R Commands
This chapter describes the Cisco NX-OS security commands that begin with R.
radius-server deadtime
To configure the dead-time interval for all RADIUS servers on a Cisco Nexus 5000 Series switch, use the radius-server deadtime command. To revert to the default, use the no form of this command.
radius-server deadtime minutes
no radius-server deadtime minutes
Syntax Description
Number of minutes for the dead-time interval. The range is from 1 to 1440 minutes. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The dead-time interval is the number of minutes before the switch checks a RADIUS server that was previously unresponsive.
Note When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure the global dead-time interval for all RADIUS servers to perform periodic monitoring:
This example shows how to revert to the default for the global dead-time interval for all RADIUS servers and disable periodic server monitoring:
Related Commands
|
|
---|---|
radius-server directed-request
To allow users to send authentication requests to a specific RADIUS server when logging in, use the radius-server directed request command. To revert to the default, use the no form of this command.
radius-server directed-request
no radius-server directed-request
Syntax Description
Command Default
Sends the authentication request to the configured RADIUS server group.
Command Modes
Command History
|
|
Usage Guidelines
You can specify the username @ vrfname : hostname during login, where vrfname is the VRF to use and hostname is the name of a configured RADIUS server. The username is sent to the RADIUS server for authentication.
Examples
This example shows how to allow users to send authentication requests to a specific RADIUS server when logging in:
This example shows how to disallow users to send authentication requests to a specific RADIUS server when logging in:
Related Commands
|
|
---|---|
radius-server host
To configure RADIUS server parameters, use the radius-server host command. To revert to the default, use the no form of this command.
radius-server host { hostname | ipv4-address | ipv6-address }
[ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ]
[ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ]
[ test { idle-time time | password password | username name }]
[ timeout seconds [ retransmit count ]]
no radius-server host { hostname | ipv4-address | ipv6-address }
[ key [ 0 | 7 ] shared-secret [ pac ]] [ accounting ]
[ acct-port port-number ] [ auth-port port-number ] [ authentication ] [ retransmit count ]
[ test { idle-time time | password password | username name }]
[ timeout seconds [ retransmit count ]]
Syntax Description
Command Default
Accounting port: 1813
Authentication port: 1812
Accounting: enabled
Authentication: enabled
Retransmission count: 1
Idle-time: 0
Server monitoring: disabled
Timeout: 5 seconds
Test username: test
Test password: test
Command Modes
Command History
|
|
Usage Guidelines
When the idle time interval is 0 minutes, periodic RADIUS server monitoring is not performed.
Examples
This example shows how to configure RADIUS server authentication and accounting parameters:
Related Commands
|
|
---|---|
radius-server key
To configure a RADIUS shared secret key, use the radius-server key command. To remove a configured shared secret, use the no form of this command.
radius-server key [ 0 | 7 ] shared-secret
no radius-server key [ 0 | 7 ] shared-secret
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You must configure the RADIUS preshared key to authenticate the switch to the RADIUS server. The length of the key is restricted to 65 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global key to be used for all RADIUS server configurations on the switch. You can override this global key assignment by using the key keyword in the radius-server host command.
Examples
This example shows how to provide various scenarios to configure RADIUS authentication:
Related Commands
|
|
---|---|
radius-server retransmit
To specify the number of times that the switch should try a request with a RADIUS server, use the radius-server retransmit command. To revert to the default, use the no form of this command.
radius-server retransmit count
no radius-server retransmit count
Syntax Description
Number of times that the switch tries to connect to a RADIUS server before reverting to local authentication. The range is from 1 to 5 times. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to configure the number of retransmissions to RADIUS servers:
This example shows how to revert to the default number of retransmissions to RADIUS servers:
Related Commands
|
|
---|---|
radius-server timeout
To specify the time between retransmissions to the RADIUS servers, use the radius-server timeout command. To revert to the default, use the no form of this command.
no radius-server timeout seconds
Syntax Description
Number of seconds between retransmissions to the RADIUS server. The range is from 1 to 60 seconds. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to configure the timeout interval:
This example shows how to revert to the default interval:
Related Commands
|
|
---|---|
range
To specify a range of ports as a group member in an IP port object group, use the range command. To remove a port range group member from port object group, use the no form of this command.
[ sequence-number ] range starting-port-number ending-port-number
no { sequence-number | range starting-port-number ending-port-number }
Syntax Description
Defaults
Command Modes
IP port object group configuration
Command History
|
|
Usage Guidelines
IP port object groups are not directional. Whether a range command matches a source or destination port or whether it applies to inbound or outbound traffic depends upon how you use the object group in an ACL.
Examples
This example shows how to configure an IP port object group named port-group-05 with a group member that matches traffic sent to or from port 137 through port 139:
Related Commands
remark
To enter a comment into an IPv4 or MAC access control list (ACL), use the remark command. To remove a remark command, use the no form of this command.
[ sequence-number ] remark remark
no { sequence-number | remark remark }
Syntax Description
Command Default
Command Modes
IPv4 ACL configuration mode
MAC ACL configuration mode
Command History
|
|
Usage Guidelines
The remark argument can be up to 100 characters. If you enter more than 100 characters for the remark argument, the switch accepts the first 100 characters and drops any additional characters.
Examples
This example shows how to create a remark in an IPv4 ACL and display the results:
Related Commands
|
|
---|---|
resequence
To reassign sequence numbers to all rules in an access control list (ACL) or a time range, use the resequence command.
resequence [ ip | ipv6 | mac ] access-list access-list-name starting-number increment
resequence time-range time-range-name starting-number increment
Syntax Description
Sequence number for the first rule in the ACL or time range. |
|
Number that the switch adds to each subsequent sequence number. |
Command Default
Command Modes
Command History
|
|
Usage Guidelines
The resequence command allows you to reassign sequence numbers to the rules of an ACL or time range. The new sequence number for the first rule is determined by the starting-number argument. Each additional rule receives a new sequence number determined by the increment argument. If the highest sequence number would exceed the maximum possible sequence number, then no sequencing occurs and the following message appears:
Examples
This example shows how to resequence an IPv4 ACL named ip-acl-01 with a starting sequence number of 100 and an increment of 10, using the show ip access-lists command to verify sequence numbering before and after the use of the resequence command:
Related Commands
|
|
---|---|
role feature-group name
To create or specify a user role feature group and enter user role feature group configuration mode, use the role feature-group name command. To delete a user role feature group, use the no form of this command.
role feature-group name group-name
no role feature-group name group-name
Syntax Description
User role feature group name. The group-name has a maximum length of 32 characters and is a case-sensitive, alphanumeric character string. |
Command Default
Command Modes
Command History
|
|
Examples
This example shows how to create a user role feature group and enter user role feature group configuration mode:
This example shows how to remove a user role feature group:
Related Commands
|
|
---|---|
Specifies or creates a user role feature group and enters user role feature group configuration mode. |
|
role name
To create or specify a user role and enter user role configuration mode, use the role name command. To delete a user role, use the no form of this command.
role name { role-name | default-role | privilege-role }
no role name { role-name | default-role | privilege-role }
Syntax Description
User role name. The role-name has a maximum length of 16 characters and is a case-sensitive, alphanumeric character string. |
|
Command Default
Command Modes
Command History
|
|
Usage Guidelines
A Cisco Nexus 5000 Series switch provides the following default user roles:
- Network Administrator—Complete read-and-write access to the entire switch
- Complete read access to the entire switch
You cannot change or remove the default user roles.
To view the privilege level roles, you must enable the cumulative privilege of roles for command authorization on TACACS+ servers using the feature privilege command. Privilege roles inherit the permissions of lower level privilege roles.
Examples
This example shows how to create a user role and enter user role configuration mode:
This example shows how to create a privilege 1 user role and enter user role configuration mode:
This example shows how to remove a user role:
Related Commands
|
|
---|---|
Enables cumulative privilege of roles for command authorization on TACACS+ servers. |
|
rollback running-config
To rollback a running configuration, use the rollback running-config command.
rollback running-config { checkpoint checkpoint-name | file { bootflash: | volatile: }[ // server ][ directory / ][ filename ] [ atomic ] [ verbose ]}
Syntax Description
Note There can be no spaces in the filesystem://server/directory/filename string. Individual elements of this string are separated by colons (:) and slashes (/).
Command Default
Command Modes
Command History
|
|
---|---|
Usage Guidelines
You can roll back to a checkpoint name or file. Before you roll back, you can view the differences between the source and destination checkpoints that reference the current or saved configurations using the show diff rollback-patch command.
A rollback to a specified checkpoint restores the active configuration of the system to the checkpointed configuration.
A rollback to files on bootflash is supported only on files that are created using the checkpoint checkpoint_name command and not on any other type of ASCII file.
Note If you make a configuration change during an atomic rollback, the rollback will fail. You must manually correct the error and then run the rollback command.
Examples
This example shows how to roll back the running configuration to a checkpoint, named chkpnt-1, in verbose mode:
This example shows how to roll back the running configuration to a checkpoint configuration file named chkpnt_configSep9-1.txt in the bootflash storage system:
Related Commands
rule
To configure rules for a user role, use the rule command. To delete a rule, use the no form of this command.
rule number { deny | permit } { command command-string | { read | read-write } [ feature feature-name | feature-group group-name ]}
Syntax Description
Command Default
Command Modes
Command History
|
|
Usage Guidelines
You can configure up to 256 rules for each role.
The rule number that you specify determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.
Deny rules cannot be added to any privilege roles, except the privilege 0 (priv-0) role.
Examples
This example shows how to add rules to a user role:
This example shows how to add rules to a user role with privilege 0:
This example shows how to remove a rule from a user role:
Related Commands
|
|
---|---|
Creates or specifies a user role name and enters user role configuration mode. |
|