Index
Numerics
802.1X
Cisco TrustSec and 10-12
configuration process 8-9
configuring 8-8 to 8-32
configuring AAA accounting methods 8-31
default settings 8-35
description 8-1 to 8-7
disabling authentication on the device 8-24
disabling on the device 8-25
displaying statistics 8-34
enabling MAC address authentication bypass 8-23
enabling multiple hosts on an interface 8-22
enabling RADIUS accounting 8-30
enabling single hosts on an interface 8-22
example configuration 8-35
guidelines 8-8
interoperating with NAC LPIP 9-11
licensing requirements 8-7
limitations 8-8
MIBs 8-36
multiple host support 8-6
port security on same port 8-6
prerequisites 8-8
single host support 8-6
supported topologies 8-7
verifying configuration 8-34
virtualization support 8-7
802.1X authentication
authorization states for ports 8-4
controlling on interfaces 8-12
disabling on the device 8-24
initiation 8-3
802.1X defaults
resetting globally 8-26
resetting on interfaces 8-27
802.1X feature
disabling on the device 8-25
enabling 8-10
802.1X reauthentication
enabling global periodic 8-13
enabling periodic on interfaces 8-15
manual 8-16
setting retry counts on interfaces 8-32
802.1X retry counts
setting globally 8-28
setting on interfaces 8-29
802.1X supplicants
manually initializing 8-17
manual reauthentication 8-16
802.1X timers
changing global timers 8-18
changing interface timers 8-19
A
AAA
accounting 2-2
authentication 2-2
authorization 2-2
benefits 2-2
configuration process 2-8
configuring 2-7 to 2-18
configuring for Cisco TrustSec 10-14
default settings 2-19
description 2-1 to 2-6
enabling MSCHAP authentication 2-13
example configuration 2-19
guidelines 2-7
licensing requirements 2-7
limitations 2-7
MIBs 2-20
monitoring TACACS+ servers 4-3
prerequisites 2-7
standards 2-20
TACACS+ server groups 4-14
user login process 2-4
verifying configurations 2-19
virtualization support 2-6
AAA accounting
configuring default methods 2-15
configuring methods for 802.1X 8-31
AAA accounting logs
clearing 2-18
displaying 2-18
AAA login authentication
configuring console methods 2-8
configuring default methods 2-10
AAA logins
enabling authentication failure messages 2-12
AAA protocols
RADIUS 2-2
TACACS+ 2-2
AAA server groups
description 2-3
AAA servers
FreeRADIUS VSA format 3-5
specifying SNMPv3 parameters 2-16, 2-18
specifying user roles 2-18
specifying user roles in VSAs 2-16
AAA services
configuration options 2-3
remote 2-3
security 2-2
access control lists
description 11-1 to 11-12
order of application 11-3
types of 11-2
See also ARP ACLs
See also IP ACLs
See also MAC ACLs
See also policy-based ACLs
See also port ACLs
See also router ACLs
See also VLAN ACLs
accounting
description 2-2
VDC support 2-6
application posture tokens. See APTs 9-4
APTs
description 9-4
predefined tokens 9-4
ARP ACLs
applying to VLANs 16-9
changing 16-22
creating 16-20
description 16-20
priority of ARP ACLs and DHCP snooping entries 16-4
removing 16-23
ARP inspection
See dynamic ARP inspection
audit servers
description 9-8
authentication
802.1X 8-3
description 2-2
local 2-2
methods 2-4
remote 2-2
user logins 2-4
authentication, authorization, and accounting. See AAA
authentication servers
description 9-3
authorization
description 2-2
user logins 2-4
B
BGP
using with Unicast RPF 20-2
broadcast storms. See traffic storm control
C
CAs
authenticating 5-11
certificate download example 5-28
configuring 5-6 to 5-23
creating a trust point 5-10
default settings 5-46
deleting digital certificates 5-22
description 5-1 to 5-5
displaying configuration 5-24
enrollment using cut-and-paste 5-4
example configuration 5-24 to 5-46
identity 5-2
multiple 5-4
multiple trust points 5-3
peer certificates 5-4
purpose 5-2
certificate authorities. See CAs
certificate revocation lists. See CRLs
CFS
TACACS+ support 4-4
Cisco
vendor ID 2-17, 3-4, 4-5
cisco-av-pair
specifying AAA user parameters 2-16, 2-18
Cisco Fabric Services. See CFS
Cisco TrustSec
architecture 10-1
authentication 10-19
authorization 10-9
configuring 10-12 to 10-47
data-path replay protection 10-21, 10-25
default values 10-51
description 10-1 to 10-11
enabling 10-12
enabling (example) 10-48
environment data download 10-10
example configurations 10-48 to 10-51
guidelines 10-11
IEEE 802.1AE support 10-3
licensing 10-11
limitations 10-11
manual mode 10-27
policy acquisition 10-9
prerequisites 10-11
RADIUS relay 10-10
SAP operation modes 10-23
SGACLs 10-6 to 10-9, 10-29 to 10-39
SGTs 10-6 to 10-9, 10-32
SXP 10-39 to 10-47
verifying configuration 10-47
virtualization support 10-11
Cisco TrustSec authentication
configuring 10-14, 10-19
description 10-3 to 10-6
Cisco TrustSec authorization 10-9
configuring 10-14
Cisco TrustSec data-path replay protection
configuring 10-21, 10-25
Cisco TrustSec device credentials
configuring 10-13
description 10-6
Cisco TrustSec device identities
configuring 10-13
description 10-6
Cisco TrustSec environment data
download 10-10
Cisco TrustSec manual mode
configuring 10-27
Cisco TrustSec nonseed devices
configuring 10-17
description 10-17
Cisco TrustSec seed devices
configuring 10-15
description 10-10, 10-14
example configuration 10-48
Cisco TrustSec user credentials
description 10-6
clientless endpoint devices
allowing posture validation 9-22
configuration files
licensing 5-6
virtualization support 5-5
consoles
configuring AAA login authentication methods 2-8
control plane class maps
configuring 21-12
example configuration 21-21
verifying configuration 21-21
control plane policing. See CoPP
control plane policy maps
configuring 21-14
example configuration 21-21
verifying configuration 21-21
control plane service policy
changing default policies 21-18
configuring 21-17
CoPP
clearing statistics 21-20
configuring 21-12
default policies 21-4
default settings 21-23
description 21-1
displaying configuration status information 21-19
displaying statistics 21-19
example configuration 21-21
guidelines 21-11
licensing 21-11
limitations 21-11
verifying configuration 21-21
virtualization support 21-11
CRLs
configuring 5-20
configuring revocation checking methods 5-13
description 5-5
downloading example 5-42
generation example 5-41
importing example 5-44 to 5-46
CTS. See Cisco TrustSec
CTS authentication
rekeying an interface 10-26
D
DAI
interoperating with NAC LPIP 9-12
default settings
802.1X 8-35
AAA 2-19
CoPP 21-23
NAC 9-44
rate limits 22-7
RBAC 7-21
TACACS+ 4-32
traffic storm control 19-6
denial-of-service attacks
IP address spoofing, mitigating 20-3
DHCP binding database
See DHCP snooping binding database
DHCP option 82
description 15-3
DHCP snooping
binding database
See DHCP snooping binding database
description 15-1
displaying DHCP bindings 15-17
enabling feature 15-7
enabling globally 15-8
enabling on a VLAN 15-9
interface trust state 15-13
interoperating with NAC LPIP 9-11
MAC address verification 15-10
message exchange process 15-4
minimum configuration 15-6
option 82 15-3
overview 15-2
relay agent 15-13
DHCP snooping binding database
described 15-2
entries 15-2
digital certificates
configuration example 5-25 to 5-27
configuring 5-6 to 5-23
default settings 5-46
deleting from CAs 5-22
description 5-1 to 5-5
exporting 5-5, 5-18, 5-19
generating requests for identity certificates 5-14
importing 5-5, 5-19
installing identity certificates 5-16
peers 5-4
purpose 5-2
requesting identity certificate example 5-32
revocation example 5-39
documentation
additional publications iv-xxix
DoS attacks
Unicast RPF, deploying 20-4
dynamic ARP inspection
additional validation 16-10
applying ARP ACLs 16-9
ARP cache poisoning 16-2
ARP requests 16-2
ARP spoofing attack 16-2
