Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x - Index [Cisco Nexus 7000 Series Switches]

Contents
8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - R - S - T - U - V - W -

Index

8
802.1X
authenticator PAEs 1
configuration process 1
configuring 1
configuring AAA accounting methods 1
configuring AAA authentication methods 1
configuring on member ports 1
controlling on interfaces 1
default settings 1
description 1 2
disabling authentication 1
disabling feature 1
enabling feature 1
enabling global periodic reauthentication 1
enabling MAC authentication bypass 1
enabling mulitple hosts mode 1
enabling periodic reauthentication on interfaces 1
enabling single host mode 1
example configuration 1
guidelines 1
interoperating with NAC LPIP 1
licensing requirements 1
limitations 1
MAC authenication bypass 1
monitoring 1
multiple host support 1
prerequisites 1
resetting global settings to default values 1
resetting interface settings to default values 1
setting global maximum retransmission retry count 1
setting interface maximum retransmission retry count 1
single host support 1
supported topologies 1
verifying configuration 1
virtualization support 1
802.1X authentication
authorization states for ports 1
changing global timers 1
changing timers on interfaces 1
enabling RADIUS accounting 1
initiation 1
manually initializing 1
802.1X reauthentication
setting maximum retry count on interfaces 1
802.1X supplicants
manually reauthenticating 1

A
AAA
accounting 1
authentication 1
authorization 1
benefits 1
configuring 1
configuring authentication methods for 802.1X 1
configuring console login authentication 1
configuring default login authentication 1
configuring for Cisco TrustSec 1
configuring nonseed device for Cisco TrustSec 1
configuring seed device for Cisco TrustSec 1
default settings 1
description 1 2
disabling fallback to local authentication 1
enabling CHAP authentication 1
enabling MSCHAP authentication 1
enabling MSCHAP V2 authentication 1
example configurations 1
guidelines 1
licensing requirements 1
limitations 1
monitoring LDAP servers 1
monitoring TACACS+ servers 1
prerequisites 1
Process for configuring 1
user login process 1
verifying configurations 1
virtualization support 1
AAA accounting
clearing logs 1
configuring default methods 1
configuring methods for 802.1X 1
monitoring logs 1
AAA authentication
enabling default user roles 1
enabling login authentication failure messages 1
enabling methods for EAPoDUP 1
AAA authorization
configuring on LDAP servers 1
configuring on TACACS+ servers 1
AAA protocols
RADIUS 1
TACACS+ 1
AAA server groups
description 1
AAA servers
FreeRADIUS VSA format 1
specifying SNMPv3 parameters 1 2
specifying user roles 1
specifying user roles in VSAs 1
AAA services
configuration options 1
remote 1
security 1
AAA timers
description 1
access control lists 1
description 1
order of application 1
See also ARP ACLs 1
See also IP ACLs 1
See also MAC ACLs 1
See also policy-based ACLs 1
See also port ACLs 1
See also router ACLs 1
See also VLAN ACLs 1
types of 1
accounting
description 1
VDC support 1
ACL capture
disabling 1
enabling 1
ACL capture session
configuring 1
ACL with capture session ACEs
applying to an interface 1
ACLs
VLAN 1
ACS servers
configuring one-time passwords 1
AES password encryption feature
description 1 2
enabling 1 2 3
application posture tokens. 1
See APTs 1
APTs
description 1
predefinded tokens 1
ARP ACLs
description 1
priority of ARP ACLs and DHCP snooping entries 1
ARP inspection 1
See dynamic ARP inspection 1
audit servers
description 1
authentication
802.1X 1
Cisco TrustSec 1
configuring for Cisco TrustSec 1
description 1
methods 1
user logins 1
authentication servers
description 1
authentication, authorization, and accounting 1
See AAA 1
authenticator PAEs
creating on an interface 1
description 1
removing from an interface 1
authorization
description 1
user logins 1
verifying commands 1

B
BGP
using with Unicast RPF 1
broadcast storms. 1
See traffic storm control 1

C
CA trust points
creating associations for PKI 1
CAs
authenticating 1
configuring 1
deleting certificates 1
description 1
displaying configuration 1
enrollment using cut-and-paste 1
example configuration 1
example of downloading certificate 1
generating identity certificate requests 1
identity 1
installing identity certificates 1
multiple 1
multiple trust points 1
peer certificates 1
purpose 1
cert-store
configuring for certificate authentication 1
certificate authorities. 1
See CAs 1
certificate mapping filters
configuring 1
certificate revocation checking
configuring methods 1
certificate revocation lists 1
See CRLs 1
certificates
example of revoking 1
CFS
enabling RADIUS distribution 1
RADIUS 1
TACACS+ support 1
Challenge Handshake Authentication Protocol 1
changed information
description 1
CHAP
enabling authentication 1
Cisco
vendor ID 1 2
Cisco Fabric Services. 1
See CFS 1
Cisco TrustSec
architecture 1
authorization 1
configuring 1
configuring AAA on nonseed device 1
configuring AAA on seed device 1
configuring device credentials 1
configuring pause frame encryption and decryption on interfaces 1
default values 1
description 1 2
enabling 1
enabling (example) 1
environment data download 1
example configurations 1
guidelines 1
IEEE 802.1AE support 1
licensing 1
limitations 1
manually configuring SXP 1
policy acquisition 1
prerequisites 1
RADIUS relay 1
SGACLs 1 2
SGTs 1
verifying configuration 1
virtualization support 1
Cisco TrustSec authentication
802.1X role selection description 1
configuration process 1
configuring 1 2
configuring in manual mode 1
description 1 2
EAP-FAST enhancements 1
manual mode configuration examples 1
summary 1
Cisco TrustSec authorization 1
configuration process 1
configuring 1
Cisco TrustSec device credentials
description 1
Cisco TrustSec device identities
description 1
Cisco TrustSec environment data
download 1
Cisco TrustSec policies
example enforcement configuration 1 2 3
Cisco TrustSec seed devices
description 1 2
example configuration 1
Cisco TrustSec user credentials
description 1
cisco-av-pair
specifying AAA user parameters 1 2
class maps
configuring for CoPP 1
clearing statistics
CoPP 1
clientless endpoint devices
allowing 1
command authorization 1
See TACACS+ command authorization 1
command verification
example configuration 1
commands
disabing authorization verification 1
enabing authorization verification 1
configuration status
CoPP 1
console login
configuring AAA authentication 1
control plane class maps
example configurations 1
verifying the configuration 1
control plane policy maps
example configurations 1
verifying the configuration 1
control plane protection
CoPP 1
packet types 1
control plane protection, classification 1
control plane protection, CoPP
rate controlling mechanisms 1
CoPP 1
changing or reapplying the default policy 1
clearing statistics 1
configuration status 1
configuring 1
configuring class maps 1
configuring policy maps 1
control plane protection 1
control plane protection, classification 1
copying the best practice policy 1
default policies 1
default settings 1
description 1
example configurations 1 2
feature history 1
guidelines 1
information about 1
licensing 1
limitations 1
monitoring 1
MQC 1
restrictions for management interfaces 1
using to enable a VTY access class 1
verifying the configuration 1
virtualization support 1
CoPP policy maps
configuring 1
CRLs
configuring 1
description 1
downloading 1
generating 1
importing example 1
publishing 1
CTS 1
See Cisco TrustSec 1

