Cisco Nexus 3000 Series NX-OS Security Command Reference

Priortize PACL over SUP TCAM for DHCP

This feature was introduced.

Added the hardware profile pacl priority toggle command.

6.0(2)U6(7)

hardware profile pacl priority toggle

Telnet

The error message displayed when the telnet service is not detected has changed from “telnet service not enabled” to “Telnet service is disabled.”

7.0(3)I2(1)

show telnet server

TCAM

The output has changed.

7.0(3)|2(1)

show hardware profile tcam region

TCAM

This command is being deprecated in the 7.0(3)|2(1) release.

7.0(3)|2(1)

show platform afm info tcam

Consistency Checker

Command to trigger consistency checkers on RACLS added.

6.0(2)U2(1)

show consistency-checker racl module

ACL Logging

This feature allows you to monitor flows that affect specific access control lists (ACLs)

6.0(2)U2(1)

clear logging ip access-list cache

logging level acllog

show logging ip access-list cache

show logging ip access-list status

show logging level acllog

show running-config acllog

show startup-config acllog

IPv6 DHCP Relay Agent

You can enable the IPv6 DHCP Relay Agent and view its configuration by using these command.

6.0(2)U1(2)

ipv6 dhcp relay

ipv6 dhcp relay source-interface

show ipv6 dhcp relay

clear ipv6 dhcp relay statistics

AAA accounting log

You can enable logging of all commands (including show comands). The show accounting log command includes show commands in the command output.

5.0(3)U5(1e)

terminal log-all

show accounting log

Syslog Thresholds for System Resources

This feature was introduced.

5.0(3)U3(2)

hardware profile tcam syslog-threshold

DHCP Relay

Added support for Option 82 information to be in encoded string format.

5.0(3)U3(2)

ip dhcp relay information option

IPv6 Support

This feature was introduced.

Updated the hardware profile tcam region command.

5.0(3)U3(1)

hardware profile tcam region

ipv6 access-list

ipv6 address

ipv6 dhcp relay source-interface

ipv6 verify unicast source reachable-via

Address Resolution Protocol (ARP) ACLs for Control plane policing (CoPP)

The following commands were added to include support for CoPP ACLs:

• arp access-lists
• deny (ARP)
• permit (ARP)
• show arp access-lists

5.0(3)U2(2)

arp access-list

deny (ARP)

permit (ARP)

show arp access-lists

Access Control List (ACL) ternary content addressable memory (TCAM) regions

The following commands were introduced to to change the size of ACL ternary content addressable memory (TCAM) regions:

• hardware profile tcam region
• show hardware profile tcam region

5.0(3)U2(1)

hardware profile tcam region

show consistency-checker racl module

Address Resolution Protocol (ARP) ACLs for Control plane policing (CoPP)

The following commands were updated to include support for CoPP ACLs:

• deny (IPv4)
• permit (IPv4)

5.0(3)U2(1)

deny (IPv4)

permit (IPv4)

Access control list (ACL)

This feature was introduced.

You can configure ACLs for incoming or outgoing traffic, IPv4 and MAC access lists, or VLAN ACLs.

5.0(3)U1(1)

action

clear access-list counters

deny (IPv4)

ip access-group

ip access-list

ip port access-group

mac port access-group

match

permit (IPv4)

permit interface

permit vlan

remark

resequence

vlan access-map

vlan filter

show access-lists

show ip access-lists

show running-config acllog

show startup-config aclmgr

show vlan access-list

show vlan access-map

show vlan filter

ACLs on VTY

This feature was introduced.

You can configure an access class to restrict incoming or outgoing traffic on a virtual terminal line (VTY).

5.0(3)U1(1)

access-class

ip access-class

Dynamic Host Configuration Protocol (DHCP) Snooping

This feature was introduced.

You can configure DHCP snooping on switches and VLANs.

5.0(3)U1(1)

clear ip dhcp snooping binding

clear ip dhcp snooping statistics

feature dhcp

ip dhcp packet strict-validation

ip dhcp relay information option

ip dhcp snooping information option

ip dhcp snooping trust

ip dhcp snooping verify mac-address

ip dhcp snooping vlan

ip source binding

show ip dhcp snooping

show ip dhcp snooping binding

show ip dhcp snooping statistics

show running-config dhcp

show startup-config dhcp

Dynamic ARP Inspection (DAI)

This feature was introduced.

You can configure dynamic Address Resolution Protocol (ARP) inspection (DAI) on a Cisco NX-OS switch.

5.0(3)U1(1)

clear ip arp

clear ip arp inspection log

clear ip arp inspection statistics vlan

ip arp event-history errors

ip arp inspection log-buffer

ip arp inspection validate

ip arp inspection vlan

ip arp inspection trust

show ip arp

show ip arp inspection

show ip arp inspection interfaces

show ip arp inspection log

show ip arp inspection statistics

show ip arp inspection vlan

show running-config arp

show startup-config arp

Remote Authentication Dial-In User Service (RADIUS)

This feature was introduced.

You can configure RADIUS server parameters, the shared secret key, and the number of retransmissions to RADIUS servers.

5.0(3)U1(1)

aaa group server radius

deadtime

radius-server deadtime

radius-server directed-request

radius-server host

radius-server key

radius-server retransmit

radius-server timeout

server

show aaa groups

show radius-server

show running-config radius

Secure Shell (SSH)

This feature was introduced.

You can configure a SSH session using IPv4 or IPv6, or create a SSH server key.

5.0(3)U1(1)

ssh6

ssh

ssh key

ssh server enable

show running-config security

show ssh key

show ssh server

show startup-config security

Telnet

This feature was introduced.

You can configure an IPv4 or IPv6 Telnet session and enable a Telnet server.

5.0(3)U1(1)

telnet6

telnet

telnet server enable

show telnet server

Terminal Access Controller Access-Control System Plus (TACACS+)

This feature was introduced.

You can configure the TACACS+ server parameters, enable a secret password for a privilege level, and create user accounts.

5.0(3)U1(1)

deadtime

enable

enable secret

feature privilege

feature tacacs+

server

tacacs-server deadtime

tacacs-server directed-request

tacacs-server host

tacacs-server key

tacacs-server timeout

username

show privilege

show tacacs-server

show user-account

show users

Authentication, authorization, and accounting (AAA)

This feature was introduced.

You can configure AAA authentication methods, authorization methods, accounting methods, Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) authentication, or RADIUS server groups.

5.0(3)U1(1)

aaa accounting default

aaa authentication login default

aaa authentication login error-enable

aaa authentication login mschap enable

aaa authorization commands default

aaa authorization config-commands default

aaa group server radius

aaa user default-role

show aaa accounting

show aaa authentication

show aaa authorization

show aaa groups

show aaa user

show access-lists

show accounting log

show running-config aaa

show startup-config aaa

User roles

This feature was introduced.

You can create user roles or user role feature groups.

5.0(3)U1(1)

description (user role)

feature (user role feature group)

hardware profile tcam syslog-threshold

permit vsan

role feature-group name

role name

rule

vlan policy deny

vsan policy deny

show role

show role feature

show role feature-group

show user-account

show users

Virtual forwarding and routing (VRF)

This feature was introduced.

You can configure VRF, VRF-lite features, and the IP features for a VRF.

5.0(3)U1(1)

permit vrf

vrf policy deny

use-vrf

System Management

This feature was introduced.

5.0(3)U1(1)

show logging ip access-list cache

Unicast Routing

This feature was introduced.

5.0(3)U1(1)

ip verify unicast source reachable-via