Table Of Contents
S Commands
sap modelist
sap pmk
send-lifetime
server
service dhcp
service-policy input
set cos
set dscp (policy map class)
set precedence (policy map class)
source-interface
ssh
ssh key
ssh server enable
ssh6
statistics per-entry
storm-control level
switchport port-security
switchport port-security aging time
switchport port-security aging type
switchport port-security mac-address
switchport port-security mac-address sticky
switchport port-security maximum
switchport port-security violation
S Commands
This chapter describes the Cisco NX-OS security commands that begin with S, except for show commands, which are in Chapter 2, "Show Commands."
sap modelist
To configure the Cisco TrustSec Security Association Protocol (SAP) operation mode, use the sap modelist command. To revert to the default, use the no form of this command.
sap modelist {gcm-encrypt | gmac | no-encap | none}
no sap modelist {gcm-encrypt | gmac | no-encap | none}
Syntax Description
gcm-encrypt
|
Specifies Galois/Counter Mode (GCM) encryption and authentication mode.
|
gmac
|
Specifies GCM authentication mode.
|
no-encap
|
Specifies no encapsulation and no security group tag (SGT) insertion.
|
none
|
Specifies the encapsulation of the SGT without authentication or encryption.
|
Defaults
gcm-encrypt
Command Modes
Cisco TrustSec 802.1X configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to configure Cisco TrustSec SAP operation mode on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
Related Commands
Command
|
Description
|
cts dot1x
|
Enters Cisco TrustSec 802.1X configuration mode for an interface.
|
feature cts
|
Enables the Cisco TrustSec feature.
|
show cts interface
|
Displays the Cisco TrustSec configuration for interfaces.
|
sap pmk
To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap command. To remove the SAP configuration, use the no form of this command.
sap pmk [key | use-dot1x} [modelist {gcm-encrypt | gmac | no-encap | none}]
no sap
Syntax Description
key
|
Key value. This is a hexadecimal string with an even number of characters. The maximum length is 32 characters.
|
use-dot1x
|
Specifies that the peer device does not support Cisco TrustSec 802.1X authentication or authorization but does support SAP data path encryption and authentication.
|
modelist
|
(Optional) Specifies the SAP operation mode.
|
gcm-encrypt
|
Specifies Galois/Counter Mode (GCM) encryption and authentication mode.
|
gmac
|
Specifies GCM authentication mode.
|
no-encap
|
Specifies no encapsulation and no security group tag (SGT) insertion.
|
none
|
Specifies the encapsulation of the SGT without authentication or encryption.
|
Defaults
gcm-encrypt
Command Modes
Cisco TrustSec manual configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(3)
|
The use-dot1x keyword was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
Examples
This example shows how to manually configure Cisco TrustSec SAP on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# sap pmk fedbaa modelist gmac
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to remove a manual Cisco TrustSec SAP configuration from an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# no sap
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
Related Commands
Command
|
Description
|
cts manual
|
Enters Cisco TrustSec manual configuration mode for an interface.
|
feature cts
|
Enables the Cisco TrustSec feature.
|
show cts interface
|
Displays the Cisco TrustSec configuration for interfaces.
|
send-lifetime
To specify the time interval within which the device sends the key during key exchange with another device, use the send-lifetime command. To remove the time interval, use the no form of this command.
send-lifetime [local] start-time [duration duration-value | infinite | end-time]
Syntax Description
local
|
(Optional) Specifies that the device treats the configured times as local times. By default, the device treats the start-time and end-time arguments as UTC.
|
start-time
|
Time of day and date that the key becomes active.
For information about the values for the start-time argument, see the "Usage Guidelines" section.
|
duration duration-value
|
(Optional) Specifies the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).
|
infinite
|
(Optional) Specifies that the key never expires.
|
end-time
|
(Optional) Time of day and date that the key becomes inactive.
For information about valid values for the end-time argument, see the "Usage Guidelines" section.
|
Defaults
infinite
Command Modes
Key configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
This command does not require a license.
By default, the device interprets all time range rules as UTC.