configuring log buffer size 16-11
configuring trust state 16-8
description 16-1
DHCP snooping binding database 16-3
enabling on VLANs 16-7
function of 16-3
interface trust states 16-3
logging of dropped packets 16-5
man-in-the middle attack 16-2
network security issues and interface trust states 16-3
priority of ARP ACLs and DHCP snooping entries 16-4
Dynamic Host Configuration Protocol snooping
See DHCP snooping
E
EAP
relaying NAC messages
EAPoUDP
change global maximum retry values 9-24
change interface maximum retry values 9-25, 9-26
changing global timers 9-30
changing timers on interfaces 9-32
clearing sessions 9-41
description 9-7
disabling 9-42
enabling 9-15
enabling default AAA authentication method 9-16
enabling logging 9-23
encapsulation for NAC
limiting simultaneous posture validation sessions 9-27
manually initializing sessions 9-39
manually revalidating sessions 9-40
resetting defaults on interfaces 9-35
resetting global defaults 9-34
EAP over UDP. See EAPoUDP
endpoint devices
description 9-2
examples
AAA configurations 2-19
Extensible Authentication Protocol. See EAP
F
feature groups
creating 7-12
Fibre Channel interfaces
default settings 6-15
FreeRADIUS
VSA format for role attributes 2-17, 3-5
G
Galois/Counter Mode. See GCM
GCM
Cisco TrustSec SAP encryption 10-3
GCM authentication. See GMAC
GMAC
Cisco TrustSec SAP authentication 10-3
H
host names
configuring for digital certificates 5-7
I
identity policies
configuring 9-20
description 9-7
identity profiles
configuring 9-20
description 9-7
IDs
Cisco vendor ID 2-17, 3-4, 4-5
IKE
default settings 5-46
interfaces
controlling 802.1X authentication 8-12
default settings 6-15
enabling periodic 802.1X reauthentication 8-15
setting 802.1X reauthentication retry counts 8-32
setting 802.1X retransmission retry counts 8-29
IP ACLs
changing an IP ACL 11-15
configuring 11-13 to 11-21
creating an IP ACL 11-14
default settings 11-34
guidelines 11-13
licensing 11-12
limitations 11-13
prerequisites 11-13
removing an IP ACL 11-17
verifying configuration 11-22
virtualization support 11-12
IP device tracking
clearing information 9-38
configuring for NAC 9-36
description 9-5
IP domain names
configuring for digital certificates 5-7
IP Source Guard
description 17-1
enabling 17-3
interoperating with NAC LPIP 9-12
static IP source entries 17-4
K
key chain
end-time 18-2
lifetime 18-2
start-time 18-2
keychain management
configuring a key 18-5
configuring lifetimes 18-7
configuring text for a key 18-6
creating a keychain 18-3
description 18-1
L
LAN port IP validation. See LPIP 9-5
licensing
802.1X 8-7
AAA 2-7
Cisco TrustSec 10-11
configuration files 5-6
CoPP 21-11
IP ACLs 11-12
NAC 9-13
RADIUS 3-5
rate limits 22-2
TACACS+ 4-6
traffic storm control 19-3
Unicast RPF 20-3
logging
enabling for EAPoUDP 9-23
LPIP
admission triggers 9-6
description 9-5
EAPoUDP 9-7
exception lists 9-7
interoperation with other NX-OS security features 9-11
limitations 9-13
policy enforcement using ACLs 9-8
posture validation 9-6
posture validation methods 9-7
M
MAC ACLs
changing a MAC ACL 12-3
creating a MAC ACL 12-2
description 12-1
removing a MAC ACL 12-6
virtualization support 11-12
MAC addresses
enabling authentication bypass for 802.1X 8-23
management interfaces
default settings 6-15
mgmt0 interfaces
default settings 6-15
MIBs
802.1X 8-36
AAA 2-20
Microsoft Challenge Handshake Authentication Protocol. See MSCHAP
MSCHAP
enabling authentication 2-13
multicast storms. See traffic storm control
multiple hosts
enabling for 802.1X 8-22
N
NAC
allowing clientless endpoint devices 9-22
applying PACLs to interfaces 9-17
configuration process 9-14
configuring 9-14
configuring IP device tracking 9-36
default settings 9-44
description 9-1
device roles 9-2
enabling on interfaces 9-19
example configuration 9-44
feature history 9-45
guidelines 9-13
impact of supervisor module switchovers 9-11
licensing 9-13
limitations 9-13
LPIP 9-5
prerequisites 9-13
timers 9-9
verifying configuration 9-44
virtualization support 9-13
See also IP device tracking
See also posture validation
NADs
description
network access devices. See NADs
network-admin user role
description 7-3
Network Admission Control
See NAC
network-operator user role
description 7-3
nonresponsive hosts
description 9-8
O
object groups
configuring 11-23
description 11-10
verifying 11-27
P
PACLs
applying to interface for NAC 9-17
interoperating with NAC LPIP 9-12
passwords
strong characteristics 7-2
PKI
certificate revocation checking 5-5
enrollment support 5-3
guidelines 5-6
limitations 5-6
policing policies
default classes 21-5
description 21-4
lenient default policy 21-10
moderate default policy 21-9
strict default policy 21-9
policy-based ACLs
creating object groups 11-23
description 11-10
verifying object groups 11-27
port ACLs
applying 11-20
definition 11-2
port-based authentication
configuring
manual reauthentication of a client 8-16
encapsulation 8-2
ports
authorization states for 802.1X 8-4
port security
802.1X on same port 8-6
description 14-1
enabling globally 14-7
enabling on an interface 14-8
interoperating with NAC LPIP 9-11
MAC move 14-4
static MAC address 14-10
violations 14-4
posture validation
configuring automatic validation on interfaces 9-29
configuring global automatic validation 9-28
description
limiting simultaneous sessions 9-27
methods 9-7
posture validation servers
description 9-3
preshared keys
TACACS+ 4-3
Public Key Infrastructure. See PKI
R
RADIUS
configuring global keys 3-9
configuring servers 3-6
configuring timeout intervals 3-16
configuring transmission retry counts 3-16
default settings 3-28
description 3-1
example configurations 3-28
licensing 3-5
network environments 3-2
operation 3-2
prerequisites 3-6
specifying server at login 3-15
verifying configuration 3-27
virtualization support 3-5
VSAs 3-4
RADIUS accounting
enabling for 802.1X 8-30
RADIUS server groups
configuring 3-12
RADIUS servers
configuration process 3-7
configuring accounting attributes 3-19
configuring authentication attributes 3-19
configuring dead-time intervals 3-22
configuring hosts 3-8
configuring keys 3-11, 4-13
configuring periodic monitoring 3-21
configuring timeout interval 3-17
configuring transmission retry count 3-17
displaying statistics 3-27
example configurations 3-28
manually monitoring 3-26
monitoring 3-3
verifying configuration 3-27
rate limits
clearing statistics 22-6
configuring 22-3
default settings 22-7
description 22-1
displaying statistics 22-5
example configuration 22-7
guidelines 22-2
licensing 22-2
limitations 22-2
verifying configuration 22-6
virtualization support 22-2
RBAC
configuring 7-8
default settings 7-21
description 7-3
example configuration 7-21
verifying configuration 7-20
See also user roles
related documents iv-xxix
Reverse Path Forwarding. See Unicast RPF
router ACLs
applying 11-18
definition 11-2
RPF. See Unicast RPF
RSA key-pairs
deleting 5-23
description 5-2
displaying configuration 5-24
exporting 5-5, 5-18
generating 5-8
importing 5-5, 5-18
multiple 5-4
rules. See user role rules
S
SAP
configuring operation modes 10-23
Security Association Protocol. See SAP
security group access lists. See SGACLs
security group tag. See SGT
server groups. See AAA server groups
SGACL policies
acquisition 10-9
clearing 10-39
configuration process 10-30
displaying downloads 10-38
enabling enforcement for VLANs 10-30
enabling enforcement for VRFs 10-31
manually configuring 10-35 to 10-37
SGACLs
configuring 10-29 to 10-39
description 10-6 to 10-9
manually mapping for SGTs 10-33
SGT Exchange Protocol. See SXP
SGTs
description 10-6 to 10-9
manually configuring 10-32
manually mapping 10-33
