
Cisco Nexus 5600 Series NX-OS Security Configuration Guide, Release 7.x

First Published: January 30, 2014
Last Modified: December 22, 2014

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
     800 553-NETS (6387)
Fax: 408 527-0883

Text Part Number: OL-30921-01

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2014 Cisco Systems, Inc. All rights reserved.

Contents

Preface  xix
  Audience  xix
  Document Conventions  xix
  Related Documentation for Cisco Nexus 5600 Series NX-OS Software  xxi
  Documentation Feedback  xxii
  Obtaining Documentation and Submitting a Service Request  xxii

Chapter 1  New and Changed Information  1
  New and Changed Information  1

Chapter 2  Overview  3
  Authentication, Authorization, and Accounting  3
  RADIUS and TACACS+ Security Protocols  4
  SSH and Telnet  4
  IP ACLs  4

Chapter 3  Configuring Authentication, Authorization, and Accounting  7
  Information About AAA  7
    AAA Security Services  7
    Benefits of Using AAA  8
    Remote AAA Services  8
    AAA Server Groups  8
    AAA Service Configuration Options  9
    Authentication and Authorization Process for User Logins  10
  Prerequisites for Remote AAA  11
  Guidelines and Limitations for AAA  12
  Default AAA Settings  12
  Configuring AAA  12
    Configuring Console Login Authentication Methods  12
    Configuring Default Login Authentication Methods  14
    Enabling Login Authentication Failure Messages  14
    Configuring AAA Command Authorization  15
    Configuring Console Authorization Commands  17
    Enabling MSCHAP Authentication  18
    Configuring AAA Accounting Default Methods  19
    Using AAA Server VSAs  20
      VSAs  20
      VSA Format  20
      Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers  21
    Secure Login Enhancements  21
      Configuring Login Parameters  21
      Configuration Examples for Login Parameters  22
      Configuring Login Block Per User  23
      Configuration Examples for Login Block Per User  24
      Restricting Sessions Per User—Per User Per Login  25
      Configuring Passphrase Length  25
      Configuring Passphrase Time Values  26
      Locking User Accounts  29
      Logging Invalid Usernames  29
      Changing Password  30
      Enabling the Password Prompt for User Name  31
      Support over SHA-256 Algorithm for Verifying OS Integrity  32
      Configuring Share Key Value for using RADIUS/TACACS+  32
  Monitoring and Clearing the Local AAA Accounting Log  33
  Verifying the AAA Configuration  33
  Configuration Examples for AAA  33

Chapter 4  Configuring RADIUS  35
  Information About RADIUS  35
    RADIUS Network Environments  35
    Information About RADIUS Operations  36
    RADIUS Server Monitoring  36
    Vendor-Specific Attributes  37
  Prerequisites for RADIUS  38
  Guidelines and Limitations for RADIUS  38
  Default Settings for RADIUS  38
  Configuring RADIUS Servers  39
    Configuring RADIUS Server Hosts  39
    Configuring RADIUS Global Preshared Keys  40
    Configuring RADIUS Server Preshared Keys  41
    Configuring RADIUS Server Groups  42
    Configuring the Global Source Interface for RADIUS Server Groups  43
    Allowing Users to Specify a RADIUS Server at Login  44
    Configuring the Global RADIUS Transmission Retry Count and Timeout Interval  44
    Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server  45
    Configuring Accounting and Authentication Attributes for RADIUS Servers  46
    Configuring Periodic RADIUS Server Monitoring  47
    Configuring the Dead-Time Interval  48
    Manually Monitoring RADIUS Servers or Groups  49
  Verifying the RADIUS Configuration  50
  Displaying RADIUS Server Statistics  50
  Clearing RADIUS Server Statistics  50
  Configuration Examples for RADIUS  51

Chapter 5  Configuring TACACS+  53
  Information About Configuring TACACS+  53
    TACACS+ Advantages  53
    User Login with TACACS+  54
    Default TACACS+ Server Encryption Type and Preshared Key  55
    Command Authorization Support for TACACS+ Servers  55
    TACACS+ Server Monitoring  55
  Prerequisites for TACACS+  56
  Guidelines and Limitations for TACACS+  56
  Default Settings for TACACS+  56
  Configuring TACACS+  57
    TACACS+ Server Configuration Process  57
    Enabling TACACS+  57
    Configuring TACACS+ Server Hosts  58
    Configuring TACACS+ Global Preshared Keys  58
    Configuring TACACS+ Server Preshared Keys  59
    Configuring TACACS+ Server Groups  60
    Configuring the Global Source Interface for TACACS+ Server Groups  61
    Specifying a TACACS+ Server at Login  62
    Configuring AAA Authorization on TACACS+ Servers  63
    Configuring Command Authorization on TACACS+ Servers  64
    Testing Command Authorization on TACACS+ Servers  65
    Enabling and Disabling Command Authorization Verification  66
    Configuring Privilege Level Support for Authorization on TACACS+ Servers  66
    Permitting or Denying Commands for Users of Privilege Roles  68
    Configuring the Global TACACS+ Timeout Interval  69
    Configuring the Timeout Interval for a Server  69
    Configuring TCP Ports  70
    Configuring Periodic TACACS+ Server Monitoring  71
    Configuring the Dead-Time Interval  72
    Manually Monitoring TACACS+ Servers or Groups  72
    Disabling TACACS+  73
  Displaying TACACS+ Statistics  73
  Verifying the TACACS+ Configuration  74
  Configuration Examples for TACACS+  74

Chapter 6  Configuring SSH and Telnet  75
  Information About SSH and Telnet  75
    SSH Server  75
    SSH Client  75
    SSH Server Keys  76
    Telnet Server  76
  Guidelines and Limitations for SSH  76
  Default Settings for SSH  76
  Configuring SSH  77
    Generating SSH Server Keys  77
    Specifying the SSH Public Keys for User Accounts  78
      Specifying the SSH Public Keys in Open SSH Format  78
      Specifying the SSH Public Keys in IETF SECSH Format  78
      Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form  79
    Starting SSH Sessions to Remote Devices  80
    Clearing SSH Hosts  80
    Disabling the SSH Server  80
    Deleting SSH Server Keys  81
    Clearing SSH Sessions  81
    Configuration Examples for SSH  82
  Configuring Telnet  83
    Enabling the Telnet Server  83
    Reenabling the Telnet Server  83
    Starting Telnet Sessions to Remote Devices  83
    Clearing Telnet Sessions  84
  Verifying the SSH and Telnet Configuration  84

Chapter 7  Configuring 802.1X  87
  Information About 802.1X  87
    Device Roles  87
    Authentication Initiation and Message Exchange  89
    Authenticator PAE Status for Interfaces  90
    Ports in Authorized and Unauthorized States  90
    MAC Authentication Bypass  91
    802.1X and Port Security  92
    Dynamic VLAN Assignment based on MAC-Based Authentication (MAB)  93
    VLAN Assignment from RADIUS  93
    Single Host and Multiple Hosts Support  93
    Supported Topologies  94
  Licensing Requirements for 802.1X  95
  Prerequisites for 802.1X  95
  802.1X Guidelines and Limitations  95
  Default Settings for 802.1X  96
  Configuring 802.1X  97
    Process for Configuring 802.1X  97
    Enabling the 802.1X Feature  98
    Configuring AAA Authentication Methods for 802.1X  98
    Controlling 802.1X Authentication on an Interface  99
    Configuring 802.1X Authentication on Member Ports  101
    Creating or Removing an Authenticator PAE on an Interface  103
    Enabling Periodic Reauthentication for an Interface  104
    Manually Reauthenticating Supplicants  105
    Manually Initializing 802.1X Authentication  106
    Changing 802.1X Authentication Timers for an Interface  106
    Enabling Single Host or Multiple Hosts Mode  109
    Enabling MAC Authentication Bypass  109
    Disabling 802.1X Authentication on the Cisco NX-OS Device  110
    Disabling the 802.1X Feature  111
    Setting the Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count for an Interface  112
    Enabling RADIUS Accounting for 802.1X Authentication  113
    Configuring AAA Accounting Methods for 802.1X  114
    Setting the Maximum Reauthentication Retry Count on an Interface  115
    Configuring Guest VLAN  116
  Verifying the 802.1X Configuration  116
  Monitoring 802.1X  117
  Configuration Example for 802.1X  117
  Additional References for 802.1X  118
  Feature History for 802.1X  119

Chapter 8  Configuring Cisco TrustSec  121
  Information About Cisco TrustSec  121
    Cisco TrustSec Architecture  121
    Authentication  123
      Cisco TrustSec and Authentication  123
      Cisco TrustSec Enhancements to EAP-FAST  124
      802.1X Role Selection  125
      Cisco TrustSec Authentication Summary  125
      Device Identities  126
      Device Credentials  126
      User Credentials  126
    SGACLs and SGTs  126
      Determining the Source Security Group  128
      Determining the Destination Security Group  128
      SXP for SGT Propagation Across Legacy Access Networks  128
    Authorization and Policy Acquisition  129
    Environment Data Download  130
    RADIUS Relay Functionality  130
  Licensing Requirements for Cisco TrustSec  131
  Prerequisites for Cisco TrustSec  131
  Guidelines and Limitations for Cisco TrustSec  131
  Default Settings for Cisco TrustSec Parameters  132
  Configuring Cisco TrustSec  133
    Enabling the Cisco TrustSec Feature  133
    Configuring Cisco TrustSec Device Credentials  134
    Configuring AAA for Cisco TrustSec  135
      Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices  135
      Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices  137
    Configuring Cisco TrustSec Authentication, Authorization, SAP, and Data Path Security  138
      Cisco TrustSec Configuration Process for Cisco TrustSec Authentication and Authorization  138
      Enabling Cisco TrustSec Authentication  139
      Configuring Data-Path Replay Protection for Cisco TrustSec on Interfaces  141
      Configuring SAP Operation Modes for Cisco TrustSec on Interfaces  142
      Configuring SGT Propagation for Cisco TrustSec on Interfaces  144
      Regenerating SAP Keys on an Interface  146
      Configuring Cisco TrustSec Authentication in Manual Mode  146
      Configuring Pause Frame Encryption or Decryption for Cisco TrustSec on Interfaces  148
    Configuring SGACL Policies  150
      SGACL Policy Configuration Process  150
      Enabling SGACL Policy Enforcement on VLANs  151
      Enabling SGACL Policy Enforcement on VRF Instances  152
      Manually Configuring Cisco TrustSec SGTs  153
      Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN  154
      Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VRF Instance  155
      Manually Configuring SGACL Policies  156
      Displaying the Downloaded SGACL Policies  158
      Refreshing the Downloaded SGACL Policies  159
      Enabling Statistics for RBACL  159
      Clearing Cisco TrustSec SGACL Policies  160
    Manually Configuring SXP  161
      Cisco TrustSec SXP Configuration Process  161
      Enabling Cisco TrustSec SXP  162
      Configuring Cisco TrustSec SXP Peer Connections  163
      Configuring the Default SXP Password  164
      Configuring the Default SXP Source IPv4 Address  165
      Changing the SXP Reconcile Period  166
      Changing the SXP Retry Period  167
  Verifying the Cisco TrustSec Configuration  168
  Configuration Examples for Cisco TrustSec  169
    Enabling Cisco TrustSec  169
    Configuring AAA for Cisco TrustSec on a Cisco NX-OS Device  170
    Enabling Cisco TrustSec Authentication on an Interface  170
    Configuring Cisco TrustSec Authentication in Manual Mode  170
    Configuring Cisco TrustSec Role-Based Policy Enforcement for the Default VRF Instance  170
    Configuring Cisco TrustSec Role-Based Policy Enforcement for a Nondefault VRF  171
    Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN  171
    Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF Instance  171
    Configuring IPv4 Address to SGACL SGT Mapping for a Nondefault VRF Instance  171
    Configuring IPv4 Address to SGACL SGT Mapping for a VLAN  171
    Manually Configuring Cisco TrustSec SGACLs  172
    Manually Configuring SXP Peer Connections  172
  Additional References for Cisco TrustSec  173
  Feature History for Cisco TrustSec  173

Chapter 9  Configuring Access Control Lists  175
  Information About ACLs  175
    IP ACL Types and Applications  175
      Application Order  176
    Rules  177
      Source and Destination  177
      Protocols  177
      Implicit Rules  177
      Additional Filtering Options  177
      Sequence Numbers  178
      Logical Operators and Logical Operation Units  179
    ACL Resource Management  179
    Statistics and ACLs  180
  Licensing Requirements for ACLs  181
  Prerequisites for ACLs  181
  Guidelines and Limitations for ACLs  181
  Default ACL Settings  182
  Configuring IP ACLs  183
    Creating an IP ACL  183
    Changing an IP ACL  184
    Removing an IP ACL  185
    Changing Sequence Numbers in an IP ACL  186
    Configuring ACLs with Logging  186
    Applying an IP ACL to mgmt0  187
    Applying an IP ACL as a Router ACL  188
    Applying an IP ACL as a Port ACL  189
    Verifying IP ACL Configurations  190
    Monitoring and Clearing IP ACL Statistics  190
  Configuring MAC ACLs  191
    Creating a MAC ACL  191
    Changing a MAC ACL  192
    Removing a MAC ACL  193
    Changing Sequence Numbers in a MAC ACL  193
    Applying a MAC ACL as a Port ACL  194
    Verifying MAC ACL Configurations  194
    Displaying and Clearing MAC ACL Statistics  195
    Example Configuration for MAC ACLs  195
  Information About VLAN ACLs  195
    VACLs and Access Maps  195
    VACLs and Actions  196
    Statistics  196
  Configuring VACLs  196
    Creating or Changing a VACL  196
    Removing a VACL  197
    Applying a VACL to a VLAN  198
    Verifying the VACL Configuration  198
    Displaying and Clearing VACL Statistics  198
    Configuration Examples for VACL  199
  Configuring ACLs on Virtual Terminal Lines  199
    Verifying ACLs on VTY Lines  200
    Configuration Examples for ACLs on VTY Lines  201
  Configuring the ACL Resource Usage Threshold  202

Chapter 10  Configuring Port Security  203
  Information About Port Security  203
    Secure MAC Address Learning  204
      Static Method  204
      Dynamic Method  204
      Sticky Method  204
    Dynamic Address Aging  205
    Secure MAC Address Maximums  205
    Security Violations and Actions  206
    Port Type Changes  208
  Licensing Requirements for Port Security  208
  Prerequisites for Port Security  208
  Guidelines and Limitations for Port Security  209
    Guidelines and Limitations for Port Security on vPCs  209
  Default Settings for Port Security  210
  Configuring Port Security  210
    Enabling or Disabling Port Security Globally  210
    Enabling or Disabling Port Security on a Layer 2 Interface  211
    Enabling or Disabling Sticky MAC Address Learning  212
    Adding a Static Secure MAC Address on an Interface  213
    Removing a Static Secure MAC Address on an Interface  214
    Removing a Dynamic Secure MAC Address  215
    Configuring a Maximum Number of MAC Addresses  216
    Configuring an Address Aging Type and Time  217
    Configuring a Security Violation Action  219
  Verifying the Port Security Configuration  220
  Displaying Secure MAC Addresses  220
  Configuration Example for Port Security  220
  Configuration Example of Port Security in a vPC Domain  221
  Additional References for Port Security  221

Chapter 11  Configuring DHCP Snooping  223
  Information About DHCP Snooping  224
    Feature Enabled and Globally Enabled  224
    Trusted and Untrusted Sources  225
    DHCP Snooping Binding Database  225
    DHCP Snooping Option 82 Data Insertion  225
    DHCP Snooping in a vPC Environment  227
      Synchronizing DHCP Snooping Binding Entries  227
    Packet Validation  228
  Information About the DHCP Relay Agent  228
    DHCP Relay Agent  228
    VRF Support for the DHCP Relay Agent  229
    DHCP Relay Binding Database  229
  Information about the DHCPv6 Relay Agent  230
    DHCPv6 Relay Agent  230
    VRF Support for the DHCPv6 Relay Agent  230
  Information About the Lightweight DHCPv6 Relay Agent  230
    Lightweight DHCPv6 Relay Agent  230
    LDRA for VLANs and Interfaces  230
    Guidelines and Limitations for Lightweight DHCPv6 Relay Agent  231
  vIP HSRP Enhancement  231
  Guidelines and Limitations for DHCP Snooping  231
  Guidelines and Limitations for the vIP HSRP Enhancement  232
  Default Settings for DHCP Snooping  233
  Configuring DHCP Snooping  233
    Minimum DHCP Snooping Configuration  233
    Enabling or Disabling the DHCP Snooping Feature  234
    Enabling or Disabling DHCP Snooping Globally  235
    Enabling or Disabling DHCP Snooping on a VLAN  235
    Enabling or Disabling Option 82 Data Insertion and Removal  236
    Enabling or Disabling Strict DHCP Packet Validation  237
    Configuring an Interface as Trusted or Untrusted  238
    Enabling or Disabling the DHCP Relay Agent  239
    Enabling or Disabling Option 82 for the DHCP Relay Agent  240
    Enabling or Disabling VRF Support for the DHCP Relay Agent  241
    Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface  242
    Creating a DHCP Static Binding  243
  Configuring the DHCPv6 Relay Agent  244
    Enabling or Disabling the DHCPv6 Relay Agent  244
    Enabling or Disabling VRF Support for the DHCPv6 Relay Agent  245
    Configuring the DHCPv6 Relay Source Interface  246
  Configuring Lightweight DHCPv6 Relay Agent  247
    Configuring Lightweight DHCPv6 Relay Agent for an Interface  247
    Configuring Lightweight DHCPv6 Relay Agent for a VLAN  248
  Enabling DHCP Relay Agent using VIP Address  249
  Verifying the DHCP Snooping Configuration  250
  Displaying DHCP Bindings  250
  Displaying and Clearing LDRA Information  250
  Clearing the DHCP Snooping Binding Database  254
  Clearing DHCP Relay Statistics  255
  Clearing DHCPv6 Relay Statistics  255
  Monitoring DHCP  255
  Configuration Examples for DHCP Snooping  255
  Configuration Examples for LDRA  256

Chapter 12  Configuring Dynamic ARP Inspection  257
  Information About DAI  257
    ARP  257
    ARP Spoofing Attacks  258
    DAI and ARP Spoofing Attacks  258
    Interface Trust States and Network Security  259
    Prioritizing ARP ACLs and DHCP Snooping Entries  260
    Logging DAI Packets  261
  Licensing Requirements for DAI  261
  Prerequisites for DAI  262
  Guidelines and Limitations for DAI  262
  Default Settings for DAI  263
  Configuring DAI  263
    Enabling or Disabling DAI on VLANs  263