Security Configuration Examples

This chapter provides examples for configuring security features.

Configuration Example for FIPS

The following example shows how to enable FIPS mode:

config terminal
fips mode enable
show fips status
exit
copy running-config startup-config
reload

Configuration Examples for AAA

The following example shows how to configure AAA:

aaa authentication login default group radius 
aaa authentication login console group radius 
aaa accounting default group radius

Configuration Example for RADIUS

The following example shows how to configure RADIUS:

radius-server key 7 "ToIkLhPpG" 
radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting 
aaa group server radius RadServer
    server 10.10.1.1

Configuration Examples for TACACS+

The following example shows how to configure a TACACS+ server host and server group:

feature tacacs+ 
tacacs-server key 7 "ToIkLhPpG" 
tacacs-server host 10.10.2.2 key 7 "ShMoMhTl" 
aaa group server tacacs+ TacServer
    server 10.10.2.2

The following example shows how to configure and use command authorization verification:

switch# terminal verify-only
switch# show interface ethernet 7/2 brief
%Success
switch# terminal no verify-only
switch# show interface ethernet 7/2 brief

--------------------------------------------------------------------------------
Ethernet      VLAN   Type Mode   Status  Reason                   Speed     Port
Interface                                                                   Ch #
--------------------------------------------------------------------------------
Eth7/2        1      eth  access down    SFP not inserted           auto(D) --

The following example shows how to enable the cumulative privilege of roles, configure a secret password for privilege level 2, and configure user3 for privilege level 2 authorization:

switch# configure terminal
switch(config)# feature privilege
switch(config)# enable secret def456 priv-lvl 2
switch(config)# username user3 priv-lvl 2
switch(config)# show privilege
User name: user3
Current privilege level: -2
Feature privilege: Enabled
switch(config)# copy running-config startup-config
switch(config)# exit

The following example shows how to change user3 from the priv-2 role to the priv-15 role. After entering the enable 15 command, the user is prompted to enter the password that was configured by the administrator using the enable secret command. Privilege level 15 gives this user network-admin privileges under the enable mode.

User Access Verification
login: user3
Password: ******
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright ©) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch#
switch# enable 15
Password: def456
Cisco Nexus Operating System (NX-OS) Software
TAC support: http://www.cisco.com/tac
Copyright ©) 2002-2009, Cisco Systems, Inc. All rights reserved.
The copyrights to certain works contained in this software are
owned by other third parties and used and distributed under
license. Certain components of this software are licensed under
the GNU General Public License (GPL) version 2.0 or the GNU
Lesser General Public License (LGPL) Version 2.1. A copy of each
such license is available at
http://www.opensource.org/licenses/gpl-2.0.php and
http://www.opensource.org/licenses/lgpl-2.1.php
switch-enable#

The following example shows how to permit all users with roles priv-5 and above to execute the pwd command:

switch# configure terminal
switch(config)# role name priv-5
switch(config-role)# rule 1 permit command pwd

The following example shows how to deny the show running-config command to all users with roles below priv-5. First, you must remove the permission to execute this command from the priv-0 role; then you must permit the command at role priv-5 so that users with roles priv-5 and above have permission to run the command.

switch# configure terminal
switch(config)# role name priv-0
switch(config-role)# rule 2 deny command show running-config
switch(config-role)# exit
switch(config)# role name priv-5
switch(config-role)# rule 3 permit command show running-config
switch(config-role)# exit

Configuration Example for SSH

The following example shows how to configure SSH with an OpenSSH key:

Procedure
Step 1   Disable the SSH server.

Example:
switch# configure terminal      
switch(config)# no feature ssh
Step 2   Generate an SSH server key.

Example:
      
switch(config)# ssh key rsa      
generating rsa key(1024 bits)......
generated rsa key
Step 3   Enable the SSH server.

Example:
switch(config)# feature ssh
Step 4   Display the SSH server key.

Example:
switch(config)# show ssh key      
rsa Keys generated:Sat Sep 29 00:10:39 2007

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvWhEBsF55oaPHNDBnpXOTw6+/OdHoLJZKr
+MZm99n2U0ChzZG4svRWmHuJY4PeDWl0e5yE3g3EO3pjDDmt923siNiv5aSga60K36lr39
HmXL6VgpRVn1XQFiBwn4na+H1d3Q0hDt+uWEA0tka2uOtXlDhliEmn4HVXOjGhFhoNE=

bitcount:1024
fingerprint:
51:6d:de:1c:c3:29:50:88:df:cc:95:f0:15:5d:9a:df
**************************************
could not retrieve dsa key information
**************************************
Step 5   Specify the SSH public key in OpenSSH format.

Example:
switch(config)# username User1 sshkey ssh-rsa      
AAAAB3NzaC1yc2EAAAABIwAAAIEAy19oF6QaZl9G+3f1XswK3OiW4H7YyUyuA50r
v7gsEPjhOBYmsi6PAVKui1nIf/DQhum+lJNqJP/eLowb7ubO+lVKRXFY/G+lJNIQ
W3g9igG30c6k6+XVn+NjnI1B7ihvpVh7dLddMOXwOnXHYshXmSiH3UD/vKyziEh5
4Tplx8=
Step 6   Save the configuration.

Example:
switch(config)# copy running-config startup-config

Configuration Example for SSH Passwordless File Copy

The following example shows how to copy files from a Cisco NX-OS device to a secure copy (SCP) or secure FTP (SFTP) server without a password:

Procedure
Step 1   Generate the SSH public and private keys and store them in the home directory of the Cisco NX-OS device for the specified user.

Example:
switch# configure terminal      
switch(config)# username admin keypair generate rsa      
generating rsa key(1024 bits)......
generated rsa key
Step 2   Display the public key for the specified user.

Example:
switch(config)# show username admin keypair      

**************************************

rsa Keys generated: Thu Jul  9 11:10:29 2009

ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT+oQhIcvnrMbx2BmD0P8boZElTfJ
Fx9fexWp6rOiztlwODtehnjadWc6A+DE2DvYNvqsrU9TBypYDPQkR/+Y6cKubyFW
VxSBG/NHztQc3+QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc+fbq
S33GZsCAX6v0=

bitcount:262144
fingerprint:
8d:44:ee:6c:ca:0b:44:95:36:d0:7d:f2:b5:78:74:7d
**************************************

could not retrieve dsa key information
**************************************
Step 3   Export the public and private keys from the home directory of the Cisco NX-OS device to the specified bootflash directory.

Example:
switch(config)# username admin keypair export bootflash:key_rsa rsa      
Enter Passphrase:
switch(config)# dir
.
.
.
        951     Jul 09 11:13:59 2009  key_rsa
        221     Jul 09 11:14:00 2009  key_rsa.pub
.
.
Step 4   After copying these two files to another Cisco NX-OS device using the copy scp or copy sftp command, import them to the home directory of the Cisco NX-OS device.

Example:
switch(config)# username admin keypair import bootflash:key_rsa rsa      
Enter Passphrase:
switch(config)# show username admin keypair
**************************************

rsa Keys generated: Thu Jul  9 11:10:29 2009

ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAxWmjJT+oQhIcvnrMbx2BmD0P8boZElTfJ
Fx9fexWp6rOiztlwODtehnjadWc6A+DE2DvYNvqsrU9TBypYDPQkR/+Y6cKubyFW
VxSBG/NHztQc3+QC1zdkIxGNJbEHyFoajzNEO8LLOVFIMCZ2Td7gxUGRZc+fbq
S33GZsCAX6v0=

bitcount:262144
fingerprint:
8d:44:ee:6c:ca:0b:44:95:36:d0:7d:f2:b5:78:74:7d
**************************************

could not retrieve dsa key information
**************************************
switch(config)#
Step 5   On the SCP or SFTP server, append the public key stored in key_rsa.pub to the authorized_keys file.

Example:
$ cat key_rsa.pub >> $HOME/.ssh/ authorized_keys

You can now copy files from the Cisco NX-OS device to the server without a password using standard SSH and SCP commands.
Step 6   (Optional)Repeat this procedure for the DSA keys.

Configuration Examples for PKI

This section shows examples of the tasks that you can use to configure certificates and CRLs on Cisco NX-OS devices using a Microsoft Windows Certificate server.


Note

You can use any type of certificate server to generate digital certificates. You are not limited to using the Microsoft Windows Certificate server.

Configuring Certificates on a Cisco NX-OS Device

To configure certificates on a Cisco NX-OS device, follow these steps:

Procedure
Step 1   Configure the device FQDN. 
switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
switch(config)# hostname Device-1
Device-1(config)#
Step 2   Configure the DNS domain name for the device. 
Device-1(config)# ip domain-name cisco.com
Step 3   Create a trust point. 
Device-1(config)# crypto ca trustpoint myCA
Device-1(config-trustpoint)# exit
Device-1(config)# show crypto ca trustpoints
trustpoint: myCA; key:
revokation methods:  crl
Step 4   Create an RSA key pair for the device. 
Device-1(config)# crypto key generate rsa label myKey exportable modulus 1024
Device-1(config)# show crypto key mypubkey rsa
key label: myKey
key size: 1024
exportable: yes
Step 5   Associate the RSA key pair to the trust point. 
Device-1(config)# crypto ca trustpoint myCA
Device-1(config-trustpoint)# rsakeypair myKey
Device-1(config-trustpoint)# exit
Device-1(config)# show crypto ca trustpoints
trustpoint: myCA; key: myKey
revokation methods:  crl
Step 6   Download the CA certificate from the Microsoft Certificate Service web interface.
Step 7   Authenticate the CA that you want to enroll to the trust point. 
Device-1(config)# crypto ca authenticate myCA
input (cut & paste) CA certificate (chain) in PEM format;
end the input with a line containing only END OF INPUT :
-----BEGIN CERTIFICATE-----
MIIC4jCCAoygAwIBAgIQBWDSiay0GZRPSRIljK0ZejANBgkqhkiG9w0BAQUFADCB
kDEgMB4GCSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklO
MRIwEAYDVQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UE
ChMFQ2lzY28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBD
QTAeFw0wNTA1MDMyMjQ2MzdaFw0wNzA1MDMyMjU1MTdaMIGQMSAwHgYJKoZIhvcN
AQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UEBhMCSU4xEjAQBgNVBAgTCUth
cm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4wDAYDVQQKEwVDaXNjbzETMBEG
A1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBhcm5hIENBMFwwDQYJKoZIhvcN
AQEBBQADSwAwSAJBAMW/7b3+DXJPANBsIHHzluNccNM87ypyzwuoSNZXOMpeRXXI
OzyBAgiXT2ASFuUOwQ1iDM8rO/41jf8RxvYKvysCAwEAAaOBvzCBvDALBgNVHQ8E
BAMCAcYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUJyjyRoMbrCNMRU2OyRhQ
GgsWbHEwawYDVR0fBGQwYjAuoCygKoYoaHR0cDovL3NzZS0wOC9DZXJ0RW5yb2xs
L0FwYXJuYSUyMENBLmNybDAwoC6gLIYqZmlsZTovL1xcc3NlLTA4XENlcnRFbnJv
bGxcQXBhcm5hJTIwQ0EuY3JsMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEB
BQUAA0EAHv6UQ+8nE399Tww+KaGr0g0NIJaqNgLh0AFcT0rEyuyt/WYGPzksF9Ea
NBG7E0oN66zex0EOEfG1Vs6mXp1//w==
-----END CERTIFICATE-----
END OF INPUT
Fingerprint(s): MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
Do you accept this certificate? [yes/no]:y

