C Commands
This chapter describes the Cisco NX-OS security commands that begin with C.
capture session
To enable a capture session for the access control list (ACL), use the capture session command.
capture session session
Syntax Description
Defaults
None
Command Modes
ACL capture configuration mode (config-acl-capture)
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to configure an ACL capture session:
switch# configure terminal
switch(config)# ip access-list abc1234
switch(config-acl)# capture session 7
switch(config-acl)#
Related Commands
Command Description
ip access-list
Creates an access list.
monitor session session type acl-capture
Configures an ACL capture session.
class (policy map)
To specify a control plane class map for a control plane policy map, use the class command. To delete a control plane class map from a control plane policy map, use the no form of this command.
class {class-map-name [insert-before class-map-name2] | class-default}
no class class-map-name
Syntax Description
Defaults
None
Command Modes
Policy map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure a class map for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)#
This example shows how to delete a class map from a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# no class ClassMapA
Related Commands
class-map type control-plane
To create or specify a control plane class map and enter class map configuration mode, use the class-map type control-plane command. To delete a control plane class map, use the no form of this command.
class-map type control-plane [match-all | match-any] class-map-name
no class-map type control-plane [match-all | match-any] class-map-name
Syntax Description
Defaults
match-any
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You cannot use match-all, match-any, or class-default as names for control plane class maps.
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to specify a control plane class map and enter class map configuration mode:
switch# configure terminal
switch(config)# class-map type control-plane ClassMapA
switch(config-cmap)#
This example shows how to delete a control plane class map:
switch# configure terminal
switch(config)# no class-map type control-plane ClassMapA
Related Commands
Command Description
show class-map type control-plane
Displays control plane policy map configuration information.
clear access-list counters
To clear the counters for all IPv4, IPv6, and MAC access control lists (ACLs) or a single ACL, use the clear access-list counters command.
clear access-list counters [access-list-name]
Syntax Description
access-list-name
(Optional) Name of the ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
4.1(2)
Added support for clearing IPv6 ACL counters.
4.0(1)
This command was introduced.
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear counters for all IPv4, IPv6, and MAC ACLs:
switch# clear access-list counters
switch#
This example shows how to clear counters for an IPv4 ACL named acl-ipv4-01:
switch# clear access-list counters acl-ipv4-01
switch#
Related Commands
clear accounting log
To clear the accounting log, use the clear accounting log command.
clear accounting log [logflash]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The clear accounting log command operates only in the default virtual device context (VDC 1).
This command does not require a license.
Examples
This example shows how to clear the accounting log:
switch# clear accounting log
Related Commands
clear copp statistics
To clear control plane policing (CoPP) statistics, use the clear copp statistics command.
clear copp statistics
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to clear the CoPP statistics:
switch# clear copp statistics
Related Commands
Command Description
show policy-map interface control-plane
Displays the CoPP statistics for interfaces.
clear cts role-based counters
To clear the role-based access control list (RBACL) statistics so that all counters are reset to 0, use the clear cts role-based counters command.
clear cts role-based counters
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command requires the Advanced Services license.
Examples
This example shows how to clear the RBACL statistics:
switch# clear cts role-based counters
Related Commands
clear dot1x
To clear 802.1X authenticator instances, use the clear dot1x command.
clear dot1x {all | interface ethernet slot/port}
Syntax Description
all
Specifies all 802.1X authenticator instances.
interface ethernet slot/port
Specifies the 802.1X authenticator instances for a specified interface.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must use the feature dot1x command before you configure 802.1X.
This command does not require a license.
Examples
This example shows how to clear all 802.1X authenticator instances:
switch# clear dot1x all
This example shows how to clear the 802.1X authenticator instances for an interface:
switch# clear dot1x interface ethernet 1/1
Related Commands
Command Description
feature dot1x
Enables the 802.1X feature.
show dot1x all
Displays all 802.1X information.
clear eou
To clear Extensible Authentication Protocol over User Datagram Protocol (EAPoUDP) sessions, use the clear eou command.
clear eou {all | authentication {clientless | eap | static} | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address | posturetoken type}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You must enable EAPoUDP by using the feature eou command before using the clear eou command.
This command does not require a license.
Examples
This example shows how to clear all the EAPoUDP sessions:
switch# clear eou all
This example shows how to clear the statically authenticated EAPoUDP sessions:
switch# clear eou authentication static
This example shows how to clear the EAPoUDP sessions for an interface:
switch# clear eou interface ethernet 1/1
This example shows how to clear the EAPoUDP sessions for an IP address:
switch# clear eou ip-address 10.10.1.1
This example shows how to clear the EAPoUDP sessions for a MAC address:
switch# clear eou mac-address 0019.076c.dac4
This example shows how to clear the EAPoUDP sessions with a posture token type of healthy:
switch# clear eou posturetoken healthy
Related Commands
clear hardware rate-limiter
To clear rate-limit statistics, use the clear hardware rate-limiter command.
clear hardware rate-limiter {access-list-log | all | copy | layer-2 {l2pt | mcast-snooping | port-security | storm-control | vpc-low} | layer-3 {control | glean | mtu | multicast {directly-connected | local-groups | rpf-leak} | ttl} | receive}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
Command History
Release Modification
5.0(2)
Added the l2pt keyword.
4.0(3)
Added the port-security keyword.
4.0(1)
This command was introduced.
Usage Guidelines
You can use the command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to clear all the rate-limit statistics:
switch# clear hardware rate-limiter all
This example shows how to clear the rate-limit statistics for access-list log packets:
switch# clear hardware rate-limiter access-list-log
This example shows how to clear the rate-limit statistics for Layer 2 storm-control packets:
switch# clear hardware rate-limiter layer-2 storm-control
This example shows how to clear the rate-limit statistics for Layer 3 glean packets:
switch# clear hardware rate-limiter layer-3 glean
This example shows how to clear the rate-limit statistics for Layer 3 directly-connected multicast packets:
switch# clear hardware rate-limiter layer-3 multicast directly-connected
This example shows how to clear the rate-limit statistics for received packets:
switch# clear hardware rate-limiter receive
Related Commands
Command Description
hardware rate-limiter
Configures rate limits.
show hardware rate-limiter
Displays rate-limit information.
clear ip access-list counters
To clear the counters for all IPv4 access control lists (ACLs) or a single IPv4 ACL, use the clear ip access-list counters command.
clear ip access-list counters [access-list-name]
Syntax Description
access-list-name
(Optional) Name of the IPv4 ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear counters for all IPv4 ACLs:
switch# clear ip access-list counters
switch#
This example shows how to clear counters for an IP ACL named acl-ipv4-101:
switch# clear ip access-list counters acl-ipv4-101
switch#
Related Commands
clear ip arp inspection log
To clear the Dynamic ARP Inspection (DAI) logging buffer, use the clear ip arp inspection log command.
clear ip arp inspection log
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear the DAI logging buffer:
switch# clear ip arp inspection log
switch#
Related Commands
clear ip arp inspection statistics vlan
To clear the Dynamic ARP Inspection (DAI) statistics for a specified VLAN, use the clear ip arp inspection statistics vlan command.
clear ip arp inspection statistics vlan vlan-list
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear the DAI statistics for VLAN 2:
switch# clear ip arp inspection statistics vlan 2
switch#
This example shows how to clear the DAI statistics for VLANs 5 through 12:
switch# clear ip arp inspection statistics vlan 5-12
switch#
This example shows how to clear the DAI statistics for VLAN 2 and VLANs 5 through 12:
switch# clear ip arp inspection statistics vlan 2,5-12
switch#
Related Commands
clear ip device tracking
To clear IP device tracking information, use the clear ip device tracking command.
clear ip device tracking {all | interface ethernet slot/port | ip-address ipv4-address | mac-address mac-address}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear all the IP device tracking information:
switch# clear ip device tracking all
This example shows how to clear the IP device tracking information for an interface:
switch# clear ip device tracking interface ethernet 1/1
This example shows how to clear the IP device tracking information for an IP address:
switch# clear ip device tracking ip-address 10.10.1.1
This example shows how to clear the IP device tracking information for a MAC address:
switch# clear ip device tracking mac-address 000c.30da.86f4
Related Commands
Command Description
ip device tracking
Enables IP device tracking.
show ip device tracking
Displays IP device tracking information.
clear ip dhcp snooping binding
To clear the DHCP snooping binding database, use the clear ip dhcp snooping binding command.
clear ip dhcp snooping binding
clear ip dhcp snooping binding [vlan vlan-id mac mac-address ip ip-address interface ethernet slot/port[.subinterface-number]]
clear ip dhcp snooping binding [vlan vlan-id mac mac-address ip ip-address interface port-channel channel-number[.subchannel-number]]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
VDC user
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear the DHCP snooping binding database:
switch# clear ip dhcp snooping binding
switch#
This example shows how to clear a specific entry from the DHCP snooping binding database:
switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11
switch#
Related Commands
clear ipv6 access-list counters
To clear the counters for all IPv6 access control lists (ACLs) or a single IPv6 ACL, use the clear ipv6 access-list counters command.
clear ipv6 access-list counters [access-list-name]
Syntax Description
access-list-name
(Optional) Name of the IPv6 ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear counters for all IPv6 ACLs:
switch# clear ipv6 access-list counters
switch#
This example shows how to clear counters for an IPv6 ACL named acl-ipv6-3A:
switch# clear ipv6 access-list counters acl-ipv6-3A
switch#
Related Commands
clear ldap-server statistics
To clear the Lightweight Directory Access Protocol (LDAP) server statistics, use the clear ldap-server statistics command.
clear ldap-server statistics {ipv4-address | ipv6-address | host-name}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
network-operator
vdc-admin
vdc-operator
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear the statistics for an LDAP server:
switch# clear ldap-server statistics 10.10.1.1
Related Commands
Command Description
feature ldap
Enables LDAP.
ldap-server host
Specifies the IPv4 or IPv6 address or hostname for an LDAP server.
show ldap-server statistics
Displays the LDAP server statistics.
clear mac access-list counters
To clear the counters for all MAC access control lists (ACLs) or a single MAC ACL, use the clear mac access-list counters command.
clear mac access-list counters [access-list-name]
Syntax Description
access-list-name
(Optional) Name of the MAC ACL whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear counters for all MAC ACLs:
switch# clear mac access-list counters
switch#
This example shows how to clear counters for a MAC ACL named acl-mac-0060:
switch# clear mac access-list counters acl-mac-0060
switch#
Related Commands
clear port-security
To clear a single, dynamically learned, secure MAC address or to clear all dynamically learned, secure MAC addresses for a specific interface, use the clear port-security command.
clear port-security dynamic interface ethernet slot/port [vlan vlan-id]
clear port-security dynamic interface port-channel channel-number [vlan vlan-id]
clear port-security dynamic address address [vlan vlan-id]
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
4.2(1)
Support was added for port-security on port-channel interfaces.
4.0(1)
This command was introduced.
Usage Guidelines
You must enable port security by using the feature port-security command before you can use the clear port-security command.
This command does not require a license.
Examples
This example shows how to remove dynamically learned, secure MAC addresses from the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# clear port-security dynamic interface ethernet 2/1
This example shows how to remove the dynamically learned, secure MAC address 0019.D2D0.00AE:
switch# configure terminal
switch(config)# clear port-security dynamic address 0019.D2D0.00AE
Related Commands
clear radius-server statistics
To clear the statistics for a RADIUS server host, use the clear radius-server statistics command.
clear radius-server statistics {ipv4-address | ipv6-address | server-name}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear statistics for a RADIUS server:
switch# clear radius-server statistics 10.10.1.1
Related Commands
clear ssh hosts
To clear the Secure Shell (SSH) host sessions and the known host file for a virtual device context (VDC), use the clear ssh hosts command.
clear ssh hosts
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear all SSH host sessions and the known host file:
switch# clear ssh hosts
Related Commands
clear tacacs-server statistics
To clear the statistics for a TACACS+ server host, use the clear tacacs-server statistics command.
clear tacacs-server statistics {ipv4-address | ipv6-address | server-name}
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear statistics for a TACACS+ server:
switch# clear tacacs-server statistics 10.10.1.1
Related Commands
clear user
To clear a user session for a virtual device context (VDC), use the clear user command.
clear user user-id
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Use the show users command to display the current user sessions on the device.
This command does not require a license.
Examples
This example shows how to clear the session of the user user1:
switch# clear user user1
Related Commands
clear vlan access-list counters
To clear the counters for all VLAN access control lists (VACLs) or a single VACL, use the clear vlan access-list counters command.
clear vlan access-list counters [access-map-name]
Syntax Description
access-map-name
(Optional) Name of the VLAN access map whose counters the device clears. The name can be up to 64 alphanumeric, case-sensitive characters.
Defaults
None
Command Modes
Privileged EXEC
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command does not require a license.
Examples
This example shows how to clear counters for all VACLs:
switch# clear vlan access-list counters
switch#
This example shows how to clear counters for a VACL named vlan-map-101:
switch# clear vlan access-list counters vlan-map-101
switch#
Related Commands
copp copy profile
To create a copy of the Control Plane Policing (CoPP) best practice policy, use the copp copy profile command.
copp copy profile {lenient | moderate | strict} {prefix | suffix} string
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
When you use the copp copy profile command, CoPP renames all class maps and policy maps with the specified prefix or suffix.
This command does not require a license.
Examples
This example shows how to create a clone of the CoPP best practice policy:
switch# copp copy profile moderate prefix abc
Related Commands
copp profile
To apply the default Control Plane Policing (CoPP) best practice policy on the Cisco NX-OS device without rerunning the setup utility, use the copp profile command. To remove the default CoPP policy from the Cisco NX-OS device, use the no form of this command.
copp profile {lenient | moderate | strict}
no copp profile {lenient | moderate | strict}
Syntax Description
lenient
Specifies the lenient profile.
moderate
Specifies the moderate profile.
strict
Specifies the strict profile.
Defaults
strict
Command Modes
Global configuration (config)
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
In Cisco NX-OS releases prior to 5.2(1), you must use the setup utility to change or reapply the default CoPP policy. You can access the setup utility using the setup command.
Beginning with Cisco NX-OS Release 5.2, the CoPP best practice policy is read-only. If you want to modify its configuration, you must clone it using the copp copy profile command. Cloned policies are treated as user configurations.
When you use in-service software upgrade (ISSU) to upgrade to Cisco NX-OS Release 5.2, the policy attached to the control plane is treated as a user-configured policy. Check the CoPP profile using the show copp profile command and make any required changes.
If you use ISSU to downgrade from Cisco NX-OS Release 5.2, CoPP reports the incompatible configuration and instructs you to clone the CoPP profile. In the lower version, all configurations are restored in user-configuration mode.
This command does not require a license.
Examples
This example shows how to apply the default CoPP best practice policy on the Cisco NX-OS device:
switch# configure terminal
switch(config)# copp profile moderate
switch(config)#
This example shows how to remove the default CoPP best practice policy from the Cisco NX-OS device:
switch(config)# no copp profile moderate
switch(config)#
Related Commands
CRLLookup
To configure the attribute name, search filter, and base-DN for the certificate revocation list (CRL) search operation in order to send a search query to the Lightweight Directory Access Protocol (LDAP) server, use the CRLLookup command. To disable this configuration, use the no form of this command.
CRLLookup attribute-name attribute-name search-filter filter base-DN base-DN-name
no CRLLookup
Syntax Description
Defaults
None
Command Modes
Lightweight Directory Access Protocol (LDAP) search map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the attribute name, search filter, and base-DN for the CRL search operation in order to send a search query to the LDAP server:
switch# conf t
switch(config)# ldap search-map s0
switch(config-ldap-search-map)# CRLLookup attribute-name certificateRevocationList search-filter (&(objectClass=cRLDistributionPoint)) base-DN CN=CDP,CN=Public Key Services,CN=Services,CN=Configuration,DC=mdsldaptestlab,DC=com
switch(config-ldap-search-map)#
Related Commands
Command Description
feature ldap
Enables LDAP.
ldap search-map
Configures an LDAP search map.
show ldap-search-map
Displays the configured LDAP search maps.
crypto ca authenticate
To associate and authenticate a certificate of the certificate authority (CA) and configure its CA certificate (or certificate chain), use the crypto ca authenticate command. To remove the association and authentication, use the no form of this command.
crypto ca authenticate trustpoint-label
no crypto ca authenticate trustpoint-label
Syntax Description
trustpoint-label
Name of the trustpoint. The name is alphanumeric, case sensitive, and has a maximum length of 64 characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can use this command to authenticate the CA to the Cisco NX-OS device by obtaining the self-signed certificate of the CA that contains the public key of the CA. Because the CA signs its own certificate, you should manually authenticate the public key of the CA by contacting the CA administrator when you execute this command. The CA certificate or certificate chain must be available in Privacy Enhanced Mail (PEM) (base-64) encoded format.
Use this command when you initially configure certificate authority support for the device. First create the trustpoint using the crypto ca trustpoint command using the CA certificate fingerprint published by the CA. You must compare the certificate fingerprint displayed during authentication with the one published by the CA and accept the CA certificate only if it matches.
If the CA to authenticate is a subordinate CA (it is not self-signed), then another CA certifies it, which in turn may be certified by yet another CA, and so on, until there is a self-signed CA. In this case, the subordinate CA has a CA certificate chain. You must enter the entire chain during CA authentication. The maximum length that the CA certificate chain supports is ten.
The trustpoint CA is the certificate authority that you configure on the device as the trusted CA. The device accepts any peer certificate if it is signed by a locally trusted CA or its subordinates.
Note The trustpoint configuration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the associated certificates and CRL are not automatically persistent because they cannot exist without the corresponding trustpoint after the device reboots.
To ensure that the configured certificates, CRLs, and key pairs are persistent, always save the running configuration in the startup configuration.
This command does not require a license.
Examples
This example shows how to authenticate a CA certificate called admin-ca:
switch# configure terminal
switch(config)# crypto ca authenticate myCA
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
-----BEGIN CERTIFICATE-----
<certificate body omitted>
-----END CERTIFICATE-----
END OF INPUT
Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
Do you accept this certificate? [yes/no]: y
Related Commands
crypto ca crl request
To configure a new certificate revocation list (CRL) downloaded from the certificate authority (CA), use the crypto ca crl request command.
crypto ca crl request trustpoint-label source-file
Syntax Description
trustpoint-label
Name of the trustpoint. The maximum size is 64 characters.
source-file
Location of the CRL in the form bootflash:filename. The maximum size is 512.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
The crypto ca crl request command allows you to pre-download CRLs for the trustpoints and cache the CRLs in the certificate (cert) store. The CRL file specified should contain the latest CRL in either the Privacy Enhanced Mail (PEM) format or Distinguished Encoding Rules (DER) format.
Note The trustpoint configuration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the associated certificates and CRL are not automatically persistent because they cannot exist without the corresponding trustpoint after the device reboots.
To ensure that the configured certificates, CRLs and key pairs are persistent, always save the running configuration in the startup configuration.
This command does not require a license.
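The fingerprint comparison that the crypto ca authenticate usage guidelines require, together with the PEM-or-DER handling that crypto ca crl request accepts, as an added Python example. This is not Cisco code and is not part of this reference: the two-certificate PEM chain is constructed from dummy payloads (not real certificates), the "published" fingerprint is simply MD5 of the first payload, and the chain limit of ten is the one stated in the usage guidelines above.

```python
import base64
import hashlib
import hmac
import re

# Documented limit from the usage guidelines: the CA certificate chain
# entered during authentication may hold at most ten certificates.
MAX_CHAIN_LENGTH = 10

# Matches one PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def pem_to_der_blocks(data: bytes) -> list:
    """Return the DER payload of every PEM block found in data.

    Data without PEM armor is treated as a single DER object, the other
    encoding the reference accepts for a CRL file.
    """
    text = data.decode("ascii", errors="ignore")
    blocks = [base64.b64decode("".join(body.split()))
              for _label, body in PEM_BLOCK.findall(text)]
    return blocks if blocks else [data]


def md5_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case MD5 of the DER bytes, laid out like the
    'MD5 Fingerprint=65:84:9A:...' line the switch prints."""
    digest = hashlib.md5(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Drop separators and case so fingerprints copied from different
    sources (CA web page, e-mail, switch output) compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def fingerprint_matches(der: bytes, published: str) -> bool:
    """Compare the computed fingerprint with the one the CA published."""
    return hmac.compare_digest(normalize_fingerprint(md5_fingerprint(der)),
                               normalize_fingerprint(published))


def verify_ca_input(data: bytes, published: str) -> dict:
    """Check what would be pasted into crypto ca authenticate.

    Reports the number of certificates, whether the chain respects the
    limit, every fingerprint, and the index of the certificate whose
    fingerprint equals the published one (None when nothing matches).
    """
    blocks = pem_to_der_blocks(data)
    fps = [md5_fingerprint(b) for b in blocks]
    match = next((i for i, b in enumerate(blocks)
                  if fingerprint_matches(b, published)), None)
    return {
        "count": len(blocks),
        "within_limit": len(blocks) <= MAX_CHAIN_LENGTH,
        "fingerprints": fps,
        "match_index": match,
    }


# Constructed sample: two PEM blocks whose payloads are the dummy bytes
# b"abc" and b"cert-data", not real certificates.
SAMPLE_CHAIN_PEM = b"""-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2VydC1kYXRh
-----END CERTIFICATE-----
"""

# Assumed "published" fingerprint: MD5("abc"), written in lower case to
# exercise the normalization.
PUBLISHED_ROOT_FP = "90:01:50:98:3c:d2:4f:b0:d6:96:3f:7d:28:e1:7f:72"

if __name__ == "__main__":
    report = verify_ca_input(SAMPLE_CHAIN_PEM, PUBLISHED_ROOT_FP)
    for i, fp in enumerate(report["fingerprints"]):
        print(f"certificate {i}: MD5 Fingerprint={fp}")
    print("chain length ok:", report["within_limit"])
    print("published fingerprint found at index:", report["match_index"])
```

Run it against the real PEM chain you intend to paste and the fingerprint obtained from the CA administrator; accept the certificate at the "Do you accept this certificate?" prompt only when match_index is not None. The same pem_to_der_blocks call is what you would use to confirm a CRL file is well-formed PEM or DER before copying it to bootflash for crypto ca crl request.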
Examples
This example shows how to configure a CRL for the trustpoint or replace the current CRL:
switch# configure terminal
switch(config)# crypto ca crl request admin-ca bootflash:admin-ca.crl
Related Commands
Command Description
revocation-check
Configures trustpoint revocation check methods.
show crypto ca crl
Displays configured certificate revocation lists (CRL).
crypto ca enroll
To request a certificate for the device RSA key pair created for this trustpoint CA, use the crypto ca enroll command.
crypto ca enroll trustpoint-label
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
A Cisco NX-OS device enrolls with the trustpoint CA to obtain an identity certificate. You can enroll your device with multiple trustpoints and obtain a separate identity certificate from each trustpoint.
When enrolling with a trustpoint, you must specify an RSA key pair to certify. You must generate the key pair and associate it to the trustpoint before generating the enrollment request.
Use the crypto ca enroll command to generate a request to obtain an identity certificate from each of your trustpoints that correspond to authenticated CAs. The certificate signing request (CSR) generated is per the Public-Key Cryptography Standards (PKCS) #10 standard and is displayed in the PEM format. You then cut and paste the certificate and submit it to the corresponding CA through an e-mail or on the CA website. The CA administrator issues the certificate and makes it available to you either through the website or by sending it in an e-mail. You need to import the obtained identity certificate that corresponds to the trustpoint using the crypto ca import trustpoint-label certificate command.
Note The device does not save the challenge password with the configuration. Record this password so that you can provide it if you need to revoke your certificate.
This command does not require a license.
Examples
This example shows how to generate a certificate request for an authenticated CA:
switch# configure terminal
switch(config)# crypto ca enroll myCA
Create the certificate request ..
Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:nbv123
The subject name in the certificate will be: Vegas-1.cisco.com
Include the switch serial number in the subject name? [yes/no]:no
Include an IP address in the subject name [yes/no]:yes
ip address:209.165.200.226
The certificate request will be displayed...
-----BEGIN CERTIFICATE REQUEST-----
<certificate request body omitted>
-----END CERTIFICATE REQUEST-----
% The 'show crypto ca certificate' command will also show the fingerprint.
Related Commands
crypto ca export
To export the RSA key pair and the associated certificates (identity and CA) of a trustpoint within a Public-Key Cryptography Standards (PKCS) #12 format file to a specified location, use the crypto ca export command.
crypto ca export trustpoint-label pkcs12 destination-file-url pkcs12-password
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
You can export the identity certificate with the associated RSA key pair and CA certificate (or certificate chain) to a PKCS #12 format file for backup purposes. You can later import the certificate and RSA key pair to recover from a system crash on your device.
This command does not require a license.
Examples
This example shows how to export a certificate and key pair in the PKCS #12 format:
switch# configure terminal
switch(config)# crypto ca export admin-ca pkcs12 bootflash:adminid.p12 nbv123
Related Commands
crypto ca import
To import the identity certificate in the Privacy Enhanced Mail (PEM) format or the identity certificate and associated RSA key pair and CA certificate (or certificate chain) in the Public-Key Cryptography Standards (PKCS) #12 format, use the crypto ca import command.
crypto ca import trustpoint-label {certificate | pkcs12 source-file-url pkcs12-password}
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Use the certificate keyword to import (by cut and paste means) the identity certificate obtained from the CA, corresponding to the enrollment request generated earlier in the trustpoint and submitted to the CA.
Use the pkcs12 source-file-url pkcs12-password keyword and arguments to import the complete identity information, which includes the identity certificate and associated RSA key pair and CA certificate or certificate chain, into an empty trustpoint. This method allows you to restore the configuration after a system crash.
Note The trustpoint configuration that you create with the crypto ca trustpoint command persists across device reboots only if you save it explicitly using the copy running-config startup-config command. The certificates and CRL associated to a trustpoint are automatically persistent when you save the trustpoint configuration in the startup configuration. Otherwise, if you do not save the trustpoint in the startup configuration, the associated certificates and CRL are not persistent because they cannot exist without the corresponding trustpoint after the device reboots.
To ensure that the configured certificates, CRLs and key pairs are persistent, always save the running configuration in the startup configuration.
This command does not require a license.
Examples
This example shows how to install an identity certificate obtained from a CA corresponding to an enrollment request made and submitted earlier:
switch# configure terminal
switch(config)# crypto ca import myCA certificate
input (cut & paste) certificate in PEM format:
-----BEGIN CERTIFICATE-----
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
-----END CERTIFICATE-----
This example shows how to import a certificate and key pair in a Public-Key Cryptography Standards (PKCS) #12 format file:
switch# configure terminal
switch(config)# crypto ca import admin-ca pkcs12 bootflash:adminid.p12 nbv123
Related Commands
crypto ca lookup
To specify the cert-store to be used for certificate authentication, use the crypto ca lookup command.
crypto ca lookup {local | remote | both}
Syntax Description
Defaults
Local
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
If you plan to configure a remote cert-store, you must set up an LDAP server in a remote device and make sure that the CA certificates that are used for authentication are loaded to the Active Directory.
This command does not require a license.
Examples
This example shows how to specify the remote cert-store for certificate authentication:
switch(config)# crypto ca lookup remote
Related Commands
crypto ca remote ldap crl-refresh-time
To configure the refresh time to update the certificate revocation list (CRL) from the remote cert-store, use the crypto ca remote ldap crl-refresh-time command.
crypto ca remote ldap crl-refresh-time hours
Syntax Description
hours
Refresh time value in hours. The range is from 0 to 744 hours. If you enter 0, the refresh routine runs once.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must configure a remote cert-store and the LDAP server group.
This command does not require a license.
Examples
This example shows how to configure the refresh time to update the CRL from the remote cert-store:
switch(config)# crypto ca remote ldap crl-refresh-time 10
Related Commands
crypto ca remote ldap server-group
To configure the Lightweight Directory Access Protocol (LDAP) server group to be used while communicating with LDAP, use the crypto ca remote ldap server-group command.
crypto ca remote ldap server-group group-name
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must configure a remote cert-store.
This command does not require a license.
Examples
This example shows how to configure the LDAP server group to be used while communicating with LDAP:
switch(config)# crypto ca remote ldap server-group group1
Related Commands
crypto ca test verify
To verify a certificate file, use the crypto ca test verify command.
crypto ca test verify certificate-file
Syntax Description
certificate-file
Certificate filename in the form bootflash:filename. The filename is case sensitive.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Use this command to verify the specified certificate in the PEM format by using the trusted CAs configured and by consulting the certificate revocation list (CRL), if needed, as indicated by the revocation checking configuration.
This command does not require a license.
Examples
This example shows how to verify a certificate file:
switch(config)# crypto ca test verify bootflash:id1.pem
verify status code:0
verify error msg:
Note The verify status code value of 0 indicates that the verification is successful.
Related Commands
crypto ca trustpoint
To create a trustpoint certificate authority (CA) that the device should trust and enter trustpoint configuration mode, use the crypto ca trustpoint command. To remove the trustpoint, use the no form of this command.
crypto ca trustpoint trustpoint-label
no crypto ca trustpoint trustpoint-label
Syntax Description
trustpoint-label
Name of the trustpoint. The name is alphanumeric, case sensitive, and has a maximum of 64 characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Trustpoints have the following characteristics:
•A trustpoint corresponds to a single CA, which a Cisco NX-OS device trusts for peer certificate verification for any application.
•A CA must be explicitly associated to a trustpoint using the crypto ca authenticate command.
•A Cisco NX-OS device can have many trustpoints and all applications on the device can trust a peer certificate issued by any of the trustpoint CAs.
•A trustpoint is not restricted to a specific application.
•The Cisco NX-OS device can optionally enroll with a trustpoint CA to get an identity certificate for itself.
You do not need to designate one or more trustpoints to an application. Any application should be able to use any certificate issued by any trustpoint as long as the certificate satisfies the application requirement.
You do not need more than one identity certificate from a trustpoint or more than one key pair associated to a trustpoint. A CA certifies a given identity (name) only once and does not issue multiple certificates with the same subject name. If you need more than one identity certificate for a CA, define another trustpoint for the same CA, associate another key pair to it, and have it certified if the CA allows multiple certificates with the same subject name.
Note Before using the no crypto ca trustpoint command to remove the trustpoint, you must first delete the identity certificate and CA certificate (or certificate chain) and then disassociate the RSA key pair from the trustpoint. The device enforces this sequence of actions to prevent the accidental removal of the trustpoint with the certificates.
This command does not require a license.
Examples
This example shows how to declare a trustpoint CA that the device should trust and enter trustpoint configuration mode:
switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)#
This example shows how to remove the trustpoint CA:
switch# configure terminal
switch(config)# no crypto ca trustpoint admin-ca
Related Commands
crypto certificatemap mapname
To create a filter map, use the crypto certificatemap mapname command.
crypto certificatemap mapname map-name
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must configure a cert-store for certificate authentication.
This command does not require a license.
Examples
This example shows how to create a new filter map:
switch(config)# crypto certificatemap mapname filtermap1
Related Commands
Command Description
filter
Configures one or more certificate mapping filters within the filter map.
show crypto certificatemap
Displays the certificate mapping filters.
crypto cert ssh-authorize
To configure a certificate mapping filter for the SSH protocol, use the crypto cert ssh-authorize command.
crypto cert ssh-authorize [default | issuer-CAname] [map map-name1 [map-name2]]
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must create a filter map.
This command does not require a license.
Examples
This example shows how to configure a certificate mapping filter for the SSH protocol:
switch(config)# crypto cert ssh-authorize default map filtermap1
Related Commands
delete ca-certificate
To delete certificate authority certificates, use the delete ca-certificate command.
delete ca-certificate
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Trustpoint configuration
Command History
Usage Guidelines
This command deletes the CA certificate or certificate chain corresponding to the trustpoint CA. As a result, the trustpoint CA is no longer trusted. If there is an identity certificate from the CA, you must delete it before you can delete the CA certificate. This prevents the accidental deletion of a CA certificate when you have not yet deleted the identity certificate obtained from that CA. Deleting the CA certificate may be necessary when you no longer want to trust the CA because the CA is compromised or the CA certificate has expired.
Note The trustpoint configuration, certificates, and key pair configurations are persistent only after saving to the startup configuration. Deletions become persistent only after you save the running configuration to the startup configuration.
Enter the copy running-config startup-config command to make the certificate and key pair deletions persistent.
This command does not require a license.
Examples
This example shows how to delete a certificate authority certificate:
switch# configure terminal
switch(config)# crypto ca trustpoint admin-ca
switch(config-trustpoint)# delete ca-certificate
Related Commands
Command Description
delete certificate
Deletes the identity certificate.
delete crl
Deletes the CRL from the trustpoint.
cts device-id
To configure a Cisco TrustSec device identifier, use the cts device-id command.
cts device-id device-id password [7] password
Syntax Description
Defaults
No Cisco TrustSec device identifier
Clear text password
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
The Cisco TrustSec device identifier name must be unique in your Cisco TrustSec network cloud.
This command requires the Advanced Services license.
Examples
This example shows how to configure a Cisco TrustSec device identifier:
switch# configure terminal
switch(config)# cts device-id DeviceA password Cisco321
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts credentials
Displays the Cisco TrustSec credentials information.
cts dot1x
To enable Cisco TrustSec authentication on an interface and enter Cisco TrustSec 802.1X configuration mode, use the cts dot1x command. To revert to the default, use the no form of this command.
cts dot1x
no cts dot1x
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
This command is not supported for F1 Series modules.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to enable Cisco TrustSec authentication on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to disable Cisco TrustSec authentication on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# no cts dot1x
switch(config-if)# shutdown
switch(config-if)# no shutdown
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts interface
Displays Cisco TrustSec configuration information for interfaces.
cts manual
To enter Cisco TrustSec manual configuration for an interface, use the cts manual command. To remove the manual configuration, use the no form of this command.
cts manual
no cts manual
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to enter Cisco TrustSec manual configuration mode for an interface:
switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# cts manual
switch(config-if-cts-manual)#
This example shows how to remove the Cisco TrustSec manual configuration from an interface:
switch# configure terminal
switch(config)# interface ethernet 2/4
switch(config-if)# no cts manual
switch(config-if)# shutdown
switch(config-if)# no shutdown
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts interface
Displays Cisco TrustSec configuration information for interfaces.
cts refresh role-based-policy
To refresh the Cisco TrustSec security group access control list (SGACL) policies downloaded from the Cisco Secure ACS, use the cts refresh role-based-policy command.
cts refresh role-based-policy
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Any configuration mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to refresh the Cisco TrustSec SGACL policies downloaded from the Cisco Secure ACS:
switch# cts refresh role-based-policy
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts role-based policy
Displays Cisco TrustSec SGACL policy configuration.
cts rekey
To rekey an interface for Cisco TrustSec policies, use the cts rekey command.
cts rekey ethernet slot/port
Syntax Description
Defaults
None
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to rekey an interface for Cisco TrustSec:
switch# cts rekey ethernet 2/3
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts interface
Displays Cisco TrustSec configuration information for interfaces.
cts role-based access-list
To create or specify a Cisco TrustSec security group access control list (SGACL) and enter role-based access control list configuration mode, use the cts role-based access-list command. To remove an SGACL, use the no form of this command.
cts role-based access-list list-name
no cts role-based access-list list-name
Syntax Description
list-name
Name for the SGACL. The name is alphanumeric and case-sensitive. The maximum length is 32 characters.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to create a Cisco TrustSec SGACL and enter role-based access list configuration mode:
switch# configure terminal
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)#
This example shows how to remove a Cisco TrustSec SGACL:
switch# configure terminal
switch(config)# no cts role-based access-list MySGACL
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts role-based access-list
Displays the Cisco TrustSec SGACL configuration.
cts role-based counters enable
To enable role-based access control list (RBACL) statistics, use the cts role-based counters enable command. To disable RBACL statistics, use the no form of this command.
cts role-based counters enable
no cts role-based counters enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
To use this command, you must enable RBACL policy enforcement on the VLAN and VRF.
When you enable RBACL statistics, each policy requires one entry in the hardware. If you do not have enough space remaining in the hardware, an error message appears, and you cannot enable the statistics.
When you modify an RBACL policy, statistics for the previously assigned access control entry (ACE) are displayed, and the newly assigned ACE statistics are initialized to 0.
RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics.
This command requires the Advanced Services license.
Examples
This example shows how to enable RBACL statistics:
switch# configure terminal
switch(config)# cts role-based counters enable
This example shows how to disable RBACL statistics:
switch# configure terminal
switch(config)# no cts role-based counters enable
Related Commands
cts role-based enforcement
To enable Cisco TrustSec security group access control list (SGACL) enforcement in a VLAN or Virtual Routing and Forwarding instance (VRF), use the cts role-based enforcement command. To revert to the default, use the no form of this command.
cts role-based enforcement
no cts role-based enforcement
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
VLAN configuration
VRF configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to enable Cisco TrustSec SGACL enforcement in the default VRF:
switch# configure terminal
switch(config)# cts role-based enforcement
This example shows how to enable Cisco TrustSec SGACL enforcement in a VLAN:
switch# configure terminal
switch(config)# vlan 1
switch(config-vlan)# cts role-based enforcement
This example shows how to enable Cisco TrustSec SGACL enforcement in a nondefault VRF:
switch# configure terminal
switch(config)# vrf context MyVRF
switch(config-vrf)# cts role-based enforcement
This example shows how to disable Cisco TrustSec SGACL enforcement:
switch# configure terminal
switch(config)# no cts role-based enforcement
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts role-based enable
Displays the Cisco TrustSec SGACL policy enforcement configuration.
cts role-based sgt
To manually configure mapping of Cisco TrustSec security group tags (SGTs) to a security group access control list (SGACL), use the cts role-based sgt command. To remove the SGT mapping to an SGACL, use the no form of this command.
cts role-based sgt {sgt-value | any | unknown} dgt {dgt-value | unknown}
access-list list-name
no cts role-based sgt {sgt-value | any | unknown} dgt {dgt-value | unknown}
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
You must configure the SGACL before you can configure SGT mapping.
This command requires the Advanced Services license.
Examples
This example shows how to configure SGT mapping for an SGACL:
switch# configure terminal
switch(config)# cts role-based sgt 3 dgt 10 access-list MySGACL
This example shows how to remove SGT mapping for an SGACL:
switch# configure terminal
switch(config)# no cts role-based sgt 3 dgt 10
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts role-based policy
Displays the Cisco TrustSec SGT mapping for an SGACL.
cts role-based sgt-map
To manually configure the Cisco TrustSec security group tag (SGT) mapping to IP addresses, use the cts role-based sgt-map command. To remove an SGT, use the no form of this command.
cts role-based sgt-map ipv4-address sgt-value
no cts role-based sgt-map ipv4-address
Syntax Description
Defaults
None
Command Modes
Global configuration
VLAN configuration
VRF configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
You can use only IPv4 addressing with Cisco TrustSec.
This command requires the Advanced Services license.
Examples
This example shows how to configure mapping for a Cisco TrustSec SGT:
switch# configure terminal
switch(config)# cts role-based sgt-map 10.10.1.1 3
switch(config)#
This example shows how to remove a Cisco TrustSec SGT mapping:
switch# configure terminal
switch(config)# no cts role-based sgt-map 10.10.1.1
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts role-based sgt-map
Displays the Cisco TrustSec SGT mapping.
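The three commands cts role-based sgt-map, cts role-based access-list and cts role-based sgt ... dgt ... access-list together define how a packet is classified and filtered. The following is an added example that models that lookup in Python; it is not NX-OS code and is not taken from the command reference. The constructed ACE format (action, protocol, destination port), the lookup order (an exact source/destination tag pair before an "any" source entry), the implicit deny at the end of an SGACL and the "permit when no SGACL is bound for the pair" default are assumptions of this model, not behaviour stated on this page. Per-ACE hit counters are kept the way cts role-based counters enable describes, one counter per entry.

```python
"""Model of Cisco TrustSec SGACL (role-based) policy lookup.

Added illustration, not NX-OS code. It maps the commands on this page to data:
  cts role-based sgt-map <ip> <sgt>                                   -> sgt_map
  cts role-based access-list <name> (+ its entries)                   -> acls
  cts role-based sgt {sgt|any|unknown} dgt {dgt|unknown} access-list  -> policy
Lookup order and defaults are assumptions made for the model (see lead-in).
"""
from ipaddress import ip_address

ANY = "any"          # wildcard source tag accepted by 'cts role-based sgt any ...'
UNKNOWN = "unknown"  # tag of an address that has no SGT mapping


class Sgacl:
    """A named SGACL: ordered ACEs with one hit counter per entry."""

    def __init__(self, name, entries):
        self.name = name
        # Constructed ACE shape: (action, protocol, dst_port);
        # protocol "ip" and port None act as wildcards (assumption).
        self.entries = list(entries)
        self.hits = [0] * len(self.entries)

    def evaluate(self, protocol, dst_port):
        for i, (action, proto, port) in enumerate(self.entries):
            if proto in ("ip", protocol) and port in (None, dst_port):
                self.hits[i] += 1
                return action
        return "deny"  # implicit deny at the end of the SGACL (assumption)


class RoleBasedPolicy:
    def __init__(self):
        self.sgt_map = {}  # ip_address -> SGT value
        self.acls = {}     # SGACL name -> Sgacl
        self.policy = {}   # (sgt, dgt) -> SGACL name

    def sgt_map_add(self, ip, sgt):
        self.sgt_map[ip_address(ip)] = sgt

    def access_list(self, name, entries):
        self.acls[name] = Sgacl(name, entries)

    def bind(self, sgt, dgt, list_name):
        # The reference requires the SGACL to exist before SGT mapping is configured.
        if list_name not in self.acls:
            raise ValueError(f"SGACL {list_name} is not configured")
        self.policy[(sgt, dgt)] = list_name

    def sgt_for(self, ip):
        # An address without a mapping carries the 'unknown' tag.
        return self.sgt_map.get(ip_address(ip), UNKNOWN)

    def lookup(self, sgt, dgt):
        # Exact pair first, then an 'any' source entry (assumed precedence).
        for key in ((sgt, dgt), (ANY, dgt)):
            if key in self.policy:
                return self.acls[self.policy[key]]
        return None

    def check(self, src_ip, dst_ip, protocol, dst_port):
        """Classify both endpoints, find the bound SGACL and return its verdict."""
        sgt, dgt = self.sgt_for(src_ip), self.sgt_for(dst_ip)
        acl = self.lookup(sgt, dgt)
        if acl is None:
            return "permit"  # no SGACL bound for this pair (assumption)
        return acl.evaluate(protocol, dst_port)


def build_sample_policy():
    """Constructed sample that mirrors the page's examples (SGT 3 -> DGT 10 uses MySGACL)."""
    p = RoleBasedPolicy()
    p.sgt_map_add("10.10.1.1", 3)    # cts role-based sgt-map 10.10.1.1 3
    p.sgt_map_add("10.10.1.20", 10)  # constructed: a server tagged 10
    p.access_list("MySGACL", [("permit", "tcp", 443), ("deny", "ip", None)])
    p.access_list("DenyAll", [("deny", "ip", None)])
    p.bind(3, 10, "MySGACL")         # cts role-based sgt 3 dgt 10 access-list MySGACL
    p.bind(ANY, UNKNOWN, "DenyAll")  # constructed: no source may reach an untagged destination
    return p


if __name__ == "__main__":
    policy = build_sample_policy()
    print(policy.check("10.10.1.1", "10.10.1.20", "tcp", 443))  # permit
    print(policy.check("10.10.1.1", "10.10.1.20", "tcp", 22))   # deny
    print(policy.check("10.10.1.1", "10.10.9.9", "tcp", 443))   # deny (destination unmapped)
    print(policy.acls["MySGACL"].hits)
```

The model makes the operational point of this section visible: an address that has no sgt-map entry is classified as unknown, so a binding for dgt unknown is what decides whether untagged hosts are reachable, and the counters enabled with cts role-based counters enable show which ACE actually matched.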
cts sgt
To configure the security group tag (SGT) for Cisco TrustSec, use the cts sgt command.
cts sgt tag
Syntax Description
tag
Local SGT for the device, a hexadecimal value in the format 0xhhhh. The range is from 0x0 to 0xffff.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to configure the Cisco TrustSec SGT for the device:
switch# configure terminal
switch(config)# cts sgt 0x3
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts environment-data
Displays the Cisco TrustSec environment data.
cts sxp connection peer
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) peer connection for Cisco TrustSec, use the cts sxp connection peer command. To remove the SXP connection, use the no form of this command.
cts sxp connection peer peer-ipv4-addr [source src-ipv4-addr] password {default | none | required {password | 7 encrypted-password}} mode {speaker | listener} [vrf vrf-name]
no cts sxp connection peer peer-ipv4-addr [vrf vrf-name]
Syntax Description
Defaults
Configured default SXP password for the device
Configured default SXP source IPv4 address for the device
Default VRF
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
4.1(3)
Added the 7 option to allow encrypted passwords.
4.0(1)
This command was introduced.
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
You can use only IPv4 addressing with Cisco TrustSec.
If you do not specify a source IPv4 address, you must configure a default SXP source IPv4 address using the cts sxp default source-ip command.
If you specify default as the password mode, you must configure a default SXP password using the cts sxp default password command.
This command requires the Advanced Services license.
Examples
This example shows how to configure an SXP peer connection:
switch# configure terminal
switch(config)# cts sxp connection peer 10.10.1.1 source 10.10.2.2 password default mode listener
This example shows how to remove an SXP peer connection:
switch# configure terminal
switch(config)# no cts sxp connection peer 10.10.1.1
Related Commands
cts sxp default password
To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) password for the device, use the cts sxp default password command. To remove the default, use the no form of this command.
cts sxp default password {password | 7 encrypted-password}
no cts sxp default password
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release Modification
4.1(3)
Added the 7 option to allow encrypted passwords.
4.0(1)
This command was introduced.
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to configure the default SXP password for the device:
switch# configure terminal
switch(config)# cts sxp default password Cisco654
This example shows how to remove the default SXP password:
switch# configure terminal
switch(config)# no cts sxp default password
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts sxp
Displays the Cisco TrustSec SXP configuration information.
cts sxp default source-ip
To configure the default Security Group Tag (SGT) Exchange Protocol (SXP) source IPv4 address for the device, use the cts sxp default source-ip command. To revert to the default, use the no form of this command.
cts sxp default source-ip ipv4-address
no cts sxp default source-ip ipv4-address
Syntax Description
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
You can use only IPv4 addressing with Cisco TrustSec.
This command requires the Advanced Services license.
Examples
This example shows how to configure the default SXP source IP address for the device:
switch# configure terminal
switch(config)# cts sxp default source-ip 10.10.3.3
This example shows how to remove the default SXP source IP address:
switch# configure terminal
switch(config)# no cts sxp default source-ip
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts sxp
Displays the Cisco TrustSec SXP configuration information.
cts sxp enable
To enable the Security Group Tag (SGT) Exchange Protocol (SXP) peer on a device, use the cts sxp enable command. To revert to the default, use the no form of this command.
cts sxp enable
no cts sxp enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
This command requires the Advanced Services license.
Examples
This example shows how to enable SXP:
switch# configure terminal
switch(config)# cts sxp enable
This example shows how to disable SXP:
switch# configure terminal
switch(config)# no cts sxp enable
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts sxp
Displays the Cisco TrustSec SXP configuration information.
cts sxp reconcile-period
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) reconcile period timer, use the cts sxp reconcile-period command. To revert to the default, use the no form of this command.
cts sxp reconcile-period seconds
no cts sxp reconcile-period
Syntax Description
Defaults
60 seconds (1 minute)
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After a peer terminates an SXP connection, an internal hold down timer starts. If the peer reconnects before the internal hold down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries.
Note Setting the SXP reconcile period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.
This command requires the Advanced Services license.
Examples
This example shows how to configure the SXP reconcile period:
switch# configure terminal
switch(config)# cts sxp reconcile-period 120
This example shows how to revert to the default SXP reconcile period value:
switch# configure terminal
switch(config)# no cts sxp reconcile-period
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts sxp connection
Displays the Cisco TrustSec SXP configuration information.
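The reconcile-period behaviour described in the usage guidelines above is easier to reason about as a small state model. The following is an added Python illustration, not NX-OS code and not from the command reference: a listener that keeps the SGT bindings learned from a peer, starts a hold-down when the peer disconnects, and, if the peer returns in time, retains the old bindings only until the reconcile timer expires, dropping those the peer never re-announced. The hold-down length (120 s) and the rule that a hold-down expiry discards the old bindings are constructed assumptions of the model; the page only states that a period of 0 disables the timer and removes every entry from the previous connection.

```python
"""Model of the cts sxp reconcile-period timer (added illustration, not NX-OS code).

Time is passed in as plain seconds by the caller so the model runs offline.
"""


class SxpListener:
    HOLD_DOWN = 120  # constructed value; the page does not state the internal hold-down length

    def __init__(self, reconcile_period=60):
        self.reconcile_period = reconcile_period  # cts sxp reconcile-period <seconds>; default 60
        self.bindings = {}        # ip -> sgt learned from the peer
        self.stale = set()        # bindings from the previous connection not yet re-announced
        self.disconnected_at = None
        self.reconcile_until = None

    def learn(self, ip, sgt):
        """A binding announced by the peer on the current connection is valid."""
        self.bindings[ip] = sgt
        self.stale.discard(ip)

    def peer_down(self, now):
        # The peer terminated the connection: the internal hold-down timer starts.
        self.disconnected_at = now

    def peer_up(self, now):
        self.tick(now)  # a hold-down that already expired has discarded the old bindings
        if self.disconnected_at is None:
            return      # first connection, or nothing left to reconcile
        if self.reconcile_period == 0:
            # Period 0 disables the timer: every entry from the previous connection goes.
            self.bindings.clear()
            self.stale.clear()
        else:
            # Reconnected before hold-down expiry: retain old entries, start the reconcile timer.
            self.stale = set(self.bindings)
            self.reconcile_until = now + self.reconcile_period
        self.disconnected_at = None

    def tick(self, now):
        """Advance the clock: expire the hold-down or the reconcile timer if due."""
        if self.disconnected_at is not None and now - self.disconnected_at > self.HOLD_DOWN:
            # Assumption: bindings do not survive a hold-down that ran out.
            self.bindings.clear()
            self.stale.clear()
            self.disconnected_at = None
        if self.reconcile_until is not None and now >= self.reconcile_until:
            # Entries the peer never re-announced during the period are invalid.
            for ip in self.stale:
                self.bindings.pop(ip, None)
            self.stale.clear()
            self.reconcile_until = None


def reconcile_scenario(reconcile_period):
    """Constructed scenario: two bindings, a short outage, only one binding re-announced."""
    listener = SxpListener(reconcile_period)
    listener.learn("10.10.1.1", 3)
    listener.learn("10.10.1.2", 5)
    listener.peer_down(now=100)
    listener.peer_up(now=130)         # back within the hold-down
    retained_during_period = dict(listener.bindings)
    listener.learn("10.10.1.1", 3)    # re-announced; 10.10.1.2 is not
    listener.tick(now=130 + max(reconcile_period, 1))
    return retained_during_period, dict(listener.bindings)


if __name__ == "__main__":
    print(reconcile_scenario(60))  # both retained at first, then only 10.10.1.1
    print(reconcile_scenario(0))   # nothing retained from the previous connection
```

With the default period of 60 seconds the stale 10.10.1.2 binding stays in effect for a minute after the peer returns; with a period of 0 it is dropped at reconnect. Either way a binding removed by reconciliation also removes the SGT the device applies to that address, which is the operational effect the timer controls.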
cts sxp retry-period
To configure a Security Group Tag (SGT) Exchange Protocol (SXP) retry period timer, use the cts sxp retry-period command. To revert to the default, use the no form of this command.
cts sxp retry-period seconds
no cts sxp retry-period
Syntax Description
Defaults
120 seconds (2 minutes)
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires.
Note Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.
This command requires the Advanced Services license.
Examples
This example shows how to configure the SXP retry period:
switch# configure terminal
switch(config)# cts sxp retry-period 120
This example shows how to revert to the default SXP retry period value:
switch# configure terminal
switch(config)# no cts sxp retry-period
Related Commands
Command Description
feature cts
Enables the Cisco TrustSec feature.
show cts sxp connection
Displays the Cisco TrustSec SXP peer connection information.