By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour[:minute[:second]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
Examples
This example shows how to create a send lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
switch# configure terminal
switch(config)# key chain glbp-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008
switch(config-keychain-key)#
Related Commands
Command
|
Description
|
accept-lifetime
|
Configures an accept lifetime for a key.
|
key
|
Configures a key.
|
key chain
|
Configures a keychain.
|
key-string
|
Configures a key string.
|
show key chain
|
Shows keychain configuration.
|
server
To add a server to a RADIUS or TACACS+ server group, use the server command. To delete a server from a server group, use the no form of this command.
server {ipv4-address | ipv6-address | hostname}
no server {ipv4-address | ipv6-address | hostname}
Syntax Description
ipv4-address
|
Server IPv4 address in the A.B.C.D format.
|
ipv6-address
|
Server IPv6 address in the X:X:X::X format.
|
hostname
|
Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.
|
Defaults
None
Command Modes
RADlUS server group configuration
TACACS+ server group configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode or the aaa group server tacacs+ command to enter TACACS+ server group configuration mode.
If the server is not found, use the radius-server host command or tacacs-server host command to configure the server.
Note You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to add a server to a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
This example shows how to delete a server from a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# no server 10.10.1.1
This example shows how to add a server to a TACACS+ server group:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
This example shows how to delete a server from a TACACS+ server group:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no server 10.10.2.2
Related Commands
Command
|
Description
|
aaa group server
|
Configures AAA server groups.
|
radius-server host
|
Configures a RADIUS server.
|
show radius-server groups
|
Displays RADIUS server group information.
|
show tacacs-server groups
|
Displays TACACS+ server group information.
|
feature tacacs+
|
Enables TACACS+.
|
tacacs-server host
|
Configures a TACACS+ server.
|
service dhcp
To enable the DHCP relay agent, use the service dhcp command. To disable the DHCP relay agent, use the no form of this command.
service dhcp
no service dhcp
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
This command was deprecated and replaced with the ip dhcp relay command.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
This command does not require a license.
Examples
This example shows how to globally enable DHCP snooping:
switch# configure terminal
switch(config)# service dhcp
Related Commands
Command
|
Description
|
feature dhcp
|
Enables the DHCP snooping feature on the device.
|
ip dhcp relay address
|
Configures an IP address of a DHCP server on an interface.
|
ip dhcp relay information option
|
Enables the insertion and removal of option-82 information from DHCP packets.
|
ip dhcp snooping
|
Globally enables DHCP snooping on the device.
|
show ip dhcp snooping
|
Displays general information about DHCP snooping.
|
show running-config dhcp
|
Displays DHCP snooping configuration, including IP Source Guard configuration.
|
service-policy input
To attach a control plane policy map to the control plane, use the service-policy input command. To remove a control plane policy map, use the no form of this command.
service-policy input policy-map-name
no service-policy input policy-map-name
Syntax Description
policy-map-name
|
Name of the control plane policy map.
|
Defaults
None
Command Modes
Control plane configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
You can assign only one control place policy map to the control plane. To assign a new control plane policy map to the control plane, you must remove the old control plane policy map.
This command does not require a license.
Examples
This example shows how to assign a control plane policy map to the control plane:
switch# configure terminal
switch(config)# control-plane
switch(config-cp)# service-policy input PolicyMapA
This example shows how to remove a control plane policy map from the control plane:
switch# configure terminal
switch(config)# control-plane
switch(config-cp)# no service-policy input PolicyMapA
Related Commands
Command
|
Description
|
policy-map type control-plane
|
Specifies a control plane policy map and enters policy map configuration mode.
|
show policy-map type control-plane
|
Displays configuration information for control plane policy maps.
|
set cos
To set the IEEE 802.1Q class of service (CoS) value for a control plane policy map, use the set cos command. To revert to the default, use the no form of this command.
set cos [inner] cos-value
no set cos [inner] cos-value
Syntax Description
inner
|
(Optional) Specifies inner 802.1Q in a Q-in-Q environment.
|
cos-value
|
Numerical value of CoS in the control plane policy map. The range is from 0 to 7.
|
Defaults
0
Command Modes
Policy map class configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the CoS value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set cos 4
This example shows how to revert to the default CoS value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set cos 4
Related Commands
Command
|
Description
|
class (policy map)
|
Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
|
policy-map type control-plane
|
Specifies a control plane policy map and enters policy map configuration mode.
|
show policy-map type control-plane
|
Displays configuration information for control plane policy maps.
|
set dscp (policy map class)
To set the differentiated services code point (DSCP) value for IPv4 and IPv6 packets in a control plane policy map, use the set dscp command. To revert to the default, use the no form of this command.
set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42
| af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}
no set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 |
af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}
Syntax Description
tunnel
|
(Optional) Sets DSCP in a tunnel encapsulation.
|
dscp-value
|
Numerical value of CoS in the control plane policy map. The range is from 0 to63.
|
af11
|
Specifies assured forwarding 11 DSCP (001010).
|
af12
|
Specifies assured forwarding 12 DSCP (001100).
|
af13
|
Specifies assured forwarding 13 DSCP (001110).
|
af21
|
Specifies assured forwarding 21 DSCP (010010).
|
af22
|
Specifies assured forwarding 22 DSCP (010100).
|
af23
|
Specifies assured forwarding 23 DSCP (010110).
|
af31
|
Specifies assured forwarding 31 DSCP (011010).
|
af32
|
Specifies assured forwarding 32 DSCP (011100).
|
af33
|
Specifies assured forwarding 33 DSCP (011110).
|
af41
|
Specifies assured forwarding 41 DSCP (100010).
|
af42
|
Specifies assured forwarding 42 DSCP (100100).
|
af43
|
Specifies assured forwarding 43 DSCP (100110).
|
cs1
|
Specifies class selector 1 (precedence 1) DSCP (001000).
|
cs2
|
Specifies class selector 2 (precedence 2) DSCP (010000).
|
cs3
|
Specifies class selector 3 (precedence 3) DSCP (011000).
|
cs4
|
Specifies class selector 4 (precedence 4) DSCP (100000).
|
cs5
|
Specifies class selector 5 (precedence 5) DSCP (101000).
|
cs6
|
Specifies class selector 6 (precedence 6) DSCP (110000).
|
cs7
|
Specifies class selector 7 (precedence 7) DSCP (111000).
|
ef
|
Specifies expedited forwarding DSCP (101110).
|
default
|
Specifies default DSCP (000000).
|
Defaults
default
Command Modes
Policy map class configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the DSCP value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set dscp 4
This example shows how to revert to the default DSCP value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set dscp 4
Related Commands
Command
|
Description
|
class (policy map)
|
Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
|
policy-map type control-plane
|
Specifies a control plane policy map and enters policy map configuration mode.
|
show policy-map type control-plane
|
Displays configuration information for control plane policy maps.
|
set precedence (policy map class)
To set the precedence value for IPv4 and IPv6 packets in a control plane policy map, use the set precedence command. To revert to the default, use the no form of this command.
set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet |
network | priority | routine}
no set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet |
network | priority | routine}
Syntax Description
tunnel
|
(Optional )Sets the precedence in a tunnel encapsulation.
|
prec-value
|
Numerical value for DSCP precedence in the control plane policy map. The range is from 0 to 7.
|
critical
|
Specifies critical precedence equal to precedence value 5.
|
flash
|
Specifies flash precedence equal to precedence value 3.
|
flash-override
|
Specifies flash override precedence equal to precedence value 4.
|
immediate
|
Specifies immediate precedence equal to precedence value 2.
|
internet
|
Specifies internet precedence equal to precedence value 6.
|
network
|
Specifies network precedence equal to precedence value 7.
|
priority
|
Specifies priority precedence equal to precedence value 1.
|
routine
|
Specifies routine precedence equal to precedence value 0.
|
Defaults
0 or routine
Command Modes
Policy map class configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
Examples
This example shows how to configure the CoS value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set precedence critical
This example shows how to revert to the default CoS value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set precedence critical
Related Commands
Command
|
Description
|
class (policy map)
|
Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
|
policy-map type control-plane
|
Specifies a control plane policy map and enters policy map configuration mode.
|
show policy-map type control-plane
|
Displays configuration information for control plane policy maps.
|
source-interface
To assign a source interface for a specific RADIUS or TACACS+ server group, use the source-interface command. To revert to the default, use the no form of this command.
source-interface interface
no source-interface
Syntax Description
interface
|
Source interface. The supported interface types are ethernet, loopback, and mgmt 0.
|
Defaults
The default is the global source interface.
Command Modes
RADIUS configuration
TACACS+ configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.1(2)
|
This command was introduced.
|
Usage Guidelines
The source-interface command to override the global source interface assigned by the ip radius source-interface command or ip tacacs source-interface command.
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
Examples
This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:
switch# configure terminal
switch(config)# ip radius source-interface mgmt 0
switch(config-radius)# source-interface ethernet 2/1
Related Commands
Command
|
Description
|
feature tacacs+
|
Enables the TACACS+ feature.
|
ip radius source-interface
|
Configures the global source interface for the RADIUS groups configured on the Cisco NX-OS device.
|
ip tacacs source-interface
|
Configures the global source interface for the TACACS+ groups configured on the Cisco NX-OS device.
|
show radius-server groups
|
Displays the RADIUS server group configuration.
|
show tacacs-server groups
|
Displays the TACACS+ server group configuration.
|
ssh
To create a Secure Shell (SSH) session using IPv4 on the NX-OS device, use the ssh command.
ssh [username@]{ipv4-address | hostname} [vrf vrf-name]
Syntax Description
username
|
(Optional) Username for the SSH session. The user name is not case sensitive.
|
ipv4-address
|
IPv4 address of the remote device.
|
hostname
|
Hostname of the remote device. The hostname is case sensitive.
|
vrf vrf-name
|
(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH session. The VRF name is case sensitive.
|
Defaults
Default VRF
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The NX-OS software supports SSH version 2.
To use IPv6 addressing for an SSH session, use the ssh6 command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
Examples
This example shows how to start an SSH session using IPv4:
switch# ssh 10.10.1.1 vrf management
The authenticity of host '10.10.1.1 (10.10.1.1)' can't be established.
RSA key fingerprint is 9b:d9:09:97:f6:40:76:89:05:15:42:6b:12:48:0f:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.1.1' (RSA) to the list of known hosts.
Related Commands
Command
|
Description
|
clear ssh session
|
Clears SSH sessions.
|
feature ssh
|
Enables the SSH server.
|
ssh6
|
Starts an SSH session using IPv6 addressing.
|
ssh key
To create a Secure Shell (SSH) server key for a virtual device context (VDC), use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key {dsa [force] | rsa [length [force]]}
no ssh key [dsa | rsa]
Syntax Description
dsa
|
Specifies the Digital System Algrorithm (DSA) SSH server key.
|
force
|
(Optional) Forces the replacement of an SSH key.
|
rsa
|
Specifies the Rivest, Shamir, and Adelman (RSA) public-key cryptography SSH server key.
|
length
|
(Optional) Number of bits to use when creating the SSH server key. The range is from 768 to 2048.
|
Defaults
1024-bit length
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The NX-OS software supports SSH version 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no feature ssh command.
This command does not require a license.
Examples
This example shows how to create an SSH server key using DSA:
switch# configure terminal
switch(config)# ssh key dsa
generating dsa key(1024 bits).....
This example shows how to create an SSH server key using RSA with the default key length:
switch# configure terminal
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
This example shows how to create an SSH server key using RSA with a specified key length:
switch# configure terminal
switch(config)# ssh key rsa 768
generating rsa key(768 bits).....
This example shows how to replace an SSH server key using DSA with the force option:
switch# configure terminal
switch(config)# no feature ssh
switch(config)# ssh key dsa force
deleting old dsa key.....
generating dsa key(1024 bits).....
switch(config)# feature ssh
This example shows how to remove the DSA SSH server key:
switch# configure terminal
switch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key dsa
switch(config)# feature ssh
This example shows how to remove all SSH server keys:
switch# configure terminal
switch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key
switch(config)# feature ssh
Related Commands
Command
|
Description
|
show ssh key
|
Displays the SSH server key information.
|
feature ssh
|
Enables the SSH server.
|
ssh server enable
To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the ssh server enable command. To disable the SSH server, use the no form of this command.
ssh server enable
no ssh server enable
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.1(2)
|
This command was deprecated and replaced with the feature ssh command.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The NX-OS software supports SSH version 2.
This command does not require a license.
Examples
This example shows how to enable the SSH server:
switch(config)# ssh server enable
This example shows how to disable the SSH server:
switch(config)# no ssh server enable
XML interface to system may become unavailable since ssh is disabled
Related Commands
Command
|
Description
|
show ssh server
|
Displays the SSH server key information.
|
ssh6
To create a Secure Shell (SSH) session using IPv6 on the NX-OS device, use the ssh6 command.
ssh6 [username@]{ipv6-address | hostname} [vrf vrf-name]
Syntax Description
username
|
(Optional) Username for the SSH session. The username is not case sensitive.
|
ipv6-address
|
IPv6 address of the remote device.
|
hostname
|
Hostname of the remote device.
|
vrf vrf-name
|
(Optional) Specifies the virtual forwarding and routing (VRF) name to use for the SSH session. The VRF name is case sensitive.
|
Defaults
Default VRF
Command Modes
Any command mode
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The NX-OS software supports SSH version 2.
To use IPv4 addressing to start an SSH session, use the ssh command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
Examples
This example shows how to start an SSH session using IPv6:
switch# ssh host2 vrf management
Related Commands
Command
|
Description
|
clear ssh session
|
Clears SSH sessions.
|
ssh
|
Starts an SSH session using IPv4 addressing.
|
feature ssh
|
Enables the SSH server.
|
statistics per-entry
To start recording statistics for how many packets are permitted or denied by each entry in an IP, a MAC access control list (ACL), or a VLAN access-map entry, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
statistics per-entry
no statistics per-entry
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
IP access-list configuration
IPv6 access-list configuration
MAC access-list configuration
VLAN access-map configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
4.0(3)
|
Changed command from statistics to statistics per-entry.
|
Usage Guidelines
When the device determines that an IPv4, IPv6, MAC, or VLAN ACL applies to a packet, it tests the packet against the conditions of all entries in the ACLs. ACL entries are derived from the rules that you configure with the applicable permit and deny commands. The first matching rule determines whether the packet is permitted or denied. Enter the statistics per-entry command to start recording how many packets are permitted or denied by each entry in an ACL.
Statistics are not supported if the DHCP snooping feature is enabled.
The device does not record statistics for implicit rules. To record statistics for these rules, you must explicitly configure an identical rule for each implicit rule. For more information about implicit rules, see the following commands:
•ip access-list
•ipv6 access-list
•mac access-list
To view per-entry statistics, use the show access-lists command or the applicable following command:
•show ip access-lists
•show ipv6 access-lists
•show mac access-lists
To clear per-entry statistics, use the clear access-list counters command or the applicable following command:
•clear ip access-list counters
•clear ipv6 access-list counters
•clear mac access-list counters
•clear vlan access-list counters
This command does not require a license.
Examples
This example shows how to start recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101
switch(config-acl)# statistics per-entry
This example shows how to stop recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101
switch(config-acl)# no statistics per-entry
This example shows how to start recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# statistics per-entry
switch(config-access-map)#
This example shows how to stop recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# no statistics per-entry
switch(config-access-map)#
Related Commands
Command
|
Description
|
show access-lists
|
Displays all IPv4, IPv6, and MAC ACLs, or a specific ACL.
|
clear access-list counters
|
Clears per-entry statistics for all IPv4, IPv6, and MAC ACLs, or for a specific ACL.
|
storm-control level
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control {broadcast | multicast | unicast} level percentage [. fraction]
no storm-control {broadcast | multicast | unicast} level
Syntax Description
broadcast
|
Specifies the broadcast traffic.
|
multicast
|
Specifies the multicast traffic.
|
unicast
|
Specifies the unicast traffic.
|
percentage
|
Percentage of the suppression level. The range is from 0 to 100 percent.
|
. fraction
|
(Optional) Fraction of the suppression level. The range is from 0 to 99.
|
Defaults
All packets are passed
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
Only one suppression level is shared by all three suppression modes. For example, if you set the broadcast level to 30 and set the multicast level to 40, both levels are enabled and set to 40.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters broadcast command to display the discard count.
Use one of the follow methods to turn off suppression for the specified traffic type:
•Set the level to 100 percent for the specified traffic type.
•Use the no form of this command.
This command does not require a license.
Examples
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# storm-control broadcast level 30
This example shows how to disable the suppression mode for multicast traffic:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no storm-control multicast level
Related Commands
Command
|
Description
|
show interface
|
Displays the storm-control suppression counters for an interface.
|
show running-config
|
Displays the configuration of the interface.
|
switchport port-security
To enable port security on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security command. To remove port security configuration, use the no form of this command.
switchport port-security
no switchport port-security
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
Per interface, port security is disabled by default.
You must configure the interface as a Layer 2 interface by using the switchport command before you can use the switchport port-security command.
You must enable port security by using the feature port-security command before you can use the switchport port-security command.
