Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.1
Index

Numerics

802.1X

Cisco TrustSec and 10-12

configuration process 8-9

configuring 8-8 to 8-32

configuring AAA accounting methods 8-31

default settings 8-35

description 8-1 to 8-7

disabling authentication on the device 8-24

disabling on the device 8-25

displaying statistics 8-34

enabling MAC address authentication bypass 8-23

enabling multiple hosts on an interface 8-22

enabling RADIUS accounting 8-30

enabling single hosts on an interface 8-22

example configuration 8-35

guidelines 8-8

interoperating with NAC LPIP 9-11

licensing requirements 8-7

limitations 8-8

MIBs 8-36

multiple host support 8-6

port security on same port 8-6

prerequisites 8-8

single host support 8-6

supported topologies 8-7

verifying configuration 8-34

virtualization support 8-7

802.1X authentication

authorization states for ports 8-4

controlling on interfaces 8-12

disabling on the device 8-24

initiation 8-3

802.1X defaults

resetting globally 8-26

resetting on interfaces 8-27

802.1X feature

disabling on the device 8-25

enabling 8-10

802.1X reauthentication

enabling global periodic 8-13

enabling periodic on interfaces 8-15

manual 8-16

setting retry counts on interfaces 8-32

802.1X retry counts

setting globally 8-28

setting on interfaces 8-29

802.1X supplicants

manually initializing 8-17

manual reauthentication 8-16

802.1X timers

changing interface timers 8-19

changing global timers 8-18

A

AAA

accounting 2-2

authentication 2-2

authorization 2-2

benefits 2-2

configuration process 2-8

configuring 2-7 to 2-18

configuring for Cisco TrustSec 10-14

default settings 2-19

description 2-1 to 2-6

enabling MSCHAP authentication 2-13

example configuration 2-19

guidelines 2-7

licensing requirements 2-7

limitations 2-7

MIBs 2-20

monitoring TACACS+ servers 4-3

prerequisites 2-7

standards 2-20

TACACS+ server groups 4-14

user login process 2-4

verifying configurations 2-19

virtualization support 2-6

AAA accounting

configuring default methods 2-15

configuring methods for 802.1X 8-31

AAA accounting logs

clearing 2-18

displaying 2-18

AAA login authentication

configuring console methods 2-8

configuring default methods 2-10

AAA logins

enabling authentication failure messages 2-12

AAA protocols

RADIUS 2-2

TACACS+ 2-2

AAA server groups

description 2-3

AAA servers

FreeRADIUS VSA format 3-5

specifying SNMPv3 parameters 2-16, 2-18

specifying user roles 2-18

specifying user roles in VSAs 2-16

AAA services

configuration options 2-3

remote 2-3

security 2-2

access control lists

description 11-1 to 11-12

order of application 11-3

types of 11-2

See also ARP ACLs

See also IP ACLs

See also MAC ACLs

See also policy-based ACLs

See also port ACLs

See also router ACLs

See also VLAN ACLs

accounting

description 2-2

VDC support 2-6

application posture tokens. See APTs 9-4

APTs

description 9-4

predefined tokens 9-4

ARP ACLs

applying to VLANs 16-9

changing 16-22

creating 16-20

description 16-20

priority of ARP ACLs and DHCP snooping entries 16-4

removing 16-23

ARP inspection

See dynamic ARP inspection

audit servers

description 9-8

authentication

802.1X 8-3

description 2-2

local 2-2

methods 2-4

remote 2-2

user logins 2-4

authentication, authorization, and accounting. See AAA

authentication servers

description 9-3

authorization

description 2-2

user logins 2-4

B

BGP

using with Unicast RPF 20-2

broadcast storms. See traffic storm control

C

CAs

authenticating 5-11

certificate download example 5-28

configuring 5-6 to 5-23

creating a trust point 5-10

default settings 5-46

deleting digital certificates 5-22

description 5-1 to 5-5

displaying configuration 5-24

enrollment using cut-and-paste 5-4

example configuration 5-24 to 5-46

identity 5-2

multiple 5-4

multiple trust points 5-3

peer certificates 5-4

purpose 5-2

certificate authorities. See CAs

certificate revocation lists. See CRLs

CFS

TACACS+ support 4-4

Cisco

vendor ID 2-17, 3-4, 4-5

cisco-av-pair

specifying AAA user parameters 2-16, 2-18

Cisco Fabric Services. See CFS

Cisco TrustSec

architecture 10-1

authentication 10-19

authorization 10-9

configuring 10-12 to 10-47

data-path replay protection 10-21, 10-25

default values 10-51

description 10-1 to 10-11

enabling 10-12

enabling (example) 10-48

environment data download 10-10

example configurations 10-48 to 10-51

guidelines 10-11

IEEE 802.1AE support 10-3

licensing 10-11

limitations 10-11

manual mode 10-27

policy acquisition 10-9

prerequisites 10-11

RADIUS relay 10-10

SAP operation modes 10-23

SGACLs 10-6 to 10-9, 10-29 to 10-39

SGTs 10-6 to 10-9, 10-32

SXP 10-39 to 10-47

verifying configuration 10-47

virtualization support 10-11

Cisco TrustSec authentication

configuring 10-14, 10-19

description 10-3 to 10-6

Cisco TrustSec authorization 10-9

configuring 10-14

Cisco TrustSec data-path replay protection

configuring 10-21, 10-25

Cisco TrustSec device credentials

configuring 10-13

description 10-6

Cisco TrustSec device identities

configuring 10-13

description 10-6

Cisco TrustSec environment data

download 10-10

Cisco TrustSec manual mode

configuring 10-27

Cisco TrustSec nonseed devices

configuring 10-17

description 10-17

Cisco TrustSec seed devices

configuring 10-15

description 10-10, 10-14

example configuration 10-48

Cisco TrustSec user credentials

description 10-6

clientless endpoint devices

allowing posture validation 9-22

configuration files

licensing 5-6

virtualization support 5-5

consoles

configuring AAA login authentication methods 2-8

control plane class maps

configuring 21-12

example configuration 21-21

verifying configuration 21-21

control plane policing. See CoPP

control plane policy maps

configuring 21-14

example configuration 21-21

verifying configuration 21-21

control plane service policy

changing default policies 21-18

configuring 21-17

CoPP

clearing statistics 21-20

configuring 21-12

default policies 21-4

default settings 21-23

description 21-1

displaying configuration status information 21-19

displaying statistics 21-19

example configuration 21-21

guidelines 21-11

licensing 21-11

limitations 21-11

verifying configuration 21-21

virtualization support 21-11

CRLs

configuring 5-20

configuring revocation checking methods 5-13

description 5-5

downloading example 5-42

generation example 5-41

importing example 5-44 to 5-46

CTS. See Cisco TrustSec

CTS authentication

rekeying an interface 10-26

D

DAI

interoperating with NAC LPIP 9-12

default setting

traffic storm control 19-6

default settings

802.1X 8-35

AAA 2-19

CoPP 21-23

NAC 9-44

rate limits 22-7

RBAC 7-21

TACACS+ 4-32

denial-of-service attacks

IP address spoofing, mitigating 20-3

DHCP binding database

See DHCP snooping binding database

DHCP option 82

description 15-3

DHCP snooping

binding database

See DHCP snooping binding database

description 15-1

displaying DHCP bindings 15-17

enabling feature 15-7

enabling globally 15-8

enabling on a VLAN 15-9

interface trust state 15-13

interoperating with NAC LPIP 9-11

MAC address verification 15-10

message exchange process 15-4

minimum configuration 15-6

option 82 15-3

overview 15-2

relay agent 15-13

DHCP snooping binding database

described 15-2

entries 15-2

digital certificates

configuration example 5-25 to 5-27

configuring 5-6 to 5-23

default settings 5-46

deleting from CAs 5-22

description 5-1 to 5-5

exporting 5-5, 5-18, 5-19

generating requests for identity certificates 5-14

importing 5-5, 5-19

installing identity certificates 5-16

peers 5-4

purpose 5-2

requesting identity certificate example 5-32

revocation example 5-39

documentation

additional publications iv-xxix

DoS attacks

Unicast RPF, deploying 20-4

dynamic ARP inspection

additional validation 16-10

applying ARP ACLs 16-9

ARP cache poisoning 16-2

ARP requests 16-2

ARP spoofing attack 16-2

configuring log buffer size 16-11

configuring trust state 16-8

description 16-1

DHCP snooping binding database 16-3

enabling on VLANs 16-7

function of 16-3

interface trust states 16-3

logging of dropped packets 16-5

man-in-the-middle attack 16-2

network security issues and interface trust states 16-3

priority of ARP ACLs and DHCP snooping entries 16-4

Dynamic Host Configuration Protocol snooping

See DHCP snooping

E

EAP

relaying NAC messages

EAPoUDP

changing global maximum retry values 9-24

changing interface maximum retry values 9-25, 9-26

changing global timers 9-30

changing timers on interfaces 9-32

clearing sessions 9-41

description 9-7

disabling 9-42

enabling 9-15

enabling default AAA authentication method 9-16

enabling logging 9-23

encapsulation for NAC

limiting simultaneous posture validation sessions 9-27

manually initializing sessions 9-39

manually revalidating sessions 9-40

resetting defaults on interfaces 9-35

resetting global defaults 9-34

EAP over UDP. See EAPoUDP

endpoint devices

description 9-2

examples

AAA configurations 2-19

Extensible Authentication Protocol. See EAP

F

feature groups

creating 7-12

Fibre Channel interfaces

default settings 6-15

FreeRADIUS

VSA format for role attributes 2-17, 3-5

G

Galois/Counter Mode. See GCM

GCM

Cisco TrustSec SAP encryption 10-3

GCM authentication. See GMAC

GMAC

Cisco TrustSec SAP authentication 10-3

H

host names

configuring for digital certificates 5-7

I

identity policies

configuring 9-20

description 9-7

identity profiles

configuring 9-20

description 9-7

IDs

Cisco vendor ID 2-17, 3-4, 4-5

IKE

default settings 5-46

interfaces

controlling 802.1X authentication 8-12

default settings 6-15

enabling periodic 802.1X reauthentication 8-15

setting 802.1X reauthentication retry counts 8-32

setting 802.1X retransmission retry counts 8-29

IP ACLs

changing an IP ACL 11-15

configuring 11-13 to 11-21

creating an IP ACL 11-14

default settings 11-34

guidelines 11-13

licensing 11-12

limitations 11-13

prerequisites 11-13

removing an IP ACL 11-17

verifying configuration 11-22

virtualization support 11-12

IP device tracking

clearing information 9-38

configuring for NAC 9-36

description 9-5

IP domain names

configuring for digital certificates 5-7

IP Source Guard

description 17-1

enabling 17-3

interoperating with NAC LPIP 9-12

static IP source entries 17-4

K

key chain

end-time 18-2

lifetime 18-2

start-time 18-2

keychain management

configuring a key 18-5

configuring lifetimes 18-7

configuring text for a key 18-6

creating a keychain 18-3

description 18-1

L

LAN port IP validation. See LPIP 9-5

licensing

802.1X 8-7

AAA 2-7

Cisco TrustSec 10-11

configuration files 5-6

CoPP 21-11

IP ACLs 11-12

NAC 9-13

RADIUS 3-5

rate limits 22-2

TACACS+ 4-6

traffic storm control 19-3

Unicast RPF 20-3

logging

enabling for EAPoUDP 9-23

LPIP

admission triggers 9-6

description 9-5

EAPoUDP 9-7

exception lists 9-7

interoperation with other NX-OS security features 9-11

limitations 9-13

policy enforcement using ACLs 9-8

posture validation 9-6

posture validation methods 9-7

M

MAC ACLs

changing a MAC ACL 12-3

creating a MAC ACL 12-2

description 12-1

removing a MAC ACL 12-6

virtualization support 11-12

MAC addresses

enabling authentication bypass for 802.1X 8-23

management interfaces

default settings 6-15

mgmt0 interfaces

default settings 6-15

MIBs

802.1X 8-36

AAA 2-20

Microsoft Challenge Handshake Authentication Protocol. See MSCHAP

MSCHAP

enabling authentication 2-13

multicast storms. See traffic storm control

multiple hosts

enabling for 802.1X 8-22

N

NAC

allowing clientless endpoint devices 9-22

applying PACLs to interfaces 9-17

configuration process 9-14

configuring 9-14

configuring IP device tracking 9-36

default settings 9-44

description 9-1

device roles 9-2

enabling on interfaces 9-19

example configuration 9-44

feature history 9-45

guidelines 9-13

impact of supervisor module switchovers 9-11

licensing 9-13

limitations 9-13

LPIP 9-5

prerequisites 9-13

timers 9-9

verifying configuration 9-44

virtualization support 9-13

See also IP device tracking

See also posture validation

NADs

description

network access devices. See NADs

network-admin user role

description 7-3

Network Admission Control

See NAC

network-operator user role

description 7-3

nonresponsive hosts

description 9-8

O

object groups

configuring 11-23

description 11-10

verifying 11-27

P

PACLs

applying to interface for NAC 9-17

interoperating with NAC LPIP 9-12

passwords

strong characteristics 7-2

PKI

certificate revocation checking 5-5

enrollment support 5-3

guidelines 5-6

limitations 5-6

policing policies

default classes 21-5

description 21-4

lenient default policy 21-10

moderate default policy 21-9

strict default policy 21-9

policy-based ACLs

creating object groups 11-23

description 11-10

verifying object groups 11-27

port ACLs

applying 11-20

definition 11-2

port-based authentication

configuring

manual reauthentication of a client 8-16

encapsulation 8-2

ports

authorization states for 802.1X 8-4

port security

802.1X on same port 8-6

description 14-1

enabling globally 14-7

enabling on an interface 14-8

interoperating with NAC LPIP 9-11

MAC move 14-4

static MAC address 14-10

violations 14-4

posture validation

configuring automatic validation on interfaces 9-29

configuring global automatic validation 9-28

description

limiting simultaneous sessions 9-27

methods 9-7

posture validation servers

description 9-3

preshared keys

TACACS+ 4-3

Public Key Infrastructure. See PKI

R

RADIUS

configuring global keys 3-9

configuring servers 3-6

configuring timeout intervals 3-16

configuring transmission retry counts 3-16

default settings 3-28

description 3-1

example configurations 3-28

licensing 3-5

network environments 3-2

operation 3-2

prerequisites 3-6

specifying server at login 3-15

verifying configuration 3-27

virtualization support 3-5

VSAs 3-4

RADIUS accounting

enabling for 802.1X 8-30

RADIUS server groups

configuring 3-12

RADIUS servers

configuration process 3-7

configuring accounting attributes 3-19

configuring authentication attributes 3-19

configuring dead-time intervals 3-22

configuring hosts 3-8

configuring keys 3-11, 4-13

configuring periodic monitoring 3-21

configuring timeout interval 3-17

configuring transmission retry count 3-17

displaying statistics 3-27

example configurations 3-28

manually monitoring 3-26

monitoring 3-3

verifying configuration 3-27

rate limits

clearing statistics 22-6

configuring 22-3

default settings 22-7

description 22-1

displaying statistics 22-5

example configuration 22-7

guidelines 22-2

licensing 22-2

limitations 22-2

verifying configuration 22-6

virtualization support 22-2

RBAC

configuring 7-8

default settings 7-21

description 7-3

example configuration 7-21

verifying configuration 7-20

See also user roles

related documents iv-xxix

Reverse Path Forwarding. See Unicast RPF

router ACLs

applying 11-18

definition 11-2

RPF. See Unicast RPF

RSA key-pairs

deleting 5-23

description 5-2

displaying configuration 5-24

exporting 5-5, 5-18

generating 5-8

importing 5-5, 5-18

multiple 5-4

rules. See user role rules

S

SAP

configuring operation modes 10-23

Security Association Protocol. See SAP

security group access lists. See SGACLs

security group tags. See SGTs

server groups. See AAA server groups

SGACL policies

clearing 10-39

configuration process 10-30

displaying downloads 10-38

enabling enforcement for VLANs 10-30

enabling enforcement for VRFs 10-31

manually configuring 10-35 to 10-37

SGACLs

configuring 10-29 to 10-39

description 10-6 to 10-9

manually mapping for SGTs 10-33

SGACL policies

acquisition 10-9

SGT Exchange Protocol. See SXP

SGTs

description 10-6 to 10-9

manually configuring 10-32

manually mapping 10-33

single hosts

enabling for 802.1X 8-22

SNMPv3

specifying AAA parameters 2-16

specifying parameters for AAA servers 2-18

SPTs

description 9-4

predefined tokens 9-4

SSH

generating server key-pairs 1-3, 6-2

statistics

802.1X 8-34

RADIUS servers 3-27

TACACS+ 4-30

traffic storm control 19-5

superuser role. See network-admin user role

SXP

configuration process 10-40

configuring 10-39 to 10-47

configuring peer connections 10-41

default passwords 10-43

enabling 10-40

reconcile period 10-45

retry period 10-46

source IP address 10-44

system posture tokens. See SPTs 9-4

T

TACACS+

advantages over RADIUS 4-2

configuration distribution 4-4

configuring 4-7

configuring global preshared keys 4-11

configuring global timeout interval 4-18

default settings 4-32

description 4-1

disabling 4-29

displaying statistics 4-30

enabling 4-8

example configurations 4-31

global preshared keys 4-3

guidelines 4-7

licensing requirements 4-6

limitations 4-7

prerequisites 4-6

preshared key 4-3

specifying TACACS+ servers at login 4-17

user login operation 4-2

verifying configuration 4-31

virtualization 4-6

VSAs 4-5

TACACS+ servers

configuration process 4-8

configuring dead-time interval 4-23

configuring hosts 4-10

configuring periodic monitoring 4-22

configuring server groups 4-14

configuring TCP ports 4-20

configuring timeout interval 4-19

displaying statistics 4-30

manually monitoring 4-29

monitoring 4-3

privilege levels 4-6

verifying configuration 4-31

TCP ports

TACACS+ servers 4-20

time range

description 11-28

time ranges

absolute 11-9

changing a time range 11-30

configuring 11-28 to 11-33

creating a time range 11-28

description 11-9

periodic 11-10

removing a time range 11-32

verifying configuration 11-33

traffic storm control

configuring 19-3

default settings 19-6

description 19-1

displaying statistics 19-5

example configuration 19-5

guidelines 19-3

licensing 19-3

limitations 19-3

verifying configuration 19-5

virtualization support 19-3

trust points

creating 5-10

description 5-2

multiple 5-3

saving configuration across reboots 5-17

U

Unicast Reverse Path Forwarding. See Unicast RPF

Unicast RPF

BGP attributes 20-2

BOOTP and 20-4

configuring 20-4

default settings 20-7

deploying 20-4

description 20-1

DHCP and 20-4

example configurations 20-6

FIB 20-1

guidelines 20-3

implementation 20-2

licensing 20-3

limitations 20-3

loose mode 20-4

statistics 20-3

strict mode 20-4

tunneling and 20-4

verifying configuration 20-6

virtualization support 20-3

unicast storms. See traffic storm control

user accounts

configuring 7-5, 7-6

description 7-2

example configuration 7-21

guidelines 7-5

limitations 7-5

password characteristics 7-2

verifying configuration 7-20

virtualization support 7-4

user logins

authentication process 2-4

authorization process 2-4

configuring AAA login authentication methods 2-10

user role rules

description 7-3

user roles

changing VLAN policies 7-15

changing interface policies 7-13

changing VRF policies 7-16

creating 7-10

creating feature groups 7-12

defaults 7-3

description 7-3

example configuration 7-21

guidelines 7-5

limitations 7-5

specifying on AAA servers 2-16, 2-18

verifying configuration 7-20

virtualization support 7-4

V

VACLs

interoperating with NAC LPIP 9-12

vdc-admin user role

description 7-3

vdc-operator user role

description 7-3

vendor-specific attributes. See VSAs

virtualization

802.1X 8-7

AAA 2-6

Cisco TrustSec 10-11

CoPP 21-11

NAC 9-13

RADIUS 3-5

rate limits 22-2

TACACS+ 4-6

traffic storm control 19-3

user accounts 7-4

user roles 7-4

virtualization support

configuration files 5-5

VLAN ACLs

applying a VACL 13-7

changing VACL entries 13-5

creating and changing VACLs 13-4

definition 11-2

description 13-1

removing a VACL 13-6

VLANs

enabling SGACL policy enforcement 10-30

VRFs

enabling SGACL policy enforcement 10-31

VSAs

format 2-17

protocol options 2-17, 3-4, 4-5

support description 2-17