Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.2
Index


8

802.1X
authenticator PAEs 1
configuration process 2
configuring 3
configuring AAA accounting methods 4
configuring AAA authentication methods 5
controlling on interfaces 6
default settings 7
description 1 2
disabling authentication 9
disabling feature 10
enabling feature 11
enabling global periodic reauthentication 12
enabling MAC authentication bypass 13
enabling multiple hosts mode 14
enabling periodic reauthentication on interfaces 15
enabling single host mode 16
example configuration 17
guidelines 18
interoperating with NAC LPIP 19
licensing requirements 20
limitations 21
MAC authentication bypass 22
monitoring 23
multiple host support 24
prerequisites 25
resetting global settings to default values 26
resetting interface settings to default values 27
setting global maximum retransmission retry count 28
setting interface maximum retransmission retry count 29
single host support 30
supported topologies 31
verifying configuration 32
virtualization support 33
802.1X authentication
authorization states for ports 1
changing global timers 2
changing timers on interfaces 3
enabling RADIUS accounting 4
initiation 5
manually initializing 6
802.1X reauthentication
setting maximum retry count on interfaces 1
802.1X supplicants
manually reauthenticating 1

A

AAA
accounting 1
authentication 2
authorization 3
benefits 4
configuring 5
configuring authentication methods for 802.1X 6
configuring console login authentication 7
configuring default login authentication 8
configuring for Cisco TrustSec 9
configuring nonseed device for Cisco TrustSec 10
configuring seed device for Cisco TrustSec 11
default settings 12
description 1 2
enabling MSCHAP authentication 14
enabling MSCHAP V2 authentication 15
example configuration 16
guidelines 17
licensing requirements 18
limitations 19
monitoring TACACS+ servers 20
prerequisites 21
process for configuring 22
user login process 23
verifying configurations 24
virtualization support 25
AAA accounting
clearing logs 1
configuring default methods 2
configuring methods for 802.1X 3
monitoring logs 4
AAA authentication
enabling default user roles 1
enabling login authentication failure messages 2
enabling methods for EAPoDUP 3
AAA protocols
RADIUS 1
TACACS+ 2
AAA server groups
description 1
AAA servers
FreeRADIUS VSA format 1
specifying SNMPv3 parameters 1 2
specifying user roles 3
specifying user roles in VSAs 4
AAA services
configuration options 1
remote 2
security 3
AAA timers
description 1
access control lists
description 1
order of application 2
See also ARP ACLs 3
See also IP ACLs 4
See also MAC ACLs 5
See also policy-based ACLs 6
See also port ACLs 7
See also router ACLs 8
See also VLAN ACLs 9
types of 10
accounting
description 1
VDC support 2
application posture tokens.
See APTs 1
APTs
description 1
predefined tokens 2
ARP ACLs
description 1
priority of ARP ACLs and DHCP snooping entries 2
ARP inspection
See dynamic ARP inspection 1
audit servers
description 1
authentication
802.1X 1
Cisco TrustSec 2
configuring for Cisco TrustSec 3
description 4
methods 5
user logins 6
authentication servers
description 1
authentication, authorization, and accounting
See AAA 1
authenticator PAEs
creating on an interface 1
description 2
removing from an interface 3
authorization
description 1
user logins 2
verifying commands 3