Device-1(config)# show crypto ca certificates
Trustpoint: myCA
CA certificate 0:
subject= /emailAddress=admin@yourcompany.com/C=IN/ST=Karnataka/
L=Bangalore/O=Yourcompany/OU=netstorage/CN=Aparna CA
issuer= /emailAddress=admin@yourcompany.com/C=IN/ST=Karnataka/
L=Bangalore/O=Yourcompany/OU=netstorage/CN=Aparna CA
serial=0560D289ACB419944F4912258CAD197A
notBefore=May  3 22:46:37 2005 GMT
notAfter=May  3 22:55:17 2007 GMT
MD5 Fingerprint=65:84:9A:27:D5:71:03:33:9C:12:23:92:38:6F:78:12
purposes: sslserver sslclient ike
Step 8   Generate a request certificate to use to enroll with a trust point. 
Device-1(config)# crypto ca enroll myCA
 Create the certificate request ..
 Create a challenge password. You will need to verbally provide this
  password to the CA Administrator in order to revoke your certificate.
  For security reasons your password will not be saved in the configuration.
  Please make a note of it.
  Password: nbv123
 The subject name in the certificate will be: Device-1.cisco.com
 Include the switch serial number in the subject name? [yes/no]: no
 Include an IP address in the subject name [yes/no]: yes
ip address: 10.10.1.1
 The certificate request will be displayed...
-----BEGIN CERTIFICATE REQUEST-----
MIIBqzCCARQCAQAwHDEaMBgGA1UEAxMRVmVnYXMtMS5jaXNjby5jb20wgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAL8Y1UAJ2NC7jUJ1DVaSMqNIgJ2kt8rl4lKY
0JC6ManNy4qxk8VeMXZSiLJ4JgTzKWdxbLDkTTysnjuCXGvjb+wj0hEhv/y51T9y
P2NJJ8ornqShrvFZgC7ysN/PyMwKcgzhbVpj+rargZvHtGJ91XTq4WoVkSCzXv8S
VqyH0vEvAgMBAAGgTzAVBgkqhkiG9w0BCQcxCBMGbmJ2MTIzMDYGCSqGSIb3DQEJ
DjEpMCcwJQYDVR0RAQH/BBswGYIRVmVnYXMtMS5jaXNjby5jb22HBKwWH6IwDQYJ
KoZIhvcNAQEEBQADgYEAkT60KER6Qo8nj0sDXZVHSfJZh6K6JtDz3Gkd99GlFWgt
PftrNcWUE/pw6HayfQl2T3ecgNwel2d15133YBF2bktExiI6Ul88nTOjglXMjja8
8a23bNDpNsM8rklwA6hWkrVL8NUZEFJxqbjfngPNTZacJCUS6ZqKCMetbKytUx0=
-----END CERTIFICATE REQUEST-----
Step 9   Request an identity certificate from the Microsoft Certificate Service web interface.
Step 10   Import the identity certificate. 
Device-1(config)# crypto ca import myCA certificate
input (cut & paste) certificate in PEM format:
-----BEGIN CERTIFICATE-----
MIIEADCCA6qgAwIBAgIKCjOOoQAAAAAAdDANBgkqhkiG9w0BAQUFADCBkDEgMB4G
CSqGSIb3DQEJARYRYW1hbmRrZUBjaXNjby5jb20xCzAJBgNVBAYTAklOMRIwEAYD
VQQIEwlLYXJuYXRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEOMAwGA1UEChMFQ2lz
Y28xEzARBgNVBAsTCm5ldHN0b3JhZ2UxEjAQBgNVBAMTCUFwYXJuYSBDQTAeFw0w
NTExMTIwMzAyNDBaFw0wNjExMTIwMzEyNDBaMBwxGjAYBgNVBAMTEVZlZ2FzLTEu
Y2lzY28uY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/GNVACdjQu41C
dQ1WkjKjSICdpLfK5eJSmNCQujGpzcuKsZPFXjF2UoiyeCYE8ylncWyw5E08rJ47
glxr42/sI9IRIb/8udU/cj9jSSfKK56koa7xWYAu8rDfz8jMCnIM4W1aY/q2q4Gb
x7RifdV06uFqFZEgs17/Elash9LxLwIDAQABo4ICEzCCAg8wJQYDVR0RAQH/BBsw
GYIRVmVnYXMtMS5jaXNjby5jb22HBKwWH6IwHQYDVR0OBBYEFKCLi+2sspWEfgrR
bhWmlVyo9jngMIHMBgNVHSMEgcQwgcGAFCco8kaDG6wjTEVNjskYUBoLFmxxoYGW
pIGTMIGQMSAwHgYJKoZIhvcNAQkBFhFhbWFuZGtlQGNpc2NvLmNvbTELMAkGA1UE
BhMCSU4xEjAQBgNVBAgTCUthcm5hdGFrYTESMBAGA1UEBxMJQmFuZ2Fsb3JlMQ4w
DAYDVQQKEwVDaXNjbzETMBEGA1UECxMKbmV0c3RvcmFnZTESMBAGA1UEAxMJQXBh
cm5hIENBghAFYNKJrLQZlE9JEiWMrRl6MGsGA1UdHwRkMGIwLqAsoCqGKGh0dHA6
Ly9zc2UtMDgvQ2VydEVucm9sbC9BcGFybmElMjBDQS5jcmwwMKAuoCyGKmZpbGU6
Ly9cXHNzZS0wOFxDZXJ0RW5yb2xsXEFwYXJuYSUyMENBLmNybDCBigYIKwYBBQUH
AQEEfjB8MDsGCCsGAQUFBzAChi9odHRwOi8vc3NlLTA4L0NlcnRFbnJvbGwvc3Nl
LTA4X0FwYXJuYSUyMENBLmNydDA9BggrBgEFBQcwAoYxZmlsZTovL1xcc3NlLTA4
XENlcnRFbnJvbGxcc3NlLTA4X0FwYXJuYSUyMENBLmNydDANBgkqhkiG9w0BAQUF
AANBADbGBGsbe7GNLh9xeOTWBNbm24U69ZSuDDcOcUZUUTgrpnTqVpPyejtsyflw
E36cIZu4WsExREqxbTk8ycx7V5o=
-----END CERTIFICATE-----
Device-1(config)# exit
Device-1#
Step 11   Verify the certificate configuration.
Step 12   Save the certificate configuration to the startup configuration.

Downloading a CA Certificate

To download a CA certificate from the Microsoft Certificate Services web interface, follow these steps:

Procedure
Step 1   From the Microsoft Certificate Services web interface, click Retrieve the CA certificate or certificate revocation task and click Next.

Step 2   From the display list, choose the CA certificate file to download from the displayed list. Then click Base 64 encoded and click Download CA certificate.
Step 3   Click Open in the File Download dialog box.
Step 4   In the Certificate dialog box, click Copy to File and click OK.
Step 5   From the Certificate Export Wizard dialog box, choose the Base-64 encoded X.509 (CER) and click Next.

Step 6   In the File name: text box on the Certificate Export Wizard dialog box, enter the destination file name and click Next.
Step 7   In the Certificate Export Wizard dialog box, click Finish.
Step 8   Enter the Microsoft Windows type command to display the CA certificate stored in Base-64 (PEM) format.

Requesting an Identity Certificate

To request an identify certificate from a Microsoft Certificate server using a PKCS#12 certificate signing request (CRS), follow these steps:

Procedure
Step 1   From the Microsoft Certificate Services web interface, click Request a certificate and click Next.
Step 2   Click Advanced request and click Next.
Step 3   Click Submit a certificate request using a base64 encoded PKCS#10 file or a renewal request using a base64 encoded PKCS#7 file and click Next.
Step 4   In the Saved Request text box, paste the base64 PKCS#10 certificate request and click Next. The certificate request is copied from the Cisco NX-OS device console.
Step 5   Wait one or two days until the certificate is issued by the CA administrator.
Step 6   Note that the CA administrator approves the certificate request.
Step 7   From the Microsoft Certificate Services web interface, click Check on a pending certificate and click Next.

Step 8   Choose the certificate request that you want to check and click Next.
Step 9   Click Base 64 encoded and click Download CA certificate.
Step 10   In the File Download dialog box, click Open.
Step 11   In the Certificate box, click Details tab and click Copy to File.... In the Certificate Export Dialog box, click Base-64 encoded X.509 (.CER), and click Next.
Step 12   In the File name: text box on the Certificate Export Wizard dialog box, enter the destination file name and click Next.

Step 13   Click Finish.

Step 14   Enter the Microsoft Windows type command to display the identity certificate in base64-encoded format.

Revoking a Certificate

To revoke a certificate using the Microsoft CA administrator program, follow these steps:

Procedure
Step 1   From the Certification Authority tree, click Issued Certificates folder. From the list, right-click the certificate that you want to revoke.
Step 2   Choose All Tasks > Revoke Certificate.
Step 3   From the Reason code drop-down list, choose a reason for the revocation and click Yes.
Step 4   Click the Revoked Certificates folder to list and verify the certificate revocation.

Generating and Publishing the CRL

To generate and publish the CRL using the Microsoft CA administrator program, follow these steps:

Procedure
Step 1   From the Certification Authority screen, choose Action > All Tasks > Publish.
Step 2   In the Certificate Revocation List dialog box, click Yes to publish the latest CRL.

Downloading the CRL

To download the CRL from the Microsoft CA website, follow these steps:

Procedure
Step 1   From the Microsoft Certificate Services web interface, click Retrieve the CA certificate or certificate revocation list and click Next.

Step 2   Click Download latest certificate revocation list.
Step 3   In the File Download dialog box, click Save.
Step 4   In the Save As dialog box, enter the destination file name and click Save.
Step 5   Enter the Microsoft Windows type command to display the CRL.

Importing the CRL

To import the CRL to the trust point corresponding to the CA, follow these steps:

Procedure
Step 1   Copy the CRL file to the Cisco NX-OS device bootflash.

Example:
Device-1# copy tftp:apranaCA.crl bootflash:aparnaCA.crl
Step 2   Configure the CRL.

Example:
Device-1# configure terminal
Device-1(config)# crypto ca crl request myCA bootflash:aparnaCA.crl
Device-1(config)#
Step 3   Display the contents of the CRL.

Example:
Device-1(config)# show crypto ca crl myCA
Trustpoint: myCA
CRL:
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /emailAddress=admin@yourcompany.com/C=IN/ST=Karnatak
Yourcompany/OU=netstorage/CN=Aparna CA
        Last Update: Nov 12 04:36:04 2005 GMT
        Next Update: Nov 19 16:56:04 2005 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
            keyid:27:28:F2:46:83:1B:AC:23:4C:45:4D:8E:C9:18:50:1
            1.3.6.1.4.1.311.21.1:
                ...
Revoked Certificates:
    Serial Number: 611B09A1000000000002
        Revocation Date: Aug 16 21:52:19 2005 GMT
Serial Number: 4CDE464E000000000003
        Revocation Date: Aug 16 21:52:29 2005 GMT
    Serial Number: 4CFC2B42000000000004
        Revocation Date: Aug 16 21:52:41 2005 GMT
    Serial Number: 6C699EC2000000000005
        Revocation Date: Aug 16 21:52:52 2005 GMT
    Serial Number: 6CCF7DDC000000000006
        Revocation Date: Jun  8 00:12:04 2005 GMT
    Serial Number: 70CC4FFF000000000007
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 4D9B1116000000000008
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 52A80230000000000009
        Revocation Date: Jun 27 23:47:06 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            CA Compromise
Serial Number: 5349AD4600000000000A
        Revocation Date: Jun 27 23:47:22 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            CA Compromise
Serial Number: 53BD173C00000000000B
        Revocation Date: Jul  4 18:04:01 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Certificate Hold
Serial Number: 591E7ACE00000000000C
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 5D3FD52E00000000000D
        Revocation Date: Jun 29 22:07:25 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Key Compromise
Serial Number: 5DAB771300000000000E
        Revocation Date: Jul 14 00:33:56 2005 GMT
    Serial Number: 5DAE53CD00000000000F
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 5DB140D3000000000010
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 5E2D7C1B000000000011
        Revocation Date: Jul  6 21:12:10 2005 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
            Cessation Of Operation
Serial Number: 16DB4F8F000000000012
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 261C3924000000000013
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 262B5202000000000014
        Revocation Date: Jul 14 00:33:10 2005 GMT
    Serial Number: 2634C7F2000000000015
        Revocation Date: Jul 14 00:32:45 2005 GMT
    Serial Number: 2635B000000000000016
        Revocation Date: Jul 14 00:31:51 2005 GMT
    Serial Number: 26485040000000000017
        Revocation Date: Jul 14 00:32:25 2005 GMT
    Serial Number: 2A276357000000000018
Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 3F88CBF7000000000019
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 6E4B5F5F00000000001A
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 725B89D800000000001B
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 735A887800000000001C
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 148511C700000000001D
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 14A7170100000000001E
        Revocation Date: Aug 16 21:53:15 2005 GMT
    Serial Number: 14FC45B500000000001F
        Revocation Date: Aug 17 18:30:42 2005 GMT
    Serial Number: 486CE80B000000000020
        Revocation Date: Aug 17 18:30:43 2005 GMT
    Serial Number: 4CA4A3AA000000000021
        Revocation Date: Aug 17 18:30:43 2005 GMT
    Serial Number: 1AA55C8E00000000002F
        Revocation Date: Sep  5 17:07:06 2005 GMT
    Serial Number: 3F0845DD00000000003F
        Revocation Date: Sep  8 20:24:32 2005 GMT
    Serial Number: 3F619B7E000000000042
        Revocation Date: Sep  8 21:40:48 2005 GMT
    Serial Number: 6313C463000000000052
        Revocation Date: Sep 19 17:37:18 2005 GMT
    Serial Number: 7C3861E3000000000060
        Revocation Date: Sep 20 17:52:56 2005 GMT
    Serial Number: 7C6EE351000000000061
        Revocation Date: Sep 20 18:52:30 2005 GMT
    Serial Number: 0A338EA1000000000074   <-- Revoked identity certificate
        Revocation Date: Nov 12 04:34:42 2005 GMT
    Signature Algorithm: sha1WithRSAEncryption
        0b:cb:dd:43:0a:b8:62:1e:80:95:06:6f:4d:ab:0c:d8:8e:32:
        44:8e:a7:94:97:af:02:b9:a6:9c:14:fd:eb:90:cf:18:c9:96:
        29:bb:57:37:d9:1f:d5:bd:4e:9a:4b:18:2b:00:2f:d2:6e:c1:
        1a:9f:1a:49:b7:9c:58:24:d7:72
Note   

The identity certificate for the device that was revoked (serial number 0A338EA1000000000074) is listed at the end.

Configuration Examples for User Accounts and RBAC

The following example shows how to configure a user role:

role name User-role-A
  rule 3 permit read-write feature l2nac
  rule 2 permit read-write feature dot1x
  rule 1 deny command clear *

The following example shows how to create a user role that can configure an interface to enable and show HSRP and show GLBP:

role name iftest
	  rule 1 permit command config t; interface *; hsrp *
	  rule 2 permit read-write feature hsrp
	  rule 3 permit read feature glbp

In the above example, rule 1 allows you to configure HSRP on an interface, rule 2 allows you to configure the config hsrp commands and enable the exec-level show and debug commands for HSRP, and rule 3 allows you to enable the exec-level show and debug glbp commands.

The following example shows how to configure a user role that can configure only a specific interface:

role name Int_Eth2-3_only
  rule 1 permit command configure terminal; interface *
  interface policy deny
    permit interface Ethernet2/3

The following example shows how to configure a user role feature group:

role feature-group name Security-features
  feature radius
  feature tacacs
  feature dot1x
  feature aaa
  feature l2nac
  feature acl
  feature access-list

The following example shows how to configure a user account:

username user1 password A1s2D4f5 role User-role-A

Configuration Example for 802.1X

The following example shows how to configure 802.1X:

feature dot1x 
aaa authentication dot1x default group rad2 
interface Ethernet2/1
  dot1x port-control auto

Note

Repeat the dot1x port-control auto command for all interfaces that require 802.1X authentication.

Configuration Example for NAC

The following example shows how to configure NAC:

feature eou 
aaa authentication eou default group radius 
mac access-list macacl-01
  10 permit any any 0x100 
interface Ethernet8/1
  mac access-group macacl-01

Configuration Examples for Cisco TrustSec

This section provides configuration examples for Cisco TrustSec.

Enabling Cisco TrustSec

The following example shows how to enable Cisco TrustSec:

feature dot1x 
feature cts 
cts device-id device1 password Cisco321

Configuring AAA for Cisco TrustSec on a Seed Cisco NX-OS Device

The following example shows how to configure AAA for Cisco TrustSec on the seed Cisco NX-OS device:

radius-server host 10.10.1.1 key Cisco123 pac
aaa group server radius Rad1
  server 10.10.1.1
  use-vrf management 
aaa authentication dot1x default group Rad1 
aaa authorization cts default group Rad1

Enabling Cisco TrustSec Authentication on an Interface

The following example shows how to enable Cisco TrustSec authentication with a clear text password on an interface:

interface ethernet 2/1
  cts dot1x 
  shutdown 
  no shutdown

Configuring Cisco TrustSec Authentication in Manual Mode

The following example shows how to configure Cisco TrustSec authentication in manual mode static policy on an interface:

interface ethernet 2/1
  cts manual 
    sap pmk abcdef modelist gmac 
    policy static sgt 0x20

The following example shows how to configure Cisco TrustSec authentication in manual mode dynamic policy on an interface:

interface ethernet 2/2
  cts manual 
    policy dynamic identity device2

Configuring Cisco TrustSec Role-Based Policy Enforcement for the default VRF

The following example shows how to enable Cisco TrustSec role-based policy enforcement for the default VRF:

cts role-based enforcement

Configuring Cisco TrustSec Role-Based Policy Enforcement for a Nondefault VRF

The following example shows how to enable Cisco TrustSec role-based policy enforcement for a nondefault VRF:

vrf context test
  cts role-based enforcement

Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN

The following example shows how to enable Cisco TrustSec role-based policy enforcement for a VLAN:

vlan 10
  cts role-based enforcement

Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF

The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for the default VRF:

cts role-based sgt-map 10.1.1.1 20

Configuring IPv4 Address to SGACL SGT Mapping for a Nondefault VRF

The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for a nondefault VRF:

vrf context test
  cts role-based sgt-map 30.1.1.1 30

Configuring IPv4 Address to SGACL SGT Mapping for a VLAN

The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for a VLAN:

vlan 10 
  cts role-based sgt-map 20.1.1.1 20

Manually Configuring Cisco TrustSec SGACLs

The following example shows how to manually configure Cisco TrustSec SGACLs:

cts role-based access-list abcd
  permit icmp 
cts role-based sgt 10 dgt 20 access-list abcd

The following example shows how to enable RBACL logging:

cts role-based access-list RBACL1
deny tcp src eq 1111 dest eq 2222 log
cts role-based sgt 10 dgt 20 access-list RBACL1
cts role-based sgt-map 1.1.1.1 10
cts role-based sgt-map 1.1.1.2 20
The above configuration generates the following ACLLOG syslog: 
%ACLLOG-6-ACLLOG_FLOW_INTERVAL: SGT: 10, Source IP: 1.1.1.1, Destination IP: 1.1.1.2, Source Port: 1111, Destination Port: 2222, Source Interface: Ethernet4/1, Protocol: tcp, Hit-count = 2

Note

The ACLLOG syslog does not contain the destination group tag (DGT) information of the matched RBACL policy. You can find this information by looking up the IP-SGT mapping of the destination IP address in the log message and then entering the show cts role-based sgt-map command.

The following example shows how to enable and display RBACL statistics:

cts role-based counters enable
show cts role-based counters sgt 10 dgt 20

RBACL policy counters enabled
sgt: 10 dgt: 20 [180]
rbacl test1:
deny tcp src eq 1111 dest eq 2222   [75]
deny tcp src eq 2222 dest eq 3333   [25]
rbacl test2:
deny udp src eq 1111 dest eq 2222   [30]
deny udp src eq 2222 dest eq 3333   [50]

Manually Configuring SXP Peer Connections

This figure shows an example of SXP peer connections over the default VRF.
Figure 1. Example SXP Peer Connections

The following example shows how to configure the SXP peer connections on SwitchA: 

feature cts
cts role-based enforcement 
cts sxp enable 
cts sxp connection peer 10.20.2.2 password required A2BsxpPW mode listener 
cts sxp connection peer 10.30.3.3 password required A2CsxpPW mode listener

The following example shows how to configure the SXP peer connection on SwitchB: 

feature cts 
cts role-based enforcement 
cts sxp enable 
cts sxp connection peer 10.10.1.1 password required A2BsxpPW mode speaker

The following example shows how to configure the SXP peer connection on SwitchC: 

feature cts
cts role-based enforcement
cts sxp enable
cts sxp connection peer 10.10.1.1 password required A2CsxpPW mode speaker

Configuration Examples for IP ACLs

The following example shows how to create an IPv4 ACL named acl-01 and apply it as a port ACL to Ethernet interface 2/1, which is a Layer 2 interface:

ip access-list acl-01
  permit ip 192.168.2.0/24 any 
interface ethernet 2/1
  ip port access-group acl-01 in

The following example shows how to create an IPv6 ACL named acl-120 and apply it as a router ACL to Ethernet interface 2/3, which is a Layer 3 interface:

ipv6 access-list acl-120
  permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
  permit udp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64
  permit tcp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64
  permit udp 2001:0db8:69f2::/48 2001:0db8:be03:2112::/64 
interface ethernet 2/3
  ipv6 traffic-filter acl-120 in

The following example shows how to create a VTY ACL named single-source and apply it on input IP traffic over the VTY line. This ACL allows all TCP traffic through and drops all other IP traffic:

ip access-list single-source
		permit tcp 192.168.7.5/24 any
		exit
		line vty
		ip access-class single-source in
		show ip access-lists

The following example shows how to enable ACL capture in the default VDC and configure a destination for ACL capture packets:

hardware access-list capture
		monitor session 1 type acl-capture
		destination interface ethernet 2/1
		no shut
		exit
		show ip access-lists capture session 1

The following example shows how to enable a capture session for an ACL's access control entries (ACEs) and then apply the ACL to an interface:

ip access-list acl1
		permit tcp any any capture session 1
		exit
		interface ethernet 1/11
		ip access-group acl1 in
		no shut
		show running-config aclmgr

The following example shows how to apply an ACL with capture session access control entries (ACEs) to a VLAN:

vlan access-map acl-vlan-first
		match ip address acl-ipv4-first
		match mac address acl-mac-first
		action foward
		statistics per-entry
		vlan filter acl-vlan-first vlan-list 1
		show running-config vlan 1

The following example shows how to enable a capture session for the whole ACL and then apply the ACL to an interface:

ip access-list acl2
		capture session 2
		exit
		interface ethernet 7/1
		ip access-group acl1 in
		no shut
		show running-config aclmgr

Configuration Example for MAC ACLs

The following example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 2/1, which is a Layer 2 interface in this example:

mac access-list acl-mac-01
  permit 00c0.4f00.0000 0000.00ff.ffff any 
interface ethernet 2/1
  mac port access-group acl-mac-01

Configuration Example for VACLs

The following example shows how to configure a VACL to forward traffic permitted by a MAC ACL named acl-mac-01 and how to apply the VACL to VLANs 50 through 82.

conf t 
vlan access-map acl-mac-map
  match mac address acl-mac-01
  action forward 
vlan filter acl-mac-map vlan-list 50-82

Configuration Example for Port Security

The following example shows a port security configuration for the Ethernet 2/1 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Restrict.

feature port-security 
interface Ethernet 2/1
  switchport
  switchport port-security
  switchport port-security maximum 10
  switchport port-security maximum 7 vlan 10
  switchport port-security maximum 3 vlan 20
  switchport port-security violation restrict

Configuration Examples for DHCP

This example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp 
ip dhcp snooping 
ip dhcp snooping info option

interface Ethernet 2/5
  ip dhcp snooping trust 
ip dhcp snooping vlan 1 
ip dhcp snooping vlan 50

This example shows how to enable the DHCP relay agent and configure the DHCP server IP address for Ethernet interface 2/3, where the DHCP server IP address is 10.132.7.120 and the DHCP server is in the VRF named red:

feature dhcp 
ip dhcp snooping 
ip dhcp relay 
ip dhcp relay information option
ip dhcp relay information option vpn

interface Ethernet 2/3
  ip dhcp relay address 10.132.7.120 use-vrf red

This example shows how to enable and use the DHCP smart relay agent. In this example, the switch forwards the DHCP broadcast packets received on Ethernet interface 2/2 to the DHCP server (10.55.11.3), inserting 192.168.100.1 in the giaddr field. If the DHCP server has a pool configured for the 192.168.100.0/24 network, it responds. If the server does not respond, the switch sends two more requests using 192.168.100.1 in the giaddr field. If the switch still does not receive a response, it starts using 172.16.31.254 in the giaddr field instead.

feature dhcp
ip dhcp snooping
ip dhcp relay
ip dhcp smart-relay global

interface Ethernet 2/2
		ip address 192.168.100.1/24
		ip address 172.16.31.254/24 secondary
		ip dhcp relay address 10.55.11.3

Configuration Examples for DAI

Example 1 Two Devices Support DAI

These procedures show how to configure DAI when two devices support DAI.

This figure shows the network configuration for this example. Host 1 is connected to device A, and Host 2 is connected to device B. Both devices are running DAI on VLAN 1 where the hosts are located. A DHCP server is connected to device A. Both hosts acquire their IP addresses from the same DHCP server. Device A has the bindings for Host 1 and Host 2, and device B has the binding for Host 2. Device A Ethernet interface 2/3 is connected to the device B Ethernet interface 1/4.
Figure 2. Two Devices Supporting DAI

DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically-assigned IP addresses.


  • This configuration does not work if the DHCP server is moved from device A to a different location.

  • To ensure that this configuration does not compromise security, configure Ethernet interface 2/3 on device A and Ethernet interface 1/4 on device B as trusted.

Configuring Device A

To enable DAI and configure Ethernet interface 2/3 on device A as trusted, follow these steps:

Procedure
Step 1   While logged into device A, verify the connection between device A and device B.

Example:
switchA# show cdp neighbors 
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute 
Device ID              Local Intrfce   Hldtme  Capability  Platform      Port ID 
switchB                Ethernet2/3     177     R S I    WS-C2960-24TC Ethernet1/4 
switchA#
Step 2   Enable DAI on VLAN 1 and verify the configuration.

Example:
switchA# config t 
switchA(config)# ip arp inspection vlan 1 
switchA(config)# show ip arp inspection vlan 1 
Source Mac Validation      : Disabled 
Destination Mac Validation : Disabled 
IP Address Validation      : Disabled 
Vlan : 1 
----------- 
Configuration   : Enabled 
Operation State : Active 
switchA(config)#
Step 3   Configure Ethernet interface 2/3 as trusted.

Example:
switchA(config)# interface ethernet 2/3 
switchA(config-if)# ip arp inspection trust 
switchA(config-if)# exit 
switchA(config)# exit 
switchA# show ip arp inspection interface ethernet 2/3
 Interface        Trust State    Rate (pps)    Burst Interval
 -------------    -----------    ----------    --------------
 Ethernet2/3      Trusted           15             5
Step 4   Verify the bindings.

Example:
switchA# show ip dhcp snooping binding 
MacAddress         IpAddress        LeaseSec  Type           VLAN  Interface 
-----------------  ---------------  --------  -------------  ----  ------------- 
00:60:0b:00:12:89  10.0.0.1         0         dhcp-snooping  1     Ethernet2/3 
switchA#
Step 5   Check the statistics before and after DAI processes any packets.

Example:
switchA# show ip arp inspection statistics vlan 1 
Vlan : 1 
----------- 
ARP Req Forwarded  = 0 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 0 
ARP Res Dropped    = 0 
DHCP Drops         = 0 
DHCP Permits       = 0 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0 
switchA#

If Host 1 sends out two ARP requests with an IP address of 10.0.0.1 and a MAC address of 0002.0002.0002, both requests are permitted, shown as follows:

switchA# show ip arp inspection statistics vlan 1 
Vlan : 1 
----------- 
ARP Req Forwarded  = 2 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 0 
ARP Res Dropped    = 0 
DHCP Drops         = 0 
DHCP Permits       = 2 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0

If Host 1 tries to send an ARP request with an IP address of 10.0.0.3, the packet is dropped and an error message is logged.

00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Ethernet2/3, vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])

The statistics display as follows:

switchA# show ip arp inspection statistics vlan 1 
switchA# 
Vlan : 1 
----------- 
ARP Req Forwarded  = 2 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 2 
ARP Res Dropped    = 0 
DHCP Drops         = 2 
DHCP Permits       = 2 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0 
switchA#

Configuring Device B

To enable DAI and configure Ethernet interface 1/4 on device B as trusted, follow these steps:

Procedure
Step 1   While logged into device B, verify the connection between device B and device A.

Example:
switchB# show cdp neighbors 
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device,
                  s - Supports-STP-Dispute 
Device ID              Local Intrfce   Hldtme  Capability  Platform      Port ID 
switchA                Ethernet1/4     120     R S I    WS-C2960-24TC Ethernet2/3 
switchB#
Step 2   Enable DAI on VLAN 1, and verify the configuration.

Example:
switchB# config t 
switchB(config)# ip arp inspection vlan 1 
switchB(config)# show ip arp inspection vlan 1 
Source Mac Validation      : Disabled 
Destination Mac Validation : Disabled 
IP Address Validation      : Disabled 
Vlan : 1 
----------- 
Configuration   : Enabled 
Operation State : Active 
switchB(config)#
Step 3   Configure Ethernet interface 1/4 as trusted.

Example:
switchB(config)# interface ethernet 1/4 
switchB(config-if)# ip arp inspection trust 
switchB(config-if)# exit 
switchB(config)# exit 
switchB# show ip arp inspection interface ethernet 1/4
 Interface        Trust State    Rate (pps)    Burst Interval
 -------------    -----------    ----------    --------------
 Ethernet1/4      Trusted           15             5 
switchB#
Step 4   Verify the list of DHCP snooping bindings.

Example:
switchB# show ip dhcp snooping binding 
MacAddress         IpAddress        LeaseSec  Type           VLAN  Interface 
-----------------  ---------------  --------  -------------  ----  ------------- 
00:01:00:01:00:01  10.0.0.2         4995      dhcp-snooping  1     Ethernet1/4 
switchB#
Step 5   Check the statistics before and after DAI processes any packets.

Example:
switchB# show ip arp inspection statistics vlan 1 
Vlan : 1 
----------- 
ARP Req Forwarded  = 0 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 0 
ARP Res Dropped    = 0 
DHCP Drops         = 0 
DHCP Permits       = 0 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0 
switchB#

If Host 2 sends out an ARP request with the IP address 10.0.0.2 and the MAC address 0001.0001.0001, the packet is forwarded and the statistics are updated.

switchB# show ip arp inspection statistics vlan 1 
Vlan : 1 
----------- 
ARP Req Forwarded  = 1 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 0 
ARP Res Dropped    = 0 
DHCP Drops         = 0 
DHCP Permits       = 1 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0 
switchB#

If Host 2 attempts to send an ARP request with the IP address 10.0.0.1, DAI drops the request and logs the following system message:

00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])

The statistics display as follows:

switchB# show ip arp inspection statistics vlan 1 
Vlan : 1 
----------- 
ARP Req Forwarded  = 1 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 1 
ARP Res Dropped    = 0 
DHCP Drops         = 1 
DHCP Permits       = 1 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0 
switchB#

Example 2 One Device Supports DAI

This procedure shows how to configure DAI when the second device involved in the network configuration does not support DAI or DHCP snooping.

Device B, shown in this figure does not support DAI or DHCP snooping; therefore, configuring Ethernet interface 2/3 on device A as trusted creates a security hole because both device A and Host 1 could be attacked by either device B or Host 2.

To prevent this possibility, you must configure Ethernet interface 2/3 on device A as untrusted. To permit ARP packets from Host 2, you must set up an ARP ACL and apply it to VLAN 1. If the IP address of Host 2 is not static, which would make it impossible to accurately configure the ARP ACL on device A, you must separate device A from device B at Layer 3 and use a router to route packets between them.
Figure 3. One Device Supporting DAI

Procedure
Step 1   Configure the access list to permit the IP address 10.0.0.1 and the MAC address 0001.0001.0001, and verify the configuration.

Example:
switchA# config t 
switchA(config)# arp access-list H2 
switchA(config-arp-acl)# permit ip host 10.0.0.1 mac host 0001.0001.0001 
switchA(config-arp-acl)# exit 
switchA(config)# show arp access-lists H2 
ARP access list H2 
10 permit ip host 1.1.1.1 mac host 0001.0001.0001 
switchA(config)#
Step 2   Apply the ACL to VLAN 1, and verify the configuration.

Example:
switchA(config)# ip arp inspection filter H2 vlan 1 
switchA(config)# show ip arp inspection vlan 1 
Source Mac Validation      : Disabled 
Destination Mac Validation : Disabled 
IP Address Validation      : Disabled 
Vlan : 200 
----------- 
Configuration    : Enabled 
Operation State  : Active 
ACL Match/Static : H2 / No
Step 3   Configure Ethernet interface 2/3 as untrusted, and verify the configuration.
Note   

By default, the interface is untrusted.


Example:
switchA(config)# interface ethernet 2/3 
switchA(config-if)# no ip arp inspection trust 
switchA(config-if)# exit 
switchA# show ip arp inspection interface ethernet 2/3 
switchA#

The show ip arp inspection interface command has no output because the interface has the default configuration, which includes an untrusted state.

When Host 2 sends 5 ARP requests through Ethernet interface 2/3 on device A and a "get" is permitted by device A, the statistics are updated.

switchA# show ip arp inspection statistics vlan 1 
Vlan : 1 
----------- 
ARP Req Forwarded  = 5 
ARP Res Forwarded  = 0 
ARP Req Dropped    = 0 
ARP Res Dropped    = 0 
DHCP Drops         = 0 
DHCP Permits       = 0 
SMAC Fails-ARP Req = 0 
SMAC Fails-ARP Res = 0 
DMAC Fails-ARP Res = 0 
IP Fails-ARP Req   = 0 
IP Fails-ARP Res   = 0 
switchA#

Configuration Example for IP Source Guard

This example shows how to create a static IP source entry and then how to enable IP Source Guard on an interface.

ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3 
interface ethernet 2/3
  no shutdown
  ip verify source dhcp-snooping-vlan

Configuration Examples for Password Encryption

The following example shows how to create a master key, enable the AES password encryption feature, and configure a type-6 encrypted password for a TACACS+ application:

key config-key ascii
  New Master Key:
  Retype Master Key:
configure terminal
feature password encryption aes
show encryption service stat
		Encryption service is enabled.
  Master Encryption Key is configured.
  Type-6 encryption is being used.
feature tacacs+
tacacs-server key Cisco123
show running-config tacacs+
  feature tacacs+
  logging level tacacs 5
  tacacs-server key 6 "JDYkqyIFWeBvzpljSfWmRZrmRSRE8syxKlOSjP9RCCkFinZbJI3GD5c6rckJR/Qju2PKLmOewbheAA=="

Configuration Example for Keychain Management

This example shows how to configure a keychain named glbp keys. Each key text string is encrypted. Each key has longer accept lifetimes than send lifetimes, to help prevent lost communications by accidentally configuring a time in which there are no active keys.

key chain glbp-keys
  key 0
    key-string 7 zqdest
    accept-lifetime 00:00:00 Jun 01 2008 23:59:59 Sep 12 2008
    send-lifetime 00:00:00 Jun 01 2008 23:59:59 Aug 12 2008
  key 1
    key-string 7 uaeqdyito
    accept-lifetime 00:00:00 Aug 12 2008 23:59:59 Dec 12 2008
    send-lifetime 00:00:00 Sep 12 2008 23:59:59 Nov 12 2008
  key 2
    key-string 7 eekgsdyd
    accept-lifetime 00:00:00 Nov 12 2008 23:59:59 Mar 12 2009
    send-lifetime 00:00:00 Dec 12 2008 23:59:59 Feb 12 2009

Configuration Example for Traffic Storm Control

The following example shows how to configure traffic storm control:

interface Ethernet1/1 
  storm-control broadcast level 40 
  storm-control multicast level 40 
  storm-control unicast level 40

Configuration Examples for Unicast RPF

The following example shows how to configure loose Unicast RFP for IPv4 packets: 

interface Ethernet2/3
  ip address 172.23.231.240/23
  ip verify unicast source reachable-via any

The following example shows how to configure strict Unicast RFP for IPv4 packets: 

interface Ethernet2/2
  ip address 172.23.231.240/23
  ip verify unicast source reachable-via rx

The following example shows how to configure loose Unicast RFP for IPv6 packets: 

interface Ethernet2/1
  ipv6 address 2001:0DB8:c18:1::3/64
  ipv6 verify unicast source reachable-via any

The following example shows how to configure strict Unicast RFP for IPv6 packets: 

interface Ethernet2/4
  ipv6 address 2001:0DB8:c18:1::3/64
  ipv6 verify unicast source reachable-via rx

Configuration Examples for CoPP

This section includes example CoPP configurations.

CoPP Configuration Example

The following example shows how to configure CoPP using IP ACLs and MAC ACLs: 

configure terminal
ip access-list copp-system-p-acl-igmp 
permit igmp any 10.0.0.0/24

ip access-list copp-system-p-acl-msdp
permit tcp any any eq 639

mac access-list copp-system-p-acl-arp
permit any any 0x0806

ip access-list copp-system-p-acl-tacas 
permit udp any any eq 49

ip access-list copp-system-p-acl-gre
permit 47 any any

ip access-list copp-system-p-acl-ntp
permit udp any 10.0.1.1/23 eq 123

ip access-list copp-system-p-acl-icmp 
permit icmp any any

class-map type control-plane match-any copp-system-p-class-critical
match access-group name copp-system-p-acl-igmp
match access-group name copp-system-p-acl-msdp

class-map type control-plane match-any copp-system-p-class-important
match access-group name copp-system-p-acl-gre

class-map type control-plane match-any copp-system-p-class-normal
match access-group name copp-system-p-acl-icmp
match exception ip icmp redirect
match exception ip icmp unreachable
match exception ip option
match redirect arp-inspect
match redirect dhcp-snoop

policy-map type control-plane copp-system-p-policy

class copp-system-p-class-critical
police cir 2000 kbps bc 1500 bytes pir 3000 kbps be 1500 bytes conform 
    transmit exceed transmit violate drop

class copp-system-p-class-important
police cir 1000 kbps bc 1500 bytes pir 1500 kbps be 1500 bytes conform 
    transmit exceed transmit violate drop

class copp-system-p-class-normal
police cir 400 kbps bc 1500 bytes pir 600 kbps be 1500 bytes conform 
    transmit exceed transmit violate drop

class class-default
police cir 200 kbps bc 1500 bytes pir 300 kbps be 1500 bytes conform 
    transmit exceed transmit violate drop

control-plane
service-policy input copp-system-p-policy

Changing or Reapplying the Default CoPP Policy Using the Setup Utility

The following example shows how to change or reapply the default CoPP policy using the setup utility.


Note

Beginning with Cisco NX-OS Release 5.2, you can change or reapply the default CoPP policy using the copp profile command.

 
switch# setup

         ---- Basic System Configuration Dialog VDC: 1 ----

This setup utility will guide you through the basic configuration of
the system. Setup configures only enough connectivity for management
of the system.


*Note: setup is mainly used for configuring the system initially,
when no configuration is present. So setup always assumes system
defaults and not the current system configuration values.


Press Enter at anytime to skip a dialog. Use ctrl-c at anytime
to skip the remaining dialogs.

Would you like to enter the basic configuration dialog (yes/no): yes

Do you want to enforce secure password standard (yes/no)[y]: <CR>

  Create another login account (yes/no) [n]: n

  Configure read-only SNMP community string (yes/no) [n]: n

  Configure read-write SNMP community string (yes/no) [n]: n

  Enter the switch name : <CR>

  Enable license grace period? (yes/no) [n]: n

  Continue with Out-of-band (mgmt0) management configuration? (yes/no) [y]: n

  Configure the default gateway? (yes/no) [y]: n

  Configure advanced IP options? (yes/no) [n]: <CR>

  Enable the telnet service? (yes/no) [n]: y

  Enable the ssh service? (yes/no) [y]: <CR>

    Type of ssh key you would like to generate (dsa/rsa) : <CR>

  Configure the ntp server? (yes/no) [n]: n

  Configure default interface layer (L3/L2) [L3]: <CR>

  Configure default switchport interface state (shut/noshut) [shut]: <CR>

  Configure best practices CoPP profile (strict/moderate/lenient/skip) [strict]: strict

  Configure CMP processor on current sup (slot 6)? (yes/no) [y]: n

  Configure CMP processor on redundant sup (slot 5)? (yes/no) [y]: n

The following configuration will be applied:
  password strength-check
  no license grace-period
  no telnet server enable
  no system default switchport
  system default switchport shutdown
  policy-map type control-plane copp-system-p-policy

Would you like to edit the configuration? (yes/no) [n]: <CR>

Use this configuration and save it? (yes/no) [y]: y

switch#

Preventing CoPP Overflow by Splitting ICMP Pings and ARP Requests

Some servers use ICMP pings and ARP requests to the default gateway to verify that the active NIC still has access to the aggregation switch. As a result, if the CoPP values are exceeded, CoPP starts dropping traffic for all networks. One malfunctioning server can send out thousands of ICMP pings and ARP requests, causing all servers in one aggregation block to lose their active NIC and start swapping NICs.

If your server is configured as such, you can minimize the CoPP overflow by splitting the ICMP pings and ARP requests based on subnets or groups of subnets. Then if a server malfunctions and overflows CoPP, the supervisor answers the ICMP pings and ARP requests only on some subnetworks.

The last entry in the class map or policy map should identify all of the ICMP pings and ARP requests in the networks that are not specified. If these counters increase, it means that a new network was added that was not specified in the existing ACLs for ICMP and ARP. In this case, you would need to update the ACLs related to ICMP and ARP.


Note

Per the default CoPP, ICMP pings fall under copp-system-p-class-monitoring, and ARP requests fall under copp-system-p-class-normal.

The following example shows how to prevent CoPP overflow by splitting ICMP and ARP requests.

First, add the new ACLs that identify the networks you want to group together based on the findings of the investigations of the applications:

arp access-list copp-arp-1
statistics per-entry
10 permit ip 10.1.1.0 255.255.255.0 mac any
20 permit ip 10.1.2.0 255.255.255.0 mac any
30 permit ip 10.1.3.0 255.255.255.0 mac any
arp access-list copp-arp-2
statistics per-entry
10 permit ip 10.2.1.0 255.255.255.0 mac any
20 permit ip 10.2.2.0 255.255.255.0 mac any
30 permit ip 10.2.3.0 255.255.255.0 mac any
arp access-list copp-arp-3
statistics per-entry
10 permit ip 10.3.1.0 255.255.255.0 mac any
20 permit ip 10.3.2.0 255.255.255.0 mac any
30 permit ip 10.3.3.0 255.255.255.0 mac any
...
arp access-list copp-arp-10
10 permit ip any any mac any

ip access-list copp-icmp-1
statistics per-entry
10 permit icmp 10.2.1.0 255.255.255.0 any 
20 permit icmp 10.2.2.0 255.255.255.0 any
30 permit icmp 10.2.3.0 255.255.255.0 any  
ip access-list copp-icmp-2
statistics per-entry
10 permit icmp 10.3.1.0 255.255.255.0 any 
10 permit icmp 10.3.2.0 255.255.255.0 any 
10 permit icmp 10.3.3.0 255.255.255.0 any 
ip access-list copp-icmp-3
statistics per-entry
10 permit icmp 10.4.1.0 255.255.255.0 any 
10 permit icmp 10.4.2.0 255.255.255.0 any 
10 permit icmp 10.4.3.0 255.255.255.0 any 
...
ip access-list copp-icmp-10
10 permit icmp any any

Add these ACLs to the new class maps for CoPP:

class-map type control-plane match-any copp-cm-arp-1
	match access-group name copp-arp-1
class-map type control-plane match-any copp-cm-arp-2
	match access-group name copp-arp-2
class-map type control-plane match-any copp-cm-arp-3
	match access-group name copp-arp-3
...
class-map type control-plane match-any copp-cm-arp-10
	match access-group name copp-arp-10# class-map type control-plane match-any copp-cm-icmp-1
	match access-group name copp-icmp-1
class-map type control-plane match-any copp-cm-icmp-2
	match access-group name copp-icmp-2
class-map type control-plane match-any copp-cm-icmp-3
	match access-group name copp-icmp-3
...
class-map type control-plane match-any copp-cm-icmp-10
	match access-group name copp-icmp-10

Modify the CoPP policy map by adding new policies with the above created class maps:

policy-map type control-plane copp-system-p-policy 
class copp-cm-icmp-1
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-icmp-2
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-icmp-3
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-icmp-4
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-icmp-10
      police cir X kbps bc X ms conform transmit violate drop
class copp-cm-arp-1
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-arp-2
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-arp-3
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-arp-4
      police cir X kbps bc X ms conform transmit violate drop 
class copp-cm-arp-10
      police cir X kbps bc X ms conform transmit violate drop

Delete ICMP and ARP from the existing class maps:

class-map type control-plane match-any copp-system-p-class-normal
no match protocol arp

class-map type control-plane match-any copp-system-p-class-monitoring
no match access-grp name copp-system-p-acl-icmp

Configuration Examples for Rate Limits

The following example shows how to configure rate limits:

switch(config)#	hardware rate-limiter layer-3 control 20000 
switch(config)# hardware rate-limiter copy 40000

The following example shows how to configure rate limits globally on the device for packets that reach the supervisor module:

switch(config)#	rate-limit cpu direction both pps 1000 action log
switch(config)# show system internal pktmgr internal control sw-rate-limit
inband pps global threshold 1000  outband pps global threshold 1000