If port security is enabled on any member port of the Layer 2 port-channel interface, the device does not allow you to disable port security on the port-channel interface. To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
This command does not require a license.
Examples
This example shows how to enable port security on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security
This example shows how to enable port security on the port-channel 10 interface:
switch# configure terminal
switch(config)# interface port-channel 10
switch(config-if)# switchport port-security
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security aging time
|
Configures the aging time for dynamically learned, secure MAC addresses.
|
switchport port-security aging type
|
Configures the aging type for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address
|
Configures a static MAC address.
|
switchport port-security mac-address sticky
|
Enables the sticky method for learning secure MAC addresses.
|
switchport port-security maximum
|
Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
|
switchport port-security violation
|
Configures the security violation action for an interface.
|
switchport port-security aging time
To configure the aging time for dynamically learned, secure MAC addresses, use the switchport port-security aging time command. To return to the default aging time of 1440 minutes, use the no form of this command.
switchport port-security aging time minutes
no switchport port-security aging time minutes
Syntax Description
minutes
|
Length of time that a dynamically learned, secure MAC address must age before the device drops the address. Valid values are from 1 to 1440.
|
Defaults
None
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The default aging time is 1440 minutes.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging time command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to configure an aging time of 120 minutes on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security aging time 120
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security
|
Enables port security on a Layer 2 interface.
|
switchport port-security aging type
|
Configures the aging type for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address
|
Configures a static MAC address.
|
switchport port-security mac-address sticky
|
Enables the sticky method for learning secure MAC addresses.
|
switchport port-security maximum
|
Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
|
switchport port-security violation
|
Configures the security violation action for an interface.
|
switchport port-security aging type
To configure the aging type for dynamically learned, secure MAC addresses, use the switchport port-security aging type command. To return to the default aging type, which is absolute aging, use the no form of this command.
switchport port-security aging type {absolute | inactivity}
no switchport port-security aging type {absolute | inactivity}
Syntax Description
absolute
|
Specifies that the dynamically learned, secure MAC addresses age is based on how long ago the device learned the address.
|
inactivity
|
Specifies that the dynamically learned, secure MAC addresses age is based on how long ago the device last received traffic from the MAC address on the current interface.
|
Defaults
absolute
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The default aging type is absolute aging.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging type command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to configure the aging type to be "inactivity" on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security aging type inactivity
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security
|
Configures a Layer 2 interface for port security.
|
switchport port-security aging time
|
Configures the aging time for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address
|
Configures a static MAC address.
|
switchport port-security mac-address sticky
|
Enables the sticky method for learning secure MAC addresses.
|
switchport port-security maximum
|
Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
|
switchport port-security violation
|
Configures the security violation action for an interface.
|
switchport port-security mac-address
To configure a static, secure MAC address on an interface, use the switchport port-security mac-address command. To remove a static, secure MAC address from an interface, use the no form of this command.
switchport port-security mac-address address [vlan vlan-ID]
no switchport port-security mac-address address [vlan vlan-ID]
Syntax Description
address
|
MAC address that you want to specify as a static, secure MAC address on the current interface.
|
vlan vlan-ID
|
(Optional) Specifies the VLAN on which traffic from the MAC address is permitted. Valid VLAN IDs are from 1 to 4096.
|
Defaults
None
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
There are no default static, secure MAC addresses.
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to configure 0019.D2D0.00AE as a static, secure MAC address on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security
|
Configures a Layer 2 interface for port security.
|
switchport port-security aging time
|
Configures the aging time for dynamically learned, secure MAC addresses.
|
switchport port-security aging type
|
Configures the aging type for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address sticky
|
Enables the sticky method for learning secure MAC addresses.
|
switchport port-security maximum
|
Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
|
switchport port-security violation
|
Configures the security violation action for an interface.
|
switchport port-security mac-address sticky
To enable the sticky method for learning secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security mac-address sticky command. To disable the sticky method and return to the dynamic method, use the no form of this command.
switchport port-security mac-address sticky
no switchport port-security mac-address sticky
Syntax Description
This command has no arguments or keywords.
Defaults
The sticky method of secure MAC address learning is disabled by default.
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address sticky command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
Examples
This example shows how to enable the sticky method of learning secure MAC addresses on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security mac-address sticky
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security
|
Enables port security on a Layer 2 interface.
|
switchport port-security aging time
|
Configures the aging time for dynamically learned, secure MAC addresses.
|
switchport port-security aging type
|
Configures the aging type for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address
|
Configures a static MAC address.
|
switchport port-security maximum
|
Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
|
switchport port-security violation
|
Configures the security violation action for an interface.
|
switchport port-security maximum
To configure the interface maximum or a VLAN maximum of secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security maximum command. To remove port security configuration, use the no form of this command.
switchport port-security maximum number [vlan vlan-ID]
no switchport port-security maximum number [vlan vlan-ID]
Syntax Description
maximum number
|
Specifies the maximum number of secure MAC addresses. See the "Usage Guidelines" section for information about valid values for the number argument.
|
vlan vlan-ID
|
(Optional) Specifies the VLAN that the maximum applies to. If you omit the vlan keyword, the maximum is applied as an interface maximum.
|
Defaults
None
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The default interface maximum is one secure MAC address.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
You must enable port security by using the feature port-security command before you can use the switchport port-security maximum command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
There is no default VLAN maximum.
There is a system-wide, nonconfigurable maximum of 4096 secure MAC addresses.
This command does not require a license.
Maximums for Access Ports and Trunk Ports
For an interface used as an access port, we recommend that you use the default interface maximum of one secure MAC address.
For an interface used as a trunk port, set the interface maximum to a number that reflects the actual number of hosts that could use the interface.
Interface Maximums, VLAN Maximums, and the Device Maximum
The sum of all VLAN maximums that you configure on an interface cannot exceed the interface maximum. For example, if you configure a trunk-port interface with an interface maximum of 10 secure MAC addresses and a VLAN maximum of 5 secure MAC addresses for VLAN 1, the largest maximum number of secure MAC addresses that you can configure for VLAN 2 is also 5. If you tried to configure a maximum of 6 secure MAC addresses for VLAN 2, the device would not accept the command.
Examples
This example shows how to configure an interface maximum of 10 secure MAC addresses on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security maximum 10
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security
|
Enables port security on a Layer 2 interface.
|
switchport port-security aging time
|
Configures the aging time for dynamically learned, secure MAC addresses.
|
switchport port-security aging type
|
Configures the aging type for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address
|
Configures a static MAC address.
|
switchport port-security mac-address sticky
|
Enables the sticky method for learning secure MAC addresses.
|
switchport port-security violation
|
Configures the security violation action for an interface.
|
switchport port-security violation
To configure the action that the device takes when a security violation event occurs on an interface, use the switchport port-security violation command. To remove the port security violation action configuration, use the no form of this command.
switchport port-security violation {protect | restrict | shutdown}
no switchport port-security violation {protect | restrict | shutdown}
Syntax Description
protect
|
Specifies that the device does not raise security violations when a packet would normally trigger a security violation event. Instead, the address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.
|
restrict
|
Specifies that the device drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.
After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
|
shutdown
|
Specifies that the device shuts down the interface if it receives a packet triggering a security violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
|
Defaults
None
Command Modes
Interface configuration
Supported User Roles
network-admin
vdc-admin
Command History
Release
|
Modification
|
4.2(1)
|
Support for Layer 2 port-channel interfaces was added.
|
4.0(1)
|
This command was introduced.
|
Usage Guidelines
The default security violation action is to shut down the interface.
You must enable port security by using the feature port-security command before you can use the switchport port-security violation command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Port security triggers security violations when either of the two following events occur:
•Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
–VLAN 1 has a maximum of 5 addresses
–The interface has a maximum of 10 addresses
The device detects a violation when any of the following occurs:
–The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
–The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
•Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.
Note After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.
When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions are as follows:
•Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.
•Restrict—Drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.
After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
•Protect—Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
This command does not require a license.
Examples
This example shows how to configure an interface to respond to a security violation event with the protect action:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security violation protect
Related Commands
Command
|
Description
|
feature port-security
|
Enables port security globally.
|
show port-security
|
Shows information about port security.
|
switchport port-security
|
Enables port security on a Layer 2 interface.
|
switchport port-security aging time
|
Configures the aging time for dynamically learned, secure MAC addresses.
|
switchport port-security aging type
|
Configures the aging type for dynamically learned, secure MAC addresses.
|
switchport port-security mac-address
|
Configures a static MAC address.
|
switchport port-security mac-address sticky
|
Enables the sticky method for learning secure MAC addresses.
|
switchport port-security maximum
|
Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
|