B

BGP
using with Unicast RPF 1
broadcast storms.
See traffic storm control 1

C

CA trust points
creating associations for PKI 1
CAs
authenticating 1
configuring 2
deleting certificates 3
description 4
displaying configuration 5
enrollment using cut-and-paste 6
example configuration 7
example of downloading certificate 8
generating identity certificate requests 9
identity 10
installing identity certificates 11
multiple 12
multiple trust points 13
peer certificates 14
purpose 15
certificate authorities.
See CAs 1
certificate revocation checking
configuring methods 1
certificate revocation lists
See CRLs 1
certificates
example of revoking 1
CFS
enabling RADIUS distribution 1
RADIUS 2
TACACS+ support 3
changed information
description 1
Cisco
vendor ID 1 2
Cisco Fabric Services.
See CFS 1
Cisco TrustSec
architecture 1
authorization 2
configuring 3
configuring AAA on nonseed device 4
configuring AAA on seed device 5
configuring device credentials 6
default values 7
description 1 2
enabling 9
enabling (example) 10
environment data download 11
example configurations 12
guidelines 13
IEEE 802.1AE support 14
licensing 15
limitations 16
manually configuring SXP 17
policy acquisition 18
prerequisites 19
RADIUS relay 20
SGACLs 1 2
SGTs 22
verifying configuration 23
virtualization support 24
Cisco TrustSec authentication
802.1X role selection description 1
configuration process 2
configuring 1 2
configuring in manual mode 4
description 1 2
EAP-FAST enhancements 6
manual mode configuration examples 7
summary 8
Cisco TrustSec authorization
configuration process 1
configuring 2
Cisco TrustSec device credentials
description 1
Cisco TrustSec device identities
description 1
Cisco TrustSec environment data
download 1
Cisco TrustSec policies
example enforcement configuration 1 2 3
Cisco TrustSec seed devices
description 1 2
example configuration 2
Cisco TrustSec user credentials
description 1
cisco-av-pair
specifying AAA user parameters 1 2
class maps
configuring for CoPP 1
clientless endpoint devices
allowing 1
command authorization
See TACACS+ command authorization 1
command verification
example configuration 1
commands
disabling authorization verification 1
enabling authorization verification 2
console login
configuring AAA authentication 1
control plane class maps
example configurations 1
verifying the configuration 2
control plane policy maps
example configurations 1
verifying the configuration 2
control plane protection
classification 1
description 2
packet types 3
rate controlling mechanisms 4
CoPP
configuring 1
configuring class maps 2
configuring policy maps 3
default policies 4
default settings 5
description 1 2
example configurations 1 2
guidelines 8
licensing 9
limitations 10
MQC 11
restrictions for management interfaces 12
using to enable a VTY access class 13
verifying the configuration 14
virtualization support 15
CoPP policy maps
configuring 1
CRLs
configuring 1
description 2
downloading 3
generating 4
importing example 5
publishing 6
CTS
See Cisco TrustSec 1

D

DAI
default settings 1
description 2
guidelines 3
interoperating with NAC LPIP 4
limitations 5
default settings
port security 1
default setting
traffic storm control 1
default settings
802.1X 1
AAA 2
CoPP 3
DAI 4
IP ACLs 5
IP Source Guard 6
keychain management 7
MAC ACLs 8
NAC 9
PKI 10
RADIUS 11
rate limits 12
RBAC 13
SSH 14
TACACS+ 15
Telnet 16
user accounts 17
VACLs 18
denial-of-service attacks
IP address spoofing, mitigating 1
device roles
description for 802.1X 1
DHCP binding database
See DHCP snooping binding database 1
DHCP option 82
description 1
DHCP snooping
binding database 1
default settings 2
description 1 2
guidelines 4
interoperating with NAC LPIP 5
limitations 6
message exchange process 7
option 82 8
overview 9
DHCP snooping binding database
described 1
description 2
entries 3
See DHCP snooping binding database 4
digital certificates
configuring 1
description 1 2
exporting 3
importing 4
peers 5
digital certificates
purpose 1
DoS attacks
Unicast RPF, deploying 1
dynamic ARP inspection
ARP cache poisoning 1
ARP requests 2
ARP spoofing attack 3
description 4
DHCP snooping binding database 5
function of 6
interface trust states 7
logging of dropped packets 8
network security issues and interface trust states 9
priority of ARP ACLs and DHCP snooping entries 10
Dynamic Host Configuration Protocol snooping
See DHCP snooping 1

E

EAP
relaying NAC messages 1
EAP over UDP.
See EAPoUDP 1
EAPoUDP
changing global EAPoUDP maximum retry values 1
changing maximum retry values for interfaces 2
changing UDP ports 3
clearing sessions 4
description 5
disabling 6
encapsulation for NAC 7
manually initializing sessions 8
resetting global values to defaults 9
resetting interface values to defaults 10
EAPoUDP timers
changing globally 1
configuring interfaces 2
EAPoUDP
enabling 1
enabling default AAA authentication methods 2
enabling logging 3
endpoint devices
description 1
examples
AAA configurations 1
SSH configurations 2
Extensible Authentication Protocol.
See EAP 1

F

feature groups
creating for roles 1
FreeRADIUS
VSA format for role attributes 1 2

G

Galois/Counter Mode.
See GCM 1
GCM
Cisco TrustSec SAP encryption 1
GCM authentication.
See GMAC 1
GMAC
Cisco TrustSec SAP authentication 1
guidelines
CoPP 1
DAI 2
DHCP snooping 3
IP ACLs 4
keychain management 5
MAC ACLs 6
port security 7
RADIUS 8
TACACS+ 9
traffic storm control 10
VACLs 11

H

hold timers
description 1
hostnames
configuring for PKI 1

I

identity certificates
deleting for PKI 1
generating requests 2
installing 3
identity policies
configuring 1
description 2
identity profile entries
configuring 1
identity profiles
description 1
IDs
Cisco vendor ID 1 2
interface policies
changing in roles 1
IP ACLs
configuring 1
default settings 2
description 1 2
guidelines 4
licensing 5
limitations 6
prerequisites 7
verifying configuration 8
virtualization support 9
IP device tracking
clearing information 1
configuring 2
description 3
IP devices
configuring tracking for NAC 1
IP domain names
configuring for PKI 1
IP Source Guard
default settings 1
description 1 2 3

K

key chain
end-time 1
lifetime 2
start-time 3
keychain management
default settings 1
description 1 2
guidelines 3
limitations 4
keys
TACACS+ 1

L

LAN port IP validation.
See LPIP 1
licensing
802.1X 1
AAA 2
Cisco TrustSec 3
CoPP 4
IP ACLs 5
NAC 6
PKI 7
RADIUS 8
rate limits 9
roles 10
SSH 11
TACACS+ 12
Telnet 13
traffic storm control 14
Unicast RPF 15
user accounts 16
limitations
CoPP 1
DAI 2
DHCP snooping 3
IP ACLs 4
keychain management 5
MAC ACLs 6
port security 7
TACACS+ 8
traffic storm control 9
VACLs 10
limitations
RADIUS 1
logging
enabling EAPoUDP 1
login
configuring default AAA authentication 1
login authentication failure messages
enabling or disabling 1
LPIP
admission triggers 1
description 2
EAPoUDP 3
exception lists 4
interoperation with other NX-OS security features 5
limitations 1 2
policy enforcement using ACLs 7
posture validation 8
posture validation methods 9

M

MAC ACLs
default settings 1
description 1 2
guidelines 3
limitations 4
virtualization support 5
MAC authentication
bypass for 802.1X 1
enabling bypass in 802.1X 2
MAC packet classification
configuring 1
description 2
management interfaces
CoPP restrictions 1
Microsoft Challenge Handshake Authentication Protocol
See MSCHAP 1
Microsoft Challenge Handshake Authentication Protocol Version 2
See MSCHAP V2 1
MQC
CoPP 1
MSCHAP
enabling authentication 1
MSCHAP V2
enabling authentication 1
multicast storms.
See traffic storm control 1

N

NAC
configuration process 1
configuring 2
configuring IP device tracking 3
default settings 4
description 1 2
device roles 6
enabling on interfaces 7
example configuration 8
feature history 9
guidelines 10
impact of supervisor module switchovers 11
licensing 12
limitations 13
LPIP 14
prerequisites 15
See also IP device tracking 16
See also posture validation 17
timers 18
verifying configuration 19
virtualization support 20
NADs
description 1
network access devices.
See NADs 1
network-admin user role
description 1
network-operator user role
description 1
new information
description 1
nonresponsive hosts
description 1