D
DAI
default settings 1
description 1
guidelines 1
interoperating with NAC LPIP 1
limitations 1
deafult settings
port security 1
default setting
traffic storm control 1
default settings
802.1X 1
AAA 1
CoPP 1
DAI 1
DHCP 1
FIPS 1
IP ACLs 1
IP Source Guard 1
keychain management 1
LDAP 1
MAC ACLs 1
NAC 1
password encryption 1
PKI 1
RADIUS 1
rate limits 1
RBAC 1
SCP server 1
SFTP server 1
SSH 1
TACACS+ 1
Telnet 1
user accounts 1
VACLs 1
denial-of-service attacks
IP address spoofing, mitigating 1
deny ACE support
configuring 1
device roles
description for 802.1X 1
DHCP
default settings 1
description 1
enabling or disabling 1
guidelines 1
limitations 1
verifying configuration 1
virtualization support 1
DHCP binding database 1
See DHCP snooping binding database 1
DHCP Option 82
description 1 2
DHCP relay agent
enabling or disabling 1
enabling or disabling Option 82 1
enabling or disabling subnet broadcast support on a Layer 3 Interface 1
enabling or disabling VRF support 1
message exchange process 1
Option 82 1
VRF support 1
DHCP server addresses
configuring 1
DHCP smart relay
enabling or disabling globally 1
enabling or disabling on a Layer 3 interface 1
DHCP smart relay agent
description 1
DHCP snooping
binding database 1
description 1
enabling or disabling globally 1
enabling or disabling on a VLAN 1
example configurations 1
in a vPC environment 1
interoperating with NAC LPIP 1
message exchange process 1
Option 82 1
overview 1
DHCP snooping binding database 1
described 1
description 1
entries 1
See DHCP snooping binding database 1
DHCP snooping binding entries
synchronizing 1
digital certificates
configuring 1
description 1 2
exporting 1
importing 1
peers 1
purpose 1
DoS attacks
Unicast RPF, deploying 1
dynamic ARP inspection
ARP cache poisoning 1
ARP requests 1
ARP spoofing attack 1
description 1
DHCP snooping binding database 1
function of 1
interface trust states 1
logging of dropped packets 1
network security issues and interface trust states 1
priority of ARP ACLs and DHCP snooping entries 1
Dynamic Host Configuration Protocol 1
See DHCP 1

E
EAP
relaying NAC messages 1
EAP over UDP. 1
See EAPoUDP 1
EAPoUDP
changing global EAPoUDP maximum retry values 1
changing maximum retry values for interfaces 1
changing UDP ports 1
clearing sessions 1
description 1
disabling 1
encapsulation for NAC 1
manually initializing sessions 1
resetting global values to defaults 1
resetting interface values to defaults 1
EAPoUDP timers
changing globally 1
configuring interfaces 1
EAPoUPD
enabling 1
enabling default AAA authentication methods 1
enabling logging 1
endpoint devices
description 1
examples
AAA configurations 1
DHCP snooping configurations 1
password encryption configurations 1
SSH configurations 1
Extensible Authentication Protocol. 1
See EAP 1

F
feature groups
creating for roles 1
feature history
CoPP 1
Federal Information Processing Standards. 1
See FIPS 1
FIPS
configuration example 1
default settings 1
description 1
disabling 1
enabling 1
guidelines 1
limitations 1
RADIUS keywrap 1
self-tests 1
FreeRADIUS
VSA format for role attributes 1 2

G
Galois/Counter Mode. 1
See GCM 1
GCM
Cisco TrustSec SAP encryption 1
GCM authentication. 1
See GMAC 1
GMAC
Cisco TrustSec SAP authentication 1
guidelines
CoPP 1
DAI 1
DHCP 1
IP ACLs 1
keychain management 1
LDAP 1
MAC ACLs 1
port security 1
RADIUS 1
TACACS+ 1
traffic storm control 1
VACLs 1

H
hold timers
description 1
hostnames
configuring for PKI 1

I
identity certificates
deleting for PKI 1
generating requests 1
installing 1
identity policies
configuring 1
description 1
identity profile entries
configuring 1
identity profiles
description 1
IDs
Cisco vendor ID 1 2
interface
configuring as trusted or untrusted 1
interface policies
changing in roles 1
IP ACLs
applying as a Router ACL 1
configuring 1
default settings 1
description 1 2
guidelines 1
licensing 1
limitations 1
prerequisites 1
verifying configuration 1
virtualization support 1
IP device tracking
clearing information 1
configuring 1
description 1
IP devices
configuring tracking for NAC 1
IP domain names
configuring for PKI 1
IP Source Guard
default settings 1
description 1 2 3

K
key chain
end-time 1
lifetime 1
start-time 1
keychain management
default settings 1
description 1 2
guidelines 1
limitations 1
keys
TACACS+ 1

L
LAN port IP validation. 1
See LPIP 1
LDAP
authentication 1
authorization 1
configuration process 1
configuring 1
configuring global timeout intervals 1
configuring TCP ports 1
configuring the dead-time interval 1
configuring the global server port 1
default settings 1
description 1 2
disabling 1
enabling feature 1
example configurations 1
guidelines 1
licensing requirements 1
limitations 1
prerequisites 1
search maps 1
user login operation 1
verifying configuration 1
virtualization 1
VSAs 1
LDAP groups
configuring 1
LDAP search maps
configuring 1
LDAP server groups
example configuration 1
LDAP servers
configuring 1
configuring periodic monitoring 1
configuring the rootDN 1
configuring timeout intervals 1
example configuration 1
monitoring 1 2
verifying configuration 1
LDAP statistics
clearing 1
licensing
802.1X 1
AAA 1
Cisco TrustSec 1
CoPP 1
IP ACLs 1
LDAP 1
NAC 1
password encryption 1
PKI 1
RADIUS 1
rate limits 1
roles 1
SSH 1
TACACS+ 1
Telnet 1
traffic storm control 1
Unicast RPF 1
user accounts 1
limitations
CoPP 1
DAI 1
DHCP 1
IP ACLs 1
keychain management 1
LDAP 1
MAC ACLs 1
port security 1
TACACS+ 1
traffic storm control 1
VACLs 1
limitiations
RADIUS 1
local authentication
disabling fallback to 1
logging
enabling EAPoUDP 1
login
configuring default AAA authentication 1
login authentication failure messages
enabling or disabling 1
LPIP
admission triggers 1
description 1
EAPoUDP 1
exception lists 1
interoperation with other NX-OS security features 1
limitations 1 2
policy enforcement using ACLs 1
posture validation 1
posture validation methods 1

M
MAC ACLs
default settings 1
description 1 2
guidelines 1
limitations 1
virtualization support 1
MAC addresses
learning 1
MAC authentication
bypass for 802.1X 1
enabling bypass in 802.1X 1
MAC packet classification
configuring 1
description 1
management interfaces
CoPP restrictions 1
master key
configuring 1 2 3
description 1 2
Microsoft Challenge Handshake Authentication Protocol 1
See MSCHAP 1
Microsoft Challenge Handshake Authentication Protocol Version 2 1
See MSCHAP V2 1
monitoring
CoPP 1
MQC
CoPP 1
MSCHAP
enabling authentication 1
MSCHAP V2
enabling authentication 1
multicast storms. 1
See traffic storm control 1

N
NAC 1 2
configuration process 1
configuring 1
configuring IP device tracking 1
default settings 1
description 1 2
device roles 1
enabling on interfaces 1
example configuration 1
feature history 1
guidelines 1
impact of supervisor module switchovers 1
licensing 1
limitations 1
LPIP 1
prerequisites 1
See also IP device tracking 1
See also posture validation 1
timers 1
verifying configuration 1
virtualization support 1
NADs
description 1
network access devices. 1
See NADs 1
network-admin user role
description 1
network-operator user role
description 1
new information
description 1
nonrepsonsive hosts
description 1

O
object groups
configuring 1
description 1
verifying 1
one-time passwords
configuring 1

P
PACLs
applying to interfaces 1
interoperating with NAC LPIP 1 2
password encryption
configuring 1
default settings 1
description 1 2
example configurations 1
guidelines 1
licensing requirements 1
limitations 1
verifying configurations 1
virtualization support 1
passwordless file copy
configuring for SSH 1
passwords
enabling strength checking 1
strong characteristics 1
PKI
certificate revocation checking 1
configuring hostnames 1
configuring IP domain names 1
default settings 1
description 1 2
displaying configuration 1
enrollment support 1
example configuration 1
generating RSA key pairs 1
guidelines 1
licensing 1
limitations 1
SSH support 1
virtualization support 1
policing policies
default class maps 1
dense default policy 1
description 1
lenient default policy 1
moderate default policy 1
strict default policy 1
policy-based ACLs
description 1
verifying object groups 1
port ACLs
definition 1
port security
default settings 1
description 1 2
guidelines 1
interoperating with NAC LPIP 1
limitations 1
MAC address learning 1
MAC move 1
violations 1
ports
authorization states for 802.1X 1
posture validation
configuring automatic for interfaces 1
configuring global automatic 1
description 1
methods 1
posture validation servers
description 1
preventing CoPP overflow by splitting ICMP pings and ARP requests
example configuration 1
privilege level support for TACACS+ authorization
configuring 1
privilege roles
permitting or denying commands for 1

R
RADIUS
CFS support 1
clearing distribution sessions 1
committing configuration for distribution 1
configuring authentication attributes 1
configuring dead-time intervals 1
configuring global keys 1
configuring global transmission retry 1
configuring global transmission timeout interval 1
configuring servers 1
default settings 1
description 1 2
discarding temporary configuration changes 1
enabling configuration distribution 1
example configurations 1
guidelines 1
keywrap 1
licensing 1
limitations 1
network environments 1
operation 1
prerequisites 1
process for configuring 1
relay for Cisco TrustSec 1
verifying configuration 1
virtualization support 1
VSAs 1
RADIUS accounting
enabling for 802.1X authentication 1
RADIUS groups
example configurations 1
manually monitoring 1
RADIUS server groups
configuring 1
global source interfaces 1
RADIUS servers
allowing users to specify at login 1
configuring 1
configuring accounting attributes 1
configuring global periodic monitoring 1
configuring keys 1
configuring periodic monitoring 1
configuring transmission retry counts 1
configuring transmission timeout intervals 1
example configurations 1
manually monitoring 1
monitoring 1 2
verifying configuration 1
RADIUS statistics
clearing 1
rate controlling mechanisms
control plane protection, CoPP 1
rate limits
clearing statistics 1
configuration examples 1
configuring 1
default settings 1
description 1 2
guidelines 1
licensing 1
limitations 1
monitoring 1
verifying configuration 1
virtualization support 1
RBAC
default settings 1
description 1 2
example configuration 1
verifying configuration 1
RBACL
clearing statistics 1
displaying statistics 1
enabling statistics 1
RBACL logging
enabling 1
retransmit timers
description 1
revalidation timers
description 1
role
changing VRF policies 1
roles
adding rules 1
changing VLAN policies 1
changiong interface policies 1
clearing distribution sessions 1
configuration distribution to network 1
creating 1
creating feature groups 1
discarding distribution sessions 1
distributing configurations 1
enabling configuration distribution 1
example configuration 1
licensing 1
router ACLs 1
definition 1
RSA key pairs
deleting from an Cisco NX-OS device 1
exporting 1
generating for PKI 1
importing 1
RSA key-pairs
description 1
displaying configuration 1
exporting 1
importing 1
multiple 1
rules
adding to roles 1
rules. 1
See user role rules 1

S
SAP
configuring modes on interfaces 1
SAP keys
regenerating on interfaces 1
SCP server
configuring 1
default settings 1
secure MAC addresses
learning 1
security
port
MAC address learning 1
Security Association Protocol. 1
See SAP 1
security group access lists 1
See SGACLs 1
security group tag 1
See SGT 1
server groups. 1
See AAA server groups 1
SFTP server
configuring 1
default settings 1
SGACL policies
clearing 1
displaying downloaded policies 1
manually configuring 1
SGACL policy enforcement
enabling on VLANs 1
enabling on VRFs 1
SGACLs
configuring 1
description 1
example manual configuration 1
example SGT mapping configuration 1 2 3
SGACLs policies
acquisition 1
refreshing downloaded policies 1
SGT Exchange Protocol 1
See SXP 1
SGTs
description 1
example mapping configuration 1 2 3
manually configuring 1
manually configuring address-to-SGACL mapping 1 2
propagation with SXP 1
SNMPv3
specifying AAA parameters 1
specifying parameters for AAA servers 1
source interfaces
RADIUS server groups 1
TACACS+ server groups 1
SPTs
description 1
predefined tokens 1
SSH 1
configuring passwordless file copy 1
default settings 1
description 1
digital certificate support 1
example configuration 1
guidelines 1
licensing 1
limitations 1
prerequisites 1
specifying keys for user accounts 1
verifying configuration 1
virtualization support 1
SSH clients
support on NX-OS devices 1
SSH hosts
clearing on NX-OS devices 1
SSH keys
deleting from the NX-OS device 1
specifying in IETF SECSH format 1
specifying in OpenSSH format 1
SSH login attempts
configuring 1
SSH servers
clearing on NX-OS devices 1
disabling on NX-OS devices 1
key-pair support 1
support on NX-OS devices 1
SSH sessions
clearing 1
starting 1
starting from boot mode 1
statistics
for RBACL 1
status-query timers
description 1
superuser role. 1
See network-admin user role 1
SXP
changing reconcile periods 1
changing retry periods 1
configuration process 1
configuring default passwords 1
configuring default source IP addresses 1
configuring manually 1
configuring peer connections 1
enabling 1
SGT propagation 1
SXP connections
example manual configuration 1
system posture tokens. 1
See SPTs 1

T
TACACS+
advantages over RADIUS 1
allowing users to specify server name at login 1
clearing active distribution sessions 1
committing configuration changes to the network 1
configuration distribution 1
configuration process 1
configuring 1
configuring global keys 1
configuring global timeout interval 1
configuring TCP ports 1
configuring the dead-time interval 1
default settings 1
description 1 2
disabling 1
discarding distribution sessions 1
enabling configuration distribution 1
enabling feature 1
example configurations 1
guidelines 1
keys 1
licensing requirements 1
limitations 1
prerequisites 1
user login operation 1
verifying command authorization 1
verifying configuration 1
virtualization 1
VSAs 1
TACACS+ command authorization
configuring 1
description 1
testing 1
TACACS+ groups
configuring 1
manually monitoring 1
TACACS+ server groups
example configuration 1
global source interfaces 1
TACACS+ servers
configuring 1
configuring global periodic monitoring 1
configuring keys 1
configuring periodic monitoring 1
configuring timeout intervals 1
example configuration 1
manually monitoring 1
monitoring 1 2
TACACS+ statistics
clearing 1
TCP ports
configuring for LDAP 1
configuring for TACACS+ 1
Telnet 1
clearing sessions on NX-OS devices 1
default settings 1
description 1
enabling server on NX-OS devices 1
guidelines 1
licensing 1
limitations 1
prerequisites 1
starting sessions to remote devices 1
verifying configuration 1
virtualization support 1
Telnet servers
support on NX-OS devices 1
time range
description 1
time ranges
absolute 1
configuring 1 2
description 1
periodic 1
verifying configuration 1
traffic storm control
default settings 1
description 1 2
example configuration 1
guidelines 1
licensing 1
limitations 1
monitoring counters 1
verifying configuration 1
virtualization support 1
trust points
description 1
multiple 1
saving configuration across reboots 1
type-6 encrypted passwords
converting back to their original states 1 2
converting existing passwords to 1 2
deleting 1 2

U
Unicast RPF
BGP attributes 1
BOOTP and 1
default settings 1
deploying 1
description 1 2
DHCP and 1
example configurations 1
FIB 1
guidelines 1
implementation 1
licensing 1
limitations 1
loose mode 1
statistics 1
strict mode 1
tunneling and 1
verifying configuration 1
virtualization support 1
unicast storms. 1
See traffic storm control 1
user accounts
configuring 1
default settings 1
description 1
example configuration 1
guidelines 1
licensing 1
password characteristics 1
verifying configuration 1
virtualization support 1
user accounts limitations 1
user logins
authentication process 1
authorization process 1
user role rules
description 1
user roles
configuring 1
defaults 1
description 1
guidelines 1
limitations 1
specifying on AAA servers 1 2
verifying configuration 1
virtualization support 1

V
VACLs
default settings 1
description 1
guidelines 1
interoperating with NAC LPIP 1
limitations 1
vdc-admin user role
description 1
vdc-operator user role
description 1
vendor-specific attributes. 1
See VSAs 1
virtualization
802.1X 1
AAA 1
Cisco TrustSec 1
CoPP 1
DAI 1
DHCP 1
LDAP 1
NAC 1
password encryption 1
RADIUS 1
rate limits 1
TACACS+ 1
traffic storm control 1
user accounts 1
user roles 1
virtualization support 1
PKI 1
virutalization
IP Source Guard 1
VLAN ACLs
definition 1
description 1
information about 1
VLAN policies
changing for roles 1
vPCs
and DHCP snooping 1
VRF policies
changing in roles 1
VSAs
format 1
protocol options 1 2 3 4
support description 1
VTY access class
enabling using CoPP 1
VTY ACL
creating 1
VTY ACLs
definition 1

W
whole ACL capture session
applying to an interface 1

	Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x
	Index
Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x Preface New and Changed Information Overview Configuring FIPS Configuring AAA Configuring RADIUS Configuring TACACS+ Configuring LDAP Configuring SSH and Telnet Configuring PKI Configuring User Accounts and RBAC Configuring 802.1X Configuring NAC Configuring Cisco TrustSec Configuring IP ACLs Configuring MAC ACLs Configuring VLAN ACLs Configuring Port Security Configuring DHCP Configuring Dynamic ARP Inspection Configuring IP Source Guard Configuring Password Encryption Configuring Keychain Management Configuring Traffic Storm Control Configuring Unicast RPF Configuring Control Plane Policing Configuring Rate Limits Index	Download the complete book Cisco Nexus 7000 Series NX-OS Security Configuration Guide, Release 6.x (PDF - 11 MB) Feedback Contents 8 - A - B - C - D - E - F - G - H - I - K - L - M - N - O - P - R - S - T - U - V - W - Index 8 802.1X authenticator PAEs 1 configuration process 1 configuring 1 configuring AAA accounting methods 1 configuring AAA authentication methods 1 configuring on member ports 1 controlling on interfaces 1 default settings 1 description 1 2 disabling authentication 1 disabling feature 1 enabling feature 1 enabling global periodic reauthentication 1 enabling MAC authentication bypass 1 enabling mulitple hosts mode 1 enabling periodic reauthentication on interfaces 1 enabling single host mode 1 example configuration 1 guidelines 1 interoperating with NAC LPIP 1 licensing requirements 1 limitations 1 MAC authenication bypass 1 monitoring 1 multiple host support 1 prerequisites 1 resetting global settings to default values 1 resetting interface settings to default values 1 setting global maximum retransmission retry count 1 setting interface maximum retransmission retry count 1 single host support 1 supported topologies 1 verifying configuration 1 virtualization support 1 802.1X authentication authorization states for ports 1 changing global timers 1 changing timers on interfaces 1 enabling RADIUS accounting 1 initiation 1 manually initializing 1 802.1X reauthentication setting maximum retry count on interfaces 1 802.1X supplicants manually reauthenticating 1 A AAA accounting 1 authentication 1 authorization 1 benefits 1 configuring 1 configuring authentication methods for 802.1X 1 configuring console login authentication 1 configuring default login authentication 1 configuring for Cisco TrustSec 1 configuring nonseed device for Cisco TrustSec 1 configuring seed device for Cisco TrustSec 1 default settings 1 description 1 2 disabling fallback to local authentication 1 enabling CHAP authentication 1 enabling MSCHAP authentication 1 enabling MSCHAP V2 authentication 1 example configurations 1 guidelines 1 licensing requirements 1 limitations 1 monitoring LDAP servers 1 monitoring TACACS+ servers 1 prerequisites 1 Process for configuring 1 user login process 1 verifying configurations 1 virtualization support 1 AAA accounting clearing logs 1 configuring default methods 1 configuring methods for 802.1X 1 monitoring logs 1 AAA authentication enabling default user roles 1 enabling login authentication failure messages 1 enabling methods for EAPoDUP 1 AAA authorization configuring on LDAP servers 1 configuring on TACACS+ servers 1 AAA protocols RADIUS 1 TACACS+ 1 AAA server groups description 1 AAA servers FreeRADIUS VSA format 1 specifying SNMPv3 parameters 1 2 specifying user roles 1 specifying user roles in VSAs 1 AAA services configuration options 1 remote 1 security 1 AAA timers description 1 access control lists 1 description 1 order of application 1 See also ARP ACLs 1 See also IP ACLs 1 See also MAC ACLs 1 See also policy-based ACLs 1 See also port ACLs 1 See also router ACLs 1 See also VLAN ACLs 1 types of 1 accounting description 1 VDC support 1 ACL capture disabling 1 enabling 1 ACL capture session configuring 1 ACL with capture session ACEs applying to an interface 1 ACLs VLAN 1 ACS servers configuring one-time passwords 1 AES password encryption feature description 1 2 enabling 1 2 3 application posture tokens. 1 See APTs 1 APTs description 1 predefinded tokens 1 ARP ACLs description 1 priority of ARP ACLs and DHCP snooping entries 1 ARP inspection 1 See dynamic ARP inspection 1 audit servers description 1 authentication 802.1X 1 Cisco TrustSec 1 configuring for Cisco TrustSec 1 description 1 methods 1 user logins 1 authentication servers description 1 authentication, authorization, and accounting 1 See AAA 1 authenticator PAEs creating on an interface 1 description 1 removing from an interface 1 authorization description 1 user logins 1 verifying commands 1 B BGP using with Unicast RPF 1 broadcast storms. 1 See traffic storm control 1 C CA trust points creating associations for PKI 1 CAs authenticating 1 configuring 1 deleting certificates 1 description 1 displaying configuration 1 enrollment using cut-and-paste 1 example configuration 1 example of downloading certificate 1 generating identity certificate requests 1 identity 1 installing identity certificates 1 multiple 1 multiple trust points 1 peer certificates 1 purpose 1 cert-store configuring for certificate authentication 1 certificate authorities. 1 See CAs 1 certificate mapping filters configuring 1 certificate revocation checking configuring methods 1 certificate revocation lists 1 See CRLs 1 certificates example of revoking 1 CFS enabling RADIUS distribution 1 RADIUS 1 TACACS+ support 1 Challenge Handshake Authentication Protocol 1 changed information description 1 CHAP enabling authentication 1 Cisco vendor ID 1 2 Cisco Fabric Services. 1 See CFS 1 Cisco TrustSec architecture 1 authorization 1 configuring 1 configuring AAA on nonseed device 1 configuring AAA on seed device 1 configuring device credentials 1 configuring pause frame encryption and decryption on interfaces 1 default values 1 description 1 2 enabling 1 enabling (example) 1 environment data download 1 example configurations 1 guidelines 1 IEEE 802.1AE support 1 licensing 1 limitations 1 manually configuring SXP 1 policy acquisition 1 prerequisites 1 RADIUS relay 1 SGACLs 1 2 SGTs 1 verifying configuration 1 virtualization support 1 Cisco TrustSec authentication 802.1X role selection description 1 configuration process 1 configuring 1 2 configuring in manual mode 1 description 1 2 EAP-FAST enhancements 1 manual mode configuration examples 1 summary 1 Cisco TrustSec authorization 1 configuration process 1 configuring 1 Cisco TrustSec device credentials description 1 Cisco TrustSec device identities description 1 Cisco TrustSec environment data download 1 Cisco TrustSec policies example enforcement configuration 1 2 3 Cisco TrustSec seed devices description 1 2 example configuration 1 Cisco TrustSec user credentials description 1 cisco-av-pair specifying AAA user parameters 1 2 class maps configuring for CoPP 1 clearing statistics CoPP 1 clientless endpoint devices allowing 1 command authorization 1 See TACACS+ command authorization 1 command verification example configuration 1 commands disabing authorization verification 1 enabing authorization verification 1 configuration status CoPP 1 console login configuring AAA authentication 1 control plane class maps example configurations 1 verifying the configuration 1 control plane policy maps example configurations 1 verifying the configuration 1 control plane protection CoPP 1 packet types 1 control plane protection, classification 1 control plane protection, CoPP rate controlling mechanisms 1 CoPP 1 changing or reapplying the default policy 1 clearing statistics 1 configuration status 1 configuring 1 configuring class maps 1 configuring policy maps 1 control plane protection 1 control plane protection, classification 1 copying the best practice policy 1 default policies 1 default settings 1 description 1 example configurations 1 2 feature history 1 guidelines 1 information about 1 licensing 1 limitations 1 monitoring 1 MQC 1 restrictions for management interfaces 1 using to enable a VTY access class 1 verifying the configuration 1 virtualization support 1 CoPP policy maps configuring 1 CRLs configuring 1 description 1 downloading 1 generating 1 importing example 1 publishing 1 CTS 1 See Cisco TrustSec 1 D DAI default settings 1 description 1 guidelines 1 interoperating with NAC LPIP 1 limitations 1 deafult settings port security 1 default setting traffic storm control 1 default settings 802.1X 1 AAA 1 CoPP 1 DAI 1 DHCP 1 FIPS 1 IP ACLs 1 IP Source Guard 1 keychain management 1 LDAP 1 MAC ACLs 1 NAC 1 password encryption 1 PKI 1 RADIUS 1 rate limits 1 RBAC 1 SCP server 1 SFTP server 1 SSH 1 TACACS+ 1 Telnet 1 user accounts 1 VACLs 1 denial-of-service attacks IP address spoofing, mitigating 1 deny ACE support configuring 1 device roles description for 802.1X 1 DHCP default settings 1 description 1 enabling or disabling 1 guidelines 1 limitations 1 verifying configuration 1 virtualization support 1 DHCP binding database 1 See DHCP snooping binding database 1 DHCP Option 82 description 1 2 DHCP relay agent enabling or disabling 1 enabling or disabling Option 82 1 enabling or disabling subnet broadcast support on a Layer 3 Interface 1 enabling or disabling VRF support 1 message exchange process 1 Option 82 1 VRF support 1 DHCP server addresses configuring 1 DHCP smart relay enabling or disabling globally 1 enabling or disabling on a Layer 3 interface 1 DHCP smart relay agent description 1 DHCP snooping binding database 1 description 1 enabling or disabling globally 1 enabling or disabling on a VLAN 1 example configurations 1 in a vPC environment 1 interoperating with NAC LPIP 1 message exchange process 1 Option 82 1 overview 1 DHCP snooping binding database 1 described 1 description 1 entries 1 See DHCP snooping binding database 1 DHCP snooping binding entries synchronizing 1 digital certificates configuring 1 description 1 2 exporting 1 importing 1 peers 1 purpose 1 DoS attacks Unicast RPF, deploying 1 dynamic ARP inspection ARP cache poisoning 1 ARP requests 1 ARP spoofing attack 1 description 1 DHCP snooping binding database 1 function of 1 interface trust states 1 logging of dropped packets 1 network security issues and interface trust states 1 priority of ARP ACLs and DHCP snooping entries 1 Dynamic Host Configuration Protocol 1 See DHCP 1 E EAP relaying NAC messages 1 EAP over UDP. 1 See EAPoUDP 1 EAPoUDP changing global EAPoUDP maximum retry values 1 changing maximum retry values for interfaces 1 changing UDP ports 1 clearing sessions 1 description 1 disabling 1 encapsulation for NAC 1 manually initializing sessions 1 resetting global values to defaults 1 resetting interface values to defaults 1 EAPoUDP timers changing globally 1 configuring interfaces 1 EAPoUPD enabling 1 enabling default AAA authentication methods 1 enabling logging 1 endpoint devices description 1 examples AAA configurations 1 DHCP snooping configurations 1 password encryption configurations 1 SSH configurations 1 Extensible Authentication Protocol. 1 See EAP 1 F feature groups creating for roles 1 feature history CoPP 1 Federal Information Processing Standards. 1 See FIPS 1 FIPS configuration example 1 default settings 1 description 1 disabling 1 enabling 1 guidelines 1 limitations 1 RADIUS keywrap 1 self-tests 1 FreeRADIUS VSA format for role attributes 1 2 G Galois/Counter Mode. 1 See GCM 1 GCM Cisco TrustSec SAP encryption 1 GCM authentication. 1 See GMAC 1 GMAC Cisco TrustSec SAP authentication 1 guidelines CoPP 1 DAI 1 DHCP 1 IP ACLs 1 keychain management 1 LDAP 1 MAC ACLs 1 port security 1 RADIUS 1 TACACS+ 1 traffic storm control 1 VACLs 1 H hold timers description 1 hostnames configuring for PKI 1 I identity certificates deleting for PKI 1 generating requests 1 installing 1 identity policies configuring 1 description 1 identity profile entries configuring 1 identity profiles description 1 IDs Cisco vendor ID 1 2 interface configuring as trusted or untrusted 1 interface policies changing in roles 1 IP ACLs applying as a Router ACL 1 configuring 1 default settings 1 description 1 2 guidelines 1 licensing 1 limitations 1 prerequisites 1 verifying configuration 1 virtualization support 1 IP device tracking clearing information 1 configuring 1 description 1 IP devices configuring tracking for NAC 1 IP domain names configuring for PKI 1 IP Source Guard default settings 1 description 1 2 3 K key chain end-time 1 lifetime 1 start-time 1 keychain management default settings 1 description 1 2 guidelines 1 limitations 1 keys TACACS+ 1 L LAN port IP validation. 1 See LPIP 1 LDAP authentication 1 authorization 1 configuration process 1 configuring 1 configuring global timeout intervals 1 configuring TCP ports 1 configuring the dead-time interval 1 configuring the global server port 1 default settings 1 description 1 2 disabling 1 enabling feature 1 example configurations 1 guidelines 1 licensing requirements 1 limitations 1 prerequisites 1 search maps 1 user login operation 1 verifying configuration 1 virtualization 1 VSAs 1 LDAP groups configuring 1 LDAP search maps configuring 1 LDAP server groups example configuration 1 LDAP servers configuring 1 configuring periodic monitoring 1 configuring the rootDN 1 configuring timeout intervals 1 example configuration 1 monitoring 1 2 verifying configuration 1 LDAP statistics clearing 1 licensing 802.1X 1 AAA 1 Cisco TrustSec 1 CoPP 1 IP ACLs 1 LDAP 1 NAC 1 password encryption 1 PKI 1 RADIUS 1 rate limits 1 roles 1 SSH 1 TACACS+ 1 Telnet 1 traffic storm control 1 Unicast RPF 1 user accounts 1 limitations CoPP 1 DAI 1 DHCP 1 IP ACLs 1 keychain management 1 LDAP 1 MAC ACLs 1 port security 1 TACACS+ 1 traffic storm control 1 VACLs 1 limitiations RADIUS 1 local authentication disabling fallback to 1 logging enabling EAPoUDP 1 login configuring default AAA authentication 1 login authentication failure messages enabling or disabling 1 LPIP admission triggers 1 description 1 EAPoUDP 1 exception lists 1 interoperation with other NX-OS security features 1 limitations 1 2 policy enforcement using ACLs 1 posture validation 1 posture validation methods 1 M MAC ACLs default settings 1 description 1 2 guidelines 1 limitations 1 virtualization support 1 MAC addresses learning 1 MAC authentication bypass for 802.1X 1 enabling bypass in 802.1X 1 MAC packet classification configuring 1 description 1 management interfaces CoPP restrictions 1 master key configuring 1 2 3 description 1 2 Microsoft Challenge Handshake Authentication Protocol 1 See MSCHAP 1 Microsoft Challenge Handshake Authentication Protocol Version 2 1 See MSCHAP V2 1 monitoring CoPP 1 MQC CoPP 1 MSCHAP enabling authentication 1 MSCHAP V2 enabling authentication 1 multicast storms. 1 See traffic storm control 1 N NAC 1 2 configuration process 1 configuring 1 configuring IP device tracking 1 default settings 1 description 1 2 device roles 1 enabling on interfaces 1 example configuration 1 feature history 1 guidelines 1 impact of supervisor module switchovers 1 licensing 1 limitations 1 LPIP 1 prerequisites 1 See also IP device tracking 1 See also posture validation 1 timers 1 verifying configuration 1 virtualization support 1 NADs description 1 network access devices. 1 See NADs 1 network-admin user role description 1 network-operator user role description 1 new information description 1 nonrepsonsive hosts description 1 O object groups configuring 1 description 1 verifying 1 one-time passwords configuring 1 P PACLs applying to interfaces 1 interoperating with NAC LPIP 1 2 password encryption configuring 1 default settings 1 description 1 2 example configurations 1 guidelines 1 licensing requirements 1 limitations 1 verifying configurations 1 virtualization support 1 passwordless file copy configuring for SSH 1 passwords enabling strength checking 1 strong characteristics 1 PKI certificate revocation checking 1 configuring hostnames 1 configuring IP domain names 1 default settings 1 description 1 2 displaying configuration 1 enrollment support 1 example configuration 1 generating RSA key pairs 1 guidelines 1 licensing 1 limitations 1 SSH support 1 virtualization support 1 policing policies default class maps 1 dense default policy 1 description 1 lenient default policy 1 moderate default policy 1 strict default policy 1 policy-based ACLs description 1 verifying object groups 1 port ACLs definition 1 port security default settings 1 description 1 2 guidelines 1 interoperating with NAC LPIP 1 limitations 1 MAC address learning 1 MAC move 1 violations 1 ports authorization states for 802.1X 1 posture validation configuring automatic for interfaces 1 configuring global automatic 1 description 1 methods 1 posture validation servers description 1 preventing CoPP overflow by splitting ICMP pings and ARP requests example configuration 1 privilege level support for TACACS+ authorization configuring 1 privilege roles permitting or denying commands for 1 R RADIUS CFS support 1 clearing distribution sessions 1 committing configuration for distribution 1 configuring authentication attributes 1 configuring dead-time intervals 1 configuring global keys 1 configuring global transmission retry 1 configuring global transmission timeout interval 1 configuring servers 1 default settings 1 description 1 2 discarding temporary configuration changes 1 enabling configuration distribution 1 example configurations 1 guidelines 1 keywrap 1 licensing 1 limitations 1 network environments 1 operation 1 prerequisites 1 process for configuring 1 relay for Cisco TrustSec 1 verifying configuration 1 virtualization support 1 VSAs 1 RADIUS accounting enabling for 802.1X authentication 1 RADIUS groups example configurations 1 manually monitoring 1 RADIUS server groups configuring 1 global source interfaces 1 RADIUS servers allowing users to specify at login 1 configuring 1 configuring accounting attributes 1 configuring global periodic monitoring 1 configuring keys 1 configuring periodic monitoring 1 configuring transmission retry counts 1 configuring transmission timeout intervals 1 example configurations 1 manually monitoring 1 monitoring 1 2 verifying configuration 1 RADIUS statistics clearing 1 rate controlling mechanisms control plane protection, CoPP 1 rate limits clearing statistics 1 configuration examples 1 configuring 1 default settings 1 description 1 2 guidelines 1 licensing 1 limitations 1 monitoring 1 verifying configuration 1 virtualization support 1 RBAC default settings 1 description 1 2 example configuration 1 verifying configuration 1 RBACL clearing statistics 1 displaying statistics 1 enabling statistics 1 RBACL logging enabling 1 retransmit timers description 1 revalidation timers description 1 role changing VRF policies 1 roles adding rules 1 changing VLAN policies 1 changiong interface policies 1 clearing distribution sessions 1 configuration distribution to network 1 creating 1 creating feature groups 1 discarding distribution sessions 1 distributing configurations 1 enabling configuration distribution 1 example configuration 1 licensing 1 router ACLs 1 definition 1 RSA key pairs deleting from an Cisco NX-OS device 1 exporting 1 generating for PKI 1 importing 1 RSA key-pairs description 1 displaying configuration 1 exporting 1 importing 1 multiple 1 rules adding to roles 1 rules. 1 See user role rules 1 S SAP configuring modes on interfaces 1 SAP keys regenerating on interfaces 1 SCP server configuring 1 default settings 1 secure MAC addresses learning 1 security port MAC address learning 1 Security Association Protocol. 1 See SAP 1 security group access lists 1 See SGACLs 1 security group tag 1 See SGT 1 server groups. 1 See AAA server groups 1 SFTP server configuring 1 default settings 1 SGACL policies clearing 1 displaying downloaded policies 1 manually configuring 1 SGACL policy enforcement enabling on VLANs 1 enabling on VRFs 1 SGACLs configuring 1 description 1 example manual configuration 1 example SGT mapping configuration 1 2 3 SGACLs policies acquisition 1 refreshing downloaded policies 1 SGT Exchange Protocol 1 See SXP 1 SGTs description 1 example mapping configuration 1 2 3 manually configuring 1 manually configuring address-to-SGACL mapping 1 2 propagation with SXP 1 SNMPv3 specifying AAA parameters 1 specifying parameters for AAA servers 1 source interfaces RADIUS server groups 1 TACACS+ server groups 1 SPTs description 1 predefined tokens 1 SSH 1 configuring passwordless file copy 1 default settings 1 description 1 digital certificate support 1 example configuration 1 guidelines 1 licensing 1 limitations 1 prerequisites 1 specifying keys for user accounts 1 verifying configuration 1 virtualization support 1 SSH clients support on NX-OS devices 1 SSH hosts clearing on NX-OS devices 1 SSH keys deleting from the NX-OS device 1 specifying in IETF SECSH format 1 specifying in OpenSSH format 1 SSH login attempts configuring 1 SSH servers clearing on NX-OS devices 1 disabling on NX-OS devices 1 key-pair support 1 support on NX-OS devices 1 SSH sessions clearing 1 starting 1 starting from boot mode 1 statistics for RBACL 1 status-query timers description 1 superuser role. 1 See network-admin user role 1 SXP changing reconcile periods 1 changing retry periods 1 configuration process 1 configuring default passwords 1 configuring default source IP addresses 1 configuring manually 1 configuring peer connections 1 enabling 1 SGT propagation 1 SXP connections example manual configuration 1 system posture tokens. 1 See SPTs 1 T TACACS+ advantages over RADIUS 1 allowing users to specify server name at login 1 clearing active distribution sessions 1 committing configuration changes to the network 1 configuration distribution 1 configuration process 1 configuring 1 configuring global keys 1 configuring global timeout interval 1 configuring TCP ports 1 configuring the dead-time interval 1 default settings 1 description 1 2 disabling 1 discarding distribution sessions 1 enabling configuration distribution 1 enabling feature 1 example configurations 1 guidelines 1 keys 1 licensing requirements 1 limitations 1 prerequisites 1 user login operation 1 verifying command authorization 1 verifying configuration 1 virtualization 1 VSAs 1 TACACS+ command authorization configuring 1 description 1 testing 1 TACACS+ groups configuring 1 manually monitoring 1 TACACS+ server groups example configuration 1 global source interfaces 1 TACACS+ servers configuring 1 configuring global periodic monitoring 1 configuring keys 1 configuring periodic monitoring 1 configuring timeout intervals 1 example configuration 1 manually monitoring 1 monitoring 1 2 TACACS+ statistics clearing 1 TCP ports configuring for LDAP 1 configuring for TACACS+ 1 Telnet 1 clearing sessions on NX-OS devices 1 default settings 1 description 1 enabling server on NX-OS devices 1 guidelines 1 licensing 1 limitations 1 prerequisites 1 starting sessions to remote devices 1 verifying configuration 1 virtualization support 1 Telnet servers support on NX-OS devices 1 time range description 1 time ranges absolute 1 configuring 1 2 description 1 periodic 1 verifying configuration 1 traffic storm control default settings 1 description 1 2 example configuration 1 guidelines 1 licensing 1 limitations 1 monitoring counters 1 verifying configuration 1 virtualization support 1 trust points description 1 multiple 1 saving configuration across reboots 1 type-6 encrypted passwords converting back to their original states 1 2 converting existing passwords to 1 2 deleting 1 2 U Unicast RPF BGP attributes 1 BOOTP and 1 default settings 1 deploying 1 description 1 2 DHCP and 1 example configurations 1 FIB 1 guidelines 1 implementation 1 licensing 1 limitations 1 loose mode 1 statistics 1 strict mode 1 tunneling and 1 verifying configuration 1 virtualization support 1 unicast storms. 1 See traffic storm control 1 user accounts configuring 1 default settings 1 description 1 example configuration 1 guidelines 1 licensing 1 password characteristics 1 verifying configuration 1 virtualization support 1 user accounts limitations 1 user logins authentication process 1 authorization process 1 user role rules description 1 user roles configuring 1 defaults 1 description 1 guidelines 1 limitations 1 specifying on AAA servers 1 2 verifying configuration 1 virtualization support 1 V VACLs default settings 1 description 1 guidelines 1 interoperating with NAC LPIP 1 limitations 1 vdc-admin user role description 1 vdc-operator user role description 1 vendor-specific attributes. 1 See VSAs 1 virtualization 802.1X 1 AAA 1 Cisco TrustSec 1 CoPP 1 DAI 1 DHCP 1 LDAP 1 NAC 1 password encryption 1 RADIUS 1 rate limits 1 TACACS+ 1 traffic storm control 1 user accounts 1 user roles 1 virtualization support 1 PKI 1 virutalization IP Source Guard 1 VLAN ACLs definition 1 description 1 information about 1 VLAN policies changing for roles 1 vPCs and DHCP snooping 1 VRF policies changing in roles 1 VSAs format 1 protocol options 1 2 3 4 support description 1 VTY access class enabling using CoPP 1 VTY ACL creating 1 VTY ACLs definition 1 W whole ACL capture session applying to an interface 1
	Terms & Conditions \| Privacy Statement \| Cookie Policy \| Trademarks