable
    This example shows how to disable the Telnet server:
    switch(config)# no telnet server enable
    Related Commands:
    show telnet server: Displays the Telnet server status.
  • Page 364: Telnet6

    telnet6
    To create a Telnet session using IPv6 on the Cisco NX-OS switch, use the telnet6 command.
    telnet6 {ipv6-address | hostname} [port-number] [vrf {vrf-name | default | management}]
    Syntax Description
    ipv6-address: IPv6 address of the remote device.
  • Page 365: U Commands

    U Commands This chapter describes the Cisco NX-OS security commands that begin with U.
  • Page 366: Use-Vrf

    TacServer
    switch(config-tacacs+)# use-vrf management
    This example shows how to remove the VRF instance from a TACACS+ server group:
    switch(config)# aaa group server tacacs+ TacServer
    switch(config-tacacs+)# no use-vrf management
  • Page 367 Enables TACACS+.
    radius-server host: Configures a RADIUS server.
    show radius-server groups: Displays RADIUS server information.
    show tacacs-server groups: Displays TACACS+ server information.
    tacacs-server host: Configures a TACACS+ server.
    Configures a VRF instance.
  • Page 368: Username

    User identifier for the user account. The user-id argument is a case-sensitive, alphanumeric character string with a maximum length of 28 characters.
    Note: The Cisco NX-OS software does not allow the “#” and “@” characters in the user-id argument text string.
  • Page 369 If you do not specify a password for the user account, the user might not be able to log in to the account.
    Caution: You must enable the cumulative privilege roles for the TACACS+ server using the feature privilege command to see the priv-lvl keyword.
  • Page 370 Enables the cumulative privilege of roles for command authorization on TACACS+ servers.
    show privilege: Displays the current privilege level, username, and status of cumulative privilege support for a user.
    show user-account: Displays the user account configuration.
  • Page 371: Commands

    V Commands This chapter describes the Cisco NX-OS security commands that begin with V.
  • Page 372: Vlan Access-Map

    Displays all VLAN access maps or a VLAN access map.
    show vlan filter: Displays information about how a VLAN access map is applied.
    vlan filter: Applies a VLAN access map to one or more VLANs.
  • Page 373: Vlan Filter

    VLANs where it is currently applied, use the VLAN-list argument to specify the VLANs where the access map should be removed.
    Examples
    This example shows how to apply a VLAN access map named vlan-map-01 to VLANs 20 through 45:
    switch(config)# vlan filter vlan-map-01 20-45
  • Page 374 Displays all VLAN access maps or a VLAN access map.
    show vlan filter: Displays information about how a VLAN access map is applied.
    vlan access-map: Configures a VLAN access map.
  • Page 375: Vlan Policy Deny

    MyRole
    switch(config-role)# no vlan policy deny
    Related Commands:
    role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.
  • Page 376: Vrf Policy Deny

    MyRole
    switch(config-role)# no vrf policy deny
    Related Commands:
    role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.
  • Page 377: Vsan Policy Deny

    Configures permit access to a VSAN policy for a user.
    role name: Creates or specifies a user role and enters user role configuration mode.
    show role: Displays user role information.