single hosts
enabling for 802.1X 8-22
SNMPv3
specifying AAA parameters 2-16
specifying parameters for AAA servers 2-18
SPTs
description 9-4
predefined tokens 9-4
SSH
generating server key-pairs 1-3, 6-2
statistics
802.1X 8-34
RADIUS servers 3-27
TACACS+ 4-30
traffic storm control 19-5
superuser role. See network-admin user role
SXP
configuration process 10-40
configuring 10-39 to 10-47
configuring peer connections 10-41
default passwords 10-43
enabling 10-40
reconcile period 10-45
retry period 10-46
source IP address 10-44
system posture tokens. See SPTs 9-4
T
TACACS+
advantages over RADIUS 4-2
configuration distribution 4-4
configuring 4-7
configuring global preshared keys 4-11
configuring global timeout interval 4-18
default settings 4-32
description 4-1
disabling 4-29
displaying statistics 4-30
enabling 4-8
example configurations 4-31
global preshared keys 4-3
guidelines 4-7
licensing requirements 4-6
limitations 4-7
prerequisites 4-6
preshared key 4-3
specifying TACACS+ servers at login 4-17
user login operation 4-2
verifying configuration 4-31
virtualization 4-6
VSAs 4-5
TACACS+ servers
configuration process 4-8
configuring dead-time interval 4-23
configuring hosts 4-10
configuring periodic monitoring 4-22
configuring server groups 4-14
configuring TCP ports 4-20
configuring timeout interval 4-19
displaying statistics 4-30
manually monitoring 4-29
monitoring 4-3
privilege levels 4-6
verifying configuration 4-31
TCP ports
TACACS+ servers 4-20
time ranges
absolute 11-9
changing a time range 11-30
configuring 11-28 to 11-33
creating a time range 11-28
description 11-9, 11-28
periodic 11-10
removing a time range 11-32
verifying configuration 11-33
traffic storm control
configuring 19-3
default settings 19-6
description 19-1
displaying statistics 19-5
example configuration 19-5
guidelines 19-3
licensing 19-3
limitations 19-3
verifying configuration 19-5
virtualization support 19-3
trust points
creating 5-10
description 5-2
multiple 5-3
saving configuration across reboots 5-17
U
Unicast Reverse Path Forwarding. See Unicast RPF
Unicast RPF
BGP attributes 20-2
BOOTP and 20-4
configuring 20-4
default settings 20-7
deploying 20-4
description 20-1
DHCP and 20-4
example configurations 20-6
FIB 20-1
guidelines 20-3
implementation 20-2
licensing 20-3
limitations 20-3
loose mode 20-4
statistics 20-3
strict mode 20-4
tunneling and 20-4
verifying configuration 20-6
virtualization support 20-3
unicast storms. See traffic storm control
user accounts
configuring 7-5, 7-6
description 7-2
example configuration 7-21
guidelines 7-5
limitations 7-5
password characteristics 7-2
verifying configuration 7-20
virtualization support 7-4
user logins
authentication process 2-4
authorization process 2-4
configuring AAA login authentication methods 2-10
user role rules
description 7-3
user roles
change VLAN policies 7-15
changing interface policies 7-13
changing VRF policies 7-16
creating 7-10
creating feature groups 7-12
defaults 7-3
description 7-3
example configuration 7-21
guidelines 7-5
limitations 7-5
specifying on AAA servers 2-16, 2-18
verifying configuration 7-20
virtualization support 7-4
V
VACLs
interoperating with NAC LPIP 9-12
vdc-admin user role
description 7-3
vdc-operator user role
description 7-3
vendor-specific attributes. See VSAs
virtualization support
802.1X 8-7
AAA 2-6
Cisco TrustSec 10-11
configuration files 5-5
CoPP 21-11
NAC 9-13
RADIUS 3-5
rate limits 22-2
TACACS+ 4-6
traffic storm control 19-3
user accounts 7-4
user roles 7-4
VLAN ACLs
applying a VACL 13-7
changing VACL entries 13-5
creating and changing VACLs 13-4
definition 11-2
description 13-1
removing a VACL 13-6
VLANs
enabling SGACL policy enforcement 10-30
VRFs
enabling SGACL policy enforcement 10-31
VSAs
format 2-17
protocol options 2-17, 3-4, 4-5
support description 2-17