O

object groups
configuring 1
description 2
verifying 3

P

PACLs
applying to interfaces 1
interoperating with NAC LPIP 1 2
passwords
enabling strength checking 1
strong characteristics 2
PKI
certificate revocation checking 1
configuring hostnames 2
configuring IP domain names 3
default settings 4
description 1 2
displaying configuration 6
enrollment support 7
example configuration 8
generating RSA key pairs 9
guidelines 10
licensing 11
limitations 12
SSH support 13
virtualization support 14
policing policies
default class maps 1
description 2
lenient default policy 3
moderate default policy 4
strict default policy 5
policy-based ACLs
description 1
verifying object groups 2
port ACLs
definition 1
port security
default settings 1
description 1 2
guidelines 3
interoperating with NAC LPIP 4
limitations 5
MAC move 6
violations 7
ports
authorization states for 802.1X 1
posture validation
configuring automatic for interfaces 1
configuring global automatic 2
description 3
methods 4
posture validation servers
description 1
preventing CoPP overflow by splitting ICMP pings and ARP requests
example configuration 1

R

RADIUS
CFS support 1
clearing distribution sessions 2
committing configuration for distribution 3
configuring authentication attributes 4
configuring dead-time intervals 5
configuring global keys 6
configuring global transmission retry 7
configuring global transmission timeout interval 8
configuring servers 9
default settings 10
description 1 2
discarding temporary configuration changes 12
enabling configuration distribution 13
example configurations 14
guidelines 15
licensing 16
limitations 17
network environments 18
operation 19
prerequisites 20
process for configuring 21
relay for Cisco TrustSec 22
verifying configuration 23
virtualization support 24
VSAs 25
RADIUS accounting
enabling for 802.1X authentication 1
RADIUS groups
example configurations 1
manually monitoring 2
RADIUS server groups
configuring 1
global source interfaces 2
RADIUS servers
allowing users to specify at login 1
configuring 2
configuring accounting attributes 3
configuring keys 4
configuring periodic monitoring 5
configuring transmission retry counts 6
configuring transmission timeout intervals 7
example configurations 8
manually monitoring 9
monitoring 1 2
verifying configuration 11
RADIUS statistics
clearing 1
rate limits
clearing statistics 1
configuration examples 2
configuring 3
default settings 4
description 1 2
guidelines 6
licensing 7
limitations 8
monitoring 9
verifying configuration 10
virtualization support 11
RBAC
default settings 1
description 1 2
example configuration 3
verifying configuration 4
retransmit timers
description 1
revalidation timers
description 1
role
changing VRF policies 1
roles
adding rules 1
changing VLAN policies 2
changing interface policies 3
clearing distribution sessions 4
configuration distribution to network 5
creating 6
creating feature groups 7
discarding distribution sessions 8
distributing configurations 9
enabling configuration distribution 10
example configuration 11
licensing 12
router ACLs
definition 1
RSA key pairs
deleting from a Cisco NX-OS device 1
exporting 2
generating for PKI 3
importing 4
RSA key-pairs
description 1
displaying configuration 2
exporting 3
importing 4
multiple 5
rules
adding to roles 1
rules.
See user role rules 1

S

SAP
configuring modes on interfaces 1
SAP keys
regenerating on interfaces 1
Security Association Protocol.
See SAP 1
security group access lists
See SGACLs 1
security group tag
See SGT 1
server groups.
See AAA server groups 1
SGACL policies
clearing 1
displaying downloaded policies 2
manually configuring 3
SGACL policy enforcement
enabling on VLANs 1
enabling on VRFs 2
SGACLs
configuring 1
description 2
example manual configuration 3
example SGT mapping configuration 1 2 3
SGACLs policies
acquisition 1
refreshing downloaded policies 2
SGT Exchange Protocol
See SXP 1
SGTs
description 1
example mapping configuration 1 2 3
manually configuring 3
manually configuring address-to-SGACL mapping 1 2
propagation with SXP 5
SNMPv3
specifying AAA parameters 1
specifying parameters for AAA servers 2
source interfaces
RADIUS server groups 1
TACACS+ server groups 2
SPTs
description 1
predefined tokens 2
SSH
default settings 1
description 2
digital certificate support 3
example configuration 4
guidelines 5
licensing 6
limitations 7
prerequisites 8
specifying keys for user accounts 9
verifying configuration 10
virtualization support 11
SSH clients
support on NX-OS devices 1
SSH hosts
clearing on NX-OS devices 1
SSH keys
deleting from the NX-OS device 1
specifying in IETF SECSH format 2
specifying in OpenSSH format 3
SSH servers
clearing on NX-OS devices 1
disabling on NX-OS devices 2
key-pair support 3
support on NX-OS devices 4
SSH sessions
clearing 1
starting 2
status-query timers
description 1
superuser role.
See network-admin user role 1
SXP
changing reconcile periods 1
changing retry periods 2
configuration process 3
configuring default passwords 4
configuring default source IP addresses 5
configuring manually 6
configuring peer connections 7
enabling 8
SGT propagation 9
SXP connections
example manual configuration 1
system posture tokens.
See SPTs 1

T

TACACS+
advantages over RADIUS 1
allowing users to specify server name at login 2
clearing active distribution sessions 3
committing configuration changes to the network 4
configuration distribution 5
configuration process 6
configuring 7
configuring global keys 8
configuring global timeout intervals 9
configuring TCP ports 10
configuring the dead-time interval 11
default settings 12
description 1 2
disabling 14
discarding distribution sessions 15
enabling configuration distribution 16
enabling feature 17
example configurations 18
guidelines 19
keys 20
licensing requirements 21
limitations 22
prerequisites 23
user login operation 24
verifying command authorization 25
verifying configuration 26
virtualization 27
VSAs 28
TACACS+ servers
configuring 1
TACACS+ command authorization
configuring 1
description 2
testing 3
TACACS+ groups
configuring 1
manually monitoring 2
TACACS+ server groups
example configuration 1
global source interfaces 2
TACACS+ servers
configuring keys 1
configuring periodic monitoring 2
configuring timeout intervals 3
example configuration 4
manually monitoring 5
monitoring 1 2
TACACS+ statistics
clearing 1
TCP ports
configuring for TACACS+ 1
Telnet
clearing sessions on NX-OS devices 1
default settings 2
description 3
enabling server on NX-OS devices 4
guidelines 5
licensing 6
limitations 7
prerequisites 8
starting sessions to remote devices 9
verifying configuration 10
virtualization support 11
Telnet servers
support on NX-OS devices 1
time range
description 1
time ranges
absolute 1
configuring 1 2
description 3
periodic 4
verifying configuration 5
traffic storm control
default settings 1
description 1 2
example configuration 3
guidelines 4
licensing 5
limitations 6
monitoring counters 7
verifying configuration 8
virtualization support 9
trust points
description 1
multiple 2
saving configuration across reboots 3

U

Unicast RPF
BGP attributes 1
BOOTP and 2
default settings 3
deploying 4
description 1 2
DHCP and 6
example configurations 7
FIB 8
guidelines 9
implementation 10
licensing 11
limitations 12
loose mode 13
statistics 14
strict mode 15
tunneling and 16
verifying configuration 17
virtualization support 18
unicast storms.
See traffic storm control 1
user accounts
configuring 1
default settings 2
description 3
example configuration 4
guidelines 5
licensing 6
password characteristics 7
verifying configuration 8
virtualization support 9
user accounts limitations 1
user logins
authentication process 1
authorization process 2
user role rules
description 1
user roles
configuring 1
defaults 2
description 3
guidelines 4
limitations 5
specifying on AAA servers 1 2
verifying configuration 7
virtualization support 8

V

VACLs
default settings 1
description 2
guidelines 3
interoperating with NAC LPIP 4
limitations 5
vdc-admin user role
description 1
vdc-operator user role
description 1
vendor-specific attributes.
See VSAs 1
virtualization
802.1X 1
AAA 2
Cisco TrustSec 3
CoPP 4
DAI 5
NAC 6
RADIUS 7
rate limits 8
TACACS+ 9
traffic storm control 10
user accounts 11
user roles 12
virtualization support
PKI 1
virtualization
IP Source Guard 1
VLAN ACLs
definition 1
description 2
VLAN policies
changing for roles 1
VRF policies
changing in roles 1
VSAs
format 1
protocol options 1 2 3
support description 3
VTY access class
enabling using CoPP 1