Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.2 - Index [Cisco Nexus 7000 Series Switches]

Contents
8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - R - S - T - U - V -

Index

8
802.1X
authenticator PAEs 1
configuration process 2
configuring 3
configuring AAA accounting methods 4
configuring AAA authentication methods 5
controlling on interfaces 6
default settings 7
description 1 2
disabling authentication 9
disabling feature 10
enabling feature 11
enabling global periodic reauthentication 12
enabling MAC authentication bypass 13
enabling mulitple hosts mode 14
enabling periodic reauthentication on interfaces 15
enabling single host mode 16
example configuration 17
guidelines 18
interoperating with NAC LPIP 19
licensing requirements 20
limitations 21
MAC authenication bypass 22
monitoring 23
multiple host support 24
prerequisites 25
resetting global settings to default values 26
resetting interface settings to default values 27
setting global maximum retransmission retry count 28
setting interface maximum retransmission retry count 29
single host support 30
supported topologies 31
verifying configuration 32
virtualization support 33
802.1X authentication
authorization states for ports 1
changing global timers 2
changing timers on interfaces 3
enabling RADIUS accounting 4
initiation 5
manually initializing 6
802.1X reauthentication
setting maximum retry count on interfaces 1
802.1X supplicants
manually reauthenticating 1

A
AAA
accounting 1
authentication 2
authorization 3
benefits 4
configuring 5
configuring authentication methods for 802.1X 6
configuring console login authentication 7
configuring default login authentication 8
configuring for Cisco TrustSec 9
configuring nonseed device for Cisco TrustSec 10
configuring seed device for Cisco TrustSec 11
default settings 12
description 1 2
enabling MSCHAP authentication 14
enabling MSCHAP V2 authentication 15
example configuration 16
guidelines 17
licensing requirements 18
limitations 19
monitoring TACACS+ servers 20
prerequisites 21
Process for configuring 22
user login process 23
verifying configurations 24
virtualization support 25
AAA accounting
clearing logs 1
configuring default methods 2
configuring methods for 802.1X 3
monitoring logs 4
AAA authentication
enabling default user roles 1
enabling login authentication failure messages 2
enabling methods for EAPoDUP 3
AAA protocols
RADIUS 1
TACACS+ 2
AAA server groups
description 1
AAA servers
FreeRADIUS VSA format 1
specifying SNMPv3 parameters 1 2
specifying user roles 3
specifying user roles in VSAs 4
AAA services
configuration options 1
remote 2
security 3
AAA timers
description 1
access control lists
description 1
order of application 2
See also ARP ACLs 3
See also IP ACLs 4
See also MAC ACLs 5
See also policy-based ACLs 6
See also port ACLs 7
See also router ACLs 8
See also VLAN ACLs 9
types of 10
accounting
description 1
VDC support 2
application posture tokens.
See APTs 1
APTs
description 1
predefinded tokens 2
ARP ACLs
description 1
priority of ARP ACLs and DHCP snooping entries 2
ARP inspection
See dynamic ARP inspection 1
audit servers
description 1
authentication
802.1X 1
Cisco TrustSec 2
configuring for Cisco TrustSec 3
description 4
methods 5
user logins 6
authentication servers
description 1
authentication, authorization, and accounting
See AAA 1
authenticator PAEs
creating on an interface 1
description 2
removing from an interface 3
authorization
description 1
user logins 2
verifying commands 3

B
BGP
using with Unicast RPF 1
broadcast storms.
See traffic storm control 1

C
CA trust points
creating associations for PKI 1
CAs
authenticating 1
configuring 2
deleting certificates 3
description 4
displaying configuration 5
enrollment using cut-and-paste 6
example configuration 7
example of downloading certificate 8
generating identity certificaterequests 9
identity 10
installing identity certificates 11
multiple 12
multiple trust points 13
peer certificates 14
purpose 15
certificate authorities.
See CAs 1
certificate revocation checking
configuring methods 1
certificate revocation lists
See CRLs 1
certificates
example of revoking 1
CFS
enabling RADIUS distribution 1
RADIUS 2
TACACS+ support 3
changed information
description 1
Cisco
vendor ID 1 2
Cisco Fabric Services.
See CFS 1
Cisco TrustSec
architecture 1
authorization 2
configuring 3
configuring AAA on nonseed device 4
configuring AAA on seed device 5
configuring device credentials 6
default values 7
description 1 2
enabling 9
enabling (example) 10
environment data download 11
example configurations 12
guidelines 13
IEEE 802.1AE support 14
licensing 15
limitations 16
manually configuring SXP 17
policy acquisition 18
prerequisites 19
RADIUS relay 20
SGACLs 1 2
SGTs 22
verifying configuration 23
virtualization support 24
Cisco TrustSec authentication
802.1X role selection description 1
configuration process 2
configuring 1 2
configuring in manual mode 4
description 1 2
EAP-FAST enhancements 6
manual mode configuration examples 7
summary 8
Cisco TrustSec authorization
configuration process 1
configuring 2
Cisco TrustSec device credentials
description 1
Cisco TrustSec device identities
description 1
Cisco TrustSec environment data
download 1
Cisco TrustSec policies
example enforcement configuration 1 2 3
Cisco TrustSec seed devices
description 1 2
example configuration 2
Cisco TrustSec user credentials
description 1
cisco-av-pair
specifying AAA user parameters 1 2
class maps
configuring for CoPP 1
clientless endpoint devices
allowing 1
command authorization
See TACACS+ command authorization 1
command verification
example configuration 1
commands
disabing authorization verification 1
enabing authorization verification 2
console login
configuring AAA authentication 1
control plane class maps
example configurations 1
verifying the configuration 2
control plane policy maps
example configurations 1
verifying the configuration 2
control plane protection
classification 1
description 2
packet types 3
rate controlling mechanisms 4
CoPP
configuring 1
configuring class maps 2
configuring policy maps 3
default policies 4
default settings 5
description 1 2
example configurations 1 2
guidelines 8
licensing 9
limitations 10
MQC 11
restrictions for management interfaces 12
using to enable a VTY access class 13
verifying the configuration 14
virtualization support 15
CoPP policy maps
configuring 1
CRLs
configuring 1
description 2
downloading 3
generating 4
importing example 5
publishing 6
CTS
See Cisco TrustSec 1

D
DAI
default settings 1
description 2
guidelines 3
interoperating with NAC LPIP 4
limitations 5
deafult settings
port security 1
default setting
traffic storm control 1
default settings
802.1X 1
AAA 2
CoPP 3
DAI 4
IP ACLs 5
IP Source Guard 6
keychain management 7
MAC ACLs 8
NAC 9
PKI 10
RADIUS 11
rate limits 12
RBAC 13
SSH 14
TACACS+ 15
Telnet 16
user accounts 17
VACLs 18
denial-of-service attacks
IP address spoofing, mitigating 1
device roles
description for 802.1X 1
DHCP binding database
See DHCP snooping binding database 1
DHCP option 82
description 1
DHCP snooping
binding database 1
default settings 2
description 1 2
guidelines 4
interoperating with NAC LPIP 5
limitations 6
message exchange process 7
option 82 8
overview 9
DHCP snooping binding database
described 1
description 2
entries 3
See DHCP snooping binding database 4
digital certificates
configuring 1
description 1 2
exporting 3
importing 4
peers 5
digitalcertificates
purpose 1
DoS attacks
Unicast RPF, deploying 1
dynamic ARP inspection
ARP cache poisoning 1
ARP requests 2
ARP spoofing attack 3
description 4
DHCP snooping binding database 5
function of 6
interface trust states 7
logging of dropped packets 8
network security issues and interface trust states 9
priority of ARP ACLs and DHCP snooping entries 10
Dynamic Host Configuration Protocol snooping
See DHCP snooping 1

E
EAP
relaying NAC messages 1
EAP over UDP.
See EAPoUDP 1
EAPoUDP
changing global EAPoUDP maximum retry values 1
changing maximum retry values for interfaces 2
changing UDP ports 3
clearing sessions 4
description 5
disabling 6
encapsulation for NAC 7
manually initializing sessions 8
resetting global values to defaults 9
resetting interface values to defaults 10
EAPoUDP timers
changing globally 1
configuring interfaces 2
EAPoUPD
enabling 1
enabling default AAA authentication methods 2
enabling logging 3
endpoint devices
description 1
examples
AAA configurations 1
SSH configurations 2
Extensible Authentication Protocol.
See EAP 1

F
feature groups
creating for roles 1
FreeRADIUS
VSA format for role attributes 1 2

G
Galois/Counter Mode.
See GCM 1
GCM
Cisco TrustSec SAP encryption 1
GCM authentication.
See GMAC 1
GMAC
Cisco TrustSec SAP authentication 1
guidelines
CoPP 1
DAI 2
DHCP snooping 3
IP ACLs 4
keychain management 5
MAC ACLs 6
port security 7
RADIUS 8
TACACS+ 9
traffic storm control 10
VACLs 11

H
hold timers
description 1
hostnames
configuring for PKI 1

I
identity certificates
deleting for PKI 1
generating requests 2
installing 3
identity policies
configuring 1
description 2
identity profile entries
configuring 1
identity profiles
description 1
IDs
Cisco vendor ID 1 2
interface policies
changing in roles 1
IP ACLs
configuring 1
default settings 2
description 1 2
guidelines 4
licensing 5
limitations 6
prerequisites 7
verifying configuration 8
virtualization support 9
IP device tracking
clearing information 1
configuring 2
description 3
IP devices
configuring tracking for NAC 1
IP domain names
configuring for PKI 1
IP Source Guard
default settings 1
description 1 2 3

K
key chain
end-time 1
lifetime 2
start-time 3
keychain management
default settings 1
description 1 2
guidelines 3
limitations 4
keys
TACACS+ 1

L
LAN port IP validation.
See LPIP 1
licensing
802.1X 1
AAA 2
Cisco TrustSec 3
CoPP 4
IP ACLs 5
NAC 6
PKI 7
RADIUS 8
rate limits 9
roles 10
SSH 11
TACACS+ 12
Telnet 13
traffic storm control 14
Unicast RPF 15
user accounts 16
limitations
CoPP 1
DAI 2
DHCP snooping 3
IP ACLs 4
keychain management 5
MAC ACLs 6
port security 7
TACACS+ 8
traffic storm control 9
VACLs 10
limitiations
RADIUS 1
logging
enabling EAPoUDP 1
login
configuring default AAA authentication 1
login authentication failure messages
enabling or disabling 1
LPIP
admission triggers 1
description 2
EAPoUDP 3
exception lists 4
interoperation with other NX-OS security features 5
limitations 1 2
policy enforcement using ACLs 7
posture validation 8
posture validation methods 9

M
MAC ACLs
default settings 1
description 1 2
guidelines 3
limitations 4
virtualization support 5
MAC authentication
bypass for 802.1X 1
enabling bypass in 802.1X 2
MAC packet classification
configuring 1
description 2
management interfaces
CoPP restrictions 1
Microsoft Challenge Handshake Authentication Protocol
See MSCHAP 1
Microsoft Challenge Handshake Authentication Protocol Version 2
See MSCHAP V2 1
MQC
CoPP 1
MSCHAP
enabling authentication 1
MSCHAP V2
enabling authentication 1
multicast storms.
See traffic storm control 1

N
NAC
configuration process 1
configuring 2
configuring IP device tracking 3
default settings 4
description 1 2
device roles 6
enabling on interfaces 7
example configuration 8
feature history 9
guidelines 10
impact of supervisor module switchovers 11
licensing 12
limitations 13
LPIP 14
prerequisites 15
See also IP device tracking 16
See also posture validation 17
timers 18
verifying configuration 19
virtualization support 20
NADs
description 1
network access devices.
See NADs 1
network-admin user role
description 1
network-operator user role
description 1
new information
description 1
nonrepsonsive hosts
description 1

O
object groups
configuring 1
description 2
verifying 3

P
PACLs
applying to interfaces 1
interoperating with NAC LPIP 1 2
passwords
enabling strength checking 1
strong characteristics 2
PKI
certificate revocation checking 1
configuring hostnames 2
configuring IP domain names 3
default settings 4
description 1 2
displaying configuration 6
enrollment support 7
example configuration 8
generating RSA key pairs 9
guidelines 10
licensing 11
limitations 12
SSH support 13
virtualization support 14
policing policies
default class maps 1
description 2
lenient default policy 3
moderate default policy 4
strict default policy 5
policy-based ACLs
description 1
verifying object groups 2
port ACLs
definition 1
port security
default settings 1
description 1 2
guidelines 3
interoperating with NAC LPIP 4
limitations 5
MAC move 6
violations 7
ports
authorization states for 802.1X 1
posture validation
configuring automatic for interfaces 1
configuring global automatic 2
description 3
methods 4
posture validation servers
description 1
preventing CoPP overflow by splitting ICMP pings and ARP requests
example configuration 1

R
RADIUS
CFS support 1
clearing distribution sessions 2
committing configuration for distribution 3
configuring authentication attributes 4
configuring dead-time intervals 5
configuring global keys 6
configuring global transmission retry 7
configuring global transmission timeout interval 8
configuring servers 9
default settings 10
description 1 2
discarding temporary configuration changes 12
enabling configuration distribution 13
example configurations 14
guidelines 15
licensing 16
limitations 17
network environments 18
operation 19
prerequisites 20
process for configuring 21
relay for Cisco TrustSec 22
verifying configuration 23
virtualization support 24
VSAs 25
RADIUS accounting
enabling for 802.1X authentication 1
RADIUS groups
example configurations 1
manually monitoring 2
RADIUS server groups
configuring 1
global source interfaces 2
RADIUS servers
allowing users to specify at login 1
configuring 2
configuring accounting attributes 3
configuring keys 4
configuring periodic monitoring 5
configuring transmission retry counts 6
configuring transmission timeout intervals 7
example configurations 8
manually monitoring 9
monitoring 1 2
verifying configuration 11
RADIUS statistics
clearing 1
rate limits
clearing statistics 1
configuration examples 2
configuring 3
default settings 4
description 1 2
guidelines 6
licensing 7
limitations 8
monitoring 9
verifying configuration 10
virtualization support 11
RBAC
default settings 1
description 1 2
example configuration 3
verifying configuration 4
retransmit timers
description 1
revalidation timers
description 1
role
changing VRF policies 1
roles
adding rules 1
changing VLAN policies 2
changiong interface policies 3
clearing distribution sessions 4
configuration distribution to network 5
creating 6
creating feature groups 7
discarding distribution sessions 8
distributing configurations 9
enabling configuration distribution 10
example configuration 11
licensing 12
router ACLs
definition 1
RSA key pairs
deleting from an Cisco NX-OS device 1
exporting 2
generating for PKI 3
importing 4
RSA key-pairs
description 1
displaying configuration 2
exporting 3
importing 4
multiple 5
rules
adding to roles 1
rules.
See user role rules 1

S
SAP
configuring modes on interfaces 1
SAP keys
regenerating on interfaces 1
Security Association Protocol.
See SAP 1
security group access lists
See SGACLs 1
security group tag
See SGT 1
server groups.
See AAA server groups 1
SGACL policies
clearing 1
displaying downloaded policies 2
manually configuring 3
SGACL policy enforcement
enabling on VLANs 1
enabling on VRFs 2
SGACLs
configuring 1
description 2
example manual configuration 3
example SGT mapping configuration 1 2 3
SGACLs policies
acquisition 1
refreshing downloaded policies 2
SGT Exchange Protocol
See SXP 1
SGTs
description 1
example mapping configuration 1 2 3
manually configuring 3
manually configuring address-to-SGACL mapping 1 2
propagation with SXP 5
SNMPv3
specifying AAA parameters 1
specifying parameters for AAA servers 2
source interfaces
RADIUS server groups 1
TACACS+ server groups 2
SPTs
description 1
predefined tokens 2
SSH
default settings 1
description 2
digital certificate support 3
example configuration 4
guidelines 5
licensing 6
limitations 7
prerequisites 8
specifying keys for user accounts 9
verifying configuration 10
virtualization support 11
SSH clients
support on NX-OS devices 1
SSH hosts
clearing on NX-OS devices 1
SSH keys
deleting from the NX-OS device 1
specifying in IETF SECSH format 2
specifying in OpenSSH format 3
SSH servers
clearing on NX-OS devices 1
disabling on NX-OS devices 2
key-pair support 3
support on NX-OS devices 4
SSH sessions
clearing 1
starting 2
status-query timers
description 1
superuser role.
See network-admin user role 1
SXP
changing reconcile periods 1
changing retry periods 2
configuration process 3
configuring default passwords 4
configuring default source IP addresses 5
configuring manually 6
configuring peer connections 7
enabling 8
SGT propagation 9
SXP connections
example manual configuration 1
system posture tokens.
See SPTs 1

T
TACACS+
advantages over RADIUS 1
allowing users to specify server name at login 2
clearing active distribution sessions 3
committing configuration changes to the network 4
configuration distribution 5
configuration process 6
configuring 7
configuring global keys 8
configuring global timeout intervals 9
configuring TCP ports 10
configuring the dead-time interval 11
default settings 12
description 1 2
disabling 14
discarding distribution sessions 15
enabling configuration distribution 16
enabling feature 17
example configurations 18
guidelines 19
keys 20
licensing requirements 21
limitations 22
prerequisites 23
user login operation 24
verifying command authorization 25
verifying configuration 26
virtualization 27
VSAs 28
TACACS+ servers
configuring 1
TACACS+ command authorization
configuring 1
description 2
testing 3
TACACS+ groups
configuring 1
manually monitoring 2
TACACS+ server groups
example configuration 1
global source interfaces 2
TACACS+ servers
configuring keys 1
configuring periodic monitoring 2
configuring timeout intervals 3
example configuration 4
manually monitoring 5
monitoring 1 2
TACACS+ statistics
clearing 1
TCP ports
configuring for TACACS+ 1
Telnet
clearing sessions on NX-OS devices 1
default settings 2
description 3
enabling server on NX-OS devices 4
guidelines 5
licensing 6
limitations 7
prerequisites 8
starting sessions to remote devices 9
verifying configuration 10
virtualization support 11
Telnet servers
support on NX-OS devices 1
time range
description 1
time ranges
absolute 1
configuring 1 2
description 3
periodic 4
verifying configuration 5
traffic storm control
default settings 1
description 1 2
example configuration 3
guidelines 4
licensing 5
limitations 6
monitoring counters 7
verifying configuration 8
virtualization support 9
trust points
description 1
multiple 2
saving configuration across reboots 3

U
Unicast RPF
BGP attributes 1
BOOTP and 2
default settings 3
deploying 4
description 1 2
DHCP and 6
example configurations 7
FIB 8
guidelines 9
implementation 10
licensing 11
limitations 12
loose mode 13
statistics 14
strict mode 15
tunneling and 16
verifying configuration 17
virtualization support 18
unicast storms.
See traffic storm control 1
user accounts
configuring 1
default settings 2
description 3
example configuration 4
guidelines 5
licensing 6
password characteristics 7
verifying configuration 8
virtualization support 9
user accounts limitations 1
user logins
authentication process 1
authorization process 2
user role rules
description 1
user roles
configuring 1
defaults 2
description 3
guidelines 4
limitations 5
specifying on AAA servers 1 2
verifying configuration 7
virtualization support 8

V
VACLs
default settings 1
description 2
guidelines 3
interoperating with NAC LPIP 4
limitations 5
vdc-admin user role
description 1
vdc-operator user role
description 1
vendor-specific attributes.
See VSAs 1
virtualization
802.1X 1
AAA 2
Cisco TrustSec 3
CoPP 4
DAI 5
NAC 6
RADIUS 7
rate limits 8
TACACS+ 9
traffic storm control 10
user accounts 11
user roles 12
virtualization support
PKI 1
virutalization
IP Source Guard 1
VLAN ACLs
definition 1
description 2
VLAN policies
changing for roles 1
VRF policies
changing in roles 1
VSAs
format 1
protocol options 1 2 3
support description 3
VTY access class
enabling using CoPP 1

	Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.2
	Index
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 4.2 Preface New and Changed Information Overview Configuring AAA Configuring RADIUS Configuring TACACS+ Configuring SSH and Telnet Configuring PKI Configuring User Accounts and RBAC Configuring 802.1X Configuring NAC Configuring Cisco TrustSec Configuring IP ACLs Configuring MAC ACLs Configuring VLAN ACLs Configuring Port Security Configuring DHCP Snooping Configuring Dynamic ARP Inspection Configuring IP Source Guard Configuring Keychain Management Configuring Traffic Storm Control Configuring Unicast RPF Configuring Control Plane Policing Configuring Rate Limits Index	Download the complete book Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_4.2.pdf (PDF - 8 MB) Feedback Contents 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - R - S - T - U - V - Index 8 802.1X authenticator PAEs 1 configuration process 2 configuring 3 configuring AAA accounting methods 4 configuring AAA authentication methods 5 controlling on interfaces 6 default settings 7 description 1 2 disabling authentication 9 disabling feature 10 enabling feature 11 enabling global periodic reauthentication 12 enabling MAC authentication bypass 13 enabling mulitple hosts mode 14 enabling periodic reauthentication on interfaces 15 enabling single host mode 16 example configuration 17 guidelines 18 interoperating with NAC LPIP 19 licensing requirements 20 limitations 21 MAC authenication bypass 22 monitoring 23 multiple host support 24 prerequisites 25 resetting global settings to default values 26 resetting interface settings to default values 27 setting global maximum retransmission retry count 28 setting interface maximum retransmission retry count 29 single host support 30 supported topologies 31 verifying configuration 32 virtualization support 33 802.1X authentication authorization states for ports 1 changing global timers 2 changing timers on interfaces 3 enabling RADIUS accounting 4 initiation 5 manually initializing 6 802.1X reauthentication setting maximum retry count on interfaces 1 802.1X supplicants manually reauthenticating 1 A AAA accounting 1 authentication 2 authorization 3 benefits 4 configuring 5 configuring authentication methods for 802.1X 6 configuring console login authentication 7 configuring default login authentication 8 configuring for Cisco TrustSec 9 configuring nonseed device for Cisco TrustSec 10 configuring seed device for Cisco TrustSec 11 default settings 12 description 1 2 enabling MSCHAP authentication 14 enabling MSCHAP V2 authentication 15 example configuration 16 guidelines 17 licensing requirements 18 limitations 19 monitoring TACACS+ servers 20 prerequisites 21 Process for configuring 22 user login process 23 verifying configurations 24 virtualization support 25 AAA accounting clearing logs 1 configuring default methods 2 configuring methods for 802.1X 3 monitoring logs 4 AAA authentication enabling default user roles 1 enabling login authentication failure messages 2 enabling methods for EAPoDUP 3 AAA protocols RADIUS 1 TACACS+ 2 AAA server groups description 1 AAA servers FreeRADIUS VSA format 1 specifying SNMPv3 parameters 1 2 specifying user roles 3 specifying user roles in VSAs 4 AAA services configuration options 1 remote 2 security 3 AAA timers description 1 access control lists description 1 order of application 2 See also ARP ACLs 3 See also IP ACLs 4 See also MAC ACLs 5 See also policy-based ACLs 6 See also port ACLs 7 See also router ACLs 8 See also VLAN ACLs 9 types of 10 accounting description 1 VDC support 2 application posture tokens. See APTs 1 APTs description 1 predefinded tokens 2 ARP ACLs description 1 priority of ARP ACLs and DHCP snooping entries 2 ARP inspection See dynamic ARP inspection 1 audit servers description 1 authentication 802.1X 1 Cisco TrustSec 2 configuring for Cisco TrustSec 3 description 4 methods 5 user logins 6 authentication servers description 1 authentication, authorization, and accounting See AAA 1 authenticator PAEs creating on an interface 1 description 2 removing from an interface 3 authorization description 1 user logins 2 verifying commands 3 B BGP using with Unicast RPF 1 broadcast storms. See traffic storm control 1 C CA trust points creating associations for PKI 1 CAs authenticating 1 configuring 2 deleting certificates 3 description 4 displaying configuration 5 enrollment using cut-and-paste 6 example configuration 7 example of downloading certificate 8 generating identity certificaterequests 9 identity 10 installing identity certificates 11 multiple 12 multiple trust points 13 peer certificates 14 purpose 15 certificate authorities. See CAs 1 certificate revocation checking configuring methods 1 certificate revocation lists See CRLs 1 certificates example of revoking 1 CFS enabling RADIUS distribution 1 RADIUS 2 TACACS+ support 3 changed information description 1 Cisco vendor ID 1 2 Cisco Fabric Services. See CFS 1 Cisco TrustSec architecture 1 authorization 2 configuring 3 configuring AAA on nonseed device 4 configuring AAA on seed device 5 configuring device credentials 6 default values 7 description 1 2 enabling 9 enabling (example) 10 environment data download 11 example configurations 12 guidelines 13 IEEE 802.1AE support 14 licensing 15 limitations 16 manually configuring SXP 17 policy acquisition 18 prerequisites 19 RADIUS relay 20 SGACLs 1 2 SGTs 22 verifying configuration 23 virtualization support 24 Cisco TrustSec authentication 802.1X role selection description 1 configuration process 2 configuring 1 2 configuring in manual mode 4 description 1 2 EAP-FAST enhancements 6 manual mode configuration examples 7 summary 8 Cisco TrustSec authorization configuration process 1 configuring 2 Cisco TrustSec device credentials description 1 Cisco TrustSec device identities description 1 Cisco TrustSec environment data download 1 Cisco TrustSec policies example enforcement configuration 1 2 3 Cisco TrustSec seed devices description 1 2 example configuration 2 Cisco TrustSec user credentials description 1 cisco-av-pair specifying AAA user parameters 1 2 class maps configuring for CoPP 1 clientless endpoint devices allowing 1 command authorization See TACACS+ command authorization 1 command verification example configuration 1 commands disabing authorization verification 1 enabing authorization verification 2 console login configuring AAA authentication 1 control plane class maps example configurations 1 verifying the configuration 2 control plane policy maps example configurations 1 verifying the configuration 2 control plane protection classification 1 description 2 packet types 3 rate controlling mechanisms 4 CoPP configuring 1 configuring class maps 2 configuring policy maps 3 default policies 4 default settings 5 description 1 2 example configurations 1 2 guidelines 8 licensing 9 limitations 10 MQC 11 restrictions for management interfaces 12 using to enable a VTY access class 13 verifying the configuration 14 virtualization support 15 CoPP policy maps configuring 1 CRLs configuring 1 description 2 downloading 3 generating 4 importing example 5 publishing 6 CTS See Cisco TrustSec 1 D DAI default settings 1 description 2 guidelines 3 interoperating with NAC LPIP 4 limitations 5 deafult settings port security 1 default setting traffic storm control 1 default settings 802.1X 1 AAA 2 CoPP 3 DAI 4 IP ACLs 5 IP Source Guard 6 keychain management 7 MAC ACLs 8 NAC 9 PKI 10 RADIUS 11 rate limits 12 RBAC 13 SSH 14 TACACS+ 15 Telnet 16 user accounts 17 VACLs 18 denial-of-service attacks IP address spoofing, mitigating 1 device roles description for 802.1X 1 DHCP binding database See DHCP snooping binding database 1 DHCP option 82 description 1 DHCP snooping binding database 1 default settings 2 description 1 2 guidelines 4 interoperating with NAC LPIP 5 limitations 6 message exchange process 7 option 82 8 overview 9 DHCP snooping binding database described 1 description 2 entries 3 See DHCP snooping binding database 4 digital certificates configuring 1 description 1 2 exporting 3 importing 4 peers 5 digitalcertificates purpose 1 DoS attacks Unicast RPF, deploying 1 dynamic ARP inspection ARP cache poisoning 1 ARP requests 2 ARP spoofing attack 3 description 4 DHCP snooping binding database 5 function of 6 interface trust states 7 logging of dropped packets 8 network security issues and interface trust states 9 priority of ARP ACLs and DHCP snooping entries 10 Dynamic Host Configuration Protocol snooping See DHCP snooping 1 E EAP relaying NAC messages 1 EAP over UDP. See EAPoUDP 1 EAPoUDP changing global EAPoUDP maximum retry values 1 changing maximum retry values for interfaces 2 changing UDP ports 3 clearing sessions 4 description 5 disabling 6 encapsulation for NAC 7 manually initializing sessions 8 resetting global values to defaults 9 resetting interface values to defaults 10 EAPoUDP timers changing globally 1 configuring interfaces 2 EAPoUPD enabling 1 enabling default AAA authentication methods 2 enabling logging 3 endpoint devices description 1 examples AAA configurations 1 SSH configurations 2 Extensible Authentication Protocol. See EAP 1 F feature groups creating for roles 1 FreeRADIUS VSA format for role attributes 1 2 G Galois/Counter Mode. See GCM 1 GCM Cisco TrustSec SAP encryption 1 GCM authentication. See GMAC 1 GMAC Cisco TrustSec SAP authentication 1 guidelines CoPP 1 DAI 2 DHCP snooping 3 IP ACLs 4 keychain management 5 MAC ACLs 6 port security 7 RADIUS 8 TACACS+ 9 traffic storm control 10 VACLs 11 H hold timers description 1 hostnames configuring for PKI 1 I identity certificates deleting for PKI 1 generating requests 2 installing 3 identity policies configuring 1 description 2 identity profile entries configuring 1 identity profiles description 1 IDs Cisco vendor ID 1 2 interface policies changing in roles 1 IP ACLs configuring 1 default settings 2 description 1 2 guidelines 4 licensing 5 limitations 6 prerequisites 7 verifying configuration 8 virtualization support 9 IP device tracking clearing information 1 configuring 2 description 3 IP devices configuring tracking for NAC 1 IP domain names configuring for PKI 1 IP Source Guard default settings 1 description 1 2 3 K key chain end-time 1 lifetime 2 start-time 3 keychain management default settings 1 description 1 2 guidelines 3 limitations 4 keys TACACS+ 1 L LAN port IP validation. See LPIP 1 licensing 802.1X 1 AAA 2 Cisco TrustSec 3 CoPP 4 IP ACLs 5 NAC 6 PKI 7 RADIUS 8 rate limits 9 roles 10 SSH 11 TACACS+ 12 Telnet 13 traffic storm control 14 Unicast RPF 15 user accounts 16 limitations CoPP 1 DAI 2 DHCP snooping 3 IP ACLs 4 keychain management 5 MAC ACLs 6 port security 7 TACACS+ 8 traffic storm control 9 VACLs 10 limitiations RADIUS 1 logging enabling EAPoUDP 1 login configuring default AAA authentication 1 login authentication failure messages enabling or disabling 1 LPIP admission triggers 1 description 2 EAPoUDP 3 exception lists 4 interoperation with other NX-OS security features 5 limitations 1 2 policy enforcement using ACLs 7 posture validation 8 posture validation methods 9 M MAC ACLs default settings 1 description 1 2 guidelines 3 limitations 4 virtualization support 5 MAC authentication bypass for 802.1X 1 enabling bypass in 802.1X 2 MAC packet classification configuring 1 description 2 management interfaces CoPP restrictions 1 Microsoft Challenge Handshake Authentication Protocol See MSCHAP 1 Microsoft Challenge Handshake Authentication Protocol Version 2 See MSCHAP V2 1 MQC CoPP 1 MSCHAP enabling authentication 1 MSCHAP V2 enabling authentication 1 multicast storms. See traffic storm control 1 N NAC configuration process 1 configuring 2 configuring IP device tracking 3 default settings 4 description 1 2 device roles 6 enabling on interfaces 7 example configuration 8 feature history 9 guidelines 10 impact of supervisor module switchovers 11 licensing 12 limitations 13 LPIP 14 prerequisites 15 See also IP device tracking 16 See also posture validation 17 timers 18 verifying configuration 19 virtualization support 20 NADs description 1 network access devices. See NADs 1 network-admin user role description 1 network-operator user role description 1 new information description 1 nonrepsonsive hosts description 1 O object groups configuring 1 description 2 verifying 3 P PACLs applying to interfaces 1 interoperating with NAC LPIP 1 2 passwords enabling strength checking 1 strong characteristics 2 PKI certificate revocation checking 1 configuring hostnames 2 configuring IP domain names 3 default settings 4 description 1 2 displaying configuration 6 enrollment support 7 example configuration 8 generating RSA key pairs 9 guidelines 10 licensing 11 limitations 12 SSH support 13 virtualization support 14 policing policies default class maps 1 description 2 lenient default policy 3 moderate default policy 4 strict default policy 5 policy-based ACLs description 1 verifying object groups 2 port ACLs definition 1 port security default settings 1 description 1 2 guidelines 3 interoperating with NAC LPIP 4 limitations 5 MAC move 6 violations 7 ports authorization states for 802.1X 1 posture validation configuring automatic for interfaces 1 configuring global automatic 2 description 3 methods 4 posture validation servers description 1 preventing CoPP overflow by splitting ICMP pings and ARP requests example configuration 1 R RADIUS CFS support 1 clearing distribution sessions 2 committing configuration for distribution 3 configuring authentication attributes 4 configuring dead-time intervals 5 configuring global keys 6 configuring global transmission retry 7 configuring global transmission timeout interval 8 configuring servers 9 default settings 10 description 1 2 discarding temporary configuration changes 12 enabling configuration distribution 13 example configurations 14 guidelines 15 licensing 16 limitations 17 network environments 18 operation 19 prerequisites 20 process for configuring 21 relay for Cisco TrustSec 22 verifying configuration 23 virtualization support 24 VSAs 25 RADIUS accounting enabling for 802.1X authentication 1 RADIUS groups example configurations 1 manually monitoring 2 RADIUS server groups configuring 1 global source interfaces 2 RADIUS servers allowing users to specify at login 1 configuring 2 configuring accounting attributes 3 configuring keys 4 configuring periodic monitoring 5 configuring transmission retry counts 6 configuring transmission timeout intervals 7 example configurations 8 manually monitoring 9 monitoring 1 2 verifying configuration 11 RADIUS statistics clearing 1 rate limits clearing statistics 1 configuration examples 2 configuring 3 default settings 4 description 1 2 guidelines 6 licensing 7 limitations 8 monitoring 9 verifying configuration 10 virtualization support 11 RBAC default settings 1 description 1 2 example configuration 3 verifying configuration 4 retransmit timers description 1 revalidation timers description 1 role changing VRF policies 1 roles adding rules 1 changing VLAN policies 2 changiong interface policies 3 clearing distribution sessions 4 configuration distribution to network 5 creating 6 creating feature groups 7 discarding distribution sessions 8 distributing configurations 9 enabling configuration distribution 10 example configuration 11 licensing 12 router ACLs definition 1 RSA key pairs deleting from an Cisco NX-OS device 1 exporting 2 generating for PKI 3 importing 4 RSA key-pairs description 1 displaying configuration 2 exporting 3 importing 4 multiple 5 rules adding to roles 1 rules. See user role rules 1 S SAP configuring modes on interfaces 1 SAP keys regenerating on interfaces 1 Security Association Protocol. See SAP 1 security group access lists See SGACLs 1 security group tag See SGT 1 server groups. See AAA server groups 1 SGACL policies clearing 1 displaying downloaded policies 2 manually configuring 3 SGACL policy enforcement enabling on VLANs 1 enabling on VRFs 2 SGACLs configuring 1 description 2 example manual configuration 3 example SGT mapping configuration 1 2 3 SGACLs policies acquisition 1 refreshing downloaded policies 2 SGT Exchange Protocol See SXP 1 SGTs description 1 example mapping configuration 1 2 3 manually configuring 3 manually configuring address-to-SGACL mapping 1 2 propagation with SXP 5 SNMPv3 specifying AAA parameters 1 specifying parameters for AAA servers 2 source interfaces RADIUS server groups 1 TACACS+ server groups 2 SPTs description 1 predefined tokens 2 SSH default settings 1 description 2 digital certificate support 3 example configuration 4 guidelines 5 licensing 6 limitations 7 prerequisites 8 specifying keys for user accounts 9 verifying configuration 10 virtualization support 11 SSH clients support on NX-OS devices 1 SSH hosts clearing on NX-OS devices 1 SSH keys deleting from the NX-OS device 1 specifying in IETF SECSH format 2 specifying in OpenSSH format 3 SSH servers clearing on NX-OS devices 1 disabling on NX-OS devices 2 key-pair support 3 support on NX-OS devices 4 SSH sessions clearing 1 starting 2 status-query timers description 1 superuser role. See network-admin user role 1 SXP changing reconcile periods 1 changing retry periods 2 configuration process 3 configuring default passwords 4 configuring default source IP addresses 5 configuring manually 6 configuring peer connections 7 enabling 8 SGT propagation 9 SXP connections example manual configuration 1 system posture tokens. See SPTs 1 T TACACS+ advantages over RADIUS 1 allowing users to specify server name at login 2 clearing active distribution sessions 3 committing configuration changes to the network 4 configuration distribution 5 configuration process 6 configuring 7 configuring global keys 8 configuring global timeout intervals 9 configuring TCP ports 10 configuring the dead-time interval 11 default settings 12 description 1 2 disabling 14 discarding distribution sessions 15 enabling configuration distribution 16 enabling feature 17 example configurations 18 guidelines 19 keys 20 licensing requirements 21 limitations 22 prerequisites 23 user login operation 24 verifying command authorization 25 verifying configuration 26 virtualization 27 VSAs 28 TACACS+ servers configuring 1 TACACS+ command authorization configuring 1 description 2 testing 3 TACACS+ groups configuring 1 manually monitoring 2 TACACS+ server groups example configuration 1 global source interfaces 2 TACACS+ servers configuring keys 1 configuring periodic monitoring 2 configuring timeout intervals 3 example configuration 4 manually monitoring 5 monitoring 1 2 TACACS+ statistics clearing 1 TCP ports configuring for TACACS+ 1 Telnet clearing sessions on NX-OS devices 1 default settings 2 description 3 enabling server on NX-OS devices 4 guidelines 5 licensing 6 limitations 7 prerequisites 8 starting sessions to remote devices 9 verifying configuration 10 virtualization support 11 Telnet servers support on NX-OS devices 1 time range description 1 time ranges absolute 1 configuring 1 2 description 3 periodic 4 verifying configuration 5 traffic storm control default settings 1 description 1 2 example configuration 3 guidelines 4 licensing 5 limitations 6 monitoring counters 7 verifying configuration 8 virtualization support 9 trust points description 1 multiple 2 saving configuration across reboots 3 U Unicast RPF BGP attributes 1 BOOTP and 2 default settings 3 deploying 4 description 1 2 DHCP and 6 example configurations 7 FIB 8 guidelines 9 implementation 10 licensing 11 limitations 12 loose mode 13 statistics 14 strict mode 15 tunneling and 16 verifying configuration 17 virtualization support 18 unicast storms. See traffic storm control 1 user accounts configuring 1 default settings 2 description 3 example configuration 4 guidelines 5 licensing 6 password characteristics 7 verifying configuration 8 virtualization support 9 user accounts limitations 1 user logins authentication process 1 authorization process 2 user role rules description 1 user roles configuring 1 defaults 2 description 3 guidelines 4 limitations 5 specifying on AAA servers 1 2 verifying configuration 7 virtualization support 8 V VACLs default settings 1 description 2 guidelines 3 interoperating with NAC LPIP 4 limitations 5 vdc-admin user role description 1 vdc-operator user role description 1 vendor-specific attributes. See VSAs 1 virtualization 802.1X 1 AAA 2 Cisco TrustSec 3 CoPP 4 DAI 5 NAC 6 RADIUS 7 rate limits 8 TACACS+ 9 traffic storm control 10 user accounts 11 user roles 12 virtualization support PKI 1 virutalization IP Source Guard 1 VLAN ACLs definition 1 description 2 VLAN policies changing for roles 1 VRF policies changing in roles 1 VSAs format 1 protocol options 1 2 3 support description 3 VTY access class enabling using CoPP 1
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks