background image

C H A P T E R

11

Configuring MAC ACLs

This chapter describes how to configure MAC access lists (ACLs) on Cisco NX-OS devices.

This chapter contains the following sections:

About MAC ACLs, on page 285

Licensing Requirements for MAC ACLs, on page 286

Guidelines and Limitations for MAC ACLs, on page 286

Default Settings for MAC ACLs, on page 286

Configuring MAC ACLs, on page 287

Verifying the MAC ACL Configuration, on page 293

Monitoring and Clearing MAC ACL Statistics, on page 293

Configuration Example for MAC ACLs, on page 294

Additional References for MAC ACLs, on page 294

About MAC ACLs

MAC ACLs are ACLs that use information in the Layer 2 header of packets to filter traffic. MAC ACLs share
many fundamental concepts with IP ACLs, including support for virtualization.

MAC Packet Classification

MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies
to all traffic entering the interface, including IP traffic, or to non-IP traffic only.

Effect on Interface

MAC Packet Classification
State

• A MAC ACL that is on the interface applies to all traffic entering the

interface, including IP traffic.

• You cannot apply an IP port ACL on the interface.

Enabled

• A MAC ACL that is on the interface applies only to non-IP traffic

entering the interface.

• You can apply an IP port ACL on the interface

Disabled

Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x

285

Summary of Contents for Nexus 9000 Series

Page 1: ...onfiguration Guide Release 9 x First Published 2018 07 17 Last Modified 2018 11 05 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ...RSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES Any Internet Protocol IP addresses and pho...

Page 3: ...and Changed Information 1 C H A P T E R 1 New and Changed Information 1 Overview 3 C H A P T E R 2 Authentication Authorization and Accounting 3 RADIUS and TACACS Security Protocols 4 LDAP 5 SSH and Telnet 5 User Accounts and Roles 5 IP ACLs 5 MAC ACLs 6 VACLs 6 DHCP Snooping 6 Dynamic ARP Inspection 6 IP Source Guard 7 Password Encryption 7 Keychain Management 7 Cisco Nexus 9000 Series NX OS Secu...

Page 4: ... 14 Configuring AAA 15 Process for Configuring AAA 15 Configuring Console Login Authentication Methods 15 Configuring Default Login Authentication Methods 17 Disabling Fallback to Local Authentication 19 Enabling the Default User Role for AAA Authentication 20 Enabling Login Authentication Failure Messages 21 Logging Successful and Failed Login Attempts 22 Enabling CHAP Authentication 23 Enabling ...

Page 5: ...40 Vendor Specific Attributes 41 Licensing Requirements for RADIUS 42 Prerequisites for RADIUS 42 Guidelines and Limitations for RADIUS 42 Default Settings for RADIUS 43 Configuring RADIUS Servers 43 RADIUS Server Configuration Process 44 Configuring RADIUS Server Hosts 44 Configuring Global RADIUS Keys 46 Configuring a Key for a Specific RADIUS Server 47 Configuring RADIUS Server Groups 48 Config...

Page 6: ...ACS Server Encryption Type and Secret Key 69 Command Authorization Support for TACACS Servers 69 TACACS Server Monitoring 69 Vendor Specific Attributes for TACACS 70 Cisco VSA Format for TACACS 70 Licensing Requirements for TACACS 71 Prerequisites for TACACS 71 Guidelines and Limitations for TACACS 71 Default Settings for TACACS 72 Configuring TACACS 72 TACACS Server Configuration Process 72 Enabl...

Page 7: ...ommands for Users of Privilege Roles 96 Manually Monitoring TACACS Servers or Groups 97 Disabling TACACS 98 Monitoring TACACS Servers 99 Clearing TACACS Server Statistics 99 Verifying the TACACS Configuration 100 Configuration Examples for TACACS 100 Where to Go Next 102 Additional References for TACACS 102 Configuring LDAP 105 C H A P T E R 6 About LDAP 105 LDAP Authentication and Authorization 1...

Page 8: ...stics 123 Verifying the LDAP Configuration 123 Configuration Examples for LDAP 124 Where to Go Next 124 Additional References for LDAP 125 Configuring SSH and Telnet 127 C H A P T E R 7 About SSH and Telnet 127 SSH Server 127 SSH Client 127 SSH Server Keys 128 SSH Authentication Using Digital Certificates 128 Telnet Server 129 Licensing Requirements for SSH and Telnet 129 Prerequisites for SSH and...

Page 9: ...ote Devices 148 Clearing Telnet Sessions 149 Verifying the SSH and Telnet Configuration 149 Configuration Example for SSH 150 Configuration Example for SSH Passwordless File Copy 151 Configuration Example for X 509v3 Certificate Based SSH Authentication 153 Additional References for SSH and Telnet 153 Configuring User Accounts and RBAC 155 C H A P T E R 8 About User Accounts and RBAC 155 User Acco...

Page 10: ... Interfaces 180 Ports in Authorized and Unauthorized States 180 MAC Authentication Bypass 181 Dynamic VLAN Assignment based on MAC Based Authentication MAB 181 VLAN Assignment from RADIUS 182 Single Host and Multiple Hosts Support 182 Supported Topology 182 Licensing Requirements for 802 1X 183 Prerequisites for 802 1X 183 802 1X Guidelines and Limitations 183 Default Settings for 802 1X 185 Confi...

Page 11: ... Retry Count on an Interface 204 Verifying the 802 1X Configuration 205 802 1X Support for VXLAN EVPN 205 Guidelines and Limitations for 802 1X Support for VXLAN EVPN 205 Configuring 802 1X Support for VXLAN EVPN 206 Verifying the 802 1X Support for VXLAN EVPN 207 Monitoring 802 1X 210 Configuration Example for 802 1X 210 Additional References for 802 1X 211 Configuring IP ACLs 213 C H A P T E R 1...

Page 12: ...ng TCAM Carving 250 Configuring UDF Based Port ACLs 257 Applying an IP ACL as a Router ACL 259 Applying an IP ACL as a Port ACL 260 Applying an IP ACL as a VACL 262 Configuring IPv4 ACL Logging 262 Configuring ACLs Using HTTP Methods to Redirect Requests 264 Verifying the IP ACL Configuration 267 Monitoring and Clearing IP ACL Statistics 269 Configuration Examples for IP ACLs 269 About System ACLs...

Page 13: ...5 MAC Packet Classification 285 Licensing Requirements for MAC ACLs 286 Guidelines and Limitations for MAC ACLs 286 Default Settings for MAC ACLs 286 Configuring MAC ACLs 287 Creating a MAC ACL 287 Changing a MAC ACL 288 Changing Sequence Numbers in a MAC ACL 289 Removing a MAC ACL 290 Applying a MAC ACL as a Port ACL 290 Applying a MAC ACL as a VACL 291 Enabling or Disabling MAC Packet Classifica...

Page 14: ...Additional References for VACLs 302 Configuring Port Security 303 C H A P T E R 1 3 About Port Security 303 Secure MAC Address Learning 303 Static Method 304 Dynamic Method 304 Sticky Method 304 Dynamic Address Aging 305 Secure MAC Address Maximums 305 Security Violations and Actions 306 Port Security and Port Types 307 Port Security and Port Channel Interfaces 307 Port Type Changes 309 Licensing ...

Page 15: ...ation Example for Port Security 323 Configuration Examples for Port Security in a vPC Domain 324 Example Configuring Port Security on an Orphan Port 324 Example Configuring Port Security on the vPC Leg 324 Additional References for Port Security 325 Configuring DHCP 327 C H A P T E R 1 4 About DHCP Snooping 327 Trusted and Untrusted Sources 328 DHCP Snooping Binding Database 328 DHCP Snooping in a...

Page 16: ...guring an Interface as a DHCP Relay Trusted or Untrusted Port 346 Configuring all Interfaces as Trusted or Untrusted 347 Enabling or Disabling the DHCP Relay Agent 348 Enabling or Disabling Option 82 for the DHCP Relay Agent 349 Enabling or Disabling VRF Support for the DHCP Relay Agent 350 Configuring DHCP Server Addresses on an Interface 351 Configuring the DHCP Relay Source Interface 353 Enabli...

Page 17: ...uidelines and Limitations of First Hop Security 370 About vPC First Hop Security Configuration 371 DHCP Relay On stack 371 DHCP Relay on VPC Leg 372 DHCP Client Relay on Orphan Ports 373 RA Guard 374 Overview of IPv6 RA Guard 374 Guidelines and Limitations of IPv6 RA Guard 375 DHCPv6 Guard 375 Overview of DHCP DHCPv6 Guard 375 Limitation of DHCPv6 Guard 375 IPv6 Snooping 376 Overview of IPv6 Snoop...

Page 18: ... Licensing Requirements for DAI 392 Prerequisites for DAI 392 Guidelines and Limitations for DAI 393 Default Settings for DAI 393 Configuring DAI 394 Enabling or Disabling DAI on VLANs 394 Configuring the DAI Trust State of a Layer 2 Interface 395 Enabling or Disabling Additional Validation 396 Configuring the DAI Logging Buffer Size 397 Configuring DAI Log Filtering 398 Verifying the DAI Configur...

Page 19: ... A P T E R 1 8 About AES Password Encryption and Master Encryption Keys 413 Licensing Requirements for Password Encryption 413 Guidelines and Limitations for Password Encryption 414 Default Settings for Password Encryption 414 Configuring Password Encryption 414 Configuring a Master Key and Enabling the AES Password Encryption Feature 414 Converting Existing Passwords to Type 6 Encrypted Passwords...

Page 20: ...Configuring Traffic Storm Control 431 C H A P T E R 2 0 About Traffic Storm Control 431 Licensing Requirements for Traffic Storm Control 432 Guidelines and Limitations for Traffic Storm Control 433 Default Settings for Traffic Storm Control 434 Configuring Traffic Storm Control 434 Verifying Traffic Storm Control Configuration 436 Monitoring Traffic Storm Control Counters 436 Configuration Example...

Page 21: ...cing 453 C H A P T E R 2 3 About CoPP 453 Control Plane Protection 454 Control Plane Packet Types 454 Classification for CoPP 455 Rate Controlling Mechanisms 455 Dynamic and Static CoPP ACLs 456 Default Policing Policies 457 Modular QoS Command Line Interface 469 CoPP and the Management Interface 470 Licensing Requirements for CoPP 470 Guidelines and Limitations for CoPP 470 Default Settings for C...

Page 22: ...ate Limits 494 Guidelines and Limitations for Rate Limits 494 Default Settings for Rate Limits 495 Configuring Rate Limits 495 Monitoring Rate Limits 497 Clearing the Rate Limit Statistics 497 Verifying the Rate Limit Configuration 498 Configuration Examples for Rate Limits 498 Additional References for Rate Limits 499 Configuring MACsec 501 C H A P T E R 2 5 About MACsec 501 Key Lifetime and Hitl...

Page 23: ...nabling EAPOL Configuration 511 Disabling EAPOL Configuration 512 Verifying the MACsec Configuration 513 Displaying MACsec Statistics 515 Configuration Example for MACsec 518 XML Examples 519 MIBs 527 Related Documentation 528 Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x xxiii Contents ...

Page 24: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x xxiv Contents ...

Page 25: ...the commands and keywords that you enter literally as shown bold Italic text indicates arguments for which the user supplies the values Italic Square brackets enclose an optional element keyword or argument x Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice x y Braces enclosing keywords or arguments separated by a vertical bar indicate a requi...

Page 26: ...co Nexus 9000 Series switch documentation set is available at the following URL http www cisco com en US products ps13386 tsd_products_support_series_home html Documentation Feedback To provide technical feedback on this document or to report an error or omission please send your comments to nexus9k docfeedback cisco com We appreciate your feedback Obtaining Documentation and Submitting a Service ...

Page 27: ...Changed in Release Description Feature Configuring 802 1X on page 177 9 2 2 Added 802 1X support for VXLAN EVPN on all Cisco Nexus 9000 Series switches 802 1x Configuring Control Plane Policing on page 453 9 2 2 Added support for protocol ACL filtering at egress CoPP on Cisco Nexus 9300 EX 9300 FX and 9500 platform switches CoPP Configuring MACsec on page 501 9 2 2 Added the ability to configure t...

Page 28: ...on page 127 9 2 1 Added support for ECDSA the show rekey command and the ability to change the default SSHv2 port SSH Guidelines and Limitations for Traffic Storm Control on page 433 9 2 1 Added the ability to enable packets per second for Cisco Nexus 9336C FX2 Cisco Nexus 93240YC FX2 and Cisco Nexus 93240YC FX2 Z switches Traffic Strom Control Configuring Unicast RPF on page 439 9 2 1 Added suppo...

Page 29: ...t on page 7 Traffic Storm Control on page 7 Control Plane Policing on page 8 Rate Limits on page 8 Software Image on page 8 Virtual Device Contexts on page 8 Authentication Authorization and Accounting Authentication authorization and accounting AAA is an architectural framework for configuring a set of three independent security functions in a consistent modular manner Authentication Provides the...

Page 30: ... TACACS or if you want to configure a backup authentication method Note Related Topics Configuring AAA RADIUS and TACACS Security Protocols AAA uses security protocols to administer its security functions If your router or access server is acting as a network access server AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS securi...

Page 31: ...name as the remote device address Related Topics Configuring SSH and Telnet User Accounts and Roles You can create and manage user accounts and assign roles that limit access to operations on the Cisco NX OS device Role based access control RBAC allows you to define the rules for an assign role that restrict the authorization that the user has to access management operations Related Topics Configu...

Page 32: ...opics Configuring VLAN ACLs DHCP Snooping DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers DHCP snooping performs the following activities Validates DHCP messages received from untrusted sources and filters out invalid messages Builds and maintains the DHCP snooping binding database which contains information about untrusted hosts with leased IP addresses Uses th...

Page 33: ...ype 6 encrypted format A master encryption key is used to encrypt and decrypt the passwords You can also use this feature to convert all existing weakly encrypted passwords to type 6 encrypted passwords Related Topics Configuring Password Encryption Keychain Management Keychain management allows you to create and maintain keychains which are sequences of keys sometimes called shared secrets You ca...

Page 34: ...sult in the control plane spending a large amount of time in handling these packets which makes the control plane unable to process genuine traffic Related Topics Configuring Control Plane Policing Rate Limits Rate limits can prevent redirected packets for egress exceptions from overwhelming the supervisor module on a Cisco NX OS device Related Topics Configuring Rate Limits Software Image The Cis...

Page 35: ... AAA This section includes information about AAA on Cisco NX OS devices AAA Security Services The AAA feature allows you to verify the identity of grant access to and track the actions of users managing a Cisco NX OS device Cisco NX OS devices support Remote Access Dial In User Service RADIUS or Terminal Access Controller Access Control System Plus TACACS protocols Based on the user ID and passwor...

Page 36: ...ting and reporting The accounting feature tracks and maintains a log of every management session used to access the Cisco NX OS device You can use this information to generate reports for troubleshooting and auditing purposes You can store accounting logs locally or send them to remote AAA servers The Cisco NX OS software supports authentication authorization and accounting independently For examp...

Page 37: ...on User management session accounting This table provides the related CLI command for each AAA service configuration option Table 2 AAA Service Configuration Commands Related Command AAA Service Configuration Option aaa authentication login default Telnet or SSH login aaa authentication login console Console login aaa accounting default User session accounting You can specify the following authent...

Page 38: ...es each option in the order specified The local option is the default method when other configured options fail You can disable the local option for the console or default login by using the no aaa authentication login console default fallback error local command Note Authentication and Authorization Process for User Login Figure 1 Authorization and Authentication Flow for User Login This figure s...

Page 39: ...l database No more server groups left means that there is no response from any server in all server groups No more servers left means that there is no response from any server within this server group Note AES Password Encryption and Master Encryption Keys You can enable strong reversible 128 bit Advanced Encryption Standard AES password encryption also known as type 6 encryption To start using ty...

Page 40: ...hentication login ascii authentication command only for TACACS and not for RADIUS If you modify the default login authentication method without using the local keyword the configuration overrides the console login authentication method To explicitly configure the console authentication method use the aaa authentication login console group group list none local none command The login block for and ...

Page 41: ...n your Cisco NX OS device 2 Configure console login authentication methods 3 Configure default login authentication methods for user logins 4 Configure default AAA accounting default methods Configuring Console Login Authentication Methods This section describes how to configure the authentication methods for the console login The authentication methods include the following Global pool of RADIUS ...

Page 42: ...pose Command or Action Enters configuration mode configure terminal Example Step 1 switch configure terminal switch config Configures login authentication methods for the console aaa authentication login console group group list none local none Step 2 The group list argument consists of a space delimited list of group names The group names are the following Example switch config aaa authentication...

Page 43: ...RADIUS servers Named subset of RADIUS TACACS or LDAP servers Local database on the Cisco NX OS device Username only The default method is local but you have the option to disable it Before you begin Configure RADIUS TACACS or LDAP server groups as needed SUMMARY STEPS 1 configure terminal 2 aaa authentication login default group group list none local none 3 exit 4 Optional show aaa authentication ...

Page 44: ...thentication groups with no authentication Local authentication No authentication The local keyword is not supported and is not required when configuring AAA authentication groups because local authentication is the default if remote servers are unreachable For example if you configure aaa authentication login default group g1 local authentication is tried if you are unable to authenticate using A...

Page 45: ...ote authentication for the console or default login SUMMARY STEPS 1 configure terminal 2 no aaa authentication login console default fallback error local 3 Optional exit 4 Optional show aaa authentication 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters configuration mode configure terminal Example Step 1 switch configure terminal switch config Disables...

Page 46: ...annot log in to the device SUMMARY STEPS 1 configure terminal 2 aaa user default role 3 exit 4 Optional show aaa user default role 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters configuration mode configure terminal Example Step 1 switch configure terminal switch config Enables the default user role for AAA authentication The default is enabled aaa us...

Page 47: ... 3 exit 4 Optional show aaa authentication 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters configuration mode configure terminal Example Step 1 switch configure terminal switch config Enables login authentication failure messages The default is disabled aaa authentication login error enable Example Step 2 switch config aaa authentication login error en...

Page 48: ...M_MSG pam_aaa Authentication failed for user admin from 172 22 00 00 When logging level authpriv is 6 additional Linux kernel authentication messages appear along with the previous message If these additional messages need to be ignored the authpriv value should be set to 3 Note Logs all successful authentication messages to the configured syslog server With this configuration the following syslog...

Page 49: ...ver to recognize the CHAP vendor specific attributes VSAs Cisco Nexus 9K Series switches support the CLI command aaa authentication login ascii authentication only for TACAAS but not for RADIUS Ensure that you have disabled aaa authentication login ascii authentication switch so that the default authentication PAP is enabled Otherwise you will see syslog errors For example 2017 Jun 14 16 14 15 N9K...

Page 50: ...login chap enable Exits configuration mode Optional exit Example Step 4 switch config exit switch Displays the CHAP configuration Optional show aaa authentication login chap Example Step 5 switch show aaa authentication login chap Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch copy running config startup config Enabli...

Page 51: ... Description VSA Vendor Type Number Vendor ID Number Contains the challenge sent by an AAA server to an MSCHAP or MSCHAP V2 user It can be used in both Access Request and Access Challenge packets MSCHAP Challenge 11 311 Contains the response value provided by an MSCHAP or MSCHAP V2 user in response to the challenge It is only used in Access Request packets MSCHAP Response 11 211 Before you begin D...

Page 52: ...g Default Methods Cisco NX OS software supports TACACS and RADIUS methods for accounting Cisco NX OS devices report user activity to TACACS or RADIUS security servers in the form of accounting records Each accounting record contains accounting attribute value AV pairs and is stored on the AAA server When you activate AAA accounting the Cisco NX OS device reports these attributes as accounting reco...

Page 53: ...radius radius Uses the global pool of RADIUS servers for accounting named group Uses a named subset of TACACS or RADIUS servers for accounting The local method uses the local database for accounting The default method is local which is used when no server groups are configured or when all the configured server groups fail to respond Exits configuration mode exit Example Step 3 switch config exit s...

Page 54: ...h authentication results This authorization information is specified through VSAs VSA Format The following VSA protocol options are supported by the Cisco NX OS software Shell Protocol used in access accept packets to provide user profile information Accounting Protocol used in accounting request packets If a value contains any white spaces put it within double quotation marks The following attrib...

Page 55: ...roleA roleB snmpv3 auth SHA priv AES 128 The SNMPv3 authentication protocol options are SHA and MD5 The privacy protocol options are AES 128 and DES If you do not specify these options in the cisco av pair attribute MD5 and DES are the default authentication protocols Configuring Secure Login Features Configuring Login Parameters You can configure login parameters to automatically block further lo...

Page 56: ... be applied to the switch when it changes to quiet mode When the switch is in quiet mode Optional no system login quiet mode access class acl name Step 3 all login requests are denied and the only available connection is through the console Example switch config system login quiet mode access class myacl Displays the login parameters The failures option displays information related only to failed ...

Page 57: ...running config startup config Example Step 4 switch config copy running config startup config Restricting the Password Length You can restrict the minimum and maximum length of the user password This feature enables you to increase system security by forcing the user to provide a strong password Before you begin You must enable password strength checking using the password strength check command I...

Page 58: ...or the Username You can configure the switch to prompt the user to enter a password after entering the username SUMMARY STEPS 1 configure terminal 2 password prompt username 3 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal Configures the switch to prompt the user to en...

Page 59: ...ation mode configure terminal Example Step 1 switch configure terminal Configures the RADIUS or TACACS shared secret with key type 7 You are prompted to enter the shared secret in generate type7_encrypted_secret Example Step 2 plain text twice The secret is hidden as you enter it Then an encrypted version of the secret appears switch config generate type7_encrypted_secret Type 7 Vigenere Encryptio...

Page 60: ...g sequence number or a starting time for the log output The range of the starting index is from 1 to 1000000 Use the last index keyword to display the value of the last index number in the accounting log file Clears the accounting log contents The logflash keyword clears the accounting log stored in the logflash Optional clear accounting log logflash Example Step 2 switch clear aaa accounting log ...

Page 61: ...login sessions allowed per user show running config all i max login Displays the AAA configuration in the startup configuration show startup config aaa Displays the minimum and maximum length of the user password show userpassphrase length max length min length Configuration Examples for AAA The following example shows how to configure AAA aaa authentication login default group radius aaa authenti...

Page 62: ...s Switch presently in Quiet Mode Will remain in Quiet Mode for 98 seconds Denying logins from all sources switch config show login failures Information about last 20 login failure s with the device Username Line SourceIPAddr Appname TimeStamp asd dev pts 0 171 70 55 158 login Mon Aug 3 18 18 54 2015 qweq dev pts 0 171 70 55 158 login Mon Aug 3 18 19 02 2015 qwe dev pts 0 171 70 55 158 login Mon Au...

Page 63: ...nt password will not be hidden N9K 1 config snmp server user user1 Enter auth md5 password Press Enter to Skip Enter auth sha password Press Enter to Skip Additional References for AAA This section includes additional information related to implementing AAA Related Documents Document Title Related Topic Cisco NX OS Licensing Guide Cisco NX OS Licensing Standards Title Standards No new or modified ...

Page 64: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 38 Configuring AAA Additional References for AAA ...

Page 65: ...secure networks against unauthorized access In the Cisco implementation RADIUS clients run on Cisco NX OS devices and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information RADIUS Network Environments RADIUS can be implemented in a variety of network environments that require high levels of security while ...

Page 66: ...the user CHANGE PASSWORD A request is issued by the RADIUS server asking the user to select a new password The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization You must first complete RADIUS authentication before using RADIUS authorization The additional data included with the ACCEPT or REJECT packets consists of the following Services that t...

Page 67: ...horization the separator is equal sign for mandatory attributes and asterisk indicates optional attributes When you use RADIUS servers for authentication on a Cisco NX OS device the RADIUS protocol directs the RADIUS server to return user attributes such as authorization information with authentication results This authorization information is specified through VSAs The following VSA protocol opti...

Page 68: ...attribute is sent only in the VSA portion of the Account Request frames from the RADIUS client on the switch It can be used only with the accounting protocol data units PDUs Licensing Requirements for RADIUS This table shows the licensing requirements for this feature License Requirement Product RADIUS requires no license Any feature not included in a license package is bundled with the nx os imag...

Page 69: ...scii authentication switch so that the default authentication PAP is enabled Otherwise you will see syslog errors Default Settings for RADIUS This table lists the default settings for RADIUS parameters Table 7 Default RADIUS Parameter Settings Default Parameters Authentication and accounting Server roles 0 minutes Dead timer interval 1 Retransmission count 5 seconds Retransmission timer interval 1...

Page 70: ...on is enabled commit the RADIUS configuration to the fabric Related Topics Configuring RADIUS Server Hosts on page 44 Configuring Global RADIUS Keys on page 46 Configuring RADIUS Server Hosts To access a remote RADIUS server you must configure the IP address or hostname of a RADIUS server You can configure up to 64 RADIUS servers By default when you configure a RADIUS server IP address or hostname...

Page 71: ... distribution Optional show radius pending pending diff Example Step 3 switch config show radius pending Applies the RADIUS configuration changes in the temporary database to the running configuration Optional radius commit Example Step 4 switch config radius commit Exits configuration mode exit Example Step 5 switch config exit switch Displays the RADIUS server configuration Optional show radius ...

Page 72: ...lear text format 0 is type 6 radius server key 0 6 7 key value Example Step 2 encrypted 6 or is type 7 encrypted 7 The Cisco NX OS switch config radius server key 0 QsEfThUkO software encrypts a clear text key before saving it to the running configuration The default format is clear text The maximum length is 63 characters Example switch config radius server key 7 fewhg By default no RADIUS key is...

Page 73: ...more RADIUS server hosts Obtain the key value for the remote RADIUS server Configure the key on the RADIUS server SUMMARY STEPS 1 configure terminal 2 radius server host ipv4 address ipv6 address hostname key 0 6 7 key value 3 exit 4 Optional show radius server 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal...

Page 74: ...mmand to display the encrypted RADIUS keys Note switch show radius server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch copy running config startup config Related Topics Configuring RADIUS Server Hosts on page 44 About AES Password Encryption and Master Encryption Keys on page 413 Configuring RADIUS Server Groups You...

Page 75: ...ple Step 3 If the specified RADIUS server is not found configure it using the radius server host command and retry this command switch config radius server 10 10 1 1 Configures the monitoring dead time The default is 0 minutes The range is from 1 through 1440 Optional deadtime minutes Example Step 4 If the dead time interval for a RADIUS server group is greater than zero 0 that value takes precede...

Page 76: ...fferent source interface for a specific RADIUS server group By default the Cisco NX OS software uses any available interface SUMMARY STEPS 1 configure terminal 2 ip radius source interface interface 3 exit 4 Optional show radius server 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch con...

Page 77: ... If you enable this option the user can log in as username vrfname hostname where vrfname is the VRF to use and hostname is the name of a configured RADIUS server If you enable the directed request option the Cisco NX OS device uses only the RADIUS method for authentication and not the default local method Note User specified logins are supported only for Telnet sessions Note SUMMARY STEPS 1 confi...

Page 78: ...tional copy running config startup config Example Step 7 switch copy running config startup config Configuring the Global RADIUS Transmission Retry Count and Timeout Interval You can configure a global retransmission retry count and timeout interval for all RADIUS servers By default a Cisco NX OS device retries transmission to a RADIUS server only once before reverting to local authentication You ...

Page 79: ...g configuration Optional radius commit Example Step 5 switch config radius commit Exits configuration mode exit Example Step 6 switch config exit switch Displays the RADIUS server configuration Optional show radius server Example Step 7 switch show radius server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 8 switch copy runn...

Page 80: ...r host server1 retransmit 3 Specifies the transmission timeout interval for a specific server The default is the global value radius server host ipv4 address ipv6 address hostname timeout seconds Step 3 Example The timeout interval value specified for a RADIUS server overrides the interval value specified for all RADIUS servers Note switch config radius server host server1 timeout 10 Displays the ...

Page 81: ...ages should be sent if there is a conflict with the default port Before you begin Configure one or more RADIUS server hosts SUMMARY STEPS 1 configure terminal 2 Optional radius server host ipv4 address ipv6 address hostname acct port udp port 3 Optional radius server host ipv4 address ipv6 address hostname accounting 4 Optional radius server host ipv4 address ipv6 address hostname auth port udp po...

Page 82: ...er only for authentication purposes The default is both accounting and authentication Optional radius server host ipv4 address ipv6 address hostname authentication Example Step 5 switch config radius server host 10 10 2 2 authentication Displays the RADIUS configuration pending for distribution Optional show radius pending pending diff Example Step 6 switch config show radius pending Applies the R...

Page 83: ...test servers periodically or you can run a one time only test To protect network security we recommend that you use a username that is not the same as an existing username in the RADIUS database Note The default idle timer value is 0 minutes When the idle time interval is 0 minutes periodic RADIUS server monitoring is not performed Note Before you begin Enable RADIUS SUMMARY STEPS 1 configure term...

Page 84: ...tep 5 switch show radius server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch copy running config startup config Related Topics Configuring Periodic RADIUS Server Monitoring on Individual Servers on page 58 Configuring Periodic RADIUS Server Monitoring on Individual Servers You can monitor the availability of individ...

Page 85: ...address ipv6 address hostname test idle time minutes password password Step 2 The default value for the idle timer is 0 minutes and the valid range is from 0 to 1440 minutes idle time minutes username name password password idle time minutes Example For periodic RADIUS server monitoring you must set the idle timer to a value greater than 0 Note switch config radius server host 10 10 1 1 test usern...

Page 86: ...ot marked as dead even if they are not responding You can configure the dead time interval for a RADIUS server group Note SUMMARY STEPS 1 configure terminal 2 radius server deadtime minutes 3 Optional show radius pending pending diff 4 Optional radius commit 5 exit 6 Optional show radius server 7 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global con...

Page 87: ...sco NX OS device by entering both a personal identification number or one time password and the token code being displayed at that moment on their RSA SecurID token The token code used for logging into the Cisco NX OS device changes every 60 seconds To prevent problems with device discovery we recommend using different usernames that are present on the Cisco Secure ACS internal database Note Befor...

Page 88: ...sage to a RADIUS server group to confirm availability test aaa group group name username password Example Step 2 switch test aaa group RadGroup user2 As3He3CI Verifying the RADIUS Configuration To display RADIUS configuration information perform one of the following tasks Purpose Command Displays the RADIUS Cisco Fabric Services distribution status and other details show radius status pending pend...

Page 89: ...er Statistics on page 63 Clearing RADIUS Server Statistics You can display the statistics that the Cisco NX OS device maintains for RADIUS server activity Before you begin Configure RADIUS servers on the Cisco NX OS device SUMMARY STEPS 1 Optional show radius server statistics hostname ipv4 address ipv6 address 2 clear radius server statistics hostname ipv4 address ipv6 address DETAILED STEPS Purp...

Page 90: ...0 10 1 1 Where to Go Next You can now configure AAA authentication methods to include the server groups Additional References for RADIUS This section describes additional information related to implementing RADIUS Related Documents Document Title Related Topic Cisco NX OS Licensing Guide Cisco NX OS Licensing Cisco Nexus 9000 Series NX OS Unicast Routing Configuration Guide VRF configuration Stand...

Page 91: ...IBs go to the following URL ftp ftp cisco com pub mibs supportlists nexus9000 Nexus9000MIBSupportList html MIBs related to RADIUS Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 65 Configuring RADIUS Additional References for RADIUS ...

Page 92: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 66 Configuring RADIUS Additional References for RADIUS ...

Page 93: ...to a Cisco NX OS device TACACS services are maintained in a database on a TACACS daemon running typically on a UNIX or Windows NT workstation You must have access to and must configure a TACACS server before the configured TACACS features on your Cisco NX OS device are available TACACS provides for separate authentication authorization and accounting facilities TACACS allows for a single access co...

Page 94: ...quires user authorization authorization begins REJECT User authentication failed The TACACS daemon either denies further access to the user or prompts the user to retry the login sequence ERROR An error occurred at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX OS device If the Cisco NX OS device receives an ERROR response the ...

Page 95: ...equests A Cisco NX OS device can periodically monitor a TACACS server to check whether it is responding or alive to save time in processing AAA requests The Cisco NX OS device marks unresponsive TACACS servers as dead and does not send AAA requests to any dead TACACS servers A Cisco NX OS device periodically monitors dead TACACS servers and brings them to the alive state once they are responding T...

Page 96: ...cept packets to provide user profile information Accounting Protocol used in accounting request packets If a value contains any white spaces you should enclose the value within double quotation marks The Cisco NX OS software supports the following attributes roles Lists all the roles to which the user belongs The value field is a string that lists the role names delimited by white space For exampl...

Page 97: ...ce If you have a user account configured on the local Cisco NX OS device that has the same name as a remote user account on an AAA server the Cisco NX OS software applies the user roles for the local user account to the remote user not the user roles configured on the AAA server Cisco recommends that you configure the dead time interval if more than six servers are configured in a group If you mus...

Page 98: ...that the Cisco NX OS commands for this feature might differ from the Cisco IOS commands that you would use Note TACACS Server Configuration Process Step 1 Enable TACACS Step 2 Establish the TACACS server connections to the Cisco NX OS device Step 3 Configure the secret keys for the TACACS servers Step 4 If needed configure TACACS server groups with subsets of the TACACS servers for AAA authenticat...

Page 99: ...xits configuration mode exit Example Step 3 switch config exit switch Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 4 switch copy running config startup config Configuring TACACS Server Hosts To access a remote TACACS server you must configure the IP address or the hostname for the TACACS server on the Cisco NX OS device You ...

Page 100: ...dress hostname Example Step 2 switch config tacacs server host 10 10 2 2 Displays the TACACS configuration pending for distribution Optional show tacacs pending pending diff Example Step 3 switch config show tacacs pending Applies the TACACS configuration changes in the temporary database to the running configuration Optional tacacs commit Example Step 4 switch config tacacs commit Exits configura...

Page 101: ...inal Example Step 1 switch configure terminal switch config Specifies a TACACS key for all TACACS server You can specify that the key value is in clear text format 0 is tacacs server key 0 6 7 key value Example Step 2 type 6 encrypted 6 or is type 7 encrypted 7 The Cisco switch config tacacs server key 0 QsEfThUkO NX OS software encrypts a clear text key before saving it to the running configurati...

Page 102: ...er Encryption Keys on page 413 Configuring a Key for a Specific TACACS Server You can configure secret keys for a TACACS server A secret key is a shared secret text string between the Cisco NX OS device and the TACACS server host Before you begin Enable TACACS Obtain the secret key values for the remote TACACS servers SUMMARY STEPS 1 configure terminal 2 tacacs server host ipv4 address ipv6 addres...

Page 103: ...ion mode exit Example Step 3 switch config exit switch Displays the TACACS server configuration Optional show tacacs server Step 4 Example The secret keys are saved in encrypted form in the running configuration Use the show running config command to display the encrypted secret keys Note switch show tacacs server Copies the running configuration to the startup configuration Optional copy running ...

Page 104: ...ame Example Step 3 If the specified TACACS server is not found configure it using the tacacs server host command and retry this command switch config tacacs server 10 10 2 2 Exits TACACS server group configuration mode exit Example Step 4 switch config tacacs exit switch config Displays the TACACS server group configuration Optional show tacacs server groups Example Step 5 switch config show tacac...

Page 105: ...erface interface Example Step 2 switch config ip tacacs source interface mgmt 0 Exits configuration mode exit Example Step 3 switch config exit switch Displays the TACACS server configuration information Optional show tacacs server Example Step 4 switch show tacacs server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch...

Page 106: ... request 7 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Allows users to specify a TACACS server to send the authentication request when logging in The default is disabled tacacs server directed request Example switch config tacacs server directed reques...

Page 107: ... determines how long the Cisco NX OS device waits for responses from a TACACS server before declaring a timeout failure Before you begin Enable TACACS SUMMARY STEPS 1 configure terminal 2 tacacs server host ipv4 address ipv6 address hostname timeout seconds 3 Optional show tacacs pending pending diff 4 Optional tacacs commit 5 exit 6 Optional show tacacs server 7 Optional copy running config start...

Page 108: ...onfiguration Optional show tacacs server Example Step 6 switch show tacacs server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 7 switch copy running config startup config Related Topics Enabling TACACS on page 73 Configuring TCP Ports You can configure another TCP port for the TACACS servers if there are conflicts with anoth...

Page 109: ...iguration Optional tacacs commit Example Step 4 switch config tacacs commit Exits configuration mode exit Example Step 5 switch config exit switch Displays the TACACS server configuration Optional show tacacs server Example Step 6 switch show tacacs server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 7 switch copy running co...

Page 110: ...e default idle timer value is 0 minutes When the idle time interval is 0 minutes periodic TACACS server monitoring is not performed Note Before you begin Enable TACACS SUMMARY STEPS 1 configure terminal 2 tacacs server test idle time minutes password password idle time minutes username name password password idle time minutes 3 tacacs server dead time minutes 4 exit 5 Optional show tacacs server 6...

Page 111: ...p config Related Topics Configuring Periodic TACACS Server Monitoring on Individual Servers on page 85 Configuring Periodic TACACS Server Monitoring on Individual Servers You can monitor the availability of individual TACACS servers The configuration parameters include the username and password to use for the server and an idle timer The idle timer specifies the interval in which a TACACS server r...

Page 112: ...ddress hostname test idle time minutes password password Step 2 The default value for the idle timer is 0 minutes and the valid range is from 0 to 1440 minutes idle time minutes username name password password idle time minutes Example For periodic TACACS server monitoring the idle timer value must be greater than 0 Note switch config tacacs server host 10 10 1 1 test username user1 password Ur2Gd...

Page 113: ...al is 0 minutes TACACS servers are not marked as dead even if they are not responding You can configure the dead timer per group Note Before you begin Enable TACACS SUMMARY STEPS 1 configure terminal 2 tacacs server deadtime minutes 3 Optional show tacacs pending pending diff 4 Optional tacacs commit 5 exit 6 Optional show tacacs server 7 Optional copy running config startup config DETAILED STEPS ...

Page 114: ...guration to the startup configuration Optional copy running config startup config Example Step 7 switch copy running config startup config Configuring ASCII Authentication You can enable ASCII authentication on the TACACS server Before you begin Enable TACACS SUMMARY STEPS 1 configure terminal 2 aaa authentication login ascii authentication 3 Optional show tacacs pending pending diff 4 Optional ta...

Page 115: ...config exit switch Displays the TACACS server configuration Optional show tacacs server Example Step 6 switch show tacacs server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 7 switch copy running config startup config Configuring AAA Authorization on TACACS Servers You can configure the default AAA authorization method for T...

Page 116: ...A authorization The local method uses the local database for authorization and the none method specifies that no AAA authorization be used Exits global configuration mode exit Example Step 3 switch config exit switch Displays the AAA authorization configuration The all keyword displays the default values Optional show aaa authorization all Example Step 4 switch show aaa authorization Copies the ru...

Page 117: ...tacacs pending pending diff 4 Optional tacacs commit 5 exit 6 Optional show aaa authorization all 7 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Configures the command authorization method for specific roles on a TACACS server aaa authorization commands...

Page 118: ...ending Applies the TACACS configuration changes in the temporary database to the running configuration Optional tacacs commit Example Step 4 switch config tacacs commit Exits global configuration mode exit Example Step 5 switch config exit switch Displays the AAA authorization configuration The all keyword displays the default values Optional show aaa authorization all Example Step 6 switch config...

Page 119: ... and the config commands keyword specifies only configuration commands Example switch test aaa authorization command type commands user TestUser command reload Put double quotes before and after the command string argument if it contains spaces Note Related Topics Enabling TACACS on page 73 Configuring Command Authorization on TACACS Servers on page 90 Configuring User Accounts and RBAC Enabling a...

Page 120: ...authenticates with a TACACS server the privilege level is obtained and used to form a local user role name of the format priv n where n is the privilege level The user assumes the permissions of this local role Sixteen privilege levels which map directly to corresponding user roles are available The following table shows the user role permissions that correspond to each privilege level User Role P...

Page 121: ...rd is in clear text or 5 to specify that the password is in encrypted format The password argument can be up to 64 alphanumeric characters The priv lvl argument is from 1 to 15 To enable the secret password you must have enabled the cumulative privilege of roles by entering the feature privilege command Note Enables or disables a user to use privilege levels for authorization The default is disabl...

Page 122: ... to permit users to execute specific commands or to prevent users from running those commands You must follow these guidelines when changing the rules of privilege roles You cannot modify the priv 14 and priv 15 roles You can add deny rules only to the priv 0 role These commands are always permitted for the priv 0 role configure copy dir enable ping show ssh telnet terminal traceroute end and exit...

Page 123: ... The command string argument can contain spaces Repeat this command for as many rules as needed Note Exits role configuration mode exit Example Step 4 switch config role exit switch config Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch config copy running config startup config Related Topics Configuring Privilege Leve...

Page 124: ... Hosts on page 73 Configuring TACACS Server Groups on page 77 Disabling TACACS You can disable TACACS When you disable TACACS all related configurations are automatically discarded Caution SUMMARY STEPS 1 configure terminal 2 no feature tacacs 3 exit 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example St...

Page 125: ...plays the TACACS statistics show tacacs server statistics hostname ipv4 address ipv6 address Step 1 Example switch show tacacs server statistics 10 10 1 1 Related Topics Configuring TACACS Server Hosts on page 73 Clearing TACACS Server Statistics on page 99 Clearing TACACS Server Statistics You can display the statistics that the Cisco NX OS device maintains for TACACS server activity Before you b...

Page 126: ...ils show tacacs status pending pending diff Displays the TACACS configuration in the running configuration show running config tacacs all Displays the TACACS configuration in the startup configuration show startup config tacacs Displays all configured TACACS server parameters show tacacs server host name ipv4 address ipv6 address directed request groups sorted statistics Displays the current privi...

Page 127: ...he password that was configured by the administrator using the enable secret command Privilege level 15 gives this user network admin privileges under the enable mode User Access Verification login user3 Password Cisco Nexus Operating System NX OS Software TAC support http www cisco com tac Copyright 2013 Cisco Systems Inc All rights reserved The copyrights to certain works contained in this softw...

Page 128: ...d from the priv 0 role then you must permit the command at role priv 5 so that users with roles priv 5 and above have permission to run the command switch configure terminal switch config role name priv 0 switch config role rule 2 deny command show running config switch config role exit switch config role name priv 5 switch config role rule 3 permit command show running config switch config role e...

Page 129: ...modified by this feature MIBs MIBs Link MIBs To locate and download supported MIBs go to the following URL ftp ftp cisco com pub mibs supportlists nexus9000 Nexus9000MIBSupportList html MIBs related to TACACS Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 103 Configuring TACACS Additional References for TACACS ...

Page 130: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 104 Configuring TACACS Additional References for TACACS ...

Page 131: ...on a UNIX or Windows NT workstation You must have access to and must configure an LDAP server before the configured LDAP features on your Cisco NX OS device are available LDAP provides for separate authentication and authorization facilities LDAP allows for a single access control server the LDAP daemon to provide each service authentication and authorization independently Each service can be tied...

Page 132: ...equires user authorization authorization begins REJECT User authentication fails The LDAP daemon either denies further access to the user or prompts the user to retry the login sequence ERROR An error occurs at some time during authentication either at the daemon or in the network connection between the daemon and the Cisco NX OS device If the Cisco NX OS device receives an ERROR response the Cisc...

Page 133: ...llowing figure shows the server states for LDAP server monitoring Figure 4 LDAP Server States The monitoring interval for alive servers and dead servers is different and can be configured by the user The LDAP server monitoring is performed by sending a test authentication request to the LDAP server Note Vendor Specific Attributes for LDAP The Internet Engineering Task Force IETF draft standard spe...

Page 134: ...he LDAP servers For more information on VRFs see the Cisco Nexus 9000 Series NX OS Unicast Routing Configuration Guide Licensing Requirements for LDAP The following table shows the licensing requirements for this feature License Requirement Product LDAP requires no license Any feature not included in a license package is bundled with the nx os image and is provided at no extra charge to you For an...

Page 135: ... seconds Timeout interval 60 minutes Idle timer interval test Periodic server monitoring username Cisco Periodic server monitoring password Configuring LDAP This section describes how to configure LDAP on a Cisco NX OS device LDAP Server Configuration Process You can configure LDAP servers by following this configuration process 1 Enable LDAP 2 Establish the LDAP server connections to the Cisco NX...

Page 136: ... terminal Example Step 1 switch configure terminal switch config Enables LDAP Use the no form of this command to disable LDAP Required no feature ldap Example Step 2 When you disable LDAP all related configurations are automatically discarded Note switch config feature ldap Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 3 swit...

Page 137: ...re that the LDAP server certificate is manually configured on the Cisco NX OS device SUMMARY STEPS 1 configure terminal 2 no ldap server host ipv4 address ipv6 address host name enable ssl 3 Optional show ldap server 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal swi...

Page 138: ...rootDN is used to bind to the LDAP server to verify its state Before you begin Enable LDAP Obtain the IPv4 or IPv6 addresses or the hostnames for the remote LDAP servers SUMMARY STEPS 1 configure terminal 2 no ldap server host ipv4 address ipv6 address hostname rootDN root name password password port tcp port timeout seconds timeout seconds 3 Optional show ldap server 4 Optional copy running confi...

Page 139: ... Process on page 109 Enabling or Disabling LDAP on page 110 Configuring LDAP Server Hosts on page 111 Configuring LDAP Server Groups You can specify one or more remote AAA servers to authenticate users using server groups All members of a group must be configured to use LDAP The servers are tried in the same order in which you configure them You can configure these server groups at any time but th...

Page 140: ...mple Step 4 switch config ldap authentication compare password attribute TyuL8r Enables group validation The group name should be configured in the LDAP server Users can login through Optional no enable user server group Example Step 5 public key authentication only if the username is listed as a member of this configured group in the LDAP server switch config ldap enable user server group Enables...

Page 141: ...rver timeout seconds 3 Optional show ldap server 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Specifies the timeout interval for LDAP servers The default timeout interval is 5 seconds The range is from 1 to 60 seconds no ldap server timeout seconds Ex...

Page 142: ...Specifies the timeout interval for a specific server The default is the global value no ldap server host ipv4 address ipv6 address hostname timeout seconds Step 2 Example The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers Note switch config ldap server host server1 timeout 10 Displays the LDAP server configuration Opti...

Page 143: ...s hostname port tcp port timeout seconds Example Step 2 Optionally specifies the timeout interval for the server The range is from 1 to 60 seconds and the default timeout is switch config ldap server host 10 10 1 1 port 200 timeout 5 the global value or 5 seconds if a global value is not configured The timeout interval value specified for an LDAP server overrides the global timeout interval value ...

Page 144: ...p search map Configures the attribute name search filter and base DN for the user profile trusted certificate CRL certificate DN Optional userprofile trustedCert CRLLookup user certdn match user pubkey match Step 3 match public key match or user switchgroup lookup search user switch bind attribute name attribute name search filter filter base DN base DN name operation These values are used to send...

Page 145: ... only test To protect network security we recommend that you use a username that is not the same as an existing username in the LDAP database Note Before you begin Enable LDAP SUMMARY STEPS 1 configure terminal 2 no ldap server host ipv4 address ipv6 address hostname test rootDN root name idle time minutes password password idle time minutes username name password password idle time minutes 3 no l...

Page 146: ... startup configuration Optional copy running config startup config Example Step 5 switch config copy running config startup config Related Topics LDAP Server Configuration Process on page 109 Enabling or Disabling LDAP on page 110 Configuring LDAP Server Hosts on page 111 Configuring the LDAP Dead Time Interval You can configure the dead time interval for all LDAP servers The dead time interval sp...

Page 147: ...ig Example Step 4 switch config copy running config startup config Related Topics Enabling or Disabling LDAP on page 110 Configuring AAA Authorization on LDAP Servers You can configure the default AAA authorization method for LDAP servers Before you begin Enable LDAP SUMMARY STEPS 1 configure terminal 2 aaa authorization ssh certificate ssh publickey default group group list local 3 Optional show ...

Page 148: ...thorization Displays the AAA authorization configuration The all keyword displays the default values Optional show aaa authorization all Example Step 3 switch config show aaa authorization Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 4 switch config copy running config startup config Related Topics Enabling or Disabling LDAP...

Page 149: ...tics Optional show ldap server statistics hostname ipv4 address ipv6 address Step 1 Example switch show ldap server statistics 10 10 1 1 Clears the LDAP server statistics clear ldap server statistics hostname ipv4 address ipv6 address Step 2 Example switch clear ldap server statistics 10 10 1 1 Related Topics Monitoring LDAP Servers on page 122 Configuring LDAP Server Hosts on page 111 Monitoring ...

Page 150: ... 2 enable ssl aaa group server ldap LdapServer server 10 10 2 2 exit show ldap server show ldap server groups The following example shows how to configure an LDAP search map ldap search map s0 userprofile attribute name att name search filter objectClass inetOrgPerson cn userid base DN dc acme dc com exit show ldap search map The following example shows how to configure AAA authorization with cert...

Page 151: ...No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link MIBs To locate and download the supported MIBs go to the following URL ftp ftp cisco com pub mibs supportlists nexus9000 Nexus9000MIBSupportList html MIBs related to LDAP Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 125 Configu...

Page 152: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 126 Configuring LDAP Additional References for LDAP ...

Page 153: ...nal References for SSH and Telnet on page 153 About SSH and Telnet This section includes information about SSH and Telnet SSH Server You can use the SSH server to enable an SSH client to make a secure encrypted connection to a Cisco NX OS device SSH uses strong encryption for authentication The SSH server in the Cisco NX OS software can interoperate with publicly and commercially available SSH cli...

Page 154: ...ates an RSA key using 1024 bits SSH supports the following public key formats OpenSSH IETF Secure Shell SECSH Public Key Certificate in Privacy Enhanced Mail PEM If you delete all of the SSH keys you cannot start the SSH services Caution SSH Authentication Using Digital Certificates SSH authentication on Cisco NX OS devices provide X 509 digital certificate support for host authentication An X 509...

Page 155: ...rge to you For an explanation of the Cisco NX OS licensing scheme see the Cisco NX OS Licensing Guide Cisco NX OS Prerequisites for SSH and Telnet Make sure that you have configured IP on a Layer 3 interface out of band on the mgmt 0 interface or inband on an Ethernet interface Guidelines and Limitations for SSH and Telnet SSH and Telnet have the following configuration guidelines and limitations ...

Page 156: ...mber 3 Maximum number of SSH login attempts Disabled SCP server Disabled SFTP server Configuring SSH This section describes how to configure SSH Generating SSH Server Keys You can generate an SSH server key based on your security requirements The default SSH server key is an RSA key that is generated using 1024 bits SUMMARY STEPS 1 configure terminal 2 no feature ssh 3 ssh key dsa force rsa bits f...

Page 157: ...ey dsa you must do the following additional configurations ssh keytypes all and ssh kexalgos all Note Configures the rekey parameters ssh rekey max data max data max time max timei Example Step 4 switch config ssh rekey max data 1K max time 1M Enables SSH feature ssh Example Step 5 switch config feature ssh Exits global configuration mode exit Example Step 6 switch config exit switch Displays the ...

Page 158: ...ver file bootflash filename 2 configure terminal 3 username username sshkey file bootflash filename 4 exit 5 Optional show user account 6 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Downloads the file containing the SSH key in IETF SECSH format from a server The server can be FTP secure copy SCP secure FTP SFTP or TFTP copy server file bootflash filename Ex...

Page 159: ...n OpenSSH format SUMMARY STEPS 1 configure terminal 2 username username sshkey ssh key 3 exit 4 Optional show user account 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Configures the SSH public key in OpenSSH format username username sshkey ssh key Ex...

Page 160: ...ficate based authentication and password based authentication If public key authentication is enabled it takes priority If only certificate based and password based authentication are enabled certificate based authentication takes priority If you exceed the configured number of login attempts through all of these methods a message appears indicating that too many authentication failures have occur...

Page 161: ...ch config copy running config startup config Starting SSH Sessions You can start SSH sessions using IPv4 or IPv6 to connect to remote devices from the Cisco NX OS device Before you begin Obtain the hostname for the remote device and if needed the username on the remote device Enable the SSH server on the remote device SUMMARY STEPS 1 ssh username ipv4 address hostname vrf vrf name 2 ssh6 username ...

Page 162: ...o a remote device using the Secure Copy Protocol SCP The default VRF is always used copy scp username hostname filepath directory Example switch copy scp user1 10 10 1 1 users abc Step 3 Configuring SSH Passwordless File Copy You can copy files from a Cisco NX OS device to a secure copy SCP or secure FTP SFTP server without a password To do so you must create an RSA or DSA identity that consists o...

Page 163: ...air export bootflash filename volatile filename rsa dsa force Example Step 4 Use the force keyword to replace an existing key The SSH keys are not exported if the force keyword is omitted and SSH keys are already present switch config username user1 keypair export bootflash key_rsa rsa To export the generated key pair you are prompted to enter a passphrase that encrypts the private key The private...

Page 164: ...from the Cisco NX OS device to the server without a password using standard SSH and SCP commands Configuring SCP and SFTP Servers You can configure an SCP or SFTP server on the Cisco NX OS device in order to copy files to and from a remote device After you enable the SCP or SFTP server you can execute an SCP or SFTP command on the remote device to copy the files to or from the Cisco NX OS device T...

Page 165: ... config startup config Example Step 6 switch copy running config startup config Configuring X 509v3 Certificate Based SSH Authentication You can configure SSH authentication using X 509v3 certificates Before you begin Enable the SSH server on the remote device SUMMARY STEPS 1 configure terminal 2 username user id password 0 5 password 3 username user id ssh cert dn dn name dsa rsa 4 no crypto ca t...

Page 166: ...user id ssh cert dn dn name dsa rsa Example Step 3 an existing user account The distinguished name can be switch config username jsmith ssh cert dn O ABCcompany OU ABC1 up to 512 characters and must follow the format shown in the examples Make sure the email address and state are configured as emailAddress and ST respectively emailAddress jsmith ABCcompany com L Metropolis ST New York C US CN jsmi...

Page 167: ...a crl winca Displays configured user account details Optional show user account Example Step 9 switch config trustpoint show user account Displays the users logged into the device Optional show users Example Step 10 switch config trustpoint show users Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 11 switch config trustpoint c...

Page 168: ...dh sha2 nistp256 ecdh sha2 nistp384 ecdh sha2 nistp521 Enables all supported MACs which are the message authentication codes used to detect traffic modification Optional ssh macs all Example Step 3 Supported MACs are switch config ssh macs all hmac sha1 hmac sha2 256 hmac sha2 512 Enables all supported ciphers to encrypt the connection Optional ssh ciphers all Step 4 Example Supported ciphers are ...

Page 169: ... port provides you with connections that support stronger privacy and session integrity SUMMARY STEPS 1 configure terminal 2 no feature ssh 3 show sockets local port range 4 ssh port local port 5 feature ssh 6 exit 7 Optional show running config security all 8 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Ex...

Page 170: ...ng configuration to the startup configuration Optional copy running config startup config Example Step 8 switch copy running config startup config Clearing SSH Hosts When you download a file from a server using SCP or SFTP or when you start an SSH session from this device to a remote host you establish a trusted SSH relationship with that server You can clear the list of trusted SSH servers for yo...

Page 171: ...2 switch config no feature ssh Exits global configuration mode exit Example Step 3 switch config exit switch Displays the SSH server configuration Optional show ssh server Example Step 4 switch show ssh server Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch copy running config startup config Deleting SSH Server Keys Yo...

Page 172: ...t is to delete all the SSH keys switch config no ssh key rsa Exits global configuration mode exit Example Step 4 switch config exit switch Displays the SSH server key configuration Optional show ssh key Example Step 5 switch show ssh key Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch copy running config startup config...

Page 173: ...the Telnet server on the Cisco NX OS device By default the Telnet server is disabled SUMMARY STEPS 1 configure terminal 2 feature telnet 3 exit 4 Optional show telnet server 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enables the Telnet server The de...

Page 174: ...device Enable the Telnet server on the remote device SUMMARY STEPS 1 telnet ipv4 address host name port number vrf vrf name 2 telnet6 ipv6 address host name port number vrf vrf name DETAILED STEPS Purpose Command or Action Starts a Telnet session to a remote device using IPv4 The default port number is 23 The range is from 1 to 65535 The default VRF is the default VRF telnet ipv4 address host name...

Page 175: ...and any later releases this command displays the fingerprint in SHA256 format by default SHA256 is more secure than the old default format of MD5 However the md5 option has been added if you want to see the fingerprint in MD5 format for backward compatibility show ssh key dsa rsa md5 Displays the SSH and user account configuration in the running configuration The all keyword displays the default v...

Page 176: ...Step 2 Generate an SSH server key Example switch config ssh key rsa generating rsa key 1024 bits generated rsa key Step 3 Enable the SSH server Example switch config feature ssh Step 4 Display the SSH server key Example switch config show ssh key could not retrieve dsa key information rsa Keys generated Tue Mar 14 13 13 47 2017 ssh rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDh4 DZboQJbJt10nJhgKBYL5lOlhsFM2...

Page 177: ...store them in the home directory of the Cisco NX OS device for the specified user Example switch configure terminal switch config username admin keypair generate rsa generating rsa key 1024 bits generated rsa key Step 2 Display the public key for the specified user Example switch config show username admin keypair rsa Keys generated Thu Jul 9 11 10 29 2013 ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJ...

Page 178: ... 11 10 29 2013 ssh rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT oQhIcvnrMbx2BmD0P8boZElTfJ Fx9fexWp6rOiztlwODtehnjadWc6A DE2DvYNvqsrU9TBypYDPQkR Y6cKubyFW VxSBG NHztQc3 QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc fbq S33GZsCAX6v0 bitcount 262144 fingerprint 8d 44 ee 6c ca 0b 44 95 36 d0 7d f2 b5 78 74 7d could not retrieve dsa key information switch config Step 5 On the SCP or SFTP server append the pu...

Page 179: ...sslserver sslclient show crypto ca crl tp1 Trustpoint tp1 CRL Certificate Revocation List CRL Version 2 0x1 Signature Algorithm sha1WithRSAEncryption Issuer CN SecDevCA Last Update Aug 8 20 03 15 2016 GMT Next Update Aug 16 08 23 15 2016 GMT CRL extensions X509v3 Authority Key Identifier keyid 30 43 AA 80 10 FE 72 00 DE 2F A2 17 E4 61 61 44 CE 78 FF 2A show user account user user1 this user accoun...

Page 180: ... X 509v3 Certificates for Secure Shell Authentication RFC 6187 MIBs MIBs Link MIBs To locate and download supported MIBs go to the following URL ftp ftp cisco com pub mibs supportlists nexus9000 Nexus9000MIBSupportList html MIBs related to SSH and Telnet Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 154 Configuring SSH and Telnet Additional References for SSH and Telnet ...

Page 181: ...RBAC on page 173 Additional References for User Accounts and RBAC on page 174 About User Accounts and RBAC You can create and manage users accounts and assign roles that limit access to operations on the Cisco NX OS device RBAC allows you to define the rules for an assign role that restrict the authorization that the user has to access management operations User Accounts You can configure up to a ...

Page 182: ...d Also they cannot include these special characters at the beginning of the password quotation marks or vertical bars or right angle brackets Note All printable ASCII characters are supported in the password string if they are enclosed in quotation marks Note If a password is trivial such as a short easy to decipher password the Cisco NX OS software will reject your password configuration if passw...

Page 183: ... as telnet may be available for this user role Note By default the user accounts without an administrator role can access only the show exit end and configure terminal commands You can add rules to allow users to configure features If you belong to multiple roles you can execute a combination of all the commands permitted by these roles Access to a command takes priority over being denied access t...

Page 184: ...delines and Limitations for User Accounts and RBAC User accounts and RBAC have the following configuration guidelines and limitations You can add up to 256 rules to a user role You can add up to 64 user defined feature groups in addition to the default feature group L3 You can configure up to 256 users You can assign a maximum of 64 user roles to a user account If you have a user account configure...

Page 185: ...eature group Enabling Password Strength Checking You can enable password strength checking which prevents you from creating weak passwords for user accounts When you enable password strength checking the Cisco NX OS software does not check the strength of existing passwords Note SUMMARY STEPS 1 configure terminal 2 password strength check 3 exit 4 Optional show password strength check 5 Optional c...

Page 186: ... of Strong Passwords on page 156 Configuring User Accounts You can create a maximum of 256 user accounts on a Cisco NX OS device User accounts have the following attributes Username Password Expiry date User roles You can enter the password in clear text format or encrypted format The Cisco NX OS password encrypts clear text passwords before saving them to the running configuration Encrypted forma...

Page 187: ...nt z numbers 0 through 9 hyphen period underscore _ plus sign and equal sign The at symbol is supported in remote usernames but not in local usernames Usernames must begin with an alphanumeric character The default password is undefined The 0 option indicates that the password is clear text and the 5 option indicates that the password is encrypted The default is 0 clear text If you do not specify ...

Page 188: ...artup config Example Step 7 switch copy running config startup config Related Topics Configuring Roles on page 162 Creating User Roles and Rules on page 162 Configuring Roles This section describes how to configure user roles Creating User Roles and Rules You can configure up to 64 user roles Each user role can have up to 256 rules You can assign a user role to more than one user account The rule ...

Page 189: ...er role and enters role configuration mode The role name argument is a case sensitive alphanumeric character string with a maximum length of 16 characters role name role name Example switch config role name UserA switch config role Step 2 Configures a command rule rule number deny permit command command string Step 3 Example The command string argument can contain spaces and regular expressions Fo...

Page 190: ...o on The deepest OID can be at the scalar level or at the table root level Note Repeat this command for as many rules as needed Configures the role description You can include spaces in the description Optional description text Example Step 8 switch config role description This role does not allow users to use clear commands Exits role configuration mode exit Example Step 9 switch config role exit...

Page 191: ...Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Specifies a user role feature group and enters role feature group configuration mode role feature group name group name Example Step 2 The group name argument is a case sensitive alphanumeric character string with a maximum length of 32 characters switch config role feature ...

Page 192: ...You can change a user role interface policy to limit the interfaces that the user can access By default a user role allows access to all interfaces Before you begin Create one or more user roles If you want to distribute the user role configuration enable user role configuration distribution on all Cisco NX OS devices to which you want the configuration distributed SUMMARY STEPS 1 configure termin...

Page 193: ...tion Optional show role Example Step 6 switch config role show role Displays the user role configuration pending for distribution Optional show role pending pending diff Example Step 7 switch config role show role pending Applies the user role configuration changes in the temporary database to the running configuration Optional role commit Example Step 8 switch config role role commit Copies the r...

Page 194: ...mple Step 2 switch config role name UserA switch config role Enters role VLAN policy configuration mode vlan policy deny Example Step 3 switch config role vlan policy deny switch config role vlan Specifies a range of VLANs that the role can access permit vlan vlan list Step 4 Example Repeat this command for as many VLANs as needed switch config role vlan permit vlan 1 4 Exits role VLAN policy conf...

Page 195: ...ge a user role VRF policy to limit the VRFs that the user can access By default a user role allows access to all VRFs Before you begin Create one or more user roles If you want to distribute the user role configuration enable user role configuration distribution on all Cisco NX OS devices to which you want the configuration distributed SUMMARY STEPS 1 configure terminal 2 role name role name 3 vrf...

Page 196: ...config role Displays the role configuration Optional show role Example Step 6 switch config role show role Displays the user role configuration pending for distribution Optional show role pending pending diff Example Step 7 switch config role show role pending Applies the user role configuration changes in the temporary database to the running configuration Optional role commit Example Step 8 swit...

Page 197: ...rd recovery 3 Optional copy running config startup config 4 Reload 5 exit 6 Optional show user account 7 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Disables the password recovery mechanism no service password recovery Example Step 2 switch config no s...

Page 198: ... boot config Exits global configuration mode exit Example Step 5 switch config exit switch Displays the role configuration Optional show user account Example Step 6 switch show user account Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 7 switch copy running config startup config Verifying User Accounts and RBAC Configuration ...

Page 199: ...d write feature bgp rule 1 deny command clear The following example shows how to create a user role that can configure an interface to enable and show BGP and show EIGRP role name iftest rule 1 permit command config t interface bgp rule 2 permit read write feature bgp rule 3 permit read feature eigrp In the above example rule 1 allows you to configure BGP on an interface rule 2 allows you to confi...

Page 200: ...it default Rule Perm Type Scope Entity 2 deny read oid 1 3 6 1 2 1 1 9 1 permit read feature snmp The following example shows how to give write permission to a specified OID subtree role name User1 rule 3 permit read write oid 1 3 6 1 2 1 1 5 show role name User1 Role User1 Description new role Vlan policy permit default Interface policy permit default Vrf policy permit default Rule Perm Type Scop...

Page 201: ...d by this feature and support for existing standards has not been modified by this feature MIBs MIBs Link MIBs To locate and download supported MIBs go to the following URL ftp ftp cisco com pub mibs supportlists nexus9000 Nexus9000MIBSupportList html MIBs related to user accounts and RBAC Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 175 Configuring User Accounts and RBAC...

Page 202: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 176 Configuring User Accounts and RBAC Additional References for User Accounts and RBAC ...

Page 203: ...on page 210 Additional References for 802 1X on page 211 About 802 1X 802 1X defines a client server based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports The authentication server authenticates each client connected to a Cisco NX OS device port Until the client is authenticated 802 1X access control allows o...

Page 204: ...e supplicant and the authentication server requesting identity information from the supplicant verifying the requested identity information with the authentication server and relaying a response to the supplicant The authenticator includes the RADIUS client which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server When the authenticator ...

Page 205: ...ate A port in the authorized state means that the supplicant has been successfully authenticated Note When the supplicant supplies its identity the authenticator begins its role as the intermediary passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails If the authentication succeeds the authenticator port becomes authorized The specific excha...

Page 206: ...ion exchange The port transmits and receives normal traffic without 802 1X based authentication of the client This authorization state is the default Force unauthorized Causes the port to remain in the unauthorized state ignoring all attempts by the client to authenticate The authenticator cannot provide authentication services to the client through the interface Auto Enables 802 1X port based aut...

Page 207: ...ocess Clients that were authorized with MAC authentication bypass can be reauthenticated The reauthentication process is the same as that for clients that were authenticated with 802 1X During reauthentication the port remains in the previously assigned VLAN If reauthentication is successful the switch keeps the port in the same VLAN If reauthentication is based on the Session Timeout RADIUS attri...

Page 208: ...ful authentication In this case the interface on which this security association violation is detected EAPOL frame from the other MAC address will be disabled Single host mode is applicable only for host to switch topology and when a single host is connected to the Layer 2 Ethernet access port or Layer 3 port routed port of the Cisco NX OS device Only the first host has to be authenticated on the ...

Page 209: ...ntication to work Beginning with Cisco NX OS Release 9 2 1 multi authentication mode is enabled on an 802 1X port VLAN assignment occurs successfully for the first authenticated host Subsequent authorized based on user credentials data hosts are considered successfully authenticated provided either they have no VLAN assignment or have a VLAN assignment matching the first successfully authenticated...

Page 210: ...1X authentication only on Ethernet interfaces that are in a port channel a trunk or an access port The Cisco NX OS software does not work with the CTS or the MACsec features Global mac learn disable and dot1x feature are mutually exclusive and cannot be configured together The Cisco NX OS software does not support single host mode on trunk interfaces or member interfaces in a port channel The Cisc...

Page 211: ...AA 802 1X authentication method Disabled force authorized The port transmits and receives normal traffic without 802 1X based authentication of the supplicant Note Per interface 802 1X protocol enable state Disabled Periodic reauthentication 3600 seconds Number of seconds between reauthentication attempts 60 seconds number of seconds that the Cisco NX OS device remains in the quiet state following...

Page 212: ...ess for Configuring 802 1X This section describes the process for configuring 802 1X SUMMARY STEPS 1 Enable the 802 1X feature 2 Configure the connection to the remote RADIUS server 3 Enable 802 1X feature on the Ethernet interfaces DETAILED STEPS Step 1 Enable the 802 1X feature Step 2 Configure the connection to the remote RADIUS server Step 3 Enable 802 1X feature on the Ethernet interfaces Ena...

Page 213: ...ning config startup config Configuring AAA Authentication Methods for 802 1X You can use remote RADIUS servers for 802 1X authentication You must configure RADIUS servers and RADIUS server groups and specify the default AAA authentication method before the Cisco NX OS device can perform 802 1X authentication Before you begin Obtain the names or addresses for the remote RADIUS server groups SUMMARY...

Page 214: ... Step 4 switch show radius server Displays the RADIUS server group configuration Optional show radius server group group name Example Step 5 switch show radius server group rad2 Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch copy running config startup config Controlling 802 1X Authentication on an Interface You can c...

Page 215: ...thentication state on the interface The default is force authorized dot1x port control auto force authorized forced unauthorized Example Step 3 switch config if dot1x port control auto Exits configuration mode exit Example Step 4 switch config exit switch Displays all 802 1X feature status and configuration information Optional show dot1x all Example Step 5 switch show dot1x all Displays 802 1X fe...

Page 216: ...how dot1x interface ethernet slot port Example Step 2 switch show do1x interface ethernet 2 1 Selects the interface to configure and enters interface configuration mode interface ethernet slot port Example Step 3 switch config interface ethernet 2 1 switch config if Creates an authenticator PAE instance on the interface Use the no form to remove the PAE instance from the interface no dot1x pae aut...

Page 217: ...mode configure terminal Example Step 1 switch configure terminal switch config Selects the interface to configure and enters interface configuration mode interface ethernet slot port Example Step 2 switch config interface ethernet 2 1 switch config if Enables periodic reauthentication of the supplicants connected to the interface By default periodic authentication is disabled dot1x re authenticati...

Page 218: ...nticated supplicant is not disrupted Note Before you begin Enable the 802 1X feature on the Cisco NX OS device SUMMARY STEPS 1 dot1x re authenticate interface slot port DETAILED STEPS Purpose Command or Action Reauthenticates the supplicants on the Cisco NX OS device or on an interface dot1x re authenticate interface slot port Example Step 1 switch dot1x re authenticate interface 2 1 Manually Init...

Page 219: ...conds Switch to authentication server retransmission timer for Layer 4 packets The authentication server notifies the switch each time that it receives a Layer 4 packet If the switch does not receive a notification after sending a packet the Cisco NX OS device waits a set period of time and then retransmits the packet The default is 30 seconds The range is from 1 to 65535 seconds Switch to supplic...

Page 220: ...inal switch config Selects the interface to configure and enters interface configuration mode interface ethernet slot port Example Step 2 switch config interface ethernet 2 1 switch config if Sets the number of seconds that the authenticator waits for a response to an EAP request identity frame from the Optional dot1x timeout quiet period seconds Example Step 3 supplicant before retransmitting the...

Page 221: ... is the switch config if dot1x timeout tx period 40 global number of seconds set for all interfaces The range is from 1 to 65535 seconds Sets the number of seconds the switch can remain inactive The recommended minimum value is1800 seconds Optional dot1x timeout inactivity period seconds Example Step 8 switch config if dot1x timeout inactivity period 1800 Exits configuration mode exit Example Step...

Page 222: ...ple switch config if dot1x mac auth bypass Step 3 Exits configuration mode exit Example Step 4 switch config if exit switch config Displays all 802 1X feature status and configuration information Optional show dot1x all Example Step 5 switch show dot1x all Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config copy run...

Page 223: ...ce Note switch config if dot1x host mode multi host Configures the multiple authentication mode The port is authorized only on a successful authentication of either EAP dot1x host mode multi auth Example Step 4 or MAB or a combination of both Failure to authenticate will restrict network access switch config if dot1x host mode multi auth authentication either EAP or MAB Exits configuration mode ex...

Page 224: ...le the 802 1X feature on the Cisco NX OS device SUMMARY STEPS 1 configure terminal 2 no dot1x system auth control 3 exit 4 Optional show dot1x 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Disables 802 1X authentication on the Cisco NX OS device The de...

Page 225: ...able the 802 1X feature on the Cisco NX OS device SUMMARY STEPS 1 configure terminal 2 no feature dot1x 3 exit 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Disables 802 1X no feature dot1x Step 2 Example Disabling the 802 1X feature removes all 802 1X...

Page 226: ...guration mode interface ethernet slot port Example Step 2 switch config interface ethernet 2 1 switch config if Reverts to the 802 1X configuration default values for the interface dot1x default Example Step 3 switch config if dot1x default Exits configuration mode exit Example Step 4 switch config if exit switch config Displays all 802 1X feature status and configuration information Optional show...

Page 227: ...minal switch config Selects the interface to configure and enters interface configuration mode interface ethernet slot port Example Step 2 switch config interface ethernet 2 1 switch config if Changes the maximum authorization request retry count The default is 2 times and the range is from 1 to 10 dot1x max req count Example Step 3 Make sure that the dot1x port control interface configuration com...

Page 228: ...S Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enables RADIUS accounting for 802 1X The default is disabled dot1x radius accounting Example Step 2 switch config dot1x radius accounting Exits configuration mode exit Example Step 3 switch config exit switch Displays the 802 1X configuration Optional show dot1x Ex...

Page 229: ...ent consists of a space delimited list of group names The group names are the following radius For all configured RADIUS servers named group Any configured RADIUS server group name Exits configuration mode exit Step 3 Displays the AAA accounting configuration Optional show aaa accounting Step 4 Copies the running configuration to the startup configuration Optional copy running config startup confi...

Page 230: ...e interface to configure and enters interface configuration mode interface ethernet slot port Example Step 2 switch config interface ethernet 2 1 switch config if Changes the maximum reauthentication request retry count The default is 2 times and the range is from 1 to 10 dot1x max reauth req retry count Example Step 3 switch config if dot1x max reauth req 3 Exits interface configuration mode exit...

Page 231: ...annel interfaces or the member ports of the port channel are not supported vPC ports are not supported The current support of the feature uses regular and dynamic EVPN updates on the BGP EVPN control plane for 802 1X secure MAC updates As a result we cannot prevent the move across EVPN even if the global policy is dot1x mac move deny Ensure that the dot1x mac move policy is configured the same acr...

Page 232: ...ure dot1x The deny parameters denies MAC moves The permit parameter permits MAC moves dot1x mac move permit deny Example Step 3 switch config dot1x mac move permit Displays the 802 1X configuration Optional show running config dot1x all Example Step 4 switch config show running config dot1x all Command show running config dot1x all No configuration change since last restart Time Thu Sep 20 10 22 5...

Page 233: ...1x mac auth bypass Verifying the 802 1X Support for VXLAN EVPN To display the 802 1X Support for VXLAN ENPN configuration information enter one of the following commands Purpose Command Displays dot1x running configuration show running config dot1x all Displays the interface status show dot1x all summary Displays the default settings show dot1x Displays additional interface detail show dot1x all E...

Page 234: ...mmary Interface PAE Client Status Ethernet1 1 AUTH none UNAUTHORIZED Interface PAE Client Status Ethernet1 33 AUTH 00 16 5A 4C 00 07 AUTHORIZED 00 16 5A 4C 00 06 AUTHORIZED 00 16 5A 4C 00 05 AUTHORIZED 00 16 5A 4C 00 04 AUTHORIZED switch switch show mac address table vlan 10 Legend primary entry G Gateway MAC R Routed MAC O Overlay MAC age seconds since last seen primary entry using vPC Peer Link ...

Page 235: ...1x command switch show dot1x Sysauthcontrol Enabled Dot1x Protocol Version 2 Mac Move Deny Example of the show dot1x all command switch show dot1x all Sysauthcontrol Enabled Dot1x Protocol Version 2 Mac Move Deny Dot1x Info for Ethernet1 1 PAE AUTHENTICATOR PortControl AUTO HostMode MULTI AUTH ReAuthentication Disabled QuietPeriod 60 ServerTimeout 30 SuppTimeout 30 ReAuthPeriod 3600 Locally config...

Page 236: ...guration Example for 802 1X The following example shows how to configure 802 1X for an access port feature dot1x aaa authentication dot1x default group rad2 interface Ethernet2 1 dot1x pae authenticator dot1x port control auto The following example shows how to configure 802 1X for a trunk port feature dot1x aaa authentication dot1x default group rad2 interface Ethernet2 1 dot1x pae authenticator ...

Page 237: ...Area Networks Port Based Network Access Control IEEE Std 802 1X 2004 Revision of IEEE Std 802 1X 2001 PPP Extensible Authentication Protocol EAP RFC 2284 IEEE 802 1X Remote Authentication Dial In User Service RADIUS Usage Guidelines RFC 3580 MIBs MIBs Link MIBs To locate and download MIBs go to the following URL http www cisco com public sw center netmgmt cmtk mibs shtml IEEE8021 PAE MIB Cisco Nex...

Page 238: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 212 Configuring 802 1X Additional References for 802 1X ...

Page 239: ...e Range Configuration on page 284 Additional References for IP ACLs on page 284 About ACLs An ACL is an ordered set of rules that you can use to filter traffic Each rule specifies a set of conditions that a packet must satisfy to match the rule When the device determines that an ACL applies to a packet it tests the packet against the conditions of all rules The first matching rule determines wheth...

Page 240: ...o Nexus 9200 9300 and 9300 EX Series switches IPv6 ACLs IPv6 ACLs with UDF based match for Cisco Nexus 9300 EX Series switches MAC ACLs Layer 2 interfaces Layer 2 Ethernet port channel interfaces When a port ACL is applied to a trunk port the ACL filters traffic on all VLANs on the trunk port Port ACL IPv4 ACLs IPv6 ACLs MAC ACLs are supported on Layer 3 interfaces only if you enable MAC packet cl...

Page 241: ...es which ACLs that the device applies to the traffic The device applies the ACLs in the following order 1 Port ACL 2 Ingress VACL 3 Ingress router ACL 4 Ingress VTY ACL 5 Egress VTY ACL 6 Egress router ACL 7 Egress VACL If the packet is bridged within the ingress VLAN the device does not apply router ACLs Figure 7 Order of ACL Application The following figure shows the order in which the device ap...

Page 242: ...re may be more ACL entries than rules especially if you implement policy based ACLs by using object groups when you configure rules You can create rules in access list configuration mode by using the permit or deny command The device allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule You have many options for configuring the criter...

Page 243: ...rule deny ipv6 any any This implicit rule ensures that the device denies unmatched IPv6 traffic IPv6 nd na nd ns router advertisement and router solicitation packets will not be permitted as the implicit permit rules on IPv6 ACL You must add the following rules explicitly to allow them permit icmp any any nd na permit icmp any any nd ns permit icmp any any router advertisement permit icmp any any ...

Page 244: ...Class of Service CoS Sequence Numbers The device supports sequence numbers for rules Every rule that you enter receives a sequence number either assigned by you or assigned automatically by the device Sequence numbers simplify the following ACL tasks Adding new rules between existing rules By specifying the sequence number you specify where in the ACL a new rule should be positioned For example if...

Page 245: ...CP and UDP traffic can use logical operators to filter traffic based on port numbers Cisco NX OS supports logical operators in only the ingress direction The device stores operator operand couples in registers called logical operator units LOUs The LOU usage for each type of operator is as follows eq Is never stored in an LOU gt Uses 1 LOU lt Uses 1 LOU neq Uses 1 LOU range Uses 1 LOU IPv4 ACL Log...

Page 246: ...le is active when the current time is later than the start date and time No start date and time with end date and time specified The time range rule is active when the current time is earlier than the end date and time No start or end date and time specified The time range rule is always active For example you could prepare your network to allow access to a new subnet by specifying a time range th...

Page 247: ... you apply a PBACL or update a PBACL that is already applied the device expands each rule that refers to object groups into one ACL entry per object within the group If a rule specifies the source and destination both with object groups the number of ACL entries created on the I O module when you apply the PBACL is equal to the number of objects in the source group multiplied by the number of obje...

Page 248: ...that the updated ACL applies to however an atomic update requires that an I O module that receives an ACL update has enough available resources to store each updated ACL entry in addition to all pre existing entries in the affected ACL After the update occurs the additional resources used for the update are freed If the I O module lacks the required resources the device generates an error message ...

Page 249: ...educe the size of the existing TCAM regions TCAM carving to enable the IPv6 MAC or other desired TCAM regions For every TCAM region configuration command the system evaluates if the new change can be fit in the TCAM If not it reports an error and the command is rejected You must remove or reduce the size of existing TCAM regions to make room for new requirements On Cisco Nexus 9200 Series switches...

Page 250: ... racl 0 hardware access list tcam region span 0 hardware access list tcam region redirect_v4 0 hardware access list tcam region redirect_v6 0 hardware access list tcam region e racl 20480 You can partially use IPv6 RACL with IPv6 IFCAL This is applicable to Cisco Nexus N9K C9508 and N9K C9504 with N9K X96136YC R N9K X9636C R N9K X9636Q R and N9K X9636C RX line cards The following table summarizes ...

Page 251: ...ification policy applied on Layer 2 ports or port channels vacl For IPv4 packets ipv6 vacl For IPv6 packets mac vacl For non IP packets VACL vqos or ns vqos For classifying IPv4 packets ipv6 vqos or ns ipv6 vqos For classifying IPv6 packets ing l3 vlan qos For classifying ingress Layer 3 VLAN and SVI QoS packets Cisco Nexus 9200 Series switches only mac vqos or ns mac vqos For classifying non IP p...

Page 252: ...v6 RACLs RACL l3qos l3qos lite or ns l3qos For classifying IPv4 packets ipv6 l3qos or ns ipv6 l3qos For classifying IPv6 packets For traffic that needs to be classified on 40G ports on Cisco Nexus 9300 Series switches you must carve qos regions and the corresponding ns qos regions Note Layer 3 QoS QoS classification policy applied on Layer 3 ports or port channels span VLAN source or VLAN filter S...

Page 253: ...tering IPv4 traffic on Layer 3 interfaces ipv6 racl For filtering IPv6 traffic on Layer 3 interfaces ing l2 span filter For filtering ingress Layer 2 SPAN traffic Cisco Nexus 9200 and 9300 EX Series switches only ing l3 span filter For filtering ingress Layer 3 and VLAN SPAN traffic Cisco Nexus 9200 and 9300 EX Series switches only SPAN filters svi SVI counters This region enables the packet count...

Page 254: ...etFlow openflow OpenFlow sflow sFlow egr sup Egress supervisor Cisco Nexus 9200 Series switches only ing sup Ingress supervisor Cisco Nexus 9200 Series switches only Supervisor modules Related Topics Configuring ACL TCAM Region Sizes on page 240 Configuring TCAM Carving on page 250 Licensing Requirements for IP ACLs The following table shows the licensing requirements for this feature License Requ...

Page 255: ...es ACL processing for IP packets occurs on the I O modules which use hardware that accelerates ACL processing In some circumstances processing occurs on the supervisor module which can result in slower ACL processing especially during processing that involves an ACL with a large number of rules Management interface traffic is always processed on the supervisor module If IP packets in any of the fo...

Page 256: ...gress VACLs applied on a VLAN for traffic in the access to network direction encapsulation path Supports egress VACLs applied on a VLAN for traffic in the network to access direction decapsulation path Supports ingress RACLs applied on a tenant or server facing SVI for traffic in the access to network direction encapsulation path Supports egress RACLs applied on a tenant or server facing SVI for t...

Page 257: ...n TCAM resources are not shared in the following scenarios VACL VLAN ACL is applied to multiple VLANs Routed ACL is applied to multiple SVIs in the egress direction HTTP methods are not supported on FEX ports The mode tap aggregation command is not required for TAP aggregation unless it is used with MPLS stripping However HTTP methods are not supported after MPLS packets have been stripped The fol...

Page 258: ...uted out through a subinterface gets dropped if the access list is configured on that SVI This is due to an ASIC limitation and egress RACL on L3 subinterfaces is not supported due to this limitation In Cisco NX OS Release 9 2 2 the permit tcp any established rule for the egress IPv4 and IPv6 RACLs is not supported on the Cisco Nexus 9504 and Cisco Nexus 9508 line cards n Cisco Nexus Release 9 2 2...

Page 259: ...ration using the Session Manager This feature allows you to verify the ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration This feature is especially useful for ACLs that include more than about 1000 rules SUMMARY STEPS 1 configure terminal 2 Enter one of the following commands ip access list name ipv6 a...

Page 260: ...295 sequence number permit deny protocol source ip prefix source ip mask destination ip prefix destination ip mask Step 4 Example The permit and deny commands support many ways of identifying traffic switch config acl permit ip 192 168 2 0 24 any For IPv4 and IPv6 access lists you can specify a source and destination IPv4 or IPv6 prefix which matches only Example switch config acl 10 permit ipv6 1...

Page 261: ...sources required by the configuration are available prior to committing them to the running configuration This feature is especially useful for ACLs that include more than about 1000 rules SUMMARY STEPS 1 configure terminal 2 Enter one of the following commands ip access list name ipv6 access list name 3 Optional sequence number permit deny protocol source destination 4 Optional no fragments permi...

Page 262: ... fragments that do not match any explicit permit or deny commands in the ACL The no option removes fragment handling optimization Removes the rule that you specified from the IP ACL Optional no sequence number permit deny protocol source destination Step 5 The permit and deny commands support many ways of identifying traffic Example switch config acl no 80 Specifies that the device maintains globa...

Page 263: ...ss class name in out 7 Optional show ip ipv6 access lists 8 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Creates an ACL and enters IP access list configuration mode for that ACL The maximum length for the name argument is 64 characters ip ipv6 access li...

Page 264: ... the configuration are available prior to committing them to the running configuration This feature is especially useful for ACLs that include more than about 1000 rules SUMMARY STEPS 1 configure terminal 2 resequence ip ipv6 access list name starting sequence number increment 3 Optional show ip access lists name 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Actio...

Page 265: ...ct the configuration of interfaces where you have applied the ACL Instead the device considers the removed ACL to be empty Use the show ip access lists command or the show ipv6 access lists command with the summary keyword to find the interfaces that an IP ACL is configured on SUMMARY STEPS 1 configure terminal 2 Enter one of the following commands no ip access list name no ipv6 access list name 3...

Page 266: ...cedure for all Cisco Nexus 9200 9300 and 9500 Series switches and the Cisco Nexus 3164Q 31128PQ 3232C and 3264Q switches except for NFE2 enabled devices such as the X9432C S 100G line card and the C9508 FM S fabric module which must use TCAM templates to configure ACL TCAM region sizes For more information on using TCAM templates see Using Templates to Configure ACL TCAM Region Sizes Once you appl...

Page 267: ...ess flow counters TCAM region egr copp Configures the size of the egress CoPP TCAM region egr racl Configures the size of the egress IPv4 or IPv6 router ACL RACL TCAM region Cisco Nexus 9200 switches only egr sup Configures the size of the egress supervisor TCAM region Cisco Nexus 9200 switches only e ipv6 qos Configures the size of the IPv6 egress QoS TCAM region e ipv6 racl Configures the size o...

Page 268: ...facl udf Configures the size of the IPv4 port ACL user defined field UDF TCAM region Cisco Nexus 3232C and 3264Q switches only ing ifacl Configures the size of the ingress IPv4 IPv6 or MAC port ACL TCAM region Cisco Nexus 9200 9300 and 9300 EX switches only You can attach user defined fields UDFs to the ing ifacl TCAM region to configure UDF based IPv4 or IPv6 port ACLs UDF based IPv6 port ACLs ar...

Page 269: ...isco Nexus 9200 switches only ipsg Configures the size of the IP source guard SMAC IP binding TCAM region ipv6 ifacl Configures the size of the IPv6 port ACL TCAM region ipv6 l3qos Configures the size of the IPv6 Layer 3 QoS TCAM region ipv6 qos Configures the size of the IPv6 port QoS TCAM region ipv6 racl Configures the size of the IPv6 RACL TCAM region ipv6 vacl Configures the size of the IPv6 ...

Page 270: ...dule GEM ns ipv6 vqos Configures the size of the IPv6 VLAN QoS TCAM region for the X9536PQ X9564PX and X9564TX line cards and the M12PQ generic expansion module GEM ns l3qos Configures the size of the IPv4 Layer 3 QoS TCAM region for the X9536PQ X9564PX and X9564TX line cards and the M12PQ generic expansion module GEM ns mac l3qos Configures the size of the MAC Layer 3 QoS TCAM region for the X953...

Page 271: ...ures the size of the IPv4 router ACL RACL user defined field UDF TCAM region Cisco Nexus 3232C and 3264Q switches redirect Configures the size of the redirect TCAM region redirect tunnel Configures the size of the redirect tunnel TCAM region which is used for BFD over VXLAN This command is supported only if the TP_SERVICES_PKG license is installed Note rp ipv6 qos Configures the size of the IPv6 p...

Page 272: ...56 If the size is more than 256 it has to be multiple of 512 For FHS the range is from 0 4096 You can use the no form of this command to revert to the default TCAM region size You can attach IPv4 user defined fields UDFs to the racl ifacl and vacl TCAM regions using the hardware access list tcam region racl ifacl vacl qualify udf udf names command to configure IPv4 UDF based SPAN or ERSPAN You can...

Page 273: ...ormation about verifying storm control see Verifying Traffic Storm Control Configuration on page 436 The following example shows how to change the size of the RACL TCAM region on a Cisco Nexus 9500 Series switch switch config hardware access list tcam region racl 256 SUCCESS New tcam size will be applicable only at boot time You need to copy run start and reload switch config copy running config s...

Page 274: ...ze 0 Redirect redirect size 512 NS IPV4 Port QoS ns qos size 256 NS IPV6 Port QoS ns ipv6 qos size 0 NS MAC Port QoS ns mac qos size 0 NS IPV4 VLAN QoS ns vqos size 256 NS IPV6 VLAN QoS ns ipv6 vqos size 0 NS MAC VLAN QoS ns mac vqos size 0 NS IPV4 L3 QoS ns l3qos size 256 NS IPV6 L3 QoS ns ipv6 l3qos size 0 NS MAC L3 QoS ns mac l3qos size 0 VPC Convergence vpc convergence size 256 IPSG SMAC IP bi...

Page 275: ... QoS TCAM carving see the Cisco Nexus 9000 Series NX OS Quality of Service Configuration Guide Note SUMMARY STEPS 1 configure terminal 2 no hardware profile tcam resource template template name ref template nfe nfe2 l2 l3 l3 3 Optional region tcam size 4 exit 5 no hardware profile tcam resource service template template name 6 Optional show hardware access list tcam template all nfe nfe2 l2 l3 l3 ...

Page 276: ...l line cards and fabric modules Required no hardware profile tcam resource service template template name Example Step 5 switch config hardware profile tcam resource service template SR_MPLS_CARVE Displays the configuration for all TCAM templates or for a specific template Optional show hardware access list tcam template all nfe nfe2 l2 l3 l3 template name Example Step 6 switch config show hardwar...

Page 277: ... 256 1 256 Redirect 512 1 512 vPC convergence 4K Table 16 Default TCAM Region Configuration Egress For Cisco Nexus 9500 Series Switches Total Size Width Size Region Name 768 1 768 IPv4 RACL 256 1 256 System 1K Table 17 Default TCAM Region Configuration Ingress For Cisco Nexus 9300 FX Series Switches Total Size Width Size Region Name 2304 1 2304 IPv4 RACL 256 1 256 Layer 2 QoS 512 1 512 Layer 3 VLA...

Page 278: ...56 Layer 3 VLAN SPAN ACL 512 1 512 SPAN 4K Table 20 Default TCAM Region Configuration Egress For Cisco Nexus 9300 EX Series Switches Total Size Width Size Region Name 1792 1 1792 IPv4 RACL 256 1 256 System 2K Table 21 Default TCAM Region Configuration Ingress For Cisco Nexus 9300 Series Switches Total Size Width Size Region Name 512 1 512 IPv4 port ACL 512 2 256 IPv4 port QoS 512 1 512 IPv4 VACL 5...

Page 279: ...em 1K Table 23 Default TCAM Region Configuration Ingress For Layer 2 to Layer 3 Configurations on Cisco Nexus 9200 Series Switches Total Size Width Size Region Name 0 1 0 Ingress NAT 256 1 256 Ingress port ACL 256 1 256 Ingress VACL 1536 1 1536 Ingress RACL 256 1 256 Ingress Layer 2 QoS 256 1 256 Ingress Layer 3 VLAN QoS 512 1 512 Ingress supervisor 256 1 256 Ingress Layer 2 ACL SPAN 256 1 256 Ing...

Page 280: ...supervisor 256 1 256 Ingress Layer 2 ACL SPAN 256 1 256 Ingress Layer 3 ACL SPAN 512 1 512 Port based SPAN 4096 Table 26 Default TCAM Region Configuration Egress For Layer 3 Configurations on Cisco Nexus 9200 Series Switches Total Size Width Size Region Name 0 1 0 Egress VACL 1792 1 1792 Egress RACL 256 1 256 Egress supervisor 2048 The following example sets the IPv6 RACL TCAM size to 256 on a Cis...

Page 281: ...Pv4 Layer 3 QoS 256 1 256 SPAN 512 2 256 CoPP 512 2 256 System 256 1 256 Redirect 512 1 512 vPC convergence 4K Option 2 Remove IPv4 Layer 3 QoS by reducing its size to 0 and add an ingress IPv6 RACL This option is available if you are not using IPv4 Layer 3 QoS switch config hardware access list tcam region l3qos 0 Warning Please reload the linecard for the configuration to take effect switch conf...

Page 282: ...e reload You can wait until you complete all of your TCAM region configurations before you reload the device Attention Depending on the configuration you might exceed the TCAM size or run out of slices If you exceed the 4K ingress limit for all TCAM regions when you configure a TCAM region the following message appears ERROR Aggregate TCAM region configuration exceeded the available Ingress TCAM s...

Page 283: ...cess list tcam region ing ifacl qualify udf udf name v6udf v6udf name 4 copy running config startup config 5 reload 6 ip access list udf acl 7 Enter one of the following commands permit udf udf name value mask permit ip source destination udf udf name value mask 8 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure termina...

Page 284: ...lable otherwise this command will be rejected If necessary you can reduce the TCAM space from unused regions and then re enter this command For more information see Configuring ACL TCAM Region Sizes Note The no form of this command detaches the UDFs from the TCAM region and returns the region to single wide Note Saves the change persistently through reboots and restarts by copying the running conf...

Page 285: ... interfaces Physical Layer 3 interfaces and subinterfaces Layer 3 Ethernet port channel interfaces VLAN interfaces Management interfaces ACLs applied to these interface types are considered router ACLs Egress router ACLs are not supported on subinterfaces and on Cisco Nexus 9300 Series switch uplink ports Note Before you begin Ensure that the ACL you want to apply exists and that it is configured ...

Page 286: ...per direction Enter one of the following commands Step 3 ip access group access list in out ipv6 traffic filter access list in out Example switch config if ip access group acl1 in Displays the ACL configuration Optional show running config aclmgr Example Step 4 switch config if show running config aclmgr Copies the running configuration to the startup configuration Optional copy running config sta...

Page 287: ...fig startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enters configuration mode for the interface type that you specified Enter one of the following commands Step 2 interface ethernet slot port interface port channel channel number Example switch config interface ethernet 2 3 switch con...

Page 288: ... you first create the access list then enable filtering of IPv4 traffic on an interface using the specified ACL and finally configure the ACL logging process parameters SUMMARY STEPS 1 configure terminal 2 ip access list name 3 permit deny ip source address destination address log 4 exit 5 interface ethernet slot port 6 ip access group name in 7 exit 8 logging ip access list cache interval interva...

Page 289: ...et mask the host address or any to designate any address Updates the configuration and exits IP ACL configuration mode exit Example Step 4 switch config acl exit switch config Enters interface configuration mode interface ethernet slot port Example Step 5 switch config interface ethernet 1 1 switch config if Enables the filtering of IPv4 traffic on an interface using the specified ACL You can appl...

Page 290: ... access list log packets Example switch config hardware rate limiter access list log 200 Step 12 Specifies the minimum severity level to log ACL matches The default is 6 informational The range is from 0 emergency to 7 debugging acllog match log level severity level Example switch config acllog match log level 5 Step 13 Displays information on the active logged flows such as source IP and destinat...

Page 291: ... ACL configuration mode The name argument can be up to 64 characters ip access list name Example Step 2 switch config ip access list acl 01 switch config acl Configures the ACL to redirect specific HTTP methods to a server sequence number permit protocol source destination http method method tcp option length length redirect interface Step 3 The following HTTP methods are supported Example connect...

Page 292: ...splays the IP ACL configuration Optional show ip access lists name Example Step 4 switch config acl show ip access lists acl 01 Displays the interface configuration Optional show run interface interface slot port Example Step 5 switch config acl show run interface ethernet 2 2 Example The following example specifies a length for the TCP options header in the packets and redirects the post HTTP met...

Page 293: ...hes l3 The default TCAM template for Layer 3 configurations on Cisco Nexus 9200 Series switches show hardware access list tcam template all nfe nfe2 l2 l3 l3 template name Displays the IPv4 ACL configuration show ip access lists Displays the IPv6 ACL configuration show ipv6 access lists Displays information on the active logged flows such as source IP and destination IP addresses source port and d...

Page 294: ...onfiguration The all option displays both the default CoPP configured and user configured ACLs in the running configuration Note show running config aclmgr all Displays the ACL log startup configuration show startup config acllog Displays the ACL startup configuration This command displays the user configured ACLs in the startup configuration The all option displays both the default CoPP configure...

Page 295: ...rmit ip 192 168 2 0 24 any interface ethernet 2 1 ip port access group acl 01 in The following example shows how to create an IPv6 ACL named acl 120 and apply it as a router ACL to Ethernet interface 2 3 which is a Layer 3 interface ipv6 access list acl 120 permit tcp 2001 0db8 85a3 48 2001 0db8 be03 2112 64 permit udp 2001 0db8 85a3 48 2001 0db8 be03 2112 64 permit tcp 2001 0db8 69f2 48 2001 0db8...

Page 296: ... if no shutdown About System ACLs You can configure system ACLs on Cisco Nexus 9500 Series switches with R and RX line cards With system ACLs you can now configure a Layer 2 port ACL PACL on all the ports with the same access list in the switch Configuring system ACLs reduces the TCAM usage and also brings down the time and memory usage while the policy is being applied or modified See the followi...

Page 297: ...on Cisco Nexus R series line cards but the non atomic update hardware access list update default result is supported on Cisco Nexus R series line cards Carving a TCAM Region Before configuring the system ACLs carve the TCAM region first Note that for configuring the ACLs less than 1k you do not need to carve the TCAM region See the Configuring ACL TCAM Region Sizes on page 240 section for more inf...

Page 298: ...m acl ip port access group PACL DNA in To validate the system ACLs that are configured on the switch use the sh run aclmgr sec system command switch sh run aclmgr sec system system acl ip port access group test in switch To validate the PACLs that are configured on the switch use the sh ip access lists name summary command switch sh ip access lists test IP access list test 10 deny udp any any eq 2...

Page 299: ... IPV6 VLAN QoS ipv6 vqos size 0 MAC VLAN QoS mac vqos size 0 IPV4 RACL racl size 0 IPV6 RACL ipv6 racl size 128 IPV4 Port QoS Lite qos lite size 0 FEX IPV4 Port QoS Lite fex qos lite size 0 IPV4 VLAN QoS Lite vqos lite size 0 IPV4 L3 QoS Lite l3qos lite size 0 Egress IPV4 QoS e qos size 0 Egress IPV6 QoS e ipv6 qos size 0 Egress MAC QoS e mac qos size 0 Egress IPV4 VACL vacl size 0 Egress IPV6 VAC...

Page 300: ...ging an IPv4 Address Object Group You can create and change an IPv4 address group object SUMMARY STEPS 1 configure terminal 2 object group ip address name 3 Enter one of the following commands sequence number host IPv4 address sequence number IPv4 address prefix len sequence number IPv4 address network wildcard 4 Enter one of the following commands no sequence number no host IPv4 address no IPv4 a...

Page 301: ...want to remove from the object group use the no form of the host command Enter one of the following commands Step 4 no sequence number no host IPv4 address no IPv4 address prefix len no IPv4 address network wildcard Example switch config ipaddr ogroup no host 10 99 32 6 Displays the object group configuration Optional show object group name Example Step 5 switch config ipaddr ogroup show object gr...

Page 302: ...ce number IPv6 address network wildcard You can specify a prefix length for an IPv6 object group which matches only on the first contiguous bits or you can Example specify a wildcard mask which matches on any bit in the switch config ipv6addr ogroup host 2001 db8 0 3ab0 1 address IPv6 wildcard masks are supported for Cisco Nexus 9200 9300 EX and 9300 FX FX2 FXP switches and the Cisco Nexus 9364C s...

Page 303: ...al switch config Creates the protocol port object group and enters port object group configuration mode object group ip port name Example Step 2 switch config object group ip port NYC datacenter ports switch config port ogroup Creates an entry in the object group For each entry that you want to create use one of the following operator commands sequence number operator port number port number Examp...

Page 304: ...iguration Optional copy running config startup config Example Step 6 switch config port ogroup copy running config startup config Removing an Object Group You can remove an IPv4 address object group an IPv6 address object group or a protocol port object group SUMMARY STEPS 1 configure terminal 2 no object group ip address ipv6 address ip port name 3 Optional show object group 4 Optional copy runni...

Page 305: ...for Time Ranges Session Manager supports the configuration of time ranges This feature allows you to create a configuration session and verify your time range configuration changes prior to committing them to the running configuration For more information about Session Manager see the Cisco Nexus 9000 Series NX OS System Management Configuration Guide Creating a Time Range You can create a time ra...

Page 306: ...to 20 00 00 daily All days of the week weekdays Monday through Friday weekend Saturday through Sunday Creates an absolute rule that is in effect beginning at the time and date specified after the start keyword If you Optional sequence number absolute start time date end time date Step 5 omit the end keyword the rule is always in effect after the start time and date have passed Example switch confi...

Page 307: ... STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enters time range configuration mode for the specified time range time range name Example Step 2 switch config time range workday daytime switch config time range Creates a periodic rule that is in effect for one or more contiguous days between and including t...

Page 308: ... arguments absolute arguments Step 7 Example switch config time range no 80 Displays the time range configuration Optional show time range name Example Step 8 switch config time range show time range workday daytime Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 9 switch config time range copy running config startup config Rel...

Page 309: ...ch copy running config startup config Changing Sequence Numbers in a Time Range You can change all the sequence numbers assigned to rules in a time range SUMMARY STEPS 1 configure terminal 2 resequence time range name starting sequence number increment 3 Optional show time range name 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration ...

Page 310: ...g startup config Example Step 4 switch config copy running config startup config Verifying the Time Range Configuration To display time range configuration information perform one of the following tasks Purpose Command Displays the time range configuration show time range Displays ACL configuration including all time ranges show running config aclmgr Additional References for IP ACLs Related Docum...

Page 311: ...t use information in the Layer 2 header of packets to filter traffic MAC ACLs share many fundamental concepts with IP ACLs including support for virtualization MAC Packet Classification MAC packet classification allows you to control whether a MAC ACL that is on a Layer 2 interface applies to all traffic entering the interface including IP traffic or to non IP traffic only Effect on Interface MAC ...

Page 312: ... switches you must define the ethertype for the traffic to be appropriately matched Mac packet classify knob is partially supported on the Cisco Nexus 9300 EX platform switches In the absence of a direct field for marking the packet as an L2 packet the switches match all packets with certain fields such as src_mac dst_mac and vlan in the key field However they cannot match on the eth_type field Th...

Page 313: ... ACL permit deny source destination protocol Step 3 Example The permit and deny commands support many ways of identifying traffic switch config mac acl 100 permit mac 00c0 4f00 0000 0000 00ff ffff any 0x0806 Specifies that the device maintains global statistics for packets that match the rules in the ACL Optional statistics per entry Example Step 4 switch config mac acl statistics per entry Displa...

Page 314: ...cl Creates a rule in the MAC ACL Using a sequence number allows you to specify a position for the rule in the ACL Optional sequence number permit deny source destination protocol Step 3 Without a sequence number the rule is added to the end of the rules Example switch config mac acl 100 permit mac 00c0 4f00 0000 0000 00ff ffff any 0x0806 The permit and deny commands support many ways of identifyin...

Page 315: ...ion Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Assigns sequence numbers to the rules contained in the ACL where the first rule receives the number specified by resequence mac access list name starting sequence number increment Step 2 the starting sequence number that you specify Each Example subsequent rule receives a number larger th...

Page 316: ...n interface the command lists the interfaces Optional show mac access lists name summary Example Step 3 switch config show mac access lists acl mac 01 summary Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 4 switch config copy running config startup config Applying a MAC ACL as a Port ACL You can apply a MAC ACL as a port ACL ...

Page 317: ...h config interface ethernet 2 1 switch config if Example switch config interface port channel 5 switch config if Applies a MAC ACL to the interface mac port access group access list Example Step 3 switch config if mac port access group acl 01 Displays the ACL configuration Optional show running config aclmgr Example Step 4 switch config if show running config aclmgr Copies the running configuratio...

Page 318: ...lobal configuration mode configure terminal Example Step 1 switch configure terminal switch config Enter one of the following commands Step 2 Enters interface configuration mode for an Ethernet interface interface ethernet slot port Enters interface configuration mode for a port channel interface interface port channel channel number Example switch config interface ethernet 2 1 switch config if Ex...

Page 319: ...mand displays the user configured ACLs in the running configuration The all option displays both the default CoPP configured and user configured ACLs in the running configuration Note show running config aclmgr all Displays the ACL startup configuration This command displays the user configured ACLs in the startup configuration The all option displays both the default CoPP configured and user conf...

Page 320: ...er 2 interface in this example mac access list acl mac 01 permit 00c0 4f00 0000 0000 00ff ffff any 0x0806 interface ethernet 2 1 mac port access group acl mac 01 Additional References for MAC ACLs Related Documents Document Title Related Topic Configuring TAP Aggregation and MPLS Stripping TAP aggregation Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 294 Configuring MAC AC...

Page 321: ... configure VACLs to apply to all packets that are routed into or out of a VLAN or are bridged within a VLAN VACLs are strictly for security packet filtering and for redirecting traffic to specific physical interfaces VACLs are not defined by direction ingress or egress VLAN Access Maps and Entries VACLs use access maps to contain an ordered list of one or more map entries Each map entry associates...

Page 322: ...r Support for VACLs Session Manager supports the configuration of VACLs This feature allows you to verify the ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration For more information about Session Manager see the Cisco Nexus 9000 Series NX OS System Management Configuration Guide Licensing Requirements f...

Page 323: ...ents with the action drop to achieve a similar outcome When configuring a VACL with the redirect option the interface that you define as the redirect interface must be configured as a member of the VLAN which you apply this VACL to This VLAN must also be in the forwarding state on this interface for the redirection to work If these conditions are not met then the switch will drop the packets which...

Page 324: ...nning config aclmgr 7 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enters VLAN access map configuration mode for the VLAN access map specified If the VLAN access map does not exist the device creates it vlan access map map name sequence number Example s...

Page 325: ... show running config aclmgr Example Step 6 switch config access map show running config aclmgr Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 7 switch config access map copy running config startup config Removing a VACL or a VACL Entry You can remove a VACL which means that you will delete the VLAN access map You can also remo...

Page 326: ... startup config Example Step 4 switch config copy running config startup config Applying a VACL to a VLAN You can apply a VACL to a VLAN Before you begin If you are applying a VACL ensure that the VACL exists and is configured to filter traffic in the manner that you need for this application SUMMARY STEPS 1 configure terminal 2 no vlan filter map name vlan list list 3 Optional show running config...

Page 327: ...Note show running config aclmgr all Displays the ACL startup configuration This command displays the user configured ACLs in the startup configuration The all option displays both the default CoPP configured and user configured ACLs in the startup configuration Note show startup config aclmgr all Displays information about VACLs that are applied to a VLAN show vlan filter Displays information abou...

Page 328: ...n access map acl mac map match mac address acl mac 01 action forward vlan filter acl mac map vlan list 50 82 Additional References for VACLs Related Documents Document Title Related Topic Cisco Nexus 9000 Series NX OS Quality of Service Configuration Guide QoS configuration Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 302 Configuring VLAN ACLs Configuration Example for VA...

Page 329: ...rity Port security allows you to configure Layer 2 physical interfaces and Layer 2 port channel interfaces to allow inbound traffic from only a restricted set of MAC addresses The MAC addresses in the restricted set are called secure MAC addresses In addition the device does not allow traffic from these MAC addresses on another interface within the same VLAN The number of MAC addresses that the de...

Page 330: ... The device stores dynamic secure MAC addresses in memory A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs The device restarts The interface restarts The address reaches the age limit that you configured for the interface You explicitly remove the address You configure the interface to act as a Layer 3 interface Sticky Method ...

Page 331: ...rt set the maximum number of addresses to one and configure the MAC address of the attached device Tip The following three limits can determine how many secure MAC addresses are permitted on an interface Device Maximum The device has a nonconfigurable limit of 8192 secure MAC addresses If learning a new address would violate the device maximum the device does not permit the new address to be learn...

Page 332: ...guration command to configure the device to reenable the interface automatically if a shutdown occurs or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands Restrict Drops ingress traffic from any nonsecure MAC addresses The device keeps a count of the number of dropped MAC addresses which is called the security violation count Address ...

Page 333: ...in non vPC deployments on Cisco Nexus 9300 EX Series switches Note Port Security and Port Channel Interfaces Port security is supported on Layer 2 port channel interfaces Port security operates on port channel interfaces in the same manner as on physical interfaces except as described in this section General Guidelines Port security on a port channel interface operates in either access mode or tru...

Page 334: ... configuration To ensure that all ports are secure as needed after you remove a port channel interface we recommend that you closely inspect the port security configuration of all member ports Note Removing a Port Channel Interface If you remove a secure port channel interface the following occurs The device discards all secure MAC addresses learned for the port channel interface including static ...

Page 335: ...the device has no port security configuration for the interface Licensing Requirements for Port Security The following table shows the licensing requirements for this feature License Requirement Product Port security requires no license Any feature not included in a license package is bundled with the nx os image and is provided at no extra charge to you For an explanation of the Cisco NX OS licen...

Page 336: ...ANs Static MAC addresses for the secondary VLANs cannot be created Dynamic MAC addresses that learned the secondary VLANs are aged out Guidelines and Limitations for Port Security on vPCs Apart from the guidelines and limitations for port security check that you can meet the following guidelines and limitations for port security on vPCs Port security is not supported on FEX interfaces in vPC deplo...

Page 337: ...d command to verify that the configuration is correct on both vPC peers While a switch undergoes an in service software upgrade ISSU port security operations are stopped on its peer switch The peer switch does not learn any new MAC addresses and MAC moves occurring during this operation are ignored When the ISSU is complete the peer switch is notified and normal port security functionality resumes...

Page 338: ...hport port security configuration for the interface is lost Before you begin You must have enabled port security globally If a Layer 2 Ethernet interface is a member of a port channel interface you cannot enable or disable port security on the Layer 2 Ethernet interface If any member port of a secure Layer 2 port channel interface has port security enabled you cannot disable port security for the ...

Page 339: ...urity Displays the port security configuration Optional show running config port security Example Step 5 switch config if show running config port security Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config if copy running config startup config Enabling or Disabling Sticky MAC Address Learning You can disable or en...

Page 340: ...ayer 2 interface switchport Example Step 3 switch config if switchport Enables sticky MAC address learning on the interface The no option disables sticky MAC address learning no switchport port security mac address sticky Example Step 4 switch config if switchport port security mac address sticky Displays the port security configuration Optional show running config port security Example Step 5 swi...

Page 341: ...tional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enters interface configuration mode for the interface that you specify Enter one of the following commands Step 2 interface ethernet slot port interface port channel channel number Example switch config interfa...

Page 342: ...mmand or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enters interface configuration mode for the interface from which you want to remove a static secure MAC address Enter one of the following commands Step 2 interface ethernet slot port interface port channel channel number Example switch config interface ethernet 2 1 switch con...

Page 343: ...t channel channel number 3 no switchport port security mac address sticky 4 clear port security dynamic address address 5 Optional show port security address interface ethernet slot port port channel channel number 6 Optional switchport port security mac address sticky DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure termi...

Page 344: ...earning again on the interface Optional switchport port security mac address sticky Example Step 6 switch config if switchport port security mac address sticky Removing a Dynamic Secure MAC Address You can remove dynamically learned secure MAC addresses Before you begin You must have enabled port security globally SUMMARY STEPS 1 configure terminal 2 clear port security dynamic interface ethernet ...

Page 345: ...so configure a maximum number of MAC addresses per VLAN on a Layer 2 interface The largest maximum number of addresses that you can configure on an interface is 1025 addresses The system maximum number of addresses is 8192 By default an interface has a maximum of one secure MAC address VLANs have no default maximum number of secure MAC addresses When you specify a maximum number of addresses that ...

Page 346: ...ich is 1 switch config if switchport port security maximum 425 If you want to specify the VLAN that the maximum applies to use the vlan keyword Displays the port security configuration Optional show running config port security Example Step 4 switch config if show running config port security Copies the running configuration to the startup configuration Optional copy running config startup config ...

Page 347: ...ion resets the aging type to the default which is absolute aging no switchport port security aging type absolute inactivity Example Step 3 switch config if switchport port security aging type inactivity Configures the number of minutes that a dynamically learned MAC address must age before the device drops the no switchport port security aging time minutes Example Step 4 address The maximum valid ...

Page 348: ...protect restrict shutdown 4 Optional show running config port security 5 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enters interface configuration mode for the interface that you want to configure with a security violation action Enter one of the foll...

Page 349: ...terface show port security interface Displays secure MAC addresses show port security address Verifies configuration on both vPC peers show vpc consistency parameters vpc id Displaying Secure MAC Addresses Use the show port security address command to display secure MAC addresses Configuration Example for Port Security The following example shows a port security configuration for the Ethernet 2 1 ...

Page 350: ... aging type absolute secondaryy_switch config if switchport port security mac sticky secondary_switch config if switchport port security mac address 0 0 1 vlan 101 secondary_switch config if switchport port security mac address 0 0 2 vlan 101 secondary_switch config if copy running config startup config Example Configuring Port Security on the vPC Leg primary_switch config feature port security pr...

Page 351: ...lated Topic Cisco Nexus 9000 Series NX OS Layer 2 Switching Configuration Guide Layer 2 switching MIBs Cisco NX OS provides read only SNMP support for port security MIBs Link MIBs To locate and download MIBs go to the following URL http www cisco com public sw center netmgmt cmtk mibs shtml CISCO PORT SECURITY MIB Traps are supported for notification of secure MAC address violations Note Cisco Nex...

Page 352: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 326 Configuring Port Security Additional References for Port Security ...

Page 353: ...the DHCP Configuration on page 364 Displaying IPv6 RA Guard Statistics on page 364 Displaying DHCP Snooping Bindings on page 364 Clearing the DHCP Snooping Binding Database on page 365 Monitoring DHCP on page 365 Clearing DHCP Snooping Statistics on page 365 Clearing DHCP Relay Statistics on page 365 Clearing DHCPv6 Relay Statistics on page 365 Configuration Examples for DHCP on page 366 Configura...

Page 354: ...You must configure DHCP server interfaces as trusted You can also configure other interfaces as trusted if they connect to devices such as switches or routers inside your network You usually do not configure host port interfaces as trusted For DHCP snooping to function properly all DHCP servers must be connected to the device through trusted interfaces Note DHCP Snooping Binding Database Using inf...

Page 355: ...rios When the remote vPC is online all the binding entries for that vPC link should be synchronized with the peer When DHCP snooping is enabled on the peer switch the dynamic binding entries for all vPC links should be synchronized with the peer Packet Validation The device validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled The device forwards the ...

Page 356: ...s first received before it is forwarded to the other vPC peer switch Note 3 The device forwards the DHCP request that includes the Option 82 field to the DHCP server 4 The DHCP server receives the packet If the server is Option 82 capable it can use the remote ID the circuit ID or both to assign IP addresses and implement policies such as restricting the number of IP addresses that can be assigned...

Page 357: ...ace The relay agent sets the gateway address giaddr field of the DHCP packet and if configured adds the relay agent information option Option 82 in the packet and forwards it to the DHCP server The reply from the server is forwarded back to the client after removing Option 82 After you enable Option 82 the device uses the binary ifindex format by default If needed you can change the Option 82 sett...

Page 358: ...DHCP relay the circuit ID is filled with the ifindex of the SVI or Layer 3 interface on which DHCP relay is configured 3 The device adds the IP address of the relay agent to the DHCP packet 4 The device forwards the DHCP request that includes the Option 82 field to the DHCP server 5 The DHCP server receives the packet If the server is Option 82 capable it can use the remote ID the circuit ID or bo...

Page 359: ...2 for the DHCP relay agent If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information and the address of the DCHP server belongs to a network on an interface that is a member of a different VRF the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF The Option 82 information includes the foll...

Page 360: ...ng secondary addresses About the DHCPv6 Relay Agent DHCPv6 Relay Agent You can configure the device to run a DHCPv6 relay agent which forwards DHCPv6 packets between clients and servers This feature is useful when clients and servers are not on the same physical subnet Relay agents receive DHCPv6 messages and then generate a new DHCPv6 message to send out on another interface The relay agent sets ...

Page 361: ...bnet broadcast is not supported You must enable the insertion of Option 82 information for DHCP packets to support the highest DHCP snooping scale Before you globally enable DHCP snooping on the device make sure that the devices acting as the DHCP server and the DHCP relay agent are configured and enabled DHCP snooping should not be followed by DHCP relay in the network DHCP snooping does not work...

Page 362: ...you configure DHCPv6 server addresses on an interface a destination interface cannot be used with global IPv6 addresses The following guidelines and limitations apply to the DHCP client feature You can configure multiple SVIs but each interface VLAN should be in a different subnet The DHCP client feature cannot configure different IP addresses with the same subnet on different interface VLANs on t...

Page 363: ...s Step 4 Make sure that the DHCP server is connected to the device using a trusted interface Step 5 Optional Enable the DHCP relay agent Step 6 Optional If DHCP servers and clients are in different VRFs do the following a Enable Option 82 for the DHCP relay agent b Enable VRF support for the DHCP relay agent Step 7 Optional Configure an interface with the IP address of the DHCP server Enabling or ...

Page 364: ...g config dhcp Example Step 3 switch config show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 4 switch config copy running config startup config Configuring DHCP Snooping Enabling or Disabling DHCP Snooping Globally You can enable or disable DHCP snooping globally on the device Before you begin Make sure t...

Page 365: ...fig Enabling or Disabling DHCP Snooping on a VLAN You can enable or disable DHCP snooping on one or more VLANs By default DHCP snooping is disabled on all VLANs Before you begin Make sure that the DHCP feature is enabled If a VACL is configured on a VLAN that you are configuring with DHCP snooping make sure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts Note SUMMARY STEPS 1...

Page 366: ...the source MAC address and the DHCP client hardware address do not match address verification causes the device to drop the packet MAC address verification is enabled by default Before you begin Make sure that the DHCP feature is enabled SUMMARY STEPS 1 configure terminal 2 no ip dhcp snooping verify mac address 3 Optional show running config dhcp 4 Optional copy running config startup config DETA...

Page 367: ...formation for DHCP packets Note You must add Option82 as specified in the format string in the command configuration The length of the Option82 string increases based on the length of the format string The circuit id must include the ascii value of the format string Note Before you begin Make sure that the DHCP feature is enabled SUMMARY STEPS 1 configure terminal 2 no ip dhcp snooping information...

Page 368: ...h config ip dhcp snooping sub option circuit id format type string format WORD Format string Max Size 64 If you specify p instead of word the circuit id displays the port name If you specify h p instead of word the circuit id displays both host and port name The no option disables this behavior Note Enters the interface configuration mode where slot port is the interface where you want to enable o...

Page 369: ...S 1 configure terminal 2 no ip dhcp packet strict validation 3 Optional show running config dhcp 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enables the strict validation of DHCP packets The no form of this command disables strict DHCP packet validat...

Page 370: ...figure terminal switch config Do one of the following options Step 2 Enters interface configuration mode where slot port is the Layer 2 Ethernet interface that you want to configure as trusted or untrusted for DHCP snooping interface ethernet slot port interface port channel channel number Enters interface configuration mode where slot port is the Layer 2 port channel interface that you want to co...

Page 371: ...inal 2 no ip dhcp relay information option trust 3 Optional show ip dhcp relay 4 Optional show ip dhcp relay information trusted sources 5 Optional show running config dhcp 6 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Enables the DHCP relay trusted po...

Page 372: ...e is enabled SUMMARY STEPS 1 configure terminal 2 interface ethernet slot port number port channel channel number 3 no ip dhcp relay information trusted 4 Optional show ip dhcp relay information trusted sources 5 Optional show running config dhcp 6 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1...

Page 373: ...ning config dhcp Example Step 5 switch config if show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config if copy running config startup config Configuring all Interfaces as Trusted or Untrusted You can configure all Layer 3 interfaces as DHCP relay trusted or untrusted interfaces By default all ...

Page 374: ...cp relay information trusted sources Displays the DHCP configuration Optional show running config dhcp Example Step 4 switch config show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch config copy running config startup config Enabling or Disabling the DHCP Relay Agent You can enable or disable the ...

Page 375: ...ig Enabling or Disabling Option 82 for the DHCP Relay Agent You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent By default the DHCP relay agent does not include Option 82 information in DHCP packets Before you begin Ensure that the DHCP feature is enabled SUMMARY STEPS 1 switch configure terminal 2 switch config no ip dhcp re...

Page 376: ...ommand is programmed When the ip dhcp relay sub option circuit id format type string command is removed the ip dhcp relay sub option circuit id customized command is programmed When both commands are removed the ifindex is programmed For other interfaces if the ip dhcp relay sub option circuit id format type string command is configured it is used Otherwise the default ifindex is programmed Displa...

Page 377: ...ype cisco The no option causes DHCP to use RFC numbers 5 11 and 151 for the link selection server ID override and VRF name VPN ID suboptions Displays the DHCP relay configuration Optional show ip dhcp relay Example Step 4 switch config show ip dhcp relay Displays the DHCP configuration Optional show running config dhcp Example Step 5 switch config show running config dhcp Copies the running config...

Page 378: ...p config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Do one of the following options Step 2 Enters interface configuration mode where slot port is the physical Ethernet interface that you want to interface ethernet slot port number configure with a DHCP server IP address If you want interface vl...

Page 379: ...p 5 switch config if show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config if copy running config startup config Configuring the DHCP Relay Source Interface You can configure the source interface for the DHCP relay agent By default the DHCP relay agent uses the relay agent address as the sourc...

Page 380: ...ig show ip dhcp relay Displays the DHCP configuration Optional show running config dhcp Example Step 4 switch config show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch config copy running config startup config Enabling or Disabling DHCP Smart Relay Globally You can enable or disable DHCP smart rel...

Page 381: ...ies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch config copy running config startup config Enabling or Disabling DHCP Smart Relay on a Layer 3 Interface You can enable or disable DHCP smart relay on Layer 3 interfaces Before you begin Ensure that the DHCP feature is enabled Ensure that the DHCP relay agent is enabled SUMMA...

Page 382: ...de exit Example Step 4 switch config if exit switch config Exits global configuration mode exit Example Step 5 switch config exit switch Displays the DHCP smart relay configuration Optional show ip dhcp relay Example Step 6 switch show ip dhcp relay Displays the DHCP configuration Optional show running config dhcp Example Step 7 switch show running config dhcp Copies the running configuration to t...

Page 383: ...terface Example Step 3 switch config show ipv6 dhcp relay Displays the DHCP configuration Optional show running config dhcp Example Step 4 switch config show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch config copy running config startup config Enabling or Disabling VRF Support for the DHCPv6 Rel...

Page 384: ...ned in RFC 6607 This command is useful when you want to use DHCPv6 servers that do not support RFC 6607 but allocate IPv6 addresses based on the client VRF name Displays the DHCPv6 relay configuration Optional show ipv6 dhcp relay interface interface Example Step 4 switch config show ipv6 dhcp relay Displays the DHCP configuration Optional show running config dhcp Example Step 5 switch config show...

Page 385: ...ollowing options Step 2 Enters interface configuration mode where slot port is the physical Ethernet interface that you want to configure with a DHCPv6 server IP address interface ethernet slot port interface port channel channel id Enters interface configuration mode where channel id is the ID of the port channel that you want to configure with a DHCPv6 server IP address Example switch config int...

Page 386: ...ddress as the source address of the outgoing packet Configuring the source interface enables you to use a more stable address such as the loopback interface address as the source address of relayed messages Before you begin Ensure that the DHCP feature is enabled Ensure that the DHCPv6 relay agent is enabled SUMMARY STEPS 1 configure terminal 2 no ipv6 dhcp relay source interface interface 3 Optio...

Page 387: ...ent RA guard feature for Cisco Nexus 9200 9300 and 9300 EX Series switches and the N9K X9732C EX line card This feature is used to drop all incoming IPv6 RA packets on a Layer 2 interface Before you begin You must enable DHCP using the feature dhcp command To enable DHCP relay on any interface you must disable DHCP on interfaces that have an IPv4 or IPv6 address assigned using DHCP dynamic IP addr...

Page 388: ... use the DHCP client feature to enable the configuration of an IPv4 or IPv6 address on an interface Interfaces can include routed ports the management port and switch virtual interfaces SVIs Layer 3 subinterfaces are not supported DHCP client is independent of the DHCP relay and DHCP snooping processes so it does not require that the feature dhcp command be enabled Note SUMMARY STEPS 1 configure t...

Page 389: ...step This command is ipv6 address use link local only Example Step 3 not required if you will assign an IPv4 address to the interface switch config if ipv6 address use link local only Assigns an IPv4 or IPv6 address to the interface no ip ipv6 address dhcp Step 4 Example The no form of this command releases the IP address switch config if ip address dhcp Displays the IPv4 or IPv6 address assigned ...

Page 390: ...thernet slot port mgmt 0 vlan vlan id Displays the DHCP configuration in the startup configuration show startup config dhcp all Displaying IPv6 RA Guard Statistics To display IPv6 RA guard statistics perform one of the following tasks Purpose Command Displays IPv6 related RA guard statistics show ipv6 raguard statistics The following example shows sample statistics switch show ipv6 raguard statist...

Page 391: ...DHCP snooping Use the show ip dhcp relay statistics interface interface command to monitor DHCP relay statistics at the global or interface level Use the show ipv6 dhcp relay statistics interface interface command to monitor DHCPv6 relay statistics at the global or interface level Clearing DHCP Snooping Statistics Use the clear ip dhcp snooping statistics vlan vlan id command to clear the DHCP sno...

Page 392: ...st packets received on Ethernet interface 2 2 to the DHCP server 10 55 11 3 inserting 192 168 100 1 in the giaddr field If the DHCP server has a pool configured for the 192 168 100 0 24 network it responds If the server does not respond the device sends two more requests using 192 168 100 1 in the giaddr field If the device still does not receive a response it starts using 172 16 31 254 in the gia...

Page 393: ...PCs Cisco Nexus 9000 Series NX OS Unicast Routing Configuration Guide VRFs and Layer 3 virtualization Standards Title Standards Dynamic Host Configuration Protocol http tools ietf org html rfc2131 RFC 2131 DHCP Relay Agent Information Option http tools ietf org html rfc3046 RFC 3046 Virtual Subnet Selection Options for DHCPv4 and DHCPv6 http tools ietf org html rfc6607 RFC 6607 Cisco Nexus 9000 Se...

Page 394: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 368 Configuring DHCP Additional References for DHCP ...

Page 395: ...nologies such as server virtualization Overlay Transport Virtualization OTV and Layer 2 mobility These devices are sometimes referred to as first hops specifically when they are facing end nodes The First Hop Security feature provides end node protection and optimizes link operations on IPv6 or dual stack networks First Hop Security FHS is a set of features to optimize IPv6 link operation and help...

Page 396: ... the Cisco Nexus Series switch to Cisco NX OS Release 7 0 3 I7 1 using the In Service Software Upgrades ISSU you must reload the Cisco NX OS box before configuring the port level FHS policies Note IPv6 First Hop Security Binding Table A database table of IPv6 neighbors connected to the device is created from information sources such as IPv6 snooping This database or binding table is used by variou...

Page 397: ...ecting clients behind an intermediary switch with DHCP relay running on the Nexus switch is ideal because you can configure the IPv6 Snooping feature on the vPC interface links directly instead of at a VLAN level Configuration at the interface level is efficient for the following reasons Control traffic DHCP ND will not be redirected to CPU for processing on both vPC peers if it goes over the peer...

Page 398: ...s Instead the DHCP relay agent or a DHCP server is runs behind a vPC link it can be towards the access or even somewhere in the core In such a deployment scenario the IPv6 Snooping feature doesn t implicitly trust the DHCP Server messages and drops DHCP Server messages by default You can customize the IPv6 policy to implement Security level glean IPv6 DHCP Guard policy with device role server In t...

Page 399: ...ion you can connect the client via an orphan port The IPv6 Snooping feature only syncs client bindings on vPC ports but not on orphan ports as these are not directly connected to both vPC peers In such a configuration the IPv6 Snooping feature runs independently on both switches The figure illustrates the following On the first switch you must attach the IPv6 Snooping policy on the client facing i...

Page 400: ...ed or rogue RA guard messages that arrive at the network device platform RAs are used by devices to announce themselves on the link The IPv6 RA Guard feature analyzes these RAs and filters out RAs that are sent by unauthorized devices In host mode all RA and router redirect messages are disallowed on the port The RA guard feature compares configuration information on the Layer 2 L2 device with the...

Page 401: ...ients Client messages or messages sent by relay agents from clients to servers are not blocked The filtering decision is determined by the device role assigned to the receiving switch port trunk or VLAN This functionality helps to prevent traffic redirection or denial of service DoS Packets are classified into one of the three DHCP type messages All client messages are always switched regardless o...

Page 402: ...e platform dependent modules Upon receiving redirected traffic the classifier calls all entry points from any registered feature for the target on which the traffic is being received including the IPv6 snooping entry point This entry point is the last to be called so any decision such as drop made by another feature supersedes the IPv6 snooping decision IPv6 snooping provides IPv6 host liveness tr...

Page 403: ... Step 1 Device configure terminal Defines the RA guard policy name and enters RA guard policy configuration mode ipv6 nd raguard policy policy name Example Step 2 Device config ipv6 nd raguard policy policy1 Specifies the role of the device attached to the port device role host router monitor switch Step 3 Example device role host Interface or VLAN where you connect a regular node or host This whe...

Page 404: ...ig ra guard managed config flag on Optional Enables verification of the advertised other configuration parameter other config flag on off Example Step 6 Device config ra guard other config flag on Optional Enables verification that the advertised default router preference parameter value is lower than or equal to a specified limit router preference maximum high low medium Example Device config ra ...

Page 405: ...olicy name Example Step 3 Device config if ipv6 nd raguard attach policy Exits interface configuration mode exit Example Step 4 Device config if exit Displays the RA guard policy on all interfaces configured with the RA guard show ipv6 nd raguard policy policy name Example Step 5 switch show ipv6 nd raguard policy host Policy host configuration device role host Policy applied on the following inte...

Page 406: ...e configure terminal Defines the DHCPv6 guard policy name and enters DHCP guard configuration mode ipv6 dhcp guard policy policy name Example Step 2 Device config ipv6 dhcp guard policy pol1 Specifies the device role of the device attached to the target interface or VLAN device role client server Example Step 3 device role client Interface where a normal DHCPv6 client is connected It blocks any in...

Page 407: ...nd returns to global configuration mode exit Example Step 7 Device config dhcp guard exit Specifies an interface and enters interface configuration mode interface type number Example Step 8 Device config interface GigabitEthernet 0 2 0 Puts an interface that is in Layer 3 mode into Layer 2 mode for Layer 2 configuration switchport Example Step 9 Device config if switchport Attaches a DHCPv6 guard ...

Page 408: ... is applied show ipv6 dhcp guard policy policy name Example Step 16 Device show ipv6 dhcp policy guard pol1 Configuring IPv6 Snooping SUMMARY STEPS 1 configure terminal 2 ipv6 snooping policy policy name 3 device role node switch 4 no limit address count 5 no protocol dhcp ndp 6 trusted port 7 security level glean guard inspect 8 tracking 9 exit 10 interface type number 11 no switchport 12 ipv6 sn...

Page 409: ...HCP or NDP gleaning no protocol dhcp ndp Example Step 5 Device config snoop policy protocol dhcp Device config snoop policy protocol ndp Specifies that the policy be applied to a trusted port If an entry is a trusted port none of it s traffic will be blocked or dropped trusted port Example Device config snoop policy trusted port Step 6 Specifies the type of security applied to the policy glean gua...

Page 410: ...config if exit Specifies a VLAN and enters VLAN configuration mode vlan configuration vlan id Example Step 14 Device config vlan configuration 333 Attaches the IPv6 snooping policy to a VLAN ipv6 snooping attach policy policy name Example Step 15 Device config vlan config ipv6 snooping attach policy policy1 Exits VLAN configuration mode and returns to global configuration mode exit Example Step 16...

Page 411: ...face counter show ipv6 snooping counter interface type number Example Step 2 Device show ipv6 snooping counter interface FastEthernet 4 12 Displays information about snooping features configured on the device show ipv6 snooping features Example Step 3 Device show ipv6 snooping features Displays information about the configured policies and the interfaces to which they are attached show ipv6 snoopi...

Page 412: ...configure terminal ipv6 dhcp guard policy pol1 device role server preference min 0 preference max 255 trusted port interface GigabitEthernet 0 2 0 switchport ipv6 dhcp guard attach policy pol1 vlan configuration 1 ipv6 dhcp guard attach policy pol1 show ipv6 dhcp guard policy pol1 Example Configuring IPv6 First Hop Security Binding Table config terminal ipv6 neighbor binding vlan 100 2001 db8 1 in...

Page 413: ... Et1 0 vlan all Policy applied on the following vlans vlan 1 100 200 300 400 Additional References for IPv6 First Hop Security This section includes additional information related to configuring IPv6 First Hop Security Related Documents Document Title Related Topic Cisco NX OS Licensing Guide Cisco NX OS Licensing Cisco Nexus 7000 Series NX OS Security Command Reference Command reference Cisco Nex...

Page 414: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 388 Configuring IPv6 First Hop Security Additional References for IPv6 First Hop Security ...

Page 415: ...cast domain by mapping an IP address to a MAC address For example host B wants to send information to host A but does not have the MAC address of host A in its ARP cache In ARP terms host B is the sender and host A is the target To get the MAC address of host A host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of...

Page 416: ...at host C intercepts that traffic Likewise host A and the device use the MAC address MC as the destination MAC address for traffic intended for IB Because host C knows the true MAC addresses associated with IA and IB it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination This topology in which host C has inserted itself into the traffic stream fro...

Page 417: ...ire their IP addresses from the DHCP server connected to device A only device A binds the IP to MAC address of host 1 If the interface between device A and device B is untrusted the ARP packets from host 1 are dropped by device B and connectivity between host 1 and host 2 is lost If you configure interfaces as trusted when they should be untrusted you may open a security hole in a network If devic...

Page 418: ...ts that DAI drops If the log buffer overflows the device overwrites the oldest DAI log entries with newer entries You can configure the maximum number of entries in the buffer Cisco NX OS does not generate system messages about DAI packets that are logged Note Licensing Requirements for DAI This table shows the licensing requirements for DAI License Requirement Product DAI requires no license Any ...

Page 419: ... modules receive the DHCP and DAI configuration approximately 30 seconds after you complete the rollback DAI is supported on access ports trunk ports and port channel ports The DAI trust configuration of a port channel determines the trust state of all physical ports that you assign to the port channel For example if you have configured a physical port as a trusted interface and then you add that ...

Page 420: ...ed Make sure that the VLANs on which you want to enable DAI are configured Make sure that the ACL TCAM region size for DAI arp ether is configured SUMMARY STEPS 1 configure terminal 2 no ip arp inspection vlan vlan list 3 Optional show ip arp inspection vlan vlan id 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure ter...

Page 421: ...dress bindings before updating the local cache and forwarding the packet to the appropriate destination If the device determines that packets have invalid bindings it drops the packets and logs them according to the logging configuration Before you begin If you are enabling DAI make sure that the DHCP feature is enabled SUMMARY STEPS 1 configure terminal 2 interface type port slot 3 no ip arp insp...

Page 422: ...ss the sender and target IP addresses and the source MAC address You can use the following keywords with the ip arp inspection validate command to implement additional validations dst mac Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses When enabled packets with different MAC addresses are classified as invalid and are dropp...

Page 423: ... switch config ip arp inspection validate src mac dst mac ip Displays the DHCP snooping configuration including the DAI configuration Optional show running config dhcp Example Step 3 switch config show running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 4 switch config copy running config startup config Configur...

Page 424: ...DAI Log Filtering You can configure how the device determines whether to log a DAI packet By default the device logs DAI packets that are dropped SUMMARY STEPS 1 configure terminal 2 no ip arp inspection vlan vlan list logging dhcp bindings all none permit 3 Optional show running config dhcp 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global config...

Page 425: ...st state and ARP packet rate for a specific interface or port channel show ip arp inspection interfaces ethernet slot port port channel number Displays the DAI log configuration show ip arp inspection log Displays the DAI configuration for a specific VLAN show ip arp inspection vlan vlan id Displays the DAI configuration show running config dhcp all Monitoring and Clearing DAI Statistics To monito...

Page 426: ...ermit ARP packets that have dynamically assigned IP addresses This configuration does not work if the DHCP server is moved from device A to a different location To ensure that this configuration does not compromise security configure Ethernet interface 2 3 on device A and Ethernet interface 1 4 on device B as trusted Configuring Device A To enable DAI and configure Ethernet interface 2 3 on device...

Page 427: ...Type VLAN Interface 00 60 0b 00 12 89 10 0 0 1 0 dhcp snooping 1 Ethernet2 3 switchA Step 5 Check the statistics before and after DAI processes any packets switchA show ip arp inspection statistics vlan 1 Vlan 1 ARP Req Forwarded 0 ARP Res Forwarded 0 ARP Req Dropped 0 ARP Res Dropped 0 DHCP Drops 0 DHCP Permits 0 SMAC Fails ARP Req 0 SMAC Fails ARP Res 0 DMAC Fails ARP Res 0 IP Fails ARP Req 0 IP...

Page 428: ... and configure Ethernet interface 1 4 on device B as trusted follow these steps Step 1 While logged into device B verify the connection between device B and device A switchB show cdp neighbors Capability Codes R Router T Trans Bridge B Source Route Bridge S Switch H Host I IGMP r Repeater V VoIP Phone D Remotely Managed Device s Supports STP Dispute Device ID Local Intrfce Hldtme Capability Platfo...

Page 429: ...w ip arp inspection statistics vlan 1 Vlan 1 ARP Req Forwarded 0 ARP Res Forwarded 0 ARP Req Dropped 0 ARP Res Dropped 0 DHCP Drops 0 DHCP Permits 0 SMAC Fails ARP Req 0 SMAC Fails ARP Res 0 DMAC Fails ARP Res 0 IP Fails ARP Req 0 IP Fails ARP Res 0 switchB If Host 2 sends out an ARP request with the IP address 10 0 0 2 and the MAC address 0001 0001 0001 the packet is forwarded and the statistics ...

Page 430: ... Res Forwarded 0 ARP Req Dropped 1 ARP Res Dropped 0 DHCP Drops 1 DHCP Permits 1 SMAC Fails ARP Req 0 SMAC Fails ARP Res 0 DMAC Fails ARP Res 0 IP Fails ARP Req 0 IP Fails ARP Res 0 switchB Additional References for DAI Related Documents Document Title Related Topic Configuring IP ACLs ACL TCAM regions Configuring DHCP on page 327 DHCP and DHCP snooping Standards Title Standard An Ethernet Address...

Page 431: ...AC address bindings Entries in the Dynamic Host Configuration Protocol DHCP snooping binding table Static IP source entries that you configure Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks in which an attacker uses the IP address of a valid host to gain unauthorized network access To circumvent IP Source Guard an attacker would have to spoof both the IP address an...

Page 432: ... explanation of the Cisco NX OS licensing scheme see the Cisco NX OS Licensing Guide Cisco NX OS Prerequisites for IP Source Guard IP Source Guard has the following prerequisites You must enable the DHCP feature and DHCP snooping before you can configure IP Source Guard See Configuring DHCP on page 327 You must configure the ACL TCAM region size for IP Source Guard using the hardware access list t...

Page 433: ...arameters Table 34 Default IP Source Guard Parameters Default Parameters Disabled on each interface IP Source Guard None No static or default IP source entries exist by default IP source entries Configuring IP Source Guard Enabling or Disabling IP Source Guard on a Layer 2 Interface You can enable or disable IP Source Guard on a Layer 2 interface By default IP Source Guard is disabled on all inter...

Page 434: ...ow running config dhcp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 5 switch config if copy running config startup config Adding or Removing a Static IP Source Entry You can add or remove a static IP source entry on the device By default there are no static IP source entries SUMMARY STEPS 1 configure terminal 2 no ip source ...

Page 435: ... on that port will be dropped unless there is a DHCP snooping entry to allow it in the TCAM However when IP Source Guard is configured on trunk ports and you do not want traffic coming on certain VLANs to undergo this check even if DHCP snooping is not enabled on them you can specify a list of VLANs to exclude Before you begin Make sure that the DHCP feature and DHCP snooping are enabled SUMMARY S...

Page 436: ...Statistics To clear IP Source Guard statistics use the commands in this table Purpose Command Clears IP Source Guard statistics clear access list ipsg stats instance number module number Configuration Example for IP Source Guard This example shows how to create a static IP source entry and enable IP Source Guard on an interface ip source binding 10 5 22 17 001f 28bd 0013 vlan 100 interface etherne...

Page 437: ...Document Title Related Topic Configuring IP ACLs ACL TCAM regions Configuring DHCP on page 327 DHCP and DHCP snooping Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 411 Configuring IP Source Guard Additional References ...

Page 438: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 412 Configuring IP Source Guard Related Documents ...

Page 439: ...feature and configure a master encryption key which is used to encrypt and decrypt passwords After you enable AES password encryption and configure a master key all existing and newly created clear text passwords for supported applications currently RADIUS and TACACS are stored in type 6 encrypted format unless you disable type 6 password encryption You can also configure Cisco NX OS to convert al...

Page 440: ...ing the master key stops type 6 encryption and causes all existing type 6 encrypted passwords to become unusable unless the same master key is reconfigured To move the device configuration to another device either decrypt the configuration before porting it to the other device or configure the same master key on the device to which the configuration will be applied Default Settings for Password En...

Page 441: ...tep 2 switch configure terminal switch config Enables or disables the AES password encryption feature no feature password encryption aes Example Step 3 switch config feature password encryption aes Displays the configuration status of the AES password encryption feature and the master key Optional show encryption service stat Example Step 4 switch config show encryption service stat Copies the run...

Page 442: ...pted Passwords Back to Their Original States You can convert type 6 encrypted passwords back to their original states Before you begin Ensure that you have configured a master key SUMMARY STEPS 1 encryption decrypt type6 DETAILED STEPS Purpose Command or Action Converts type 6 encrypted passwords back to their original states encryption decrypt type6 Example Step 1 switch encryption decrypt type6 ...

Page 443: ...aster key enable the AES password encryption feature and configure a type 6 encrypted password for a TACACS application key config key ascii New Master Key Retype Master Key configure terminal feature password encryption aes show encryption service stat Encryption service is enabled Master Encryption Key is configured Type 6 encryption is being used feature tacacs tacacs server key Cisco123 show r...

Page 444: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 418 Configuring Password Encryption Configuration Examples for Password Encryption ...

Page 445: ...in keychains which are sequences of keys sometimes called shared secrets You can use keychains with features that secure communications with other devices by using key based authentication The device allows you to configure multiple keychains Some routing protocols that support key based authentication can use a keychain to implement a hitless key rollover for authentication For more information s...

Page 446: ...ommend that you configure key lifetimes that overlap within every keychain This practice avoids failure of neighbor authentication due to the absence of active keys Licensing Requirements for Keychain Management This table shows the licensing requirements for keychain management License Requirement Product Keychain management requires no license Any feature not included in a license package is bun...

Page 447: ...ice A new keychain contains no keys SUMMARY STEPS 1 configure terminal 2 key chain name 3 Optional show key chain name 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Creates the keychain and enters keychain configuration mode key chain name Example Step...

Page 448: ...nfigure terminal 2 no key chain name 3 Optional show key chain name 4 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Removes the keychain and any keys that the keychain contains no key chain name Example Step 2 switch config no key chain bgp keys Confirms...

Page 449: ...the AES password encryption feature before configuring a master key a message appears stating that password encryption will not take place unless a master key is configured If a master key is already configured you are prompted to enter the current master key before entering a new master key Enters global configuration mode configure terminal Example Step 2 switch configure terminal switch config ...

Page 450: ...e you begin Determine the text for the key You can enter the text as unencrypted text or in the encrypted form that Cisco NX OS uses to display key text when you use the show key chain command Using the encrypted form is particularly helpful if you are creating key text to match a key as shown in the show key chain command output from another device SUMMARY STEPS 1 configure terminal 2 key chain n...

Page 451: ...uding the key text configuration The mode decrypt option which can be used Optional show key chain name mode decrypt Example Step 5 by a device administrator only displays the keys in cleartext switch config keychain key show key chain bgp keys Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config keychain key copy ru...

Page 452: ...d the device treats these times as local times Example switch config keychain key accept lifetime 00 00 00 Jun 13 2013 23 59 59 Sep 12 2013 The start time argument is the time of day and date that the key becomes active Specify the end of the lifetime with one of the following options duration duration value The length of the lifetime in seconds The maximum length is 2147483646 seconds approximate...

Page 453: ...ng config startup config Example Step 7 switch config keychain key copy running config startup config Related Topics Configuring a Master Key and Enabling the AES Password Encryption Feature on page 414 Configuring a Key for OSPFv2 Cryptographic Authentication You can configure message digest 5 MD5 or hash based message authentication code secure hash algorithm HMAC SHA authentication for OSPFv2 S...

Page 454: ...hows the keychain configuration Optional show key chain name Example Step 5 switch config keychain key show key chain bgp keys Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config keychain key copy running config startup config Determining Active Key Lifetimes To determine which keys within a key chain have active ac...

Page 455: ...yd accept lifetime 00 00 00 Nov 12 2013 23 59 59 Mar 12 2013 send lifetime 00 00 00 Dec 12 2013 23 59 59 Feb 12 2013 Where to Go Next For information about routing features that use keychains see the Cisco Nexus 9000 Series NX OS Unicast Routing Configuration Guide Additional References for Keychain Management Related Documents Document Title Related Topic Cisco Nexus 9000 Series NX OS Unicast Rou...

Page 456: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 430 Configuring Keychain Management Additional References for Keychain Management ...

Page 457: ...nce You can use the traffic storm control feature to prevent disruptions on Layer 2 ports by a broadcast multicast or unicast traffic storm on physical interfaces Traffic storm control also called traffic suppression allows you to monitor the levels of the incoming broadcast multicast and unicast traffic over a 3 9 millisecond interval During this interval the traffic level which is a percentage o...

Page 458: ...he end of the interval If you enable broadcast and multicast traffic storm control and the combined broadcast and multicast traffic exceeds the level within the 3 9 millisecond interval traffic storm control drops all broadcast and multicast traffic until the end of the interval If you enable broadcast and multicast traffic storm control and broadcast traffic exceeds the level within the 3 9 milli...

Page 459: ... Traffic period 60 s Storm control pps 1000 This is applicable only for Cisco Nexus 9336C FX Cisco Nexus 93300YC FX and Cisco Nexus 93240YC FX2Z switches Beginning with Cisco Nexus Release 9 2 1 you can use the percentage of port capacity or packets per second for the Cisco Nexus 9336C FX2 Cisco Nexus 93300YC FX2 and Cisco Nexus 93240YC FX2 Z switches If you have configured a SVI for the VLAN on C...

Page 460: ...ic storm control is not supported on 100G ports on the Cisco Nexus 9300 Series switches It is supported on the Cisco Nexus 9300 EX FX and FX2 Series switches and the Cisco Nexus 9500 Series switches with the 9700 EX FX line card Traffic storm control is not supported on FEX interfaces Traffic storm control is only for ingress traffic specifically for unknown unicast unknown multicast and broadcast...

Page 461: ...g Enters interface configuration mode interface ethernet slot port port channel number Example Step 2 switch interface ethernet 1 1 switch config if Configures traffic storm control for traffic on the interface You can also configure bandwidth level as a percentage no storm control broadcast multicast unicast level level value pps pps value Step 3 either of port capacity or packets per second The ...

Page 462: ...ying Traffic Storm Control Configuration To display traffic storm control configuration information perform one of the following tasks Purpose Command Displays the traffic storm control configuration show running config interface Displays the storm control statistics for arp packets on the interface show access list storm control arp stats interface ethernet port channel number Monitoring Traffic ...

Page 463: ...ics Interface port channel132 Member Interface Entry ID Rate RedPacket Count GreenPacket Count Ethernet1 35 3976 50 0 0 slot 7 ARP Policer Entry Statistics Interface port channel132 Member Interface Entry ID Rate RedPacket Count GreenPacket Count Additional References for Traffic Storm Control This section includes additional information related to implementing traffic storm control Related Docume...

Page 464: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 438 Configuring Traffic Storm Control Additional References for Traffic Storm Control ...

Page 465: ...murf and Tribal Flood Network TFN attacks can take advantage of forged or rapidly changing source IPv4 or IPv6 addresses to allow attackers to thwart efforts to locate or filter the attacks Unicast RPF deflects attacks by forwarding only the packets that have source addresses that are valid and consistent with the IP routing table When you enable unicast RPF on an interface the switch examines all...

Page 466: ...namic routing add routes to the FIB IP source addresses at the receiving interface must match the routing entry for the interface Unicast RPF is an input function and is applied only on the input interface of a device at the upstream end of a connection You can use unicast RPF for downstream networks even if the downstream network has other connections to the Internet Be careful when using optiona...

Page 467: ...ccess server helps limit the scope of the attack and trace the source of the attack however deploying uRPF across many sites does add to the administration cost of operating the network The more entities that deploy uRPF across Internet intranet and extranet resources means the better the chances of mitigating large scale network disruptions throughout the Internet community and of tracing the sou...

Page 468: ... strict uRPF per the configured routing interface Strict uRPF is implemented per learned route on strict uRPF enabled interfaces If a route is resolved as ECMP strict uRPF will fall back to loose mode Because of the hardware limitation on the trap resolution uRPF might not be applied on supervisor bound packets via inband For IP traffic both IPv4 and IPv6 configurations should be enabled simultane...

Page 469: ...mode interface ethernet slot port Example Step 2 switch config interface ethernet 2 3 switch config if Specifies an IPv4 or IPv6 address for the interface ip ipv6 address ip address length Example Step 3 switch config if ip address 172 23 231 240 23 Configures unicast RPF on the interface for both IPv4 and IPv6 ip ipv6 verify unicast source reachable via any Example Step 4 When you enable uRPF for...

Page 470: ...ck fails the packet is discarded You can use this type of Unicast RPF check where packet flows are expected to be symmetrical Loose Unicast RPF mode A loose mode check is successful when a lookup of a packet source address in the FIB returns a match and the FIB result indicates that the source is reachable through at least one real interface The ingress interface through which the packet is receiv...

Page 471: ...ify unicast source reachable via any When you enable Unicast RPF for IPv4 or IPv6 using the ip or ipv6 keyword Unicast RPF is enabled for both IPv4 and IPv6 You can configure only one version of the available IPv4 and IPv6 Unicast RPF command on an interface When you configure one version all the mode changes must be done by this version and all other versions will be blocked by that interface Not...

Page 472: ...Pv4 packets on a Cisco Nexus 9500 Series switch with an R line card interface Ethernet2 3 ip address 172 23 231 240 23 ip verify unicast source reachable via any The following example shows how to configure loose unicast RPF for IPv6 packets on a Cisco Nexus 9500 Series switch with an R line card interface Ethernet2 1 ipv6 address 2001 0DB8 c18 1 3 64 ipv6 verify unicast source reachable via any T...

Page 473: ... interface ethernet slot port Displays the IPv4 configuration in the running configuration show running config ip all Displays the IPv6 configuration in the running configuration show running config ipv6 all Displays the interface configuration in the startup configuration show startup config interface ethernet slot port Displays the IP configuration in the startup configuration show startup confi...

Page 474: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 448 Configuring Unicast RPF Additional References for Unicast RPF ...

Page 475: ...tch Security issues could arise if unknown multicast and unicast traffic is forwarded to a switch port You can enable switchport blocking to guarantee that no multicast or unicast traffic is flooded to the port Licensing Requirements for Switchport Blocking The following table shows the licensing requirements for this feature License Requirement Product Switchport blocking requires no license Any ...

Page 476: ...ult Switchport Blocking Parameters Default Parameters Disabled Switchport blocking Configuring Switchport Blocking By default the switch floods packets with unknown destination MAC addresses to all ports To prevent the forwarding of such traffic you can configure a port to block unknown multicast or unicast packets SUMMARY STEPS 1 configure terminal 2 interface ethernet slot port port channel numb...

Page 477: ...ing tasks Purpose Command Displays the switchport blocking configuration for all interfaces show interface switchport Displays the switchport blocking configuration for the specified interface show interface ethernet slot port port channel number switchport Displays the switchport blocking configuration in the running configuration show running config interface ethernet slot port port channel numb...

Page 478: ...Ethernet1 2 switchport switchport block multicast switchport block unicast Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 452 Configuring Switchport Blocking Configuration Example for Switchport Blocking ...

Page 479: ...ied to the control plane This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non management port A common attack vector for network devices is the denial of service DoS attack where excessive traffic is directed at the device interfaces The Cisco NX OS device provides CoPP to prevent DoS attacks from impacting performance Such attacks which can b...

Page 480: ...raffic Examples of DoS attacks include Internet Control Message Protocol ICMP echo requests IP fragments TCP SYN flooding These attacks can impact the device performance and have the following negative effects Reduced service quality such as poor voice video or critical applications traffic High route processor or switch processor CPU utilization Route flaps due to loss of routing protocol updates...

Page 481: ...ets could be maliciously used to attack the control plane and overwhelm the Cisco NX OS device CoPP classifies these packets to different classes and provides a mechanism to individually control the rate at which the supervisor module receives these packets Classification for CoPP For effective protection the Cisco NX OS device classifies the packets that reach the supervisor modules to allow you ...

Page 482: ...tatic CoPP ACLs work for ACL based supervisor redirected packets Dynamic CoPP ACLs are supported for myIP and link local multicast traffic and static CoPP ACLs are supported for all other types of traffic Static CoPP ACLs are identified by a substring Any ACL that has one of these substrings is categorized as a static CoPP ACL MAC based static CoPP ACL substrings acl mac cdp udld vtp acl mac cfsoe...

Page 483: ...olicy has optimized values suitable for basic device operations You must add specific class and access control list ACL rules that meet your DoS protection requirements The default CoPP policy does not change when you upgrade the software Selecting the skip option and not subsequently configuring CoPP protection can leave your Cisco NX OS device vulnerable to DoS attacks Caution You can reassign t...

Page 484: ...liced match access group name copp system p acl mac stp match access group name copp system p acl mac lacp match access group name copp system p acl mac cfsoe match access group name copp system p acl mac sdp srp match access group name copp system p acl mac l2 tunnel match access group name copp system p acl mac cdp udld vtp The copp system class l3mc data class has the following configuration cl...

Page 485: ...p name copp system p acl pim6 match access group name copp system p acl pim reg match access group name copp system p acl pim6 reg match access group name copp system p acl pim mdt join The copp system class nat flow class has the following configuration class map type control plane match any copp system p class nat flow match exception nat flow The copp system class ndp class has the following co...

Page 486: ...s copp system p class l3uc data set cos 1 police cir 800 kbps bc 32000 bytes conform transmit violate drop class copp system p class critical set cos 7 police cir 36000 kbps bc 1280000 bytes conform transmit violate drop class copp system p class important set cos 6 police cir 2500 kbps bc 1280000 bytes conform transmit violate drop class copp system p class multicast router set cos 6 police cir 2...

Page 487: ...class default set cos 0 police cir 400 kbps bc 32000 bytes conform transmit violate drop On Cisco Nexus 9300 and 9500 Series and 3164Q 31128PQ 3232C and 3264Q switches the strict CoPP policy has the following configuration policy map type control plane copp system p policy strict class copp system p class l3uc data set cos 1 police cir 250 pps bc 32 packets conform transmit violate drop class copp...

Page 488: ...6 police cir 1500 pps bc 128 packets conform transmit violate drop class copp system p class nat flow set cos 7 police cir 100 pps bc 64 packets conform transmit violate drop class copp system p class l2 default set cos 0 police cir 50 pps bc 32 packets conform transmit violate drop class class default set cos 0 police cir 50 pps bc 32 packets conform transmit violate drop Moderate Default CoPP Po...

Page 489: ...nsmit violate drop class copp system p class l2 unpoliced set cos 7 police cir 50 mbps bc 8192000 bytes conform transmit violate drop class copp system p class undesirable set cos 0 police cir 200 kbps bc 48000 bytes conform transmit violate drop class copp system p class nat flow set cos 7 police cir 800 kbps bc 64000 bytes conform transmit violate drop class copp system p class l2 default set co...

Page 490: ...s exception diag set cos 1 police cir 50 pps bc 48 packets conform transmit violate drop class copp system p class monitoring set cos 1 police cir 300 pps bc 192 packets conform transmit violate drop class copp system p class l2 unpoliced set cos 7 police cir 20000 pps bc 8192 packets conform transmit violate drop class copp system p class undesirable set cos 0 police cir 15 pps bc 48 packets conf...

Page 491: ... igmp set cos 3 police cir 3000 kbps bc 64000 bytes conform transmit violate drop class copp system p class redirect set cos 1 police cir 280 kbps bc 64000 bytes conform transmit violate drop class copp system p class exception set cos 1 police cir 150 kbps bc 64000 bytes conform transmit violate drop class copp system p class exception diag set cos 1 police cir 150 kbps bc 64000 bytes conform tra...

Page 492: ... class copp system p class normal dhcp relay response set cos 1 police cir 400 pps bc 128 packets conform transmit violate drop class copp system p class normal igmp set cos 3 police cir 6000 pps bc 64 packets conform transmit violate drop class copp system p class redirect set cos 1 police cir 1500 pps bc 64 packets conform transmit violate drop class copp system p class exception set cos 1 polic...

Page 493: ...bps bc 128000 bytes conform transmit violate drop class copp system p class ndp set cos 1 police cir 350 kbps bc 32000 bytes conform transmit violate drop class copp system p class normal dhcp set cos 1 police cir 750 kbps bc 128000 bytes conform transmit violate drop class copp system p class normal dhcp relay response set cos 1 police cir 750 kbps bc 128000 bytes conform transmit violate drop cl...

Page 494: ... 32 packets conform transmit violate drop class copp system p class normal set cos 1 police cir 750 pps bc 32 packets conform transmit violate drop class copp system p class ndp set cos 1 police cir 750 pps bc 32 packets conform transmit violate drop class copp system p class normal dhcp set cos 1 police cir 150 pps bc 128 packets conform transmit violate drop class copp system p class normal dhcp...

Page 495: ... 2 Create a traffic policy using the policy map command A traffic policy policy map contains a traffic class and one or more CoPP features that will be applied to the traffic class The CoPP features in the traffic policy determine how to treat the classified traffic 3 Attach the traffic policy policy map to the control plane using the control plane and service policy commands DETAILED STEPS Step 1...

Page 496: ...eatures used in your specific environment as well as the supervisor features that are required by the server environment As these protocols and features change CoPP must be modified We recommend that you continuously monitor CoPP If drops occur determine if CoPP dropped traffic unintentionally or in response to a malfunction or attack In either event analyze the situation and evaluate the need to ...

Page 497: ...bootflash filename command If an incompatibility exists disable any features that are incompatible with the downgrade image before downgrading the software You cannot disable CoPP If you attempt to disable it packets are rate limited at 50 packets per seconds Skip CoPP policy option has been removed from the Cisco NX OS initial setup utility because using it can impact the control plane of the net...

Page 498: ...c CoPP ACLs You cannot override the existing dynamic CoPP with a new policy You must remove the existing dynamic CoPP before you add a new policy The deny action is not applicable Every entry is programmed in TCAM and uses a different TCAM space if two MAC or IP ACLs with the same entries are created and bound to either the same or a different class map The maximum TCAM carving supported for the e...

Page 499: ...igured the IP ACLs if you want to use ACE hit counters in the class maps SUMMARY STEPS 1 configure terminal 2 class map type control plane match all match any class map name 3 Optional match access group name access list name 4 Optional match exception ip ipv6 icmp redirect 5 Optional match exception ip ipv6 icmp unreachable 6 Optional match exception ip ipv6 option 7 match protocol arp 8 exit 9 O...

Page 500: ... ICMP unreachable exception packets Optional match exception ip ipv6 icmp unreachable Example Step 5 switch config cmap match exception ip icmp unreachable Specifies matching for IPv4 or IPv6 option exception packets Optional match exception ip ipv6 option Example Step 6 switch config cmap match exception ip option Specifies matching for IP Address Resolution Protocol ARP and Reverse Address Resol...

Page 501: ...eshold drop count level syslog level 6 Optional set cos cos value 7 exit 8 exit 9 Optional show policy map type control plane expand name class map name 10 Optional copy running config startup config DETAILED STEPS Purpose Command or Action Enters global configuration mode configure terminal Example Step 1 switch configure terminal switch config Specifies a control plane policy map and enters poli...

Page 502: ...ies switches The conform transmit action transmits the packet You can specify the BC and conform action for the same CIR Note Specifies the threshold value for dropped packets and generates a syslog if the drop count exceeds the configured Optional logging drop threshold drop count level syslog level Step 5 threshold The range for the drop count argument is from Example 1 to 8000000000 bytes The r...

Page 503: ..._NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT21 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT25 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23 16 46 switch ACLQOS SLOT26 5 ACLQOS_NON_ATOMIC Non atomic ACL QoS policy update done for CoPP 2013 Nov 13 23...

Page 504: ...show running config copp Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 6 switch config copy running config startup config Related Topics Configuring a Control Plane Policy Map on page 475 Configuring the CoPP Scale Factor Per Line Card You can configure the CoPP scale factor per line card The scale factor configuration is use...

Page 505: ... of 1 00 use the no scale factor value module multiple module range command or explicitly set the default scale factor value to 1 00 using the scale factor 1 module multiple module range command Displays the applied scale factor values when a CoPP policy is applied Optional show policy map interface control plane Example Step 4 switch config cp show policy map interface control plane Copies the ru...

Page 506: ...y If you want to modify its configuration you must copy it SUMMARY STEPS 1 copp copy profile strict moderate lenient dense prefix suffix string 2 Optional show copp status 3 Optional show running config copp DETAILED STEPS Purpose Command or Action Creates a copy of the CoPP best practice policy copp copy profile strict moderate lenient dense prefix suffix string Step 1 CoPP renames all class maps...

Page 507: ...rg copp size 3 copy running config startup config 4 reload 5 configure terminal 6 mac access list mac foo 1 7 class map type control plane match all match any class map name 8 Optional match access group name access list name 9 policy map type control plane policy map name 10 class class map name insert before class map name2 class default 11 Enter one of the following commands police cir cir rate...

Page 508: ...rs class map configuration mode The default class matching is class map type control plane match all match any class map name Step 7 match any The name can be a maximum of 64 characters long and is case sensitive Example switch config class map type control plane match any c map2 switch config cmap Optional match access group name access list name Step 8 Example switch config cmap match access gro...

Page 509: ...raffic ENd service policy dynamic input policy map name Example Step 13 switch config cp dyn service policy dynamic input PolicyMap1 Configuring IP ACL Filtering for CoPP You can configure IP ACL filtering at egress CoPP Before you begin Ensure that you have configured a control plane policy map SUMMARY STEPS 1 configure terminal 2 no hardware access list tcam region erg copp size 3 copy running c...

Page 510: ...oads the device reload Step 4 Example The new size values are effective only after you enter copy running config startup config reload or reload all line card modules Note switch config reload Enters global configuration mode configure terminal Example Step 5 switch configure terminal switch config ip access list IP foo 1 Step 6 Example switch ip access list mac foo 1 switch config acl permit tcp ...

Page 511: ... a policy map switch config pmap class ClassMap2 switch config pmap c Specifies the committed information rate CIR The rate range is as follows Enter one of the following commands Step 12 police cir cir rate rate type The committed burst BC range is as follows police cir cir rate rate type bc burst size burst size type police cir cir rate rate type conform transmit violate drop Example switch conf...

Page 512: ...d When the scale factor value is the default 1 00 it is not displayed The scale factor changes the CIR and BC values internally on each module but the display shows the configured CIR and BC values only The actual applied value on a module is the scale factor multiplied by the configured value Note show policy map interface control plane Displays the control plane class map configuration including...

Page 513: ...te lenient dense show copp diff profile Displays the details of the CoPP best practice policy along with the classes and policer values show copp profile strict moderate lenient dense Displays the user configured access control lists ACLs in the running configuration The all option displays both the default CoPP configured and user configured ACLs in the running configuration show running config a...

Page 514: ...hat are part of the applied CoPP policy switch show policy map interface control plane Step 1 Statistics are specified in terms of OutPackets packets admitted to the control plane and DropPackets packets dropped because of rate limiting Example This example shows how to monitor CoPP switch show policy map interface control plane Control Plane Service policy input copp system p policy strict class ...

Page 515: ...ol plane switch clear copp statistics Configuration Examples for CoPP This section includes example CoPP configurations CoPP Configuration Example The following example shows how to configure CoPP using IP ACLs and MAC ACLs configure terminal ip access list copp system p acl igmp permit igmp any 10 0 0 0 24 ip access list copp system p acl msdp permit tcp any any eq 639 mac access list copp system...

Page 516: ...input copp system p policy Create CoPP class and associate ACL class map type control plane copp arp class match access group name copp arp acl Add the class to the CoPP policy policy map type control plane copp system policy class copp arp class police pps 500 Changing or Reapplying the Default CoPP Policy Using the Setup Utility The following example shows how to change or reapply the default Co...

Page 517: ...re default interface layer L3 L2 L3 CR Configure default switchport interface state shut noshut shut CR Configure best practices CoPP profile strict moderate lenient dense skip strict strict The following configuration will be applied password strength check no license grace period no telnet server enable no system default switchport system default switchport shutdown policy map type control plane...

Page 518: ...andards Title Standards A Two Rate Three Color Marker RFC 2698 Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 492 Configuring Control Plane Policing Additional References for CoPP ...

Page 519: ... Configuration on page 498 Configuration Examples for Rate Limits on page 498 Additional References for Rate Limits on page 499 About Rate Limits Rate limits can prevent redirected packets for exceptions from overwhelming the supervisor module on a Cisco NX OS device You can configure rate limits in packets per second for the following types of redirected packets Access list log packets Bidirectio...

Page 520: ...Nexus 9000 9300 and 9500 Series switches and the Cisco Nexus 3164Q 31128PQ 3232C and 3264Q switches The rate limiter on egress ports is limited per pipe on the Cisco Nexus 9300 and 9500 Series switches Cisco Nexus 3164Q and 31128PQ switches and the Cisco Nexus 3232C and 3264Q switches The rate limiter on egress ports is limited per slice on the Cisco Nexus Cisco Nexus 9200 and 9300 EX Series switc...

Page 521: ...ou can set rate limits on supervisor bound traffic SUMMARY STEPS 1 configure terminal 2 hardware rate limiter access list log packets disable module module port start end 3 hardware rate limiter bfd packets module module port start end 4 hardware rate limiter exception packets module module port start end 5 hardware rate limiter fex packets module module port start end 6 hardware rate limiter laye...

Page 522: ...r second for supervisor bound FEX trafffic The range is from 0 to 10000 hardware rate limiter fex packets module module port start end Example Step 5 switch config hardware rate limiter fex 500 Configures rate limits in packets per second for Layer 3 glean packets The range is from 0 to 10000 hardware rate limiter layer 3 glean packets module module port start end Step 6 Example A node receiving t...

Page 523: ...cess list log bfd exception fex layer 3 glean layer 3 multicast local groups span egress module module Step 9 Example switch show hardware rate limiter Copies the running configuration to the startup configuration Optional copy running config startup config Example Step 10 switch copy running config startup config Monitoring Rate Limits You can monitor rate limits SUMMARY STEPS 1 show hardware rat...

Page 524: ...layer 3 glean layer 3 multicast local groups span egress module module Configuration Examples for Rate Limits The following example shows how to configure rate limits for packets copied to the supervisor module for access list logging switch config hardware rate limiter access list log switch config show hardware rate limiter access list log Units for Config packets per second Allowed Dropped Tota...

Page 525: ...Module 1 R L Class Config Allowed Dropped Total L3 glean 100 0 0 0 L3 mcast loc grp 3000 0 0 0 access list log 100 0 0 0 bfd 10000 0 0 0 exception 50 0 0 0 fex 3000 0 0 0 span 50 0 0 0 dpss 6400 0 0 0 span egress 123 0 0 0 configured Additional References for Rate Limits This section includes additional information related to implementing rate limits Related Documents Document Title Related Topic ...

Page 526: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 500 Configuring Rate Limits Additional References for Rate Limits ...

Page 527: ...n page 528 About MACsec Media Access Control Security MACsec an IEEE 802 1AE along with MACsec Key Agreement MKA protocol provide secure communications on Ethernet links It offers the following Provides line rate encryption capabilities Helps to ensure data confidentiality by providing strong encryption at Layer 2 Provides integrity checking to help ensure that data cannot be modified in transit C...

Page 528: ...en the key rollover is hitless that is the key rolls over without traffic interruption Fallback Key A MACsec session can fail due to a key key name CKN mismatch or a finite key duration between the switch and a peer If a MACsec session does fail a fallback session can take over if a fallback key is configured A fallback session prevents downtime due to primary session failure and allows a user tim...

Page 529: ...econds If the key is not completely configured with the key octet string and or the send lifetime within the 6 second window incomplete information may be used to bring up the MACsec session and could result in the session being stuck in an Authorization Pending state If the MACsec sessions are not converged after the configuration is complete you might be advised to shut no shut the ports For a g...

Page 530: ...ease 9 2 1 you must use keys with the AES_256_CMAC cryptographic algorithm For interoperability between previous releases and Cisco NX OS Release 9 2 1 pad the MACsec key with zeros if it is less than 32 octets On any Cisco NX OS box you can configure only one unique combination of an alternate MAC address and Ethernet type on all interfaces Within the same slice of the forwarding engine EAPOL eth...

Page 531: ...es this feature and does not remove the associated MACsec configurations Disabling MACsec has the following conditions MACsec shutdown is global command and is not available at the interface level The macsec shutdown show macsec mka session summary show macsec mka session detail and show macsec mka secy statistics commands will display the Macsec is shutdown message However the show macsec policy ...

Page 532: ...fig Configuring a MACsec Keychain and Keys You can create a MACsec keychain and keys on the device Only MACsec keychains will result in converged MKA sessions Note Before you begin Make sure that MACsec is enabled SUMMARY STEPS 1 configure terminal 2 Optional no key chain macsec psk no show 3 key chain name macsec 4 key key id 5 key octet string octet string cryptographic algorithm AES_128_CMAC AE...

Page 533: ...ctet string cryptographic algorithm AES_128_CMAC AES_256_CMAC Step 5 octet key is encoded internally so the key in clear text does Example not appear in the output of the show running config macsec command switch config macseckeychain macseckey key octet string abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 cryptographic algorithm AES_256_CMAC MACsec peers must run the same Cisco...

Page 534: ...ose Command or Action Enters the global configuration mode configure terminal Example Step 1 switch configure terminal switch config Specifies the interface that you are configuring You can specify the interface type and identity For an Ethernet port use ethernet slot port interface name Example switch config interface ethernet 1 1 switch config if Step 2 Specifies the fallback keychain to use aft...

Page 535: ...ctive on an interface Dynamic changes are not allowed to the MACsec policy once the policy is enabled under the interface Note Before you begin Make sure that MACsec is enabled SUMMARY STEPS 1 configure terminal 2 macsec policy name 3 cipher suite name 4 key server priority number 5 security policy name 6 window size number 7 sak expiry time time 8 conf offset name 9 Optional show macsec policy 10...

Page 536: ...ce will not accept any packet that is less window size number Example Step 6 than the configured window size The range is from 0 to 596000000 switch config macsec policy window size 512 Configures the time in seconds to force an SAK rekey This command can be used to change the session key to a predictable time interval The default is 0 sak expiry time time Example switch config macsec policy sak e...

Page 537: ...ocol destination address and the Ethernet type values to nonstandard values Configurable EAPOL MAC and Ethernet type provides you the ability to change the MAC address and the Ethernet type of the MKA packet inorder to allow CE device to form MKA sessions over the ethernet networks that consume the standard MKA packets The EAPOL destination Ethernet type can be changed from the default Ethernet ty...

Page 538: ...e EAPOL configuration on the specified interface type and identity eapol mac address mac_address ethertype eth_type Step 3 If the ethernet type is not specified the default ethernet type of MKA packets which is 0x888e is considered Note Enables the broadcast address as the alternate mac address eapol mac address broadcast address ethertype eth_type Step 4 Copies the running configuration to the st...

Page 539: ...he MACsec Configuration To display MACsec configuration information perform one of the following tasks Purpose Command Displays the keychain configuration show key chain name Displays information about the MACsec MKA session for a specific interface or for all interfaces show macsec mka session interface type slot port detail Displays information about the MAC address and the ethernet type that is...

Page 540: ...Local Tx SCI 005d 7357 6070 0001 Local Tx SSCI 2 MKA Port Identifier 2 CAK Name CKN 11 CA Authentication Mode PRIMARY PSK Member Identifier MI 3B13644BFD1D631EC1B68CB8 Message Number MN 124282 MKA Policy Name pn_256_shud_sak_2592000_conf_30 Key Server Priority 16 Key Server Yes Include ICV No SAK Cipher Suite GCM AES 256 SAK Cipher Suite Operational GCM AES 256 Replay Window Size 148809600 Confide...

Page 541: ...d show startup config commands when the key chain macsec psk no show command is not configured key chain KC256 1 macsec key 2000 key octet string 7 075e701e1c5a4a5143475e5a527d7c7c706a6c724306170103555a5c57510b051e47080 a05000101005e0e50510f005c4b5f5d0b5b070e234e4d0a1d0112175b5e cryptographic algorithm AES_256_CMAC The following example displays the key octet string in the output of the show runni...

Page 542: ...il 0 MKPDUS No Tx on intf down 0 MKPDUS No Rx on intf down 0 MKPDUs Rx CA Not found 0 MKPDUs Rx Error 0 MKPDUs Rx Success 0 MKPDU Failures MKPDU Rx Validation 0 MKPDU Rx Bad Peer MN 0 MKPDU Rx Non recent Peerlist MN 0 MKPDU Rx Drop SAKUSE KN mismatch 0 MKPDU Rx Drop SAKUSE Rx Not Set 0 MKPDU Rx Drop SAKUSE Key MI mismatch 0 MKPDU Rx Drop SAKUSE AN Not in Use 0 MKPDU Rx Drop SAKUSE KS Rx Tx Not Set...

Page 543: ...supported In Octets Uncontrolled 134073396 bytes In Octets Controlled 155064074 bytes Input rate for Uncontrolled Pkts 152 pps Input rate for Uncontrolled Pkts 276485 bps Input rate for Controlled Pkts 30 pps Input rate for Controlled Pkts 43045 bps Interface Tx Statistics Unicast Uncontrolled Pkts 547976 Multicast Uncontrolled Pkts 1952 Broadcast Uncontrolled Pkts 0 Uncontrolled Pkts Rx Drop 0 Un...

Page 544: ...guration Example for MACsec The following example shows how to configure a user defined MACsec policy and then apply the policy to interfaces switch config macsec policy 1 switch config macsec policy cipher suite GCM AES 256 switch config macsec policy window size 512 switch config macsec policy key server priority 0 switch config macsec policy conf offset CONF OFFSET 0 switch config macsec policy...

Page 545: ...onfig int e2 13 14 switch config if range macsec keychain 1 switch config if range exit switch config switch config show running config macsec Command show running config macsec Time Mon Dec 5 04 50 16 2016 version 7 0 3 I4 5 feature macsec interface Ethernet2 13 macsec keychain 1 policy system default macsec policy interface Ethernet2 14 macsec keychain 1 policy system default macsec policy switc...

Page 546: ...how_keychain_cmd_keychain chain key show nf data nf rpc reply Example 2 Displays information about the MACsec MKA session for a specific interface switch show macsec mka session interface ethernet 4 31 details xml xml version 1 0 encoding ISO 8859 1 nf rpc reply xmlns nf urn ietf params xml ns netconf base 1 0 xmlns http w ww cisco com nxos 1 0 nf data show macsec mka session __XML__OPT_Cmd_show_m...

Page 547: ...Csec MKA statistics switch show macsec mka statistics interface ethernet 4 31 xml xml version 1 0 encoding ISO 8859 1 nf rpc reply xmlns nf urn ietf params xml ns netconf base 1 0 xmlns http w ww cisco com nxos 1 0 nf data show macsec mka statistics __XML__OPT_Cmd_some_macsec_mka_statistics_interface interface __XML__INTF_ifname __XML__PARAM_value __XML__INTF_output Ethernet4 31 __XML__INTF_output...

Page 548: ...mkpdu_no_tx_on_intf_down idb_stat_mkpdu_no_rx_on_intf_down 0 idb_stat_mkpdu_no_rx_on_intf_down idb_stat_mkpdu_rx_ca_notfound 0 idb_stat_mkpdu_rx_ca_notfound idb_stat_mkpdu_rx_error 0 idb_stat_mkpdu_rx_error idb_stat_mkpdu_rx_success 2714 idb_stat_mkpdu_rx_success idb_stat_mkpdu_failure_rx_integrity_check_error 0 idb_stat_mkpdu_ failure_rx_integrity_check_error idb_stat_mkpdu_failure_invalid_peer_m...

Page 549: ...rpc reply Example 4 Displays the MACsec MKA configuration switch show macsec mka summary xml xml version 1 0 encoding ISO 8859 1 nf rpc reply xmlns nf urn ietf params xml ns netconf base 1 0 xmlns http w ww cisco com nxos 1 0 nf data show macsec mka __XML__OPT_Cmd_some_macsec_summary __XML__OPT_Cmd_some_macsec___readonly__ __readonly__ TABLE_mka_summary ROW_mka_summary ifname Ethernet2 1 ifname po...

Page 550: ...window_size conf_offset 0 conf_offset security_policy must secure security_policy sak expiry time 60 sak expiry time ROW_macsec_policy TABLE_macsec_policy __readonly__ __XML__OPT_Cmd_some_macsec___readonly__ __XML__OPT_Cmd_some_macsec_policy_name policy macsec show nf data nf rpc reply Example 6 Displays MACsec security statistics switch show macsec secy statistics interface ethernet 4 31 xml xml ...

Page 551: ...ntrolled 0 out_rx_drop_pkts_controlled out_rx_err_pkts_controlled 0 out_rx_err_pkts_controlled out_octets_uncontrolled 6806 out_octets_uncontrolled out_octets_controlled 470 out_octets_controlled out_octets_common 7340 out_octets_common output_rate_uncontrolled_pps 2598190092 output_rate_uncontrolled_pps output_rate_uncontrolled_bps 2598190076 output_rate_uncontrolled_bps output_rate_controlled_pp...

Page 552: ...o com nxos 7 0 3 I4 6 configure__if eth non member message id 1 nf get config nf source nf running nf source nf filter m configure m terminal feature macsec feature macsec policy __XML__PARAM__policy_name __XML__value am2 __XML__value m1 cipher suite m1 __XML__PARAM__suite m1 __XML__value GCM AES XPN 256 m1 __XML__value m1 __XML__PARAM__suite m1 cipher suite m1 key server priority m1 __XML__PARAM_...

Page 553: ...ARAM__policy_name m2 policy m2 __XML__PARAM__keychain_name m2 keychain m2 macsec __XML__PARAM__interface interface TRUNCATED FOR READABILITY interface __XML__PARAM__interface __XML__value Ethernet4 31 __XML__value m2 macsec m2 keychain m2 __XML__PARAM__keychain_name m2 __XML__value kc2 m2 __XML__value m2 policy m2 __XML__PARAM__policy_name m2 __XML__value am2 m2 __XML__value m2 __XML__PARAM__polic...

Page 554: ...00MIBSupportList html Related Documentation Document Title Related Topic Cisco Nexus 9000 Series NX OS Security Configuration Guide Keychain management Cisco Nexus 9000 Series NX OS System Messages References System messages Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x 528 Configuring MACsec Related Documentation ...

Page 555: ...16 17 18 aaa authentication login default 11 aaa authentication login error enable 21 aaa authorization commands config commands console default group 91 aaa authorization group local 121 122 aaa authorization ssh certificate ssh publickey 121 122 aaa authorization default 121 122 aaa authorization ssh certificate default 89 90 aaa group server ldap 113 114 aaa group server radius 49 aaa group ser...

Page 556: ...scription for 802 1X 177 DHCP client relay on orphan ports 373 description 373 DHCP relay on VPC Leg 372 description 372 DHCP relay on stack 371 description 371 DoS attacks 441 Unicast RPF deploying 441 dot1x default 200 dot1x host mode multi host single host 197 dot1x max req 201 dot1x port control auto force authorized forced unauthorized 189 dot1x re authentication 191 dot1x timeout quiet perio...

Page 557: ... 408 ip verify unicast source reachable via 444 445 ip verify unicast source reachable via any 443 ipv6 access class 237 238 ipv6 access list 233 234 235 236 237 ipv6 address use link local only 362 363 ipv6 dhcp relay 357 ipv6 dhcp relay address 359 ipv6 dhcp relay option type cisco 358 ipv6 dhcp relay option vpn 358 ipv6 dhcp relay source interface 360 ipv6 port traffic filter 261 ipv6 traffic f...

Page 558: ...0 limitations 310 MAC address learning 303 MAC move 306 violations 306 ports 180 authorization states for 802 1X 180 R RADIUS accounting 202 enabling for 802 1X authentication 202 radius commit 45 51 52 53 55 56 60 61 radius server deadtime 57 58 59 60 radius server directed request 51 52 radius server host 33 45 47 49 54 55 56 59 radius server host accounting 55 56 radius server host acct port 55...

Page 559: ...ction interfaces 399 show ip arp inspection log 399 show ip arp inspection statistics 399 show ip arp inspection vlan 394 395 399 show ip dhcp relay 345 348 349 350 353 354 355 356 364 show ip dhcp relay address 364 show ip dhcp relay information trusted sources 345 346 347 348 show ip dhcp relay statistics 365 show ip dhcp snooping binding 364 408 409 show ip interface 443 show ip ver source 409 ...

Page 560: ...w system login failures 30 show tacacs server 74 75 76 77 79 81 82 83 84 85 86 87 88 89 100 show tacacs server directed request 80 81 100 show tacacs server groups 78 100 show tacacs server sorted 100 show tacacs server statistics 99 100 show tacacs pending pending diff 74 80 81 82 83 87 88 89 91 92 show tacacs status pending pending diff 100 show telnet server 147 148 149 show time range 281 282 ...

Page 561: ...delines 441 implementation 440 licensing 441 Unicast RPF continued limitations 441 tunneling and 441 verifying configuration 447 use vrf 49 113 114 user max logins 31 username 95 132 username keypair export 136 137 username keypair export rsa dsa 136 137 username keypair generate 136 137 username keypair import 136 137 username keypair import rsa dsa 136 137 username password 139 140 161 username ...

Page 562: ...Cisco Nexus 9000 Series NX OS Security Configuration Guide Release 9 x IN 8 INDEX ...

Reviews: