To set an expiry time for a forced Secure Association Key (SAK) rekey, use the sak-expiry-time command. To reset to the default expiry time, use the no form of this command.
sak-expiry-time time
no sak-expiry-time time
Argument | Description
---|---
time | Time, in seconds, after which a SAK rekey is forced. The range is 1 to 2592000. The default is pn-exhaust, which rekeys only when the packet number (PN) space of the current SAK is exhausted.

Command Default: pn-exhaust (rekey on PN exhaustion)
Release | Modification
---|---
8.2(1) | This command was introduced.
To use this command, you should enable the MKA feature first.
This example shows how to set the SAK expiry time:
switch# configure terminal
switch(config)# macsec policy p1
switch(config-macsec-policy)# sak-expiry-time 60
Command | Description
---|---
cipher suite | Configures the cipher suite for encrypting traffic with MACsec.
conf-offset | Configures the confidentiality offset for MKA encryption.
feature mka | Enables the MKA feature.
key | Creates a key or enters the configuration mode of an existing key.
key chain keychain-name | Creates a keychain or enters the configuration mode of an existing keychain.
key-octet-string | Configures the text for a MACsec key.
key-server-priority | Configures the preference for a device to serve as the key server for MKA encryption.
macsec keychain policy | Configures the MACsec keychain policy.
macsec policy | Configures the MACsec policy.
show key chain | Displays the configuration of the specified keychain.
show macsec mka | Displays the details of MKA.
show macsec policy | Displays all the MACsec policies in the system.
show run mka | Displays the running MKA configuration.
To configure the Cisco TrustSec Security Association Protocol (SAP) operation mode, use the sap modelist command. To revert to the default, use the no form of this command.
sap modelist { gcm-encrypt | gmac | no-encap | none }
no sap modelist { gcm-encrypt | gmac | no-encap | none }
Keyword | Description
---|---
gcm-encrypt | Specifies Galois/Counter Mode (GCM) encryption and authentication mode (confidentiality and integrity).
gmac | Specifies GCM authentication-only mode (GMAC): frames are integrity-protected but carried in cleartext.
no-encap | Specifies no encapsulation and no security group tag (SGT) insertion.
none | Specifies encapsulation of the SGT without authentication or encryption.

Command Default: gcm-encrypt

Command Modes: Cisco TrustSec 802.1X configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must enable and disable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
This command requires the Advanced Services license.
This example shows how to configure the Cisco TrustSec SAP operation mode on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to revert to the default Cisco TrustSec SAP operation mode on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts dot1x
switch(config-if-cts-dot1x)# no sap modelist gmac
switch(config-if-cts-dot1x)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
Command | Description
---|---
cts dot1x | Enters Cisco TrustSec 802.1X configuration mode for an interface.
feature cts | Enables the Cisco TrustSec feature.
show cts interface | Displays the Cisco TrustSec configuration for interfaces.
To manually configure the Cisco TrustSec Security Association Protocol (SAP) pairwise master key (PMK), use the sap pmk command. To remove the SAP configuration, use the no form of this command.
sap pmk { key [ left-zero-padded ] [ display encrypt ] | encrypted encrypted_pmk | use-dot1x } [ modelist { gcm-encrypt | gmac | no-encap | null } ]
no sap
Keyword or Argument | Description
---|---
key | Key value. This is a hexadecimal string with an even number of characters. The maximum length is 32 characters.
left-zero-padded | (Optional) Pads zeros to the left of the entered string if the PMK is shorter than 32 hexadecimal characters.
display encrypt | (Optional) Displays the configured PMK in AES-encrypted form in the running configuration instead of in cleartext.
encrypted encrypted_pmk | Specifies an encrypted PMK string of 64 bytes (128 hexadecimal characters).
use-dot1x | Specifies that the peer device does not support Cisco TrustSec 802.1X authentication or authorization but does support SAP data path encryption and authentication.
modelist | (Optional) Specifies the SAP operation mode.
gcm-encrypt | Specifies Galois/Counter Mode (GCM) encryption and authentication mode (confidentiality and integrity).
gmac | Specifies GCM authentication-only mode (GMAC): frames are integrity-protected but carried in cleartext.
no-encap | Specifies no encapsulation and no security group tag (SGT) insertion.
null | Specifies encapsulation of the SGT without authentication or encryption.

Command Default: gcm-encrypt

Command Modes: Cisco TrustSec manual configuration
Release | Modification
---|---
6.2(2) | The left-zero-padded, display encrypt, and encrypted encrypted_pmk keywords and argument were added.
4.0(3) | The use-dot1x keyword was added.
4.0(1) | This command was introduced.
This command is not supported for F1 Series modules and F2 Series modules.
To use this command, you must enable the Cisco TrustSec feature using the feature cts command.
After using this command, you must disable and re-enable the interface using the shutdown/no shutdown command sequence for the configuration to take effect.
Without the display encrypt keyword, the PMK is shown in cleartext by show running-config and ends up in every configuration backup; use display encrypt so that the stored form is AES-encrypted.
This command requires the Advanced Services license.
This example shows how to manually configure Cisco TrustSec SAP on an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# sap pmk fedbaa modelist gmac
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
This example shows how to remove a manual Cisco TrustSec SAP configuration from an interface:
switch# configure terminal
switch(config)# interface ethernet 2/3
switch(config-if)# cts manual
switch(config-if-cts-manual)# no sap
switch(config-if-cts-manual)# exit
switch(config-if)# shutdown
switch(config-if)# no shutdown
Command | Description
---|---
cts manual | Enters Cisco TrustSec manual configuration mode for an interface.
feature cts | Enables the Cisco TrustSec feature.
show cts interface | Displays the Cisco TrustSec configuration for interfaces.
To specify the time interval within which the device sends the key during key exchange with another device, use the send-lifetime command. To remove the time interval, use the no form of this command.
send-lifetime [local] start-time [ duration duration-value | infinite | end-time ]
Keyword or Argument | Description
---|---
local | (Optional) Specifies that the device treats the configured times as local times. By default, the device treats the start-time and end-time arguments as UTC.
start-time | Time of day and date that the key becomes active. For the format of the start-time argument, see the usage guidelines below.
duration duration-value | (Optional) Specifies the length of the lifetime in seconds. The maximum is 2147483646 seconds (approximately 68 years).
infinite | (Optional) Specifies that the key never expires.
end-time | (Optional) Time of day and date that the key becomes inactive. For the format of the end-time argument, see the usage guidelines below.

Command Default: infinite

Command Modes: Key configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
This command does not require a license.
By default, the device interprets all time range rules as UTC.
By default, the time interval within which the device sends a key during key exchange with another device—the send lifetime—is infinite, which means that the key is always valid.
The start-time and end-time arguments both require time and date components, in the following format:
hour[:minute[:second]] month day year
You specify the hour in 24-hour notation. For example, in 24-hour notation, 8:00 a.m. is 8:00 and 8:00 p.m. is 20:00. The minimum valid start-time is 00:00:00 Jan 1 1970, and the maximum valid start-time is 23:59:59 Dec 31 2037.
This example shows how to create a send lifetime that begins at midnight on June 13, 2008, and ends at 11:59:59 p.m. on August 12, 2008:
switch# configure terminal
switch(config)# key chain glbp-keys
switch(config-keychain)# key 13
switch(config-keychain-key)# send-lifetime 00:00:00 Jun 13 2008 23:59:59 Aug 12 2008
switch(config-keychain-key)#
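The lifetime grammar described above, worked through as an added Python example (this is not Cisco code and not part of the command reference): it parses the hour[:minute[:second]] month day year form, applies the UTC-by-default rule, the 1970 to 2037 bounds on start-time, and the duration, infinite and end-time variants, and then checks whether two consecutive keys overlap. The rotation_gap helper, the Lifetime type and the successor key in the sample schedule are my additions; the first lifetime is the one from the example above. A gap between the old key's send lifetime and the new key's start is the failure mode to look for, because during that gap the device has no key it is allowed to send.

```python
"""Offline check of NX-OS keychain send-lifetime / accept-lifetime windows.

Added example, not Cisco code. Implements the lifetime grammar from the
command reference: [local] hour[:minute[:second]] month day year followed by
'duration <secs>', 'infinite' (the default) or an end-time in the same form.
"""
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple, Optional

# Bounds and limits quoted in the command reference.
MIN_START = datetime(1970, 1, 1, 0, 0, 0, tzinfo=timezone.utc)
MAX_START = datetime(2037, 12, 31, 23, 59, 59, tzinfo=timezone.utc)
MAX_DURATION = 2147483646  # seconds (about 68 years)

MONTHS = {name: num for num, name in enumerate(
    ("jan", "feb", "mar", "apr", "may", "jun",
     "jul", "aug", "sep", "oct", "nov", "dec"), start=1)}

# hour[:minute[:second]] month day year, 24-hour clock
TIME_RE = re.compile(
    r"^(\d{1,2})(?::(\d{1,2}))?(?::(\d{1,2}))?\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})$")


def parse_time(text: str, tz: timezone = timezone.utc) -> datetime:
    """Parse one start-time or end-time argument into an aware datetime."""
    m = TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad time argument: {text!r}")
    hour, minute, second, mon, day, year = m.groups()
    month = MONTHS.get(mon.lower())
    if month is None:
        raise ValueError(f"bad month: {mon!r}")
    # datetime() itself rejects hour 24, minute 60, Feb 30 and similar.
    return datetime(int(year), month, int(day), int(hour),
                    int(minute or 0), int(second or 0), tzinfo=tz)


class Lifetime(NamedTuple):
    start: datetime
    end: Optional[datetime]  # None means infinite

    def active_at(self, when: datetime) -> bool:
        return self.start <= when and (self.end is None or when <= self.end)


def parse_lifetime(args: str, local_tz: timezone = timezone.utc) -> Lifetime:
    """Parse the argument string given to send-lifetime or accept-lifetime."""
    tokens = args.split()
    tz = timezone.utc                  # times are UTC unless 'local' is given
    if tokens and tokens[0] == "local":
        tz = local_tz                  # 'local' keyword: the device's local zone
        tokens = tokens[1:]
    if len(tokens) < 4:
        raise ValueError("start-time needs time, month, day and year")
    start = parse_time(" ".join(tokens[:4]), tz)
    if not MIN_START <= start <= MAX_START:
        raise ValueError("start-time outside 00:00:00 Jan 1 1970 .. 23:59:59 Dec 31 2037")
    rest = tokens[4:]
    if not rest or rest == ["infinite"]:
        return Lifetime(start, None)   # default: key never expires
    if rest[0] == "duration":
        secs = int(rest[1])
        if not 1 <= secs <= MAX_DURATION:
            raise ValueError("duration out of range")
        return Lifetime(start, start + timedelta(seconds=secs))
    end = parse_time(" ".join(rest), tz)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    return Lifetime(start, end)


def rotation_gap(old: Lifetime, new: Lifetime) -> Optional[timedelta]:
    """Interval during which neither key is valid when rolling from old to new.

    None means the new key starts no later than the old one ends (overlap),
    which is what a clean rollover needs.
    """
    if old.end is None or new.start <= old.end:
        return None
    return new.start - old.end


if __name__ == "__main__":
    # Constructed schedule: the key from the example above and a successor.
    key13 = parse_lifetime("00:00:00 Jun 13 2008 23:59:59 Aug 12 2008")
    key14 = parse_lifetime("00:00:00 Aug 13 2008 infinite")
    print("key 13 active mid-July:", key13.active_at(parse_time("12:00 Jul 1 2008")))
    print("gap between key 13 and key 14:", rotation_gap(key13, key14))
```

Run it against the keys of a chain before pushing the configuration; the one-second gap it reports for the sample schedule is the kind of off-by-one that a 23:59:59 end-time followed by a 00:00:00 start-time on the next day produces.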
Command | Description
---|---
accept-lifetime | Configures an accept lifetime for a key.
key | Configures a key.
key chain | Configures a keychain.
key-string | Configures a key string.
show key chain | Displays keychain configuration.
To add a server to a RADIUS, TACACS+, or Lightweight Directory Access Protocol (LDAP) server group, use the server command. To delete a server from a server group, use the no form of this command.
server { ipv4-address | ipv6-address | hostname }
no server { ipv4-address | ipv6-address | hostname }
Argument | Description
---|---
ipv4-address | Server IPv4 address in the A.B.C.D format.
ipv6-address | Server IPv6 address in the X:X:X::X format.
hostname | Server name. The name is alphanumeric, case sensitive, and has a maximum of 256 characters.

Command Default: None

Command Modes: RADIUS server group configuration, TACACS+ server group configuration, LDAP server group configuration
Release | Modification
---|---
5.0(2) | Support for LDAP server groups was added.
4.0(1) | This command was introduced.
You can configure up to 64 servers in a server group.
Use the aaa group server radius command to enter RADIUS server group configuration mode, the aaa group server tacacs+ command to enter TACACS+ server group configuration mode, or the aaa group server ldap command to enter LDAP server group configuration mode.
If the server is not found, use the radius-server host command, tacacs-server host command, or ldap-server host command to configure the server.
Note: You must use the feature tacacs+ command before you configure TACACS+ and the feature ldap command before you configure LDAP.
This command does not require a license.
This example shows how to add a server to a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
This example shows how to delete a server from a RADIUS server group:
switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# no server 10.10.1.1
This example shows how to add a server to a TACACS+ server group:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
This example shows how to delete a server from a TACACS+ server group:
switch# configure terminal
switch(config)# feature tacacs+
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# no server 10.10.2.2
This example shows how to add a server to an LDAP server group:
switch# configure terminal
switch(config)# feature ldap
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# server 10.10.3.3
This example shows how to delete a server from an LDAP server group:
switch# configure terminal
switch(config)# feature ldap
switch(config)# aaa group server ldap LdapServer
switch(config-ldap)# no server 10.10.3.3
Command | Description
---|---
aaa group server | Configures AAA server groups.
radius-server host | Configures a RADIUS server.
show ldap-server groups | Displays LDAP server group information.
show radius-server groups | Displays RADIUS server group information.
show tacacs-server groups | Displays TACACS+ server group information.
feature tacacs+ | Enables TACACS+.
tacacs-server host | Configures a TACACS+ server.
feature ldap | Enables LDAP.
ldap-server host | Configures an LDAP server.
To enable the DHCP relay agent, use the service dhcp command. To disable the DHCP relay agent, use the no form of this command.
service dhcp
no service dhcp
This command has no arguments or keywords.

Command Default: None

Command Modes: Global configuration
Release | Modification
---|---
4.2(1) | This command was deprecated and replaced with the ip dhcp relay command.
4.0(1) | This command was introduced.
This command does not require a license.
This example shows how to enable the DHCP relay agent:
switch# configure terminal
switch(config)# service dhcp
switch(config)#
Command | Description
---|---
feature dhcp | Enables the DHCP snooping feature on the device.
ip dhcp relay address | Configures an IP address of a DHCP server on an interface.
ip dhcp relay information option | Enables the insertion and removal of option-82 information from DHCP packets.
ip dhcp snooping | Globally enables DHCP snooping on the device.
show ip dhcp snooping | Displays general information about DHCP snooping.
show running-config dhcp | Displays the DHCP snooping configuration, including the IP Source Guard configuration.
To attach a control plane policy map to the control plane, use the service-policy input command. To remove a control plane policy map, use the no form of this command.
service-policy input policy-map-name
no service-policy input policy-map-name
Argument | Description
---|---
policy-map-name | Name of the control plane policy map.

Command Default: None

Command Modes: Control plane configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
You can use this command only in the default virtual device context (VDC).
You can assign only one control plane policy map to the control plane. To assign a new control plane policy map, you must first remove the old one.
This command does not require a license.
This example shows how to assign a control plane policy map to the control plane:
switch# configure terminal
switch(config)# control-plane
switch(config-cp)# service-policy input PolicyMapA
This example shows how to remove a control plane policy map from the control plane:
switch# configure terminal
switch(config)# control-plane
switch(config-cp)# no service-policy input PolicyMapA
Command | Description
---|---
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
To set the IEEE 802.1Q class of service (CoS) value for a control plane policy map, use the set cos command. To revert to the default, use the no form of this command.
set cos [inner] cos-value
no set cos [inner] cos-value
Keyword or Argument | Description
---|---
inner | (Optional) Sets the CoS in the inner 802.1Q tag in a Q-in-Q environment.
cos-value | Numerical CoS value for the control plane policy map. The range is from 0 to 7.

Command Default: 0

Command Modes: Policy map class configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
This example shows how to configure the CoS value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set cos 4
This example shows how to revert to the default CoS value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set cos 4
Command | Description
---|---
class (policy map) | Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
To set the differentiated services code point (DSCP) value for IPv4 and IPv6 packets in a control plane policy map, use the set dscp command. To revert to the default, use the no form of this command.
set dscp [tunnel] { dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default }
no set dscp [tunnel] { dscp-value | af11 | af12 | af13 | af21 | af22 | af23 | af31 | af32 | af33 | af41 | af42 | af43 | cs1 | cs2 | cs3 | cs4 | cs5 | cs6 | cs7 | ef | default }
Keyword or Argument | Description
---|---
tunnel | (Optional) Sets the DSCP in the tunnel encapsulation header.
dscp-value | Numerical DSCP value for the control plane policy map. The range is from 0 to 63.
af11 | Specifies assured forwarding 11 DSCP (001010).
af12 | Specifies assured forwarding 12 DSCP (001100).
af13 | Specifies assured forwarding 13 DSCP (001110).
af21 | Specifies assured forwarding 21 DSCP (010010).
af22 | Specifies assured forwarding 22 DSCP (010100).
af23 | Specifies assured forwarding 23 DSCP (010110).
af31 | Specifies assured forwarding 31 DSCP (011010).
af32 | Specifies assured forwarding 32 DSCP (011100).
af33 | Specifies assured forwarding 33 DSCP (011110).
af41 | Specifies assured forwarding 41 DSCP (100010).
af42 | Specifies assured forwarding 42 DSCP (100100).
af43 | Specifies assured forwarding 43 DSCP (100110).
cs1 | Specifies class selector 1 (precedence 1) DSCP (001000).
cs2 | Specifies class selector 2 (precedence 2) DSCP (010000).
cs3 | Specifies class selector 3 (precedence 3) DSCP (011000).
cs4 | Specifies class selector 4 (precedence 4) DSCP (100000).
cs5 | Specifies class selector 5 (precedence 5) DSCP (101000).
cs6 | Specifies class selector 6 (precedence 6) DSCP (110000).
cs7 | Specifies class selector 7 (precedence 7) DSCP (111000).
ef | Specifies expedited forwarding DSCP (101110).
default | Specifies the default DSCP (000000).

Command Default: default

Command Modes: Policy map class configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
This example shows how to configure the DSCP value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set dscp 4
This example shows how to revert to the default DSCP value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set dscp 4
Command | Description
---|---
class (policy map) | Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
To set the precedence value for IPv4 and IPv6 packets in a control plane policy map, use the set precedence command. To revert to the default, use the no form of this command.
set precedence [tunnel] { prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine }
no set precedence [tunnel] { prec-value | critical | flash | flash-override | immediate | internet | network | priority | routine }
Keyword or Argument | Description
---|---
tunnel | (Optional) Sets the precedence in the tunnel encapsulation header.
prec-value | Numerical IP precedence value for the control plane policy map. The range is from 0 to 7.
critical | Specifies critical precedence (precedence value 5).
flash | Specifies flash precedence (precedence value 3).
flash-override | Specifies flash override precedence (precedence value 4).
immediate | Specifies immediate precedence (precedence value 2).
internet | Specifies internetwork control precedence (precedence value 6).
network | Specifies network control precedence (precedence value 7).
priority | Specifies priority precedence (precedence value 1).
routine | Specifies routine precedence (precedence value 0).

Command Default: 0 (routine)

Command Modes: Policy map class configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
You can use this command only in the default virtual device context (VDC).
This command does not require a license.
This example shows how to configure the precedence value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# set precedence critical
This example shows how to revert to the default precedence value for a control plane policy map:
switch# configure terminal
switch(config)# policy-map type control-plane PolicyMapA
switch(config-pmap)# class ClassMapA
switch(config-pmap-c)# no set precedence critical
Command | Description
---|---
class (policy map) | Specifies a control plane class map for a control plane policy map and enters policy map class configuration mode.
policy-map type control-plane | Specifies a control plane policy map and enters policy map configuration mode.
show policy-map type control-plane | Displays configuration information for control plane policy maps.
To assign a source interface for a specific RADIUS or TACACS+ server group, use the source-interface command. To revert to the default, use the no form of this command.
source-interface interface
no source-interface
Argument | Description
---|---
interface | Source interface. The supported interface types are ethernet, loopback, and mgmt 0.

Command Default: The global source interface.

Command Modes: RADIUS server group configuration, TACACS+ server group configuration
Release | Modification
---|---
4.1(2) | This command was introduced.
Use the source-interface command to override, for one server group, the global source interface assigned by the ip radius source-interface command or the ip tacacs source-interface command.
You must use the feature tacacs+ command before you configure TACACS+.
This command does not require a license.
This example shows how to configure a source interface for a RADIUS server group that overrides the global RADIUS source interface:
switch# configure terminal
switch(config)# ip radius source-interface mgmt 0
switch(config)# aaa group server radius RadServer
switch(config-radius)# source-interface ethernet 2/1
Command | Description
---|---
feature tacacs+ | Enables the TACACS+ feature.
ip radius source-interface | Configures the global source interface for the RADIUS groups configured on the Cisco NX-OS device.
ip tacacs source-interface | Configures the global source interface for the TACACS+ groups configured on the Cisco NX-OS device.
show radius-server groups | Displays the RADIUS server group configuration.
show tacacs-server groups | Displays the TACACS+ server group configuration.
To create a Secure Shell (SSH) session on the Cisco NX-OS device, use the ssh command.
ssh [ username @ ] { ipv4-address | hostname } [ vrf vrf-name ]
Keyword or Argument | Description
---|---
username | (Optional) Username for the SSH session. The username is not case sensitive.
ipv4-address | IPv4 address of the remote device.
hostname | Hostname of the remote device. The hostname is case sensitive.
vrf vrf-name | (Optional) Specifies the virtual routing and forwarding (VRF) instance to use for the SSH session. The VRF name is case sensitive.

Command Default: Default VRF

Command Modes: Any command mode
Release | Modification
---|---
4.0(1) | This command was introduced.
The Cisco NX-OS software supports SSH version 2.
To use IPv6 addressing for an SSH session, use the ssh6 command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
If you are planning to create an SSH session to a remote device from the boot mode of a Cisco NX-OS device, you must obtain the hostname for the remote device, enable the SSH server on the remote device, and ensure that the Cisco NX-OS device is loaded with only the kickstart image.
This command does not require a license.
This example shows how to start an SSH session using IPv4:
switch# ssh 10.10.1.1 vrf management
The authenticity of host '10.10.1.1 (10.10.1.1)' can't be established.
RSA key fingerprint is 9b:d9:09:97:f6:40:76:89:05:15:42:6b:12:48:0f:d6.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.10.1.1' (RSA) to the list of known hosts.
User Access Verification
Password:
This example shows how to create an SSH session to a remote device from the boot mode of the Cisco NX-OS device:
switch(boot)# ssh user1@10.10.1.1
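The "Are you sure you want to continue connecting" prompt in the IPv4 example above is the one point at which a first connection can be checked against an independent record of the remote host key; answering yes unconditionally turns it into trust-on-first-use. The following added Python example (not Cisco code and not part of this reference) parses that prompt, compares the presented fingerprint with a pinned value, and answers yes only on an exact match. The pinned table is constructed for the demonstration and happens to contain the fingerprint printed in the example; in practice it would be populated from show ssh key on each target, collected out of band. The md5_fingerprint and sha256_fingerprint helpers show how the colon-hex form printed here and the SHA256: form that newer OpenSSH clients print are derived from a raw public-key blob, so a pinned list can be built from the key itself rather than from a previous prompt.

```python
"""Check an SSH host-key fingerprint against a pinned list before typing 'yes'.

Added example, not Cisco code. The pinned table below is constructed for the
demonstration; populate it from 'show ssh key' on each target, obtained out of
band, and treat the first-connection prompt as a decision point.
"""
import base64
import hashlib
import re
from typing import Dict, Tuple

# Matches the prompt shown in the ssh example above (MD5 colon-hex) and the
# 'SHA256:<base64>' form that newer OpenSSH clients print.
PROMPT_RE = re.compile(
    r"authenticity of host '(?P<host>[^' ]+)[^']*' can't be established\.\s*"
    r"(?P<algo>\w+) key fingerprint is "
    r"(?P<fp>(?:[0-9a-fA-F]{2}:){15}[0-9a-fA-F]{2}|SHA256:[A-Za-z0-9+/]+)\.",
    re.S,
)


def md5_fingerprint(blob: bytes) -> str:
    """Legacy fingerprint: MD5 over the raw public-key blob, colon-separated hex."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH 6.8+ fingerprint: 'SHA256:' plus unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def normalize(fp: str) -> str:
    """Hex fingerprints compare case-insensitively; base64 ones must not be folded."""
    fp = fp.strip()
    if fp.lower().startswith("sha256:"):
        return "SHA256:" + fp[7:].rstrip("=")
    return fp.lower()


def parse_prompt(text: str) -> Tuple[str, str, str]:
    """Extract (host, algorithm, fingerprint) from the client's prompt text."""
    m = PROMPT_RE.search(text)
    if not m:
        raise ValueError("no host-key prompt found in text")
    return m.group("host"), m.group("algo").upper(), normalize(m.group("fp"))


def answer_prompt(text: str, pinned: Dict[str, str]) -> str:
    """Return 'yes' only when the presented fingerprint equals the pinned one.

    An unknown host is a 'no' as well: accepting it silently is exactly the
    trust-on-first-use gap the pinned list exists to close.
    """
    host, _algo, fp = parse_prompt(text)
    expected = pinned.get(host)
    if expected is None or normalize(expected) != fp:
        return "no"
    return "yes"


# Prompt text as it appears in the ssh example in this reference.
SAMPLE_PROMPT = """The authenticity of host '10.10.1.1 (10.10.1.1)' can't be established.
RSA key fingerprint is 9b:d9:09:97:f6:40:76:89:05:15:42:6b:12:48:0f:d6.
Are you sure you want to continue connecting (yes/no)?"""

# Constructed pinned list; the value for 10.10.1.1 is the page's sample fingerprint.
PINNED = {"10.10.1.1": "9B:D9:09:97:F6:40:76:89:05:15:42:6B:12:48:0F:D6"}

if __name__ == "__main__":
    print(parse_prompt(SAMPLE_PROMPT))
    print("answer:", answer_prompt(SAMPLE_PROMPT, PINNED))
```

A pinned entry in one format and a prompt in the other (MD5 pinned, SHA256 presented) is reported as a mismatch rather than guessed at; keep both forms in the pinned list if the client population is mixed.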
Command | Description
---|---
clear ssh session | Clears SSH sessions.
copy scp: | Copies a file from the Cisco NX-OS device to a remote device using the Secure Copy Protocol (SCP).
feature ssh | Enables the SSH server.
ssh6 | Starts an SSH session using IPv6 addressing.
To create a Secure Shell (SSH) server key for a virtual device context (VDC), use the ssh key command. To remove the SSH server key, use the no form of this command.
ssh key { dsa [force] | rsa [ length [force] ] }
no ssh key [ dsa | rsa ]
Keyword or Argument | Description
---|---
dsa | Specifies the Digital Signature Algorithm (DSA) SSH server key.
force | (Optional) Forces the replacement of an existing SSH server key.
rsa | Specifies the Rivest, Shamir, and Adleman (RSA) public-key cryptography SSH server key.
length | (Optional) Number of bits to use when creating the RSA SSH server key. The range is from 1024 to 2048.

Command Default: 1024-bit length

Command Modes: Global configuration
Release | Modification
---|---
5.1(1) | Removed support for RSA keys shorter than 1024 bits.
4.0(1) | This command was introduced.
The Cisco NX-OS software supports SSH version 2.
If you want to remove or replace an SSH server key, you must first disable the SSH server using the no feature ssh command.
The default 1024-bit length is the smallest the command accepts and is below the 2048-bit minimum that NIST SP 800-131A sets for RSA; the dsa keyword takes no length and always produces a 1024-bit key, and OpenSSH clients have disabled ssh-dss host keys by default since release 7.0. Generate an RSA key of the maximum supported length (ssh key rsa 2048) unless an older client population prevents it.
This command does not require a license.
This example shows how to create an SSH server key using DSA:
switch# configure terminal
switch(config)# ssh key dsa
generating dsa key(1024 bits).....
..
generated dsa key
This example shows how to create an SSH server key using RSA with the default key length:
switch# configure terminal
switch(config)# ssh key rsa
generating rsa key(1024 bits).....
.
generated rsa key
This example shows how to create an SSH server key using RSA with a specified key length:
switch# configure terminal
switch(config)# ssh key rsa 1024
generating rsa key(1024 bits).....
.
generated rsa key
This example shows how to replace an SSH server key using DSA with the force option:
switch# configure terminal
switch(config)# no feature ssh
switch(config)# ssh key dsa force
deleting old dsa key.....
generating dsa key(1024 bits).....
.
generated dsa key
switch(config)# feature ssh
This example shows how to remove the DSA SSH server key:
switch# configure terminal
switch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key dsa
switch(config)# feature ssh
This example shows how to remove all SSH server keys:
switch# configure terminal
switch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
switch(config)# no ssh key
switch(config)# feature ssh
Command | Description
---|---
show ssh key | Displays the SSH server key information.
feature ssh | Enables the SSH server.
To configure the maximum number of times that a user can attempt to log in to a Secure Shell (SSH) session, use the ssh login-attempts command. To disable the configuration, use the no form of this command.
ssh login-attempts number
no ssh login-attempts
Argument | Description
---|---
number | Maximum number of login attempts. The range is from 1 to 10.

Command Default: 3

Command Modes: Global configuration
Release | Modification
---|---
5.0(2) | This command was introduced.
The total number of login attempts includes attempts through public-key authentication, certificate-based authentication, and password-based authentication.
This command does not require a license.
If the user exceeds the maximum number of permitted login attempts, the session disconnects.
This example shows how to configure the maximum number of times that a user can attempt to log in to an SSH session:
switch# configure terminal
switch(config)# ssh login-attempts 5
This example shows how to revert to the default number of SSH login attempts:
switch# configure terminal
switch(config)# no ssh login-attempts
Command | Description
---|---
show running-config security all | Displays the configured maximum number of SSH login attempts.
To enable the Secure Shell (SSH) server for a virtual device context (VDC), use the ssh server enable command. To disable the SSH server, use the no form of this command.
ssh server enable
no ssh server enable
This command has no arguments or keywords.

Command Default: Enabled

Command Modes: Global configuration
Release | Modification
---|---
4.1(2) | This command was deprecated and replaced with the feature ssh command.
4.0(1) | This command was introduced.
The Cisco NX-OS software supports SSH version 2.
This command does not require a license.
This example shows how to enable the SSH server:
switch# configure terminal
switch(config)# ssh server enable
This example shows how to disable the SSH server:
switch# configure terminal
switch(config)# no ssh server enable
XML interface to system may become unavailable since ssh is disabled
Command | Description
---|---
show ssh server | Displays SSH server information.
To create a Secure Shell (SSH) session using IPv6 on the Cisco NX-OS device, use the ssh6 command.
ssh6 [ username @ ] { ipv6-address | hostname } [ vrf vrf-name ]
Keyword or Argument | Description
---|---
username | (Optional) Username for the SSH session. The username is not case sensitive.
ipv6-address | IPv6 address of the remote device.
hostname | Hostname of the remote device.
vrf vrf-name | (Optional) Specifies the virtual routing and forwarding (VRF) instance to use for the SSH session. The VRF name is case sensitive.

Command Default: Default VRF

Command Modes: Any command mode
Release | Modification
---|---
4.0(1) | This command was introduced.
The Cisco NX-OS software supports SSH version 2.
To use IPv4 addressing to start an SSH session, use the ssh command.
The Cisco NX-OS software supports a maximum of 60 concurrent SSH and Telnet sessions.
This command does not require a license.
This example shows how to start an SSH session using IPv6:
switch# ssh6 host2 vrf management
Command | Description
---|---
clear ssh session | Clears SSH sessions.
ssh | Starts an SSH session using IPv4 addressing.
feature ssh | Enables the SSH server.
To start recording how many packets are permitted or denied by each entry in an IPv4, IPv6, or MAC access control list (ACL), or by each entry in a VLAN access map, use the statistics per-entry command. To stop recording per-entry statistics, use the no form of this command.
statistics per-entry
no statistics per-entry
This command has no arguments or keywords.

Command Default: None

Command Modes: IP access-list configuration, IPv6 access-list configuration, MAC access-list configuration, VLAN access-map configuration
Release | Modification
---|---
4.0(3) | Changed the command from statistics to statistics per-entry.
4.0(1) | This command was introduced.
When the device determines that an IPv4, IPv6, MAC, or VLAN ACL applies to a packet, it tests the packet against the conditions of all entries in the ACLs. ACL entries are derived from the rules that you configure with the applicable permit and deny commands. The first matching rule determines whether the packet is permitted or denied. Enter the statistics per-entry command to start recording how many packets are permitted or denied by each entry in an ACL.
Statistics are not supported if the DHCP snooping feature is enabled.
The device does not record statistics for implicit rules. To record statistics for these rules, you must explicitly configure an identical rule for each implicit rule. For more information about implicit rules, see the following commands:
To view per-entry statistics, use the show access-lists command or the applicable following command:
To clear per-entry statistics, use the clear access-list counters command or the applicable following command:
This command does not require a license.
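The first-match evaluation and per-entry counters described above, as an added Python model (not NX-OS code; the ACL name, rules and sample flows are constructed). It shows why the implicit deny at the end of the list reports no count until an identical rule is configured explicitly.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Entry:
    """One explicit ACL rule; hits is its per-entry counter."""
    seq: int
    action: str          # "permit" or "deny"
    source: str          # IPv4 prefix in CIDR notation
    destination: str
    hits: int = 0

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination))


@dataclass
class AccessList:
    name: str
    entries: list = field(default_factory=list)
    statistics_per_entry: bool = False   # "statistics per-entry" / "no statistics per-entry"

    def evaluate(self, src: str, dst: str) -> str:
        """The first matching rule decides; the implicit deny keeps no counter."""
        for entry in sorted(self.entries, key=lambda e: e.seq):
            if entry.matches(src, dst):
                if self.statistics_per_entry:
                    entry.hits += 1
                return entry.action
        return "deny"        # implicit rule: no statistics recorded

    def counters(self) -> dict:
        """Per-entry counts as show access-lists would report them (seq -> hits)."""
        return {e.seq: e.hits for e in sorted(self.entries, key=lambda e: e.seq)}

    def clear_counters(self) -> None:
        """Equivalent of clear access-list counters for this ACL."""
        for e in self.entries:
            e.hits = 0


def demo() -> dict:
    """Constructed ACL and traffic (hypothetical values, not from the page)."""
    acl = AccessList("ip-acl-101", [
        Entry(10, "permit", "10.1.0.0/16", "0.0.0.0/0"),
        Entry(20, "deny", "192.168.0.0/16", "10.0.0.0/8"),
    ])
    acl.statistics_per_entry = True
    flows = [("10.1.2.3", "10.9.9.9"), ("192.168.1.1", "10.0.0.5"), ("172.16.0.1", "10.0.0.5")]
    decisions = [acl.evaluate(s, d) for s, d in flows]
    before = acl.counters()                 # the 172.16.0.1 flow hit the implicit deny: not counted
    # To count those packets, configure an identical rule explicitly.
    acl.entries.append(Entry(100, "deny", "0.0.0.0/0", "0.0.0.0/0"))
    acl.evaluate("172.16.0.1", "10.0.0.5")
    return {"decisions": decisions, "before": before, "after": acl.counters()}
```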
This example shows how to start recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101
switch(config-acl)# statistics per-entry
switch(config-acl)#
This example shows how to stop recording per-entry statistics for an IPv4 ACL named ip-acl-101:
switch(config)# ip access-list ip-acl-101
switch(config-acl)# no statistics per-entry
switch(config-acl)#
This example shows how to start recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# statistics per-entry
switch(config-access-map)#
This example shows how to stop recording per-entry statistics for the ACLs in entry 20 in a VLAN access-map named vlan-map-01:
switch(config)# vlan access-map vlan-map-01 20
switch(config-access-map)# no statistics per-entry
switch(config-access-map)#
Command |
Description |
---|---|
show access-lists |
Displays all IPv4, IPv6, and MAC ACLs, or a specific ACL. |
clear access-list counters |
Clears per-entry statistics for all IPv4, IPv6, and MAC ACLs, or for a specific ACL. |
To set the suppression level for traffic storm control, use the storm-control level command. To turn off the suppression mode or revert to the default, use the no form of this command.
storm-control { broadcast | multicast | unicast } level percentage [ . fraction ]
no storm-control { broadcast | multicast | unicast } level
broadcast |
Specifies the broadcast traffic. |
multicast |
Specifies the multicast traffic. |
unicast |
Specifies the unicast traffic. |
percentage |
Percentage of the suppression level. The range is from 0 to 100 percent. |
. fraction |
(Optional) Fraction of the suppression level. The range is from 0 to 99. |
All packets are passed
Interface configuration
Release |
Modification |
---|---|
4.0(1) |
This command was introduced. |
Enter the storm-control level command to enable traffic storm control on the interface, configure the traffic storm-control level, and apply the traffic storm-control level to all traffic storm-control modes that are enabled on the interface.
Only one suppression level is shared by all three suppression modes. For example, if you set the broadcast level to 30 and set the multicast level to 40, both levels are enabled and set to 40.
The period (.) is required when you enter the fractional-suppression level.
The suppression level is a percentage of the total bandwidth. A threshold value of 100 percent means that no limit is placed on traffic. A threshold value of 0 or 0.0 (fractional) percent means that all specified traffic is blocked on a port.
Use the show interfaces counters broadcast command to display the discard count.
Use one of the following methods to turn off suppression for the specified traffic type:
This command does not require a license.
This example shows how to enable suppression of broadcast traffic and set the suppression threshold level:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# storm-control broadcast level 30
This example shows how to disable the suppression mode for multicast traffic:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# no storm-control multicast level
Command |
Description |
---|---|
show interface |
Displays the storm-control suppression counters for an interface. |
show running-config |
Displays the configuration of the interface. |
To enable port security on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security command. To remove port security configuration, use the no form of this command.
switchport port-security
no switchport port-security
This command has no arguments or keywords.
None
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
4.0(1) |
This command was introduced. |
Per interface, port security is disabled by default.
You must configure the interface as a Layer 2 interface by using the switchport command before you can use the switchport port-security command.
You must enable port security by using the feature port-security command before you can use the switchport port-security command.
If port security is enabled on any member port of the Layer 2 port-channel interface, the device does not allow you to disable port security on the port-channel interface. To do so, remove all secure member ports from the port-channel interface first. After disabling port security on a member port, you can add it to the port-channel interface again, as needed.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
This command does not require a license.
This example shows how to enable port security on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security
switch(config-if)#
This example shows how to enable port security on the port-channel 10 interface:
switch# configure terminal
switch(config)# interface port-channel 10
switch(config-if)# switchport port-security
switch(config-if)#
Command |
Description |
---|---|
feature port-security |
Enables port security globally. |
show port-security |
Shows information about port security. |
switchport port-security aging time |
Configures the aging time for dynamically learned, secure MAC addresses. |
switchport port-security aging type |
Configures the aging type for dynamically learned, secure MAC addresses. |
switchport port-security mac-address |
Configures a static MAC address. |
switchport port-security mac-address sticky |
Enables the sticky method for learning secure MAC addresses. |
switchport port-security maximum |
Configures an interface or a VLAN maximum for secured MAC addresses on an interface. |
switchport port-security violation |
Configures the security violation action for an interface. |
To configure the aging type for dynamically learned, secure MAC addresses, use the switchport port-security aging type command. To return to the default aging type, which is absolute aging, use the no form of this command.
switchport port-security aging type { absolute | inactivity }
no switchport port-security aging type { absolute | inactivity }
absolute |
Specifies that the age of dynamically learned, secure MAC addresses is based on how long ago the device learned the address. |
inactivity |
Specifies that the age of dynamically learned, secure MAC addresses is based on how long ago the device last received traffic from the MAC address on the current interface. |
absolute
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
4.0(1) |
This command was introduced. |
The default aging type is absolute aging.
You must enable port security by using the feature port-security command before you can use the switchport port-security aging type command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
This example shows how to configure the aging type to be “inactivity” on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security aging type inactivity
switch(config-if)#
Command |
Description |
---|---|
feature port-security |
Enables port security globally. |
show port-security |
Shows information about port security. |
switchport port-security |
Configures a Layer 2 interface for port security. |
switchport port-security aging time |
Configures the aging time for dynamically learned, secure MAC addresses. |
switchport port-security mac-address |
Configures a static MAC address. |
switchport port-security mac-address sticky |
Enables the sticky method for learning secure MAC addresses. |
switchport port-security maximum |
Configures an interface or a VLAN maximum for secured MAC addresses on an interface. |
switchport port-security violation |
Configures the security violation action for an interface. |
To configure a static, secure MAC address on an interface, use the switchport port-security mac-address command. To remove a static, secure MAC address from an interface, use the no form of this command.
switchport port-security mac-address address [ vlan vlan-ID ]
no switchport port-security mac-address address [ vlan vlan-ID ]
address |
MAC address that you want to specify as a static, secure MAC address on the current interface. |
vlan vlan-ID |
(Optional) Specifies the VLAN on which traffic from the MAC address is permitted. Valid VLAN IDs are from 1 to 4096. |
None
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
4.0(1) |
This command was introduced. |
There are no default static, secure MAC addresses.
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
This example shows how to configure 0019.D2D0.00AE as a static, secure MAC address on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE
switch(config-if)#
Command |
Description |
---|---|
feature port-security |
Enables port security globally. |
show port-security |
Shows information about port security. |
switchport port-security |
Configures a Layer 2 interface for port security. |
switchport port-security aging time |
Configures the aging time for dynamically learned, secure MAC addresses. |
switchport port-security aging type |
Configures the aging type for dynamically learned, secure MAC addresses. |
switchport port-security mac-address sticky |
Enables the sticky method for learning secure MAC addresses. |
switchport port-security maximum |
Configures an interface or a VLAN maximum for secured MAC addresses on an interface. |
switchport port-security violation |
Configures the security violation action for an interface. |
To enable the sticky method for learning secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security mac-address sticky command. To disable the sticky method and return to the dynamic method, use the no form of this command.
switchport port-security mac-address sticky
no switchport port-security mac-address sticky
This command has no arguments or keywords.
The sticky method of secure MAC address learning is disabled by default.
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
4.0(1) |
This command was introduced. |
You must enable port security by using the feature port-security command before you can use the switchport port-security mac-address sticky command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
This command does not require a license.
This example shows how to enable the sticky method of learning secure MAC addresses on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security mac-address sticky
switch(config-if)#
Command |
Description |
---|---|
feature port-security |
Enables port security globally. |
show port-security |
Shows information about port security. |
switchport port-security |
Enables port security on a Layer 2 interface. |
switchport port-security aging time |
Configures the aging time for dynamically learned, secure MAC addresses. |
switchport port-security aging type |
Configures the aging type for dynamically learned, secure MAC addresses. |
switchport port-security mac-address |
Configures a static MAC address. |
switchport port-security maximum |
Configures an interface or a VLAN maximum for secured MAC addresses on an interface. |
switchport port-security violation |
Configures the security violation action for an interface. |
To configure the interface maximum or a VLAN maximum of secure MAC addresses on a Layer 2 Ethernet interface or Layer 2 port-channel interface, use the switchport port-security maximum command. To remove port security configuration, use the no form of this command.
switchport port-security maximum number [ vlan vlan-ID ]
no switchport port-security maximum number [ vlan vlan-ID ]
maximum number |
Specifies the maximum number of secure MAC addresses. See the “Usage Guidelines” section for information about valid values for the number argument. |
vlan vlan-ID |
(Optional) Specifies the VLAN that the maximum applies to. If you omit the vlan keyword, the maximum is applied as an interface maximum. |
None
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
4.0(1) |
This command was introduced. |
The default interface maximum is one secure MAC address.
Enabling port security on an interface also enables the default method for learning secure MAC addresses, which is the dynamic method. To enable the sticky learning method, use the switchport port-security mac-address sticky command.
You must enable port security by using the feature port-security command before you can use the switchport port-security maximum command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
There is no default VLAN maximum.
There is a system-wide, nonconfigurable maximum of 4096 secure MAC addresses.
This command does not require a license.
Maximums for Access Ports and Trunk Ports
For an interface used as an access port, we recommend that you use the default interface maximum of one secure MAC address.
For an interface used as a trunk port, set the interface maximum to a number that reflects the actual number of hosts that could use the interface.
Interface Maximums, VLAN Maximums, and the Device Maximum
The sum of all VLAN maximums that you configure on an interface cannot exceed the interface maximum. For example, if you configure a trunk-port interface with an interface maximum of 10 secure MAC addresses and a VLAN maximum of 5 secure MAC addresses for VLAN 1, the largest maximum number of secure MAC addresses that you can configure for VLAN 2 is also 5. If you tried to configure a maximum of 6 secure MAC addresses for VLAN 2, the device would not accept the command.
This example shows how to configure an interface maximum of 10 secure MAC addresses on the Ethernet 2/1 interface:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security maximum 10
switch(config-if)#
Command |
Description |
---|---|
feature port-security |
Enables port security globally. |
show port-security |
Shows information about port security. |
switchport port-security |
Enables port security on a Layer 2 interface. |
switchport port-security aging time |
Configures the aging time for dynamically learned, secure MAC addresses. |
switchport port-security aging type |
Configures the aging type for dynamically learned, secure MAC addresses. |
switchport port-security mac-address |
Configures a static MAC address. |
switchport port-security mac-address sticky |
Enables the sticky method for learning secure MAC addresses. |
switchport port-security violation |
Configures the security violation action for an interface. |
To configure the action that the device takes when a security violation event occurs on an interface, use the switchport port-security violation command. To remove the port security violation action configuration, use the no form of this command.
switchport port-security violation { protect | restrict | shutdown }
no switchport port-security violation { protect | restrict | shutdown }
protect |
Specifies that the device does not raise security violations when a packet would normally trigger a security violation event. Instead, the address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops. |
restrict |
Specifies that the device drops ingress traffic from any nonsecure MAC addresses. Address learning continues until 100 security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped. After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation. |
shutdown |
Specifies that the device shuts down the interface if it receives a packet triggering a security violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses. |
None
Interface configuration
Release |
Modification |
---|---|
4.2(1) |
Support for Layer 2 port-channel interfaces was added. |
4.0(1) |
This command was introduced. |
The default security violation action is to shut down the interface.
You must enable port security by using the feature port-security command before you can use the switchport port-security violation command.
Before using this command, you must use the switchport command to configure the interface to operate as a Layer 2 interface.
Port security triggers a security violation when either of the following two events occurs:
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
The device detects a violation when any of the following occurs:
Note: After a secure MAC address is configured or learned on one secure port, the sequence of events that occurs when port security detects that secure MAC address on a different port in the same VLAN is known as a MAC move violation.
When a security violation occurs, the device takes the action specified by the port security configuration of the applicable interface. The possible actions are as follows:
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands.
After 100 security violations occur, the device disables learning on the interface and drops all ingress traffic from nonsecure MAC addresses. In addition, the device generates an SNMP trap for each security violation.
If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.
This command does not require a license.
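The maximum checks from the switchport port-security maximum guidelines and the three violation actions described here, as one added Python model (not Cisco code; the class and method names are assumptions). The restrict-mode detail that traffic from addresses learned after the first violation is dropped is not modeled; the MAC address values used in testing are constructed.

```python
from dataclasses import dataclass, field

RESTRICT_LIMIT = 100    # page: restrict stops learning after 100 violations


@dataclass
class SecurePort:
    """A Layer 2 interface with port security enabled (dynamic learning)."""
    name: str
    maximum: int = 1                    # default interface maximum is one address
    violation: str = "shutdown"         # default violation action
    vlan_maximum: dict = field(default_factory=dict)  # vlan -> VLAN maximum
    secure: dict = field(default_factory=dict)        # secure mac -> vlan
    blocked: set = field(default_factory=set)         # protect: learned but dropped
    violations: int = 0
    learning: bool = True
    err_disabled: bool = False
    traps: list = field(default_factory=list)         # restrict: one SNMP trap each

    def set_vlan_maximum(self, vlan: int, number: int) -> None:
        """Reject the command if VLAN maximums would exceed the interface maximum."""
        others = sum(n for v, n in self.vlan_maximum.items() if v != vlan)
        if others + number > self.maximum:
            raise ValueError(f"{self.name}: exceeds interface maximum {self.maximum}")
        self.vlan_maximum[vlan] = number

    def _at_limit(self, vlan: int) -> bool:
        """A violation occurs when either the interface or the VLAN maximum is reached."""
        if len(self.secure) >= self.maximum:
            return True
        vmax = self.vlan_maximum.get(vlan)
        return vmax is not None and list(self.secure.values()).count(vlan) >= vmax

    def violate(self, mac: str, vlan: int) -> str:
        """Apply the configured action to a violating frame; the frame is dropped."""
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True    # error disabled; secure addresses retained
        elif self.violation == "restrict":
            self.traps.append(mac)
            if self.violations >= RESTRICT_LIMIT:
                self.learning = False
        elif self.violation == "protect":
            self.blocked.add(mac)       # address learned, but its traffic is dropped
            self.learning = False       # further address learning stops
        return "drop"

    def ingress(self, mac: str, vlan: int) -> str:
        """Return 'forward' or 'drop' for a frame from mac on vlan."""
        if self.err_disabled or mac in self.blocked:
            return "drop"
        if mac in self.secure:
            return "forward"
        if self.learning and not self._at_limit(vlan):
            self.secure[mac] = vlan     # dynamically learn a new secure address
            return "forward"
        return self.violate(mac, vlan)


class Switch:
    """Ports on one device; detects MAC move violations between secure ports."""
    def __init__(self, *ports: SecurePort) -> None:
        self.ports = {p.name: p for p in ports}

    def receive(self, port_name: str, mac: str, vlan: int) -> str:
        port = self.ports[port_name]
        for other in self.ports.values():
            # secure on another port in the same VLAN: act on the receiving port
            if other is not port and other.secure.get(mac) == vlan:
                return port.violate(mac, vlan)
        return port.ingress(mac, vlan)
```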
This example shows how to configure an interface to respond to a security violation event with the protect action:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# switchport port-security violation protect
switch(config-if)#
Command |
Description |
---|---|
feature port-security |
Enables port security globally. |
show port-security |
Shows information about port security. |
switchport port-security |
Enables port security on a Layer 2 interface. |
switchport port-security aging time |
Configures the aging time for dynamically learned, secure MAC addresses. |
switchport port-security aging type |
Configures the aging type for dynamically learned, secure MAC addresses. |
switchport port-security mac-address |
Configures a static MAC address. |
switchport port-security mac-address sticky |
Enables the sticky method for learning secure MAC addresses. |
switchport port-security maximum |
Configures an interface or a VLAN maximum for secured MAC addresses on an interface. |