The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter describes the Cisco NX-OS Security commands that begin with D.
To configure the dead-time interval for a RADIUS or TACACS+ server group, use the deadtime command. To revert to the default, use the no form of this command.
Number of minutes for the interval. The range is from 0 to 1440 minutes. Note Setting the dead-time interval to 0 disables the timer. |
RADlUS server group configuration
TACACS+ server group configuration
|
|
You must use the feature tacacs+ command before you configure TACACS+.
This example shows how to set the dead-time interval to 2 minutes for a RADIUS server group:
This example shows how to set the dead-time interval to 5 minutes for a TACACS+ server group:
This example shows how to revert to the dead-time interval default:
|
|
---|---|
To delete certificate authority certificates, use the delete ca-certificate command.
|
|
---|---|
This command deletes the CA certificate or certificate chain corresponding to the trustpoint CA. As a result, the trustpoint CA is no longer trusted. If there is an identity certificate form the CA, you must delete it before you can delete the CA certificate. This prevents the accidental deletion of a CA certificate when you have not yet deleted the identity certificate obtained from that CA. Deleting the CA certificate may be necessary when you no longer want to trust the CA because the CA is compromised or the CA certificate has expired.
Note The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.
Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.
This example shows how to delete a certificate authority certificate:
|
|
---|---|
To delete the identity certificate, use the delete certificate command.
|
|
---|---|
Use the delete certificate command to delete the identity certificate obtained from the trustpoint CA when the identity certificate expires or the corresponding key pair is compromised. Applications on the device are left without any identity certificate to use after you delete the last or the only identity certificate present. The Cisco NX-OS software generates an error message if the certificate being deleted is the only certificate present or is the last identity certificate in a chain. You can use the optional force keyword to remove the certificate.
Note The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.
Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.
This example shows how to delete the identity certificate:
This example shows how to force the deletion of the identity certificate:
|
|
---|---|
To delete the certificate revocation list (CRL) from the trustpoint, use the delete crl command.
|
|
---|---|
This example shows how to delete the CRL from the trustpoint:
|
|
---|---|
To create an ARP ACL rule that denies ARP traffic that matches its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
[ sequence-number ] deny request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
[ sequence-number ] deny response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [ log ]
no deny ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
no deny request ip { any | host sender-IP | sender-IP sender-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ log ]
no deny response ip { any | host sender-IP | sender-IP sender-IP-mask } { any | host target-IP | target-IP target-IP-mask } mac { any | host sender-MAC | sender-MAC sender-MAC-mask } [ any | host target-MAC | target-MAC target-MAC-mask ] [ log ]
|
|
A newly created ARP ACL contains no rules.
If you do not specify a sequence number, the device assigns to the rule a sequence number that is 10 greater than the last rule in the ACL.
When the device applies an ARP ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
If you do not specify either the response or request keyword, the rule applies to packets that contain any ARP message.
This example shows how to enter ARP access list configuration mode for an ARP ACL named arp-acl-01 and add a rule that denies ARP request messages that contain a sender IP address that is within the 10.32.143.0 subnet:
|
|
---|---|
To create an IPv4 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny protocol source destination [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
no deny protocol source destination [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Internet Control Message Protocol
[ sequence-number ] deny icmp source destination [ icmp-message | icmp-type [ icmp-code ] ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Internet Group Management Protocol
[ sequence-number ] deny igmp source destination [ igmp-message ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] deny ip source destination [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] deny udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp | precedence precedence ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
|
Name or number of the protocol of packets that the rule matches. For details about the methods that you can use to specify this argument, see “Protocol” in the “Usage Guidelines” section. |
|
Source IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
|
Destination IPv4 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
|
(Optional) Specifies that the rule matches only those packets with the specified 6-bit differentiated services value in the DSCP field of the IP header. The dscp argument can be one of the following numbers or keywords:
|
|
(Optional) Specifies that the rule matches only packets that have an IP Precedence field with the value specified by the precedence argument. The precedence argument can be a number or a keyword, as follows:
|
|
(Optional) Specifies that the rule matches only those packets that are noninitial fragments. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. |
|
(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information: |
|
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. The time-range-name argument can be up to 64 alphanumeric, case-sensitive characters. |
|
(ICMP only: Optional) ICMP message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMP Message Types” in the “Usage Guidelines” section. |
|
(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches. For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters. |
|
(IGMP only: Optional) IGMP message type that the rule matches. The igmp-message argument can be the IGMP message number, which is an integer from 0 to 15. It can also be one of the following keywords: |
|
(Optional; TCP and UDP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
|
|
(Optional; TCP and UDP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port object group specified by the portgroup argument, which can be up to 64 alphanumeric, case-sensitive characters. Whether the IP port object group applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port object groups. |
|
(TCP only; Optional) TCP control bit flags that the rule matches. The value of the flags argument must be one or more of the following keywords: |
|
(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection. |
|
(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments. Valid values for the packet-length argument are whole numbers from 20 to 9210. The operator argument must be one of the following keywords:
|
A newly created IPv4 ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
|
|
When the device applies an IPv4 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the protocol of packets that the rule applies to by the protocol name or the number of the protocol. If you want the rule to apply to all IPv4 traffic, use the ip keyword.
The protocol keyword that you specify affects the additional keywords and arguments that are available. Unless otherwise specified, only the other keywords that apply to all IPv4 protocols are available. Those keywords include the following:
Valid protocol numbers are from 0 to 255.
Valid protocol names are the following keywords:
You can specify the source and destination arguments in one of several ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example shows how to use an IPv4 address object group named lab-gateway-svrs to specify the destination argument:
The following example shows how to specify the source argument with the IPv4 address and network wildcard for the 192.168.67.0 subnet:
The following example shows how to specify the source argument with the IPv4 address and VLSM for the 192.168.67.0 subnet:
This syntax is equivalent to IPv4-address /32 and IPv4-address 0.0.0.0.
The following example shows how to specify the source argument with the host keyword and the 192.168.67.132 IPv4 address:
The icmp-message argument can be one of the following keywords:
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp —Border Gateway Protocol (179)
chargen —Character generator (19)
cmd —Remote commands (rcmd, 514)
domain —Domain Name Service (53)
drip —Dynamic Routing Information Protocol (3949)
ftp —File Transfer Protocol (21)
ftp-data —FTP data connections (20)
hostname —NIC hostname server (11)
irc —Internet Relay Chat (194)
nntp —Network News Transport Protocol (119)
pim-auto-rp —PIM Auto-RP (496)
pop2 —Post Office Protocol v2 (19)
pop3 —Post Office Protocol v3 (11)
smtp —Simple Mail Transport Protocol (25)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
uucp —UNIX-to-UNIX Copy Program (54)
www —World Wide Web (HTTP, 80)
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff —Biff (mail notification, comsat, 512)
bootpc —Bootstrap Protocol (BOOTP) client (68)
bootps —Bootstrap Protocol (BOOTP) server (67)
dnsix —DNSIX security protocol auditing (195)
domain —Domain Name Service (DNS, 53)
isakmp —Internet Security Association and Key Management Protocol (5)
mobile-ip —Mobile IP registration (434)
nameserver —IEN116 name service (obsolete, 42)
netbios-dgm —NetBIOS datagram service (138)
netbios-ns —NetBIOS name service (137)
netbios-ss —NetBIOS session service (139)
non500-isakmp —Internet Security Association and Key Management Protocol (45)
ntp —Network Time Protocol (123)
pim-auto-rp —PIM Auto-RP (496)
rip —Routing Information Protocol (router, in.routed, 52)
snmp —Simple Network Management Protocol (161)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
This example shows how to configure an IPv4 ACL named acl-lab-01 with rules that deny all TCP and UDP traffic from the 10.23.0.0 and 192.168.37.0 networks to the 10.176.0.0 network and a final rule that permits all other IPv4 traffic:
This example shows how to configure an IPv4 ACL named acl-eng-to-marketing with a rule that denies all IP traffic from an IPv4 address object group named eng_workstations to an IP address object group named marketing_group followed by a rule that permits all other IPv4 traffic:
|
|
---|---|
To create an IPv6 ACL rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny protocol source destination [ dscp dscp ] [ f low-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
no den y protocol source destination [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Internet Control Message Protocol
[ sequence-number | no ] deny icmp source destination [ icmp-message | icmp-type [ icmp-code ] ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] deny ipv6 source destination [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
Stream Control Transmission Protocol
[ sequence-number | no ] deny sctp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number ] deny tcp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ flags ] [ established ] [ packet-length operator packet-length [ packet-length ]]
[ sequence-number | no ] deny udp source [ operator port [ port ] | portgroup portgroup ] destination [ operator port [ port ] | portgroup portgroup ] [ dscp dscp ] [ flow-label flow-label-value ] [ fragments ] [ log ] [ time-range time-range-name ] [ packet-length operator packet-length [ packet-length ]]
(Optional) Sequence number of the deny command, which causes the device to insert the command in that numbered position in the access list. Sequence numbers maintain the order of rules within an ACL. A sequence number can be any integer between 1 and 4294967295. By default, the first rule in an ACL has a sequence number of 10. If you do not specify a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule. Use the resequence command to reassign sequence numbers to rules. |
|
Name or number of the protocol of packets that the rule matches. Valid numbers are from 0 to 255. Valid protocol names are the following keywords:
|
|
Source IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
|
Destination IPv6 addresses that the rule matches. For details about the methods that you can use to specify this argument, see “Source and Destination” in the “Usage Guidelines” section. |
|
(Optional) Specifies that the rule matches only packets with the specified 6-bit differentiated services value in the DSCP field of the IPv6 header. The dscp argument can be one of the following numbers or keywords:
|
|
(Optional) Specifies that the rule matches only IPv6 packets whose Flow Label header field has the value specified by the flow-label-value argument. The flow-label-value argument can be an integer from 0 to 1048575. |
|
(Optional) Specifies that the rule matches noninitial fragmented packets only. The device considers noninitial fragmented packets to be packets with a fragment extension header that contains a fragment offset that is not equal to zero. You cannot specify this keyword in the same rule that you specify Layer 4 options, such as a TCP port number, because the information that the devices requires to evaluate those options is contained only in initial fragments. |
|
(Optional) Specifies that the device generates an informational logging message about each packet that matches the rule. The message includes the following information: |
|
(Optional) Specifies the time range that applies to this rule. You can configure a time range by using the time-range command. |
|
(ICMP only: Optional) ICMPv6 message type that the rule matches. This argument can be an integer from 0 to 255 or one of the keywords listed under “ICMPv6 Message Types” in the “Usage Guidelines” section. |
|
(ICMP only: Optional) ICMP message type that the rule matches. Valid values for the icmp-type argument are an integer from 0 to 255. If the ICMP message type supports message codes, you can use the icmp-code argument to specify the code that the rule matches. For more information about ICMP message types and codes, see http://www.iana.org/assignments/icmp-parameters. |
|
(Optional; TCP, UDP, and SCTP only) Rule matches only packets that are from a source port or sent to a destination port that satisfies the conditions of the operator and port arguments. Whether these arguments apply to a source port or a destination port depends upon whether you specify them after the source argument or after the destination argument. The port argument can be the name or the number of a TCP or UDP port. Valid numbers are integers from 0 to 65535. For listings of valid port names, see “TCP Port Names” and “UDP Port Names” in the “Usage Guidelines” section. A second port argument is required only when the operator argument is a range. The operator argument must be one of the following keywords:
|
|
(Optional; TCP, UDP, and SCTP only) Specifies that the rule matches only packets that are from a source port or to a destination port that is a member of the IP port-group object specified by the portgroup argument. Whether the port-group object applies to a source port or a destination port depends upon whether you specify it after the source argument or after the destination argument. Use the object-group ip port command to create and change IP port-group objects. |
|
(TCP only; Optional) Specifies that the rule matches only packets that belong to an established TCP connection. The device considers TCP packets with the ACK or RST bits set to belong to an established connection. |
|
(TCP only; Optional) Rule matches only packets that have specific TCP control bit flags set. The value of the flags argument must be one or more of the following keywords: |
|
(Optional) Rule matches only packets that have a length in bytes that satisfies the condition specified by the operator and packet-length arguments. Valid values for the packet-length argument are whole numbers from 20 to 9210. The operator argument must be one of the following keywords:
|
|
|
A newly created IPv6 ACL contains no rules.
When the device applies an IPv6 ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule whose conditions are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the source and destination arguments in one of several ways. In each rule, the method you use to specify one of these arguments does not affect how you specify the other. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example shows how to use an IPv6 address object group named lab-svrs-1301 to specify the destination argument:
The following example shows how to specify the source argument with the IPv6 address and VLSM for the 2001:0db8:85a3:: network:
This syntax is equivalent to IPv6-address /128.
The following example shows how to specify the source argument with the host keyword and the 2001:0db8:85a3:08d3:1319:8a2e:0370:7344 IPv6 address:
The icmp-message argument can be one of the following keywords:
When you specify the protocol argument as tcp, the port argument can be a TCP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
bgp —Border Gateway Protocol (179)
chargen —Character generator (19)
cmd —Remote commands (rcmd, 514)
domain —Domain Name Service (53)
drip —Dynamic Routing Information Protocol (3949)
ftp —File Transfer Protocol (21)
ftp-data —FTP data connections (20)
hostname —NIC hostname server (11)
irc —Internet Relay Chat (194)
nntp —Network News Transport Protocol (119)
pim-auto-rp —PIM Auto-RP (496)
pop2 —Post Office Protocol v2 (19)
pop3 —Post Office Protocol v3 (11)
smtp —Simple Mail Transport Protocol (25)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
uucp —Unix-to-Unix Copy Program (54)
www —World Wide Web (HTTP, 80)
When you specify the protocol argument as udp, the port argument can be a UDP port number, which is an integer from 0 to 65535. It can also be one of the following keywords:
biff —Biff (mail notification, comsat, 512)
bootpc —Bootstrap Protocol (BOOTP) client (68)
bootps —Bootstrap Protocol (BOOTP) server (67)
dnsix —DNSIX security protocol auditing (195)
domain —Domain Name Service (DNS, 53)
isakmp —Internet Security Association and Key Management Protocol (5)
mobile-ip —Mobile IP registration (434)
nameserver —IEN116 name service (obsolete, 42)
netbios-dgm —NetBIOS datagram service (138)
netbios-ns —NetBIOS name service (137)
netbios-ss —NetBIOS session service (139)
non500-isakmp —Internet Security Association and Key Management Protocol (45)
ntp —Network Time Protocol (123)
pim-auto-rp —PIM Auto-RP (496)
rip —Routing Information Protocol (router, in.routed, 52)
snmp —Simple Network Management Protocol (161)
sunrpc —Sun Remote Procedure Call (111)
tacacs —TAC Access Control System (49)
This example shows how to configure an IPv6 ACL named acl-lab13-ipv6 with rules denying all TCP and UDP traffic from the 2001:0db8:85a3:: and 2001:0db8:69f2:: networks to the 2001:0db8:be03:2112:: network:
This example shows how to configure an IPv6 ACL named ipv6-eng-to-marketing with a rule that denies all IPv6 traffic from an IPv6-address object group named eng_ipv6 to an IPv6-address object group named marketing_group:
|
|
---|---|
To create a MAC access control list (ACL)+ rule that denies traffic matching its conditions, use the deny command. To remove a rule, use the no form of this command.
[ sequence-number ] deny source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ] [ time-range time-range-name ]
no deny source destination [ protocol ] [ cos cos-value ] [ vlan VLAN-ID ] [ time-range time-range-name ]
A newly created MAC ACL contains no rules.
If you do not specify a sequence number, the device assigns the rule a sequence number that is 10 greater than the last rule in the ACL.
|
|
When the device applies a MAC ACL to a packet, it evaluates the packet with every rule in the ACL. The device enforces the first rule that has conditions that are satisfied by the packet. When the conditions of more than one rule are satisfied, the device enforces the rule with the lowest sequence number.
This command does not require a license.
You can specify the source and destination arguments in one of two ways. In each rule, the method that you use to specify one of these arguments does not affect how you specify the other argument. When you configure a rule, use the following methods to specify the source and destination arguments:
The following example specifies the source argument with the MAC address 00c0.4f03.0a72:
The following example specifies the destination argument with a MAC address for all hosts with a MAC vendor code of 00603e:
The protocol argument can be the MAC protocol number or a keyword. The protocol number is a four-byte hexadecimal number prefixed with 0x. Valid protocol numbers are from 0x0 to 0xffff. Valid keywords are the following:
This example shows how to configure a MAC ACL named mac-ip-filter with rules that permit any non-IPv4 traffic between two groups of MAC addresses:
|
|
---|---|
To configure a deny action in the security group access control list (SGACL), use the deny command. To remove the action, use the no form of this command.
deny { all | icmp | igmp | ip | {{ tcp | udp } [{ src | dst } {{ eq | gt | lt | neq } port-number } |
range port-number1 port-number2 }]} [ log ]
no deny { all | icmp | igmp | ip | {{ tcp | udp } [{ src | dst } {{ eq | gt | lt | neq } port-number } |
range port-number1 port-number2 }]} [ log ]
Specifies Internet Group Management Protocol (IGMP) traffic. |
|
(Optional) Specifies that packets matching this configuration be logged. |
role-based access control list
|
|
The log keyword was added to support the enabling of role-based access control list (RBACL) logging. |
|
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
To enable RBACL logging, you must enable RBACL policy enforcement on the VLAN and VRF.
To enable RBACL logging, you must set the logging level of ACLLOG syslogs to 6 and the logging level of CTS manager syslogs to 5.
This example shows how to add a deny action to an SGACL and enable RBACL logging:
This example shows how to remove a deny action from an SGACL:
|
|
---|---|
To configure a description for an identity policy, use the description command. To revert to the default, use the no form of this command.
Text string that describes the identity policy. The string is alphanumeric. The maximum length is 100 characters. |
|
|
This example shows how to configure the description for an identity policy:
This example shows how to remove the description from an identity policy:
|
|
---|---|
Creates or specifies an identity policy and enters identity policy configuration mode. |
|
To configure a description for a user role, use the description command. To revert to the default, use the no form of this command.
Text string that describes the user role. The string is alphanumeric. The maximum length is 128 characters. |
|
|
You can include blank spaces in the user role description text.
This example shows how to configure the description for a user role:
This example shows how to remove the description from a user role:
|
|
---|---|
Creates or specifies a user role and enters user role configuration mode. |
|
To configure a destination for ACL capture packets, use the destination interface command.
destination interface ethernet slot/port
Slot and port identifiers for the interface. The range is from 1 to 253. |
ACL capture configuration mode (config-acl-capture)
|
|
Only the physical interface can be used for the destination. Port-channel interfaces and supervisor in-band ports are not supported.
Port channels and supervisor in-band ports are not supported as a destination for ACL capture.
ACL capture session destination interfaces do not support ingress forwarding and ingress MAC learning. If a destination interface is configured with these options, the monitor keeps the ACL capture session down. Use the show monitor session all command to see if ingress forwarding and MAC learning are enabled.
Note You can use the no switchport monitor command to disable ingress forwarding and MAC learning on the interface.
The source port of the packet and the ACL capture destination port cannot be part of the same ASIC. If both ports belong to the same ASIC, a message appears when you configure the destination ports for ACL capture, and the packet is not captured.
You can enter the destination interface command multiple times to add multiple destinations.
This example shows how to configure a destination for ACL capture packets:
|
|
---|---|
To add a supplicant device to the Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) identity profile exception list, use the device command. To remove a supplicant device, use the no form of this command.
device { authenticate | not-authenticate } { ip-address ipv4-address [ subnet-mask ] | mac-address mac-address [ mac-address-mask ]} policy policy-name
no device { authenticate | not-authenticate } { ip-address ipv4-address [ subnet-mask ] | mac-address mac-address [ mac-address-mask ]} policy policy-name
|
|
This example shows how to add a device to the EAPoUDP identity profile:
This example shows how to remove a device from the EAPoUDP identity profile:
|
|
---|---|
Creates or specifies an identity policy and enters identity policy configuration mode. |
|
To reset the 802.1X global or interface configuration to the default, use the dot1x default command.
Global configuration
Interface configuration
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to set the global 802.1X parameters to the default:
This example shows how to set the interface 802.1X parameters to the default:
|
|
---|---|
To allow 802.1X authentication for either a single supplicant or multiple supplicants on an interface, use the dot1x host-mode command. To revert to the default, use the no form of this command.
dot1x host-mode { multi-host | single-host }
Allows 802.1X authentication for multiple supplicants on the interface. |
|
Allows 802.1X authentication for only a single supplicant on the interface. |
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to allow 802.1X authentication of multiple supplicants on an interface:
This example shows how to revert to the default host mode on an interface:
|
|
---|---|
To initialize 802.1X authentication for supplicants, use the dot1x initialize command.
dot1x initialize [ interface ethernet slot / port ]
(Optional) Specifies the interface for 802.1X authentication initialization. |
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to initialize 802.1X authentication for supplicants on the Cisco NX-OS device:
This example shows how to initialize 802.1X authentication for supplicants on an interface:
|
|
---|---|
To enable MAC address authentication bypass on interfaces with no 802.1X supplicants, use the dot1x mac-auth-bypass command. To disable MAC address authentication bypass, use the no form of this command.
Specifies that the bypass use Extensible Authentication Protocol (EAP). |
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to enable MAC address authentication bypass:
This example shows how to disable MAC address authentication bypass:
|
|
---|---|
To change the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to supplicants on an interface before the session times out, use the dot1x max-reauth-req command. To revert to the default, use the no form of this command.
dot1x max-reauth-req retry-count
Retry count for reauthentication requests. The range is from 1 to 10. |
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to change the maximum number of reauthorization request retries for an interface:
This example shows how to revert to the default maximum number of reauthorization request retries for an interface:
|
|
---|---|
To change the maximum number of requests that the Cisco NX-OS device sends to a supplicant before restarting the 802.1X authentication, use the dot1x max-req command. To revert to the default, use the no form of this command.
Retry count for request sent to supplicant before restarting 802.1X reauthentication. The range is from 1 to 10. |
Global configuration
Interface configuration
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to change the maximum number of request retries for the global 802.1X configuration:
This example shows how to revert to the default maximum number of request retries for the global 802.1X configuration:
This example shows how to change the maximum number of request retries for an interface:
This example shows how to revert to the default maximum number of request retries for an interface:
|
|
---|---|
To create the 802.1X authenticator port access entity (PAE) role for an interface, use the dot1x pae authenticator command. To remove the 802.1X authenticator PAE role, use the no form of this command.
802.1X automatically creates the authenticator PAE when you enable the feature on an interface.
|
|
You must use the feature dot1x command before you configure 802.1X.
When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface. When you disable 802.1X on the interface, the Cisco NX-OS software does not automatically clear the authenticator PAE instances. You can explicitly remove the authenticator PAE from the interface and then reapply it, as needed.
This example shows how to create the 802.1X authenticator PAE role on an interface:
This example shows how to remove the 802.1X authenticator PAE role from an interface:
|
|
---|---|
Displays 802.1X feature status information for an interface. |
To control the 802.1X authentication performed on an interface, use the dot1x port-control command. To revert to the default, use the no form of this command.
dot1x port-control { auto | force-authorized | force-unauthorized }
no dot1x port-control { auto | force-authorized | force-unauthorized }
Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication. |
|
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to change the 802.1X authentication action performed on an interface:
This example shows how to revert to the default 802.1X authentication action performed on an interface:
|
|
---|---|
To enable RADIUS accounting for 802.1X, use the dot1x radius-accounting command. To revert to the default, use the no form of this command.
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to enable RADIUS accounting for 802.1X authentication:
This example shows how to disable RADIUS accounting for 802.1X authentication:
|
|
---|---|
Displays all 802.1X information in the running configuration. |
To manually reauthenticate 802.1X supplicants, use the dot1x re-authentication command.
dot1x re-authentication [ interface ethernet slot / port ]
(Optional) Specifies the interface for manual reauthentication. |
|
|
You must use the feature dot1x command before you configure 802.1X.
This example shows how to reauthenticate 802.1X supplicants manually:
This example shows how to reauthenticate the 802.1X supplicant on an interface manually:
|
|
---|---|
To enable periodic reauthenticate of 802.1X supplicants, use the dot1x re-authentication command. To revert to the default, use the no form of this command.
Global configuration
Interface configuration
|
|
You must use the feature dot1x command before you configure 802.1X.
In global configuration mode, this command configures periodic reauthentication for all supplicants on the Cisco NX-OS device. In interface configuration mode, this command configures periodic reauthentication only for supplicants on the interface.
This example shows how to enable periodic reauthentication of 802.1X supplicants:
This example shows how to disable periodic reauthentication of 802.1X supplicants:
This example shows how to enable periodic reauthentication of 802.1X supplicants on an interface:
This example shows how to disable periodic reauthentication of 802.1X supplicants on an interface:
|
|
---|---|
To enable 802.1X authentication, use the dot1x system-auth-control command. To disable 802.1X authentication, use the no form of this command.
|
|
The dot1x system-auth-control command does not delete the 802.1X configuration.
You must use the feature dot1x command before you configure 802.1X.
This example shows how to disable 802.1X authentication:
This example shows how to enable 802.1X authentication:
|
|
---|---|
To configure the 802.1X quiet-period timeout globally or for an interface, use the dot1x timeout quiet-period command. To revert to the default, use the no form of this command.
dot1x timeout quiet-period seconds
Number of seconds for the 802.1X quiet-period timeout. The range is from 1 to 65535. |
Global configuration: 60 seconds
Interface configuration: The value of the global configuration
Global configuration
Interface configuration
|
|
The 802.1X quiet-period timeout is the number of seconds that the device remains in the quiet state following a failed authentication exchange with a supplicant.
You must use the feature dot1x command before you configure 802.1X.
Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
This example shows how to configure the global 802.1X quiet-period timeout:
This example shows how to revert to the default global 802.1X quiet-period timeout:
This example shows how to configure the 802.1X quiet-period timeout for an interface:
This example shows how to revert to the default 802.1X quiet-period timeout for an interface:
|
|
---|---|
To configure the 802.1X rate-limit period timeout for the supplicants on an interface, use the dot1x timeout ratelimit-period command. To revert to the default, use the no form of this command.
dot1x timeout ratelimit-period seconds
no dot1x timeout ratelimit-period
Number of seconds for the 802.1X rate-limit period timeout. The range is from 1 to 65535. |
|
|
The 802.1X rate-limit timeout period is the number of seconds that the authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated. This value overrides the global quiet period timeout.
You must use the feature dot1x command before you configure 802.1X.
Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
This example shows how to configure the 802.1X rate-limit period timeout on an interface:
This example shows how to revert to the default 802.1X rate-limit period timeout on an interface:
|
|
---|---|
To configure the 802.1X reauthentication-period timeout either globally or on an interface, use the dot1x timeout re-authperiod command. To revert to the default, use the no form of this command.
dot1x timeout re-authperiod seconds
no dot1x timeout re-authperiod
Number of seconds for the 802.1X reauthentication-period timeout. The range is from 1 to 65535. |
Global configuration
Interface configuration
|
|
The 802.1X reauthentication timeout period is the number of seconds between reauthentication attempts.
You must use the feature dot1x command before you configure 802.1X.
Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
This example shows how to configure the global 802.1X reauthentication-period timeout:
This example shows how to configure the 802.1X reauthentication-period timeout on an interface:
|
|
---|---|
To configure the 802.1X server timeout for an interface, use the dot1x timeout server-timeout command. To revert to the default, use the no form of this command.
dot1x timeout server-timeout seconds
no dot1x timeout server-timeout
Number of seconds for the 802.1X server timeout. The range is from 1 to 65535. |
|
|
The 802.1X server timeout for an interface is the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. This value overrides the global reauthentication period timeout.
You must use the feature dot1x command before you configure 802.1X.
Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
This example shows how to configure the global 802.1X server timeout interval:
This example shows how to revert to the default global 802.1X server timeout interval:
|
|
---|---|
To configure the 802.1X supplicant timeout for an interface, use the dot1x timeout supp-timeout command. To revert to the default, use the no form of this command.
dot1x timeout supp-timeout seconds
Number of seconds for the 802.1X supplicant timeout. The range is from 1 to 65535. |
|
|
The 802.1X supplicant timeout for an interface is the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame.
You must use the feature dot1x command before you configure 802.1X.
Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
This example shows how to configure the 802.1X server timeout interval on an interface:
This example shows how to revert to the default 802.1X server timeout interval on an interface:
|
|
---|---|
To configure the 802.1X transmission-period timeout either globally or for an interface, use the dot1x timeout tx-period command. To revert to the default, use the no form of this command.
dot1x timeout tx-period seconds
Number of seconds for the 802.1X transmission-period timeout. The range is from 1 to 65535. |
Global configuration
Interface configuration
|
|
The 802.1X transmission-timeout period is the number of seconds that the Cisco NX-OS device waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request.
You must use the feature dot1x command before you configure 802.1X.
Note You should change the default value only to adjust for unusual circumstances, such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.
This example shows how to configure the global 802.1X transmission-period timeout:
This example shows how to revert to the default global 802.1X transmission-period timeout:
This example shows how to configure the 802.1X transmission-period timeout for an interface:
This example shows how to revert to the default 802.1X transmission-period timeout for an interface:
|
|
---|---|