Cisco Nexus 7000 Series Security Command Reference

sak-expiry-time

To set an expiry time for a forced Secure Association Key (SAK) rekey, use the sak-expiry-time command. To reset to the default expiry time, use the no form of this command.

sak-expiry-time time

no sak-expiry-time time

Syntax Description


`time`	Time, in seconds, to force a SAK rekey. The range is 1-2592000. The default is pn-exhaust.

Command Default

The default value is pn-exhaust.

Command Modes

MACsec policy configuration (config-macsec-policy)

Command History


Release	Modification
8.2(1)	This command was introduced.

Usage Guidelines

To use this command, you should enable the MKA feature first.

Examples

This example shows how to set the SAK expiry time:

switch# configure terminal
switch(config)# macsec policy p1
switch(config-macsec-policy)# sak-expiry-time 60

Related Commands


Command	Description
cipher suite	Configures the cipher suite for encrypting traffic with MACsec.
conf-offset	Configures the confidentiality offset for MKA encryption.
feature mka	Enables the MKA feature.
key	Creates a key or enters the configuration mode of an existing key.
key chain `keychain-name`	Creates a keychain or enters the configuration mode of an existing keychain.
key-octet-string	Configures the text for a MACsec key.
key-server-priority	Configures the preference for a device to serve as the key server for MKA encryption.
macsec keychain policy	Configures the MACsec keychain policy.
macsec policy	Configures the MACsec policy.
show key chain	Displays the configuration of the specified keychain.
show macsec mka	Displays the details of MKA.
show macsec policy	Displays all the MACsec policies in the system.
show run mka	Displays the status of MKA.

sap modelist

To configure the Cisco TrustSec Security Association Protocol (SAP) operation mode, use the sap modelist command. To revert to the default, use the no form of this command.

sap modelist {gcm-encrypt | gmac | no-encap | none}

no sap modelist {gcm-encrypt | gmac | no-encap | none}

Syntax Description


gcm-encrypt	Specifies Galois/Counter Mode (GCM) encryption and authentication mode.
gmac	Specifies GCM authentication mode.
no-encap	Specifies no encapsulation and no security group tag (SGT) insertion.
none	Specifies the encapsulation of the SGT without authentication or encryption.

Command Default

gcm-encrypt

Command Modes

Cisco TrustSec 802.1X configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

After using this command, you must enable and disable the interface using the shutdown /no shutdown command sequence for the configuration to take effect.

This command requires the Advanced Services license.

Examples

This example shows how to configure Cisco TrustSec SAP operation mode on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown

This example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown

Related Commands


Command	Description
cts dot1x	Enters Cisco TrustSec 802.1X configuration mode for an interface.
feature cts	Enables the Cisco TrustSec feature.
show cts interface	Displays the Cisco TrustSec configuration for interfaces.

sap pmk

To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap pmk command. To remove the SAP configuration, use the no form of this command.

sap pmk [key | [left-zero-padded] [display encrypt] | encrypted {encrypted_pmk | use-dot1x} [modelist {gcm-encrypt | gmac | no-encap | null}]]

no sap

Syntax Description


`key`	Key value. This is a hexadecimal string with an even number of characters. The maximum length is 32 characters.
left-zero-padded	(Optional) Pads zeros to the left of the entered string if the PMK length is less than 32 bytes.
display encrypt	(Optional) Specifies that the configured PMK be displayed in AES-encrypted format in the running configuration.
encrypted encrypted_pmk	Specifies an encrypted PMK string of 64 bytes (128 hexadecimal characters).
use-dot1x	Specifies that the peer device does not support Cisco TrustSec 802.1X authentication or authorization but does support SAP data path encryption and authentication.
modelist	(Optional) Specifies the SAP operation mode.
gcm-encrypt	Specifies Galois/Counter Mode (GCM) encryption and authentication mode.
gmac	Specifies GCM authentication mode.
no-encap	Specifies no encapsulation and no security group tag (SGT) insertion.
null	Specifies the encapsulation of the SGT without authentication or encryption.

Command Default

gcm-encrypt

Command Modes

Cisco TrustSec manual configuration

Command History


Release	Modification
6.2(2)	The left-zero-padded, display encrypt and encrypted encrypted_pmk keywords and argument were added.
4.0(3)	The use-dot1x keyword was added.
4.0(1)	This command was introduced.

Usage Guidelines

This command is not supported for F1 Series modules and F2 Series modules.

To use this command, you must enable the Cisco TrustSec feature using the feature cts command.

After using this command, you must enable and disable the interface using the shutdown /no shutdown command sequence for the configuration to take effect.

This command requires the Advanced Services license.

Examples

This example shows how to manually configure Cisco TrustSec SAP on an interface:

switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# sap pmk fedbaa modelist gmac
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown

This example shows how to remove a manual Cisco TrustSec SAP configuration from an interface:

switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# no sap
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown

Related Commands


Command	Description
cts manual	Enters Cisco TrustSec manual configuration mode for an interface.
feature cts	Enables the Cisco TrustSec feature.
show cts interface	Displays the Cisco TrustSec configuration for interfaces.

send-lifetime

To specify the time interval within which the device sends the key during key exchange with another device, use the send-lifetime command. To remove the time interval, use the no form of this command.

send-lifetime [local] start-time [duration duration-value | infinite | end-time]

Syntax Description


local	(Optional) Specifies that the device treats the configured times as local times. By default, the device treats the start-time and end-time arguments as UTC.
`start-time`	Time of day and date that the key becomes active. For information about the values for the `start-time` argument, see the “Usage Guidelines” section.
duration `duration-value`	(Optional) Specifies the length of the lifetime in seconds. The maximum length is 2147483646 seconds (approximately 68 years).
infinite	(Optional) Specifies that the key never expires.
`end-time`	(Optional) Time of day and date that the key becomes inactive. For information about valid values for the `end-time` argument, see the “Usage Guidelines” section.

Command Default

infinite

Command Modes

Key configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

By default, the device interprets all time range rules as UTC.

By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid.

The start-time and end-time arguments both require time and date components, in the following format:

hour [:minute [:second ]] month day year

You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.

Examples

This example shows how to create a send lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:

switch# configure terminal
switch(config)# key chain glbp-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008
switch(config-keychain-key)#

Related Commands


Command	Description
accept-lifetime	Configures an accept lifetime for a key.
key	Configures a key.
key chain	Configures a keychain.
key-string	Configures a key string.
show key chain	Displays keychain configuration.

server

To add a server to a RADIUS, TACACS+, or Lightweight Directory Access Protocol (LDAP) server group, use the server command. To delete a server from a server group, use the no form of this command.

server {ipv4-address | ipv6-address | hostname}

no server {ipv4-address | ipv6-address | hostname}

Syntax Description


`ipv4-address`	Server IPv4 address in the A.B.C.D format.
`ipv6-address`	Server IPv6 address in the X: X: X:: X format.
`hostname`	Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

Command Default

None

Command Modes

RADlUS server group configurationTACACS+ server group configurationLDAP server group configuration

Command History


Release	Modification
5.0(2)	Support for LDAP server groups was added.
4.0(1)	This command was introduced.

Usage Guidelines

You can configure up to 64 servers in a server group.

Use the aaa group server radius command to enter RADIUS server group configuration mode, the aaa group server tacacs+ command to enter TACACS+ server group configuration mode, or the aaa group server ldap command to enter LDAP server group configuration mode.

If the server is not found, use the radius-server host command, tacacs-server host command, or ldap-server host command to configure the server.

Note

You must use the feature tacacs+ command before you configure TACACS+ and the feature ldap command before you configure LDAP.

This command does not require a license.

Examples

This example shows how to add a server to a RADIUS server group:

switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1

This example shows how to delete a server from a RADIUS server group:

switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# no server 10.10.1.1

This example shows how to add a server to a TACACS+ server group:

switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2

This example shows how to delete a server from a TACACS+ server group:

switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no server 10.10.2.2

This example shows how to add a server to an LDAP server group:

switch# configure terminal
switch(config)# feature ldap
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# server 10.10.3.3

This example shows how to delete a server from an LDAP server group:

switch# configure terminal
switch(config)# feature ldap
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# no server 10.10.3.3

Related Commands


Command	Description
aaa group server	Configures AAA server groups.
radius-server host	Configures a RADIUS server.
show ldap-server groups	Displays LDAP server group information.
show radius-server groups	Displays RADIUS server group information.
show tacacs-server groups	Displays TACACS+ server group information.
feature tacacs+	Enables TACACS+.
tacacs-server host	Configures a TACACS+ server.
feature ldap	Enables LDAP.
ldap-server host	Configures an LDAP server.

service dhcp

To enable the DHCP relay agent, use the service dhcp command. To disable the DHCP relay agent, use the no form of this command.

service dhcp

no service dhcp

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Global configuration

Command History


Release	Modification
4.2(1)	This command was deprecated and replaced with the ip dhcp relay command.
4.0(1)	This command was introduced.

Usage Guidelines

This command does not require a license.

Examples

This example shows how to globally enable DHCP snooping:

switch# configure terminal
switch(config)# service dhcp
switch(config)#

Related Commands


Command	Description
feature dhcp	Enables the DHCP snooping feature on the device.
ip dhcp relay address	Configures an IP address of a DHCP server on an interface.
ip dhcp relay information option	Enables the insertion and removal of option-82 information from DHCP packets.
ip dhcp snooping	Globally enables DHCP snooping on the device.
show ip dhcp snooping	Displays general information about DHCP snooping.
show running-config dhcp	Displays DHCP snooping configuration, including IP Source Guard configuration.

service-policy input

To attach a control plane policy map to the control plane, use the service-policy input command. To remove a control plane policy map, use the no form of this command.

service-policy input policy-map-name

no service-policy input policy-map-name

Syntax Description


`policy-map-name`	Name of the control plane policy map.

Command Default

None

Command Modes

Control plane configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

You can assign only one control place policy map to the control plane. To assign a new control plane policy map to the control plane, you must remove the old control plane policy map.

This command does not require a license.

Examples

This example shows how to assign a control plane policy map to the control plane:

switch# configure terminal
switch(config)# control-plane
switch(config-cp)# service-policy input PolicyMapA

This example shows how to remove a control plane policy map from the control plane:

switch# configure terminal
switch(config)# control-plane 
switch(config-cp)# no service-policy input PolicyMapA

Related Commands


Command	Description
policy-map type control-plane	Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane	Displays configuration information for control plane policy maps.

set cos

To set the IEEE 802.1Q class of service (CoS) value for a control plane policy map, use the set cos command. To revert to the default, use the no form of this command.

set cos [inner] cos-value

no set cos [inner] cos-value

Syntax Description


inner	(Optional) Specifies the inner 802.1Q in a Q-in-Q environment.
`cos-value`	Numerical value of CoS in the control plane policy map. The range is from 0 to 7.

Command Default

0

Command Modes

Policy map class configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to configure the CoS value for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set cos 4

This example shows how to revert to the default CoS value for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set cos 4

Related Commands


Command	Description
class (policy map)	Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane	Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane	Displays configuration information for control plane policy maps.

set dscp (policy map class)

To set the differentiated services code point (DSCP) value for IPv4 and IPv6 packets in a control plane policy map, use the set dscp command. To revert to the default, use the no form of this command.

set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}

no set dscp [tunnel] {dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default}

Syntax Description


tunnel	(Optional) Sets DSCP in a tunnel encapsulation.
`dscp-value`	Numerical value of CoS in the control plane policy map. The range is from 0 to63.
af11	Specifies assured forwarding 11 DSCP (001010).
af12	Specifies assured forwarding 12 DSCP (001100).
af13	Specifies assured forwarding 13 DSCP (001110).
af21	Specifies assured forwarding 21 DSCP (010010).
af22	Specifies assured forwarding 22 DSCP (010100).
af23	Specifies assured forwarding 23 DSCP (010110).
af31	Specifies assured forwarding 31 DSCP (011010).
af32	Specifies assured forwarding 32 DSCP (011100).
af33	Specifies assured forwarding 33 DSCP (011110).
af41	Specifies assured forwarding 41 DSCP (100010).
af42	Specifies assured forwarding 42 DSCP (100100).
af43	Specifies assured forwarding 43 DSCP (100110).
cs1	Specifies class selector 1 (precedence 1) DSCP (001000).
cs2	Specifies class selector 2 (precedence 2) DSCP (010000).
cs3	Specifies class selector 3 (precedence 3) DSCP (011000).
cs4	Specifies class selector 4 (precedence 4) DSCP (100000).
cs5	Specifies class selector 5 (precedence 5) DSCP (101000).
cs6	Specifies class selector 6 (precedence 6) DSCP (110000).
cs7	Specifies class selector 7 (precedence 7) DSCP (111000).
ef	Specifies expedited forwarding DSCP (101110).
default	Specifies default DSCP (000000).

Command Default

default

Command Modes

Policy map class configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to configure the DSCP value for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set dscp 4

This example shows how to revert to the default DSCP value for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set dscp 4

Related Commands


Command	Description
class (policy map)	Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane	Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane	Displays configuration information for control plane policy maps.

set precedence (policy map class)

To set the precedence value for IPv4 and IPv6 packets in a control plane policy map, use the set precedence command. To revert to the default, use the no form of this command.

set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine}

no set precedence [tunnel] {prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine}

Syntax Description


tunnel	(Optional) Sets the precedence in a tunnel encapsulation.
`prec-value`	Numerical value for DSCP precedence in the control plane policy map. The range is from 0 to 7.
critical	Specifies critical precedence equal to precedence value 5.
flash	Specifies flash precedence equal to precedence value 3.
flash-override	Specifies flash override precedence equal to precedence value 4.
immediate	Specifies immediate precedence equal to precedence value 2.
internet	Specifies internet precedence equal to precedence value 6.
network	Specifies network precedence equal to precedence value 7.
priority	Specifies priority precedence equal to precedence value 1.
routine	Specifies routine precedence equal to precedence value 0.

Command Default

0 or routine

Command Modes

Policy map class configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

You can use this command only in the default virtual device context (VDC).

This command does not require a license.

Examples

This example shows how to configure the CoS value for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set precedence critical

This example shows how to revert to the default CoS value for a control plane policy map:

switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set precedence critical

Related Commands


Command	Description
class (policy map)	Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane	Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane	Displays configuration information for control plane policy maps.

source-interface

To assign a source interface for a specific RADIUS or TACACS+ server group, use the source-interface command. To revert to the default, use the no form of this command.

source-interface interface

no source-interface

Syntax Description


`interface`	Source interface. The supported interface types are ethernet , loopback , and mgmt 0 .

Command Default

The default is the global source interface.

Command Modes

RADIUS configurationTACACS+ configuration

Command History


Release	Modification
4.1(2)	This command was introduced.

Usage Guidelines

The source-interface command to override the global source interface assigned by the ip radius source-interface command or ip tacacs source-interface command.

You must use the feature tacacs+ command before you configure TACACS+.

This command does not require a license.

Examples

This example shows how to enter IP access list configuration mode for an IPv4 ACL named ip-acl-01:

switch# configure terminal
switch(config)# ip radius source-interface mgmt 0
switch(config-radius)# source-interface ethernet 2/1

Related Commands


Command	Description
feature tacacs+	Enables the TACACS+ feature.
ip radius source-interface	Configures the global source interface for the RADIUS groups configured on the Cisco NX-OS device.
ip tacacs source-interface	Configures the global source interface for the TACACS+ groups configured on the Cisco NX-OS device.
show radius-server groups	Displays the RADIUS server group configuration.
show tacacs-server groups	Displays the TACACS+ server group configuration.

ssh

To create a Secure Shell (SSH) session on the Cisco NX-OS device, use the ssh command.

ssh [username @] {ipv4-address | hostname} [vrf vrf-name]

Syntax Description


`username`	(Optional) Username for the SSH session. The username is not case sensitive.
`ipv4-address`	IPv4 address of the remote device.
`hostname`	Hostname of the remote device. The hostname is case sensitive.
vrf `vrf-name`	(Optional) Specifies the virtual routing and forwarding (VRF) name to use for the SSH session. The VRF name is case sensitive.

Command Default

Default VRF

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

The Cisco NX-OS software supports SSH version 2.

To use IPv6 addressing for an SSH session, use the ssh6 command.

The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.

If you are planning to create an SSH session to a remote device from the boot mode of a Cisco NX-OS device, you must obtain the hostname for the remote device, enable the SSH server on the remote device, and ensure that the Cisco NX-OS device is loaded with only the kickstart image.

This command does not require a license.

Examples

This example shows how to start an SSH session using IPv4:

switch# ssh 10.10.1.1 vrf management

The authenticity of host '10.10.1.1 (10.10.1.1)' can't be established.
RSA key fingerprint is 9b:d9:09:97:f6:40:76:89:05:15:42:6b:12:48:0f:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.1.1' (RSA) to the list of known hosts.
User Access Verification
Password:

This example shows how to create an SSH session to a remote device from the boot mode of the Cisco NX-OS device:

switch(boot)# ssh user1@10.10.1.1

Related Commands


Command	Description
clear ssh session	Clears SSH sessions.
copy scp:	Copies a file from the Cisco NX-OS device to a remote device using the Secure Copy Protocol (SCP).
feature ssh	Enables the SSH server.
ssh6	Starts an SSH session using IPv6 addressing.

ssh key

To create a Secure Shell (SSH) server key for a virtual device context (VDC), use the ssh key command. To remove the SSH server key, use the no form of this command.

ssh key {dsa [force] | rsa [length [force]]}

no ssh key [dsa | rsa]

Syntax Description


dsa	Specifies the Digital System Algrorithm (DSA) SSH server key.
force	(Optional) Forces the replacement of an SSH key.
rsa	Specifies the Rivest, Shamir, and Adelman (RSA) public-key cryptography SSH server key.
`length`	(Optional) Number of bits to use when creating the SSH server key. The range is from 1024 to 2048.

Command Default

1024-bit length

Command Modes

Global configuration

Command History


Release	Modification
5.1(1)	Removed support for RSA keys less than 1024 bits.
4.0(1)	This command was introduced.

Usage Guidelines

The Cisco NX-OS software supports SSH version 2.

If you want to remove or replace an SSH server key, you must first disable the SSH server using the no feature ssh command.

This command does not require a license.

Examples

This example shows how to create an SSH server key using DSA:

switch# configure terminal
switch(config)# ssh key dsa
generating dsa key(1024 bits).....
..
generated dsa key

This example shows how to create an SSH server key using RSA with the default key length:

switch# configure terminal
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
.
generated rsa key

This example shows how to create an SSH server key using RSA with a specified key length:

switch# configure terminal
switch(config)# ssh key rsa 1024
generating rsa key(1024 bits).....
.
generated rsa key

This example shows how to replace an SSH server key using DSA with the force option:

switch# configure terminal
switch(config)# no feature ssh
switch(config)# ssh key dsa force
deleting old dsa key.....
generating dsa key(1024 bits).....
.
generated dsa key
switch(config)# feature ssh

This example shows how to remove the DSA SSH server key:

switch# configure terminal
switch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key dsa
switch(config)# feature ssh

This example shows how to remove all SSH server keys:

switch# configure terminal
switch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key 
switch(config)# feature ssh

Related Commands


Command	Description
show ssh key	Displays the SSH server key information.
feature ssh	Enables the SSH server.

ssh login-attempts

To configure the maximum number of times that a user can attempt to log in to a Secure Shell (SSH) session, use the ssh login-attempts command. To disable the configuration, use the no form of this command.

ssh login-attempts number

no ssh login-attempts

Syntax Description


`number`	Maximum number of login attempts. The range is from 1 to 10.

Command Default

3

Command Modes

Global configuration

Command History


Release	Modification
5.0(2)	This command was introduced.

Usage Guidelines

The total number of login attempts includes attempts through public-key authentication, certificate-based authentication, and password-based authentication.

This command does not require a license.

If the user exceeds the maximum number of permitted login attempts, the session disconnects.

Examples

This example shows how to configure the maximum number of times that a user can attempt to log in to an SSH session:

switch# configure terminal
switch(config)# ssh login-attempts 5

This example shows how to disable the SSH login attempt configuration:

switch# configure terminal
switch(config)# no ssh login-attempts

Related Commands


Command	Description
show running-config security all	Displays the configured maximum number of SSH login attempts.

ssh server enable

To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the ssh server enable command. To disable the SSH server, use the no form of this command.

ssh server enable

no ssh server enable

Syntax Description

This command has no arguments or keywords.

Command Default

Enabled

Command Modes

Global configuration

Command History


Release	Modification
4.1(2)	This command was deprecated and replaced with the feature ssh command.
4.0(1)	This command was introduced.

Usage Guidelines

The Cisco NX-OS software supports SSH version 2.

This command does not require a license.

Examples

This example shows how to enable the SSH server:

switch# configure terminal
switch(config)# ssh server enable

This example shows how to disable the SSH server:

switch# configure terminal
switch(config)# no ssh server enable

XML interface to system may become unavailable since ssh is disabled

Related Commands


Command	Description
show ssh server	Displays the SSH server key information.

ssh6

To create a Secure Shell (SSH) session using IPv6 on the Cisco NX-OS device, use the ssh6 command.

ssh6 [username @] {ipv6-address | hostname} [vrf vrf-name]

Syntax Description


`username`	(Optional) Username for the SSH session. The username is not case sensitive.
`ipv6-address`	IPv6 address of the remote device.
`hostname`	Hostname of the remote device.
vrf `vrf-name`	(Optional) Specifies the virtual forwarding and routing (VRF) name to use for the SSH session. The VRF name is case sensitive.

Command Default

Default VRF

Command Modes

Any command mode

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

The Cisco NX-OS software supports SSH version 2.

To use IPv4 addressing to start an SSH session, use the ssh command.

The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.

This command does not require a license.

Examples

This example shows how to start an SSH session using IPv6:

switch# ssh host2 vrf management

Related Commands


Command	Description
clear ssh session	Clears SSH sessions.
ssh	Starts an SSH session using IPv4 addressing.
feature ssh	Enables the SSH server.

statistics per-entry

To start recording statistics for how many packets are permitted or denied by each entry in an IP, a MAC access control list (ACL), or a VLAN access-map entry, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.

statistics per-entry

no statistics per-entry

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

IP access-list configuration

IPv6 access-list configuration

MAC access-list configuration

VLAN access-map configuration

Command History


Release	Modification
4.0(3)	Changed command from statistics to statistics per-entry .
4.0(1)	This command was introduced.

Usage Guidelines

When the device determines that an IPv4, IPv6, MAC, or VLAN ACL applies to a packet, it tests the packet against the conditions of all entries in the ACLs. ACL entries are derived from the rules that you configure with the applicable permit and deny commands. The first matching rule determines whether the packet is permitted or denied. Enter the statistics per-entry command to start recording how many packets are permitted or denied by each entry in an ACL.

Statistics are not supported if the DHCP snooping feature is enabled.

The device does not record statistics for implicit rules. To record statistics for these rules, you must explicitly configure an identical rule for each implicit rule. For more information about implicit rules, see the following commands:

ip access-list
ipv6 access-list
mac access-list

To view per-entry statistics, use the show access-lists command or the applicable following command:

show ip access-lists
show ipv6 access-lists
show mac access-lists

To clear per-entry statistics, use the clear access-list counters command or the applicable following command:

clear ip access-list counters
clear ipv6 access-list counters
clear mac access-list counters
clear vlan access-list counters

This command does not require a license.

Examples

This example shows how to start recording per-entry statistics for an IPv4 ACL named ip-acl-101:

switch(config)# ip access-list ip-acl-101
switch(config-acl)# statistics per-entry
switch(config-acl)#

This example shows how to stop recording per-entry statistics for an IPv4 ACL named ip-acl-101:

switch(config)# ip access-list ip-acl-101
switch(config-acl)# no statistics per-entry
switch(config-acl)#

This example shows how to start recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:

switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# statistics per-entry
switch(config-access-map)#

This example shows how to stop recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:

switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# no statistics per-entry
switch(config-access-map)#

Related Commands


Command	Description
show access-lists	Displays all IPv4, IPv6, and MAC ACLs, or a specific ACL.
clear access-list counters	Clears per-entry statistics for all IPv4, IPv6, and MAC ACLs, or for a specific ACL.

storm-control level

To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.

storm-control {broadcast | multicast | unicast} level percentage [. fraction]

no storm-control {broadcast | multicast | unicast} level

Syntax Description


broadcast	Specifies the broadcast traffic.
multicast	Specifies the multicast traffic.
unicast	Specifies the unicast traffic.
`percentage`	Percentage of the suppression level. The range is from 0 to 100 percent.
`. fraction`	(Optional) Fraction of the suppression level. The range is from 0 to 99.

Command Default

All packets are passed

Command Modes

Interface configuration

Command History


Release	Modification
4.0(1)	This command was introduced.

Usage Guidelines

Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.

Only one suppression level is shared by all three suppression modes. For example, if you set the broadcast level to 30 and set the multicast level to 40, both levels are enabled and set to 40.

The period (.) is required when you enter the fractional-suppression level.

The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.

Use the show interfaces counters broadcast command to display the discard count.

Use one of the follow methods to turn off suppression for the specified traffic type:

Set the level to 100 percent for the specified traffic type.
Use the no form of this command.

This command does not require a license.

Examples

This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# storm-control broadcast level 30

This example shows how to disable the suppression mode for multicast traffic:

switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no storm-control multicast level

Related Commands


Command	Description
show interface	Displays the storm-control suppression counters for an interface.
show running-config	Displays the configuration of the interface.

switchport port-security

To enable port security on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security command. To remove port security configuration, use the no form of this command.

switchport port-security

no switchport port-security

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command Modes

Interface configuration

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

Per interface, port security is disabled by default.

You must configure the interface as a Layer 2 interface by using the switchport command before you can use the switchport port-security command.

You must enable port security by using the feature port-security command before you can use the switchport port-security command.

If port security is enabled on any member port of the Layer 2 port-channel interface, the device does not allow you to disable port security on the port-channel interface. To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.

Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.

This command does not require a license.

Examples

This example shows how to enable port security on the Ethernet 2/1 interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security
switch(config-if)#

This example shows how to enable port security on the port-channel 10 interface:

switch# configure terminal
switch(config)# interface port-channel 10
switch(config-if)# switchport port-security
switch(config-if)#

Related Commands


Command	Description
feature port-security	Enables port security globally.
show port-security	Shows information about port security.
switchport port-security aging time	Configures the aging time for dynamically learned, secure MAC addresses.
switchport port-security aging type	Configures the aging type for dynamically learned, secure MAC addresses.
switchport port-security mac-address	Configures a static MAC address.
switchport port-security mac-address sticky	Enables the sticky method for learning secure MAC addresses.
switchport port-security maximum	Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
switchport port-security violation	Configures the security violation action for an interface.

switchport port-security aging type

To configure the aging type for dynamically learned, secure MAC addresses, use the switchport port-security aging type command. To return to the default aging type, which is absolute aging, use the no form of this command.

switchport port-security aging type {absolute | inactivity}

no switchport port-security aging type {absolute | inactivity}

Syntax Description


absolute	Specifies that the dynamically learned, secure MAC addresses age is based on how long ago the device learned the address.
inactivity	Specifies that the dynamically learned, secure MAC addresses age is based on how long ago the device last received traffic from the MAC address on the current interface.

Command Default

absolute

Command Modes

Interface configuration

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

The default aging type is absolute aging.

You must enable port security by using the feature port-security command before you can use the switchport port-security aging type command.

Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.

This command does not require a license.

Examples

This example shows how to configure the aging type to be “inactivity” on the Ethernet 2/1 interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security aging type inactivity
switch(config-if)#

Related Commands


Command	Description
feature port-security	Enables port security globally.
show port-security	Shows information about port security.
switchport port-security	Configures a Layer 2 interface for port security.
switchport port-security aging time	Configures the aging time for dynamically learned, secure MAC addresses.
switchport port-security mac-address	Configures a static MAC address.
switchport port-security mac-address sticky	Enables the sticky method for learning secure MAC addresses.
switchport port-security maximum	Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
switchport port-security violation	Configures the security violation action for an interface.

switchport port-security mac-address

To configure a static, secure MAC address on an interface, use the switchport port-security mac-address command. To remove a static, secure MAC address from an interface, use the no form of this command.

switchport port-security mac-address address [vlan vlan-ID]

no switchport port-security mac-address address [vlan vlan-ID]

Syntax Description


`address`	MAC address that you want to specify as a static, secure MAC address on the current interface.
vlan `vlan-ID`	(Optional) Specifies the VLAN on which traffic from the MAC address is permitted. Valid VLAN IDs are from 1 to 4096.

Command Default

None

Command Modes

Interface configuration

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

There are no default static, secure MAC addresses.

You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address command.

Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.

This command does not require a license.

Examples

This example shows how to configure 0019.D2D0.00AE as a static, secure MAC address on the Ethernet 2/1 interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE
switch(config-if)#

Related Commands


Command	Description
feature port-security	Enables port security globally.
show port-security	Shows information about port security.
switchport port-security	Configures a Layer 2 interface for port security.
switchport port-security aging time	Configures the aging time for dynamically learned, secure MAC addresses.
switchport port-security aging type	Configures the aging type for dynamically learned, secure MAC addresses.
switchport port-security mac-address sticky	Enables the sticky method for learning secure MAC addresses.
switchport port-security maximum	Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
switchport port-security violation	Configures the security violation action for an interface.

switchport port-security mac-address sticky

To enable the sticky method for learning secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security mac-address sticky command. To disable the sticky method and return to the dynamic method, use the no form of this command.

switchport port-security mac-address sticky

no switchport port-security mac-address sticky

Syntax Description

This command has no arguments or keywords.

Command Default

The sticky method of secure MAC address learning is disabled by default.

Command Modes

Interface configuration

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address sticky command.

Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.

This command does not require a license.

Examples

This example shows how to enable the sticky method of learning secure MAC addresses on the Ethernet 2/1 interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)#

Related Commands


Command	Description
feature port-security	Enables port security globally.
show port-security	Shows information about port security.
switchport port-security	Enables port security on a Layer 2 interface.
switchport port-security aging time	Configures the aging time for dynamically learned, secure MAC addresses.
switchport port-security aging type	Configures the aging type for dynamically learned, secure MAC addresses.
switchport port-security mac-address	Configures a static MAC address.
switchport port-security maximum	Configures an interface or a VLAN maximum for secured MAC addresses on an interface.
switchport port-security violation	Configures the security violation action for an interface.

switchport port-security maximum

To configure the interface maximum or a VLAN maximum of secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security maximum command. To remove port security configuration, use the no form of this command.

switchport port-security maximum number [vlan vlan-ID]

no switchport port-security maximum number [vlan vlan-ID]

Syntax Description


maximum `number`	Specifies the maximum number of secure MAC addresses. See the “Usage Guidelines” section for information about valid values for the `number` argument.
vlan `vlan-ID`	(Optional) Specifies the VLAN that the maximum applies to. If you omit the vlan keyword, the maximum is applied as an interface maximum.

Command Default

None

Command Modes

Interface configuration

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

The default interface maximum is one secure MAC address.

Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.

You must enable port security by using the feature port-security command before you can use the switchport port-security maximum command.

Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.

There is no default VLAN maximum.

There is a system-wide, nonconfigurable maximum of 4096 secure MAC addresses.

This command does not require a license.

Maximums for Access Ports and Trunk Ports

For an interface used as an access port, we recommend that you use the default interface maximum of one secure MAC address.

For an interface used as a trunk port, set the interface maximum to a number that reflects the actual number of hosts that could use the interface.

Interface Maximums, VLAN Maximums, and the Device Maximum

The sum of all VLAN maximums that you configure on an interface cannot exceed the interface maximum. For example, if you configure a trunk-port interface with an interface maximum of 10 secure MAC addresses and a VLAN maximum of 5 secure MAC addresses for VLAN 1, the largest maximum number of secure MAC addresses that you can configure for VLAN 2 is also 5. If you tried to configure a maximum of 6 secure MAC addresses for VLAN 2, the device would not accept the command.

Examples

This example shows how to configure an interface maximum of 10 secure MAC addresses on the Ethernet 2/1 interface:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security maximum 10
switch(config-if)#

Related Commands


Command	Description
feature port-security	Enables port security globally.
show port-security	Shows information about port security.
switchport port-security	Enables port security on a Layer 2 interface.
switchport port-security aging time	Configures the aging time for dynamically learned, secure MAC addresses.
switchport port-security aging type	Configures the aging type for dynamically learned, secure MAC addresses.
switchport port-security mac-address	Configures a static MAC address.
switchport port-security mac-address sticky	Enables the sticky method for learning secure MAC addresses.
switchport port-security violation	Configures the security violation action for an interface.

switchport port-security violation

To configure the action that the device takes when a security violation event occurs on an interface, use the switchport port-security violation command. To remove the port security violation action configuration, use the no form of this command.

switchport port-security violation {protect | restrict | shutdown}

no switchport port-security violation {protect | restrict | shutdown}

Syntax Description


protect	Specifies that the device does not raise security violations when a packet would normally trigger a security violation event. Instead, the address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.
restrict	Specifies that the device drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped. After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
shutdown	Specifies that the device shuts down the interface if it receives a packet triggering a security violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.

Command Default

None

Command Modes

Interface configuration

Command History


Release	Modification
4.2(1)	Support for Layer 2 port-channel interfaces was added.
4.0(1)	This command was introduced.

Usage Guidelines

The default security violation action is to shut down the interface.

You must enable port security by using the feature port-security command before you can use the switchport port-security violation command.

Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.

Port security triggers security violations when either of the two following events occur:

Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses.

When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:

- VLAN 1 has a maximum of 5 addresses
- The interface has a maximum of 10 addresses

The device detects a violation when any of the following occurs:

- The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.
- The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.
Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.

Note

After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.

When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions are as follows:

Shutdown—Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.

You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shut down interface configuration commands.

Restrict—Drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.

After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.

Protect—Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.

If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.

This command does not require a license.

Examples

This example shows how to configure an interface to respond to a security violation event with the protect action:

switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security violation protect
switch(config-if)#

Related Commands


Command	Description
feature port-security	Enables port security globally.
show port-security	Shows information about port security.
switchport port-security	Enables port security on a Layer 2 interface.
switchport port-security aging time	Configures the aging time for dynamically learned, secure MAC addresses.
switchport port-security aging type	Configures the aging type for dynamically learned, secure MAC addresses.
switchport port-security mac-address	Configures a static MAC address.
switchport port-security mac-address sticky	Enables the sticky method for learning secure MAC addresses.
switchport port-security maximum	Configures an interface or a VLAN maximum for secured MAC addresses on an interface.

Bias-Free Language

Results

Chapter: S Commands

S Commands

sak-expiry-time

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

sap modelist

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

sap pmk

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

send-lifetime

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

server

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

service dhcp

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

service-policy input

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

set cos

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

set dscp (policy map class)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

set precedence (policy map class)

Syntax Description

Command Default