L Commands
This chapter describes the Cisco NX-OS security commands that begin with L.
ldap-server deadtime
To configure the deadtime interval for all Lightweight Directory Access Protocol (LDAP) servers, use the ldap-server deadtime command. The deadtime interval specifies the time that the Cisco NX-OS device waits, after declaring that an LDAP server is dead, before sending out a test packet to determine if the server is now alive. To remove the global deadtime interval configuration, use the no form of this command.
ldap-server deadtime minutes
no ldap-server deadtime minutes
Syntax Description
Defaults
0 minutes
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
When the dead-time interval is 0 minutes, LDAP servers are not marked as dead even if they are not responding.
This command does not require a license.
Examples
This example shows how to configure the global deadtime interval for LDAP servers:
switch# config t
switch(config)# ldap-server deadtime 5
Related Commands
Command | Description
feature ldap | Enables LDAP.
show ldap-server | Displays the LDAP server configuration.
ldap-server host
To configure Lightweight Directory Access Protocol (LDAP) server host parameters, use the ldap-server host command. To revert to the defaults, use the no form of this command.
ldap-server host {ipv4-address | ipv6-address | host-name}
[enable-ssl]
[port tcp-port [timeout seconds]]
[rootDN root-name [password password] [port tcp-port [timeout seconds] | [timeout seconds]]]
[test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]]]
[timeout seconds]
no ldap-server host {ipv4-address | ipv6-address | host-name}
[enable-ssl]
[port tcp-port [timeout seconds]]
[rootDN root-name [password password] [port tcp-port [timeout seconds] | [timeout seconds]]]
[test rootDN root-name [idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]]]
[timeout seconds]
Syntax Description
Defaults
Server monitoring: Disabled
TCP port: The global value or 389 if a global value is not configured
Timeout: The global value or 5 seconds if a global value is not configured
Idle time: 60 minutes
Test username: test
Test password: Cisco
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP and obtain the IPv4 or IPv6 address or hostname for the remote LDAP server.
If you plan to enable the SSL protocol, make sure that the LDAP server certificate is manually configured on the Cisco NX-OS device.
By default, when you configure an LDAP server IP address or hostname on the Cisco NX-OS device, the LDAP server is added to the default LDAP server group. You can also add the LDAP server to another LDAP server group.
The timeout interval value specified for an LDAP server overrides the global timeout interval value specified for all LDAP servers.
This command does not require a license.
Examples
This example shows how to configure the IPv6 address for an LDAP server:
switch# config t
switch(config)# ldap-server host 10.10.2.2 timeout 20
This example shows how to configure the parameters for LDAP server monitoring:
switch# config t
switch(config)# ldap-server host 10.10.1.1 test rootDN root1 username user1 password Ur2Gd2BH idle-time 3
Related Commands
Command | Description
feature ldap | Enables LDAP.
show ldap-server | Displays the LDAP server configuration.
ldap-server port
To configure a global Lightweight Directory Access Protocol (LDAP) server port through which clients initiate TCP connections, use the ldap-server port command. To remove the LDAP server port configuration, use the no form of this command.
ldap-server port tcp-port
no ldap-server port tcp-port
Syntax Description
Defaults
TCP port 389
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure a global TCP port for LDAP messages:
switch# config t
switch(config)# ldap-server port 2
Related Commands
Command | Description
feature ldap | Enables LDAP.
show ldap-server | Displays the LDAP server configuration.
ldap-server timeout
To configure a global timeout interval that determines how long the Cisco NX-OS device waits for responses from all Lightweight Directory Access Protocol (LDAP) servers before declaring a timeout failure, use the ldap-server timeout command. To remove the global timeout configuration, use the no form of this command.
ldap-server timeout seconds
no ldap-server timeout seconds
Syntax Description
Defaults
5 seconds
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure the global timeout interval for LDAP servers:
switch# config t
switch(config)# ldap-server timeout 10
Related Commands
Command | Description
feature ldap | Enables LDAP.
show ldap-server | Displays the LDAP server configuration.
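The four ldap-server settings documented above (deadtime, host, port, timeout) interact: a per-host port or timeout overrides the global value, the global value overrides the factory default (389 and 5 seconds), and a deadtime of 0 means an unresponsive server is never marked dead. The following added example is not Cisco code; it is a small Python model that parses a constructed running-config fragment assembled from this page's own example commands, resolves the effective port and timeout per server, and reports the two conditions a reviewer would want to know about. The keyword parsing is a simplification that recognises only the keywords used in the sample.

```python
import re

# Constructed sample: a running-config fragment assembled from this page's example commands.
SAMPLE_CONFIG = """
feature ldap
ldap-server port 2
ldap-server timeout 10
ldap-server deadtime 5
ldap-server host 10.10.2.2 timeout 20
ldap-server host 10.10.1.1 enable-ssl test rootDN root1 username user1 password Ur2Gd2BH idle-time 3
"""

# Values the page lists as defaults when no global value is configured.
FACTORY = {"port": 389, "timeout": 5, "deadtime": 0}

def parse_ldap_config(text):
    """Return (global settings, {address: per-host settings}) from the ldap-server lines."""
    globals_, hosts = dict(FACTORY), {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"ldap-server (port|timeout|deadtime) (\d+)", line)
        if m:
            globals_[m.group(1)] = int(m.group(2))
            continue
        m = re.fullmatch(r"ldap-server host (\S+)(.*)", line)
        if m:  # simplified keyword parsing: only the keywords used in the sample are recognised
            address, rest = m.group(1), m.group(2)
            port, timeout = re.search(r"\bport (\d+)", rest), re.search(r"\btimeout (\d+)", rest)
            hosts[address] = {
                "enable_ssl": " enable-ssl" in rest,
                "monitored": " test rootDN " in rest,  # server monitoring clause present
                "port": int(port.group(1)) if port else None,      # per-host value or None
                "timeout": int(timeout.group(1)) if timeout else None,
            }
    return globals_, hosts

def effective(globals_, host):
    """A per-host port or timeout overrides the global value, which overrides the factory default."""
    return {key: host[key] if host[key] is not None else globals_[key] for key in ("port", "timeout")}

def audit(text):
    """Conditions worth flagging, based on the behaviour this page documents."""
    globals_, hosts = parse_ldap_config(text)
    findings = []
    if globals_["deadtime"] == 0:
        findings.append("deadtime 0: unresponsive LDAP servers are never marked dead")
    for address, host in hosts.items():
        if not host["enable_ssl"]:
            findings.append(f"{address}: enable-ssl not set, binds to this server are not SSL-protected")
    return findings
```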
ldap search-map
To configure a Lightweight Directory Access Protocol (LDAP) search map to send a search query to the LDAP server, use the ldap search-map command. To disable the search map, use the no form of this command.
ldap search-map map-name
no ldap search-map map-name
Syntax Description
map-name
Name of the LDAP search map. The name is alphanumeric, case sensitive, and has a maximum of 128 characters.
Defaults
Disabled
Command Modes
Global configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
To use this command, you must enable LDAP.
This command does not require a license.
Examples
This example shows how to configure an LDAP search map:
switch# config t
switch(config)# ldap search-map map1
Related Commands
logging drop threshold
To configure the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold in a policy map for Control Plane Policing (CoPP), use the logging drop threshold command.
logging drop threshold [drop-count [level syslog-level]]
Syntax Description
drop-count
Drop count. The range is from 1 to 80000000000.
level
(Optional) Specifies the syslog level.
syslog-level
Syslog level. The range is from 1 to 7.
Defaults
Syslog level 4
Command Modes
config-pmap-c
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
Ensure that you are in the default VDC.
Ensure that you have configured the IP ACLs if you want to use ACE hit counters in the class maps.
This command does not require a license.
Examples
This example shows how to configure the threshold value for dropped packets and generate a syslog if the drop count exceeds the configured threshold in a policy map for CoPP:
switch# config t
switch(config)# policy-map type control-plane ClassMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# police cir 52000
switch(config-pmap-c)# police cir 52000 bc 2000
switch(config-pmap-c)# police cir 5000 conform transmit exceed drop violate set1 dscp3 dscp4 table1 pir-markdown-map
switch(config-pmap-c)# police cir 52000 pir 78000 be 2000
switch(config-pmap-c)# logging drop threshold 1800 level 2
switch(config-pmap-c)#
Related Commands
Command | Description
policy-map type control-plane | Configures a control plane policy map and enters policy map configuration mode.
lt
To specify a less-than group member for an IP port object group, use the lt command. A less-than group member matches port numbers that are less than (and not equal to) the port number specified in the entry. To remove a less-than group member from an IP port object group, use the no form of this command.
[sequence-number] lt port-number
no {sequence-number | lt port-number}
Syntax Description
Defaults
None
Command Modes
IP port object group configuration
Supported User Roles
network-admin
vdc-admin
Command History
Usage Guidelines
IP port object groups are not directional. Whether a lt command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
This command does not require a license.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 1 through port 49151:
switch# config t
switch(config)# object-group ip port port-group-05
switch(config-port-ogroup)# lt 49152
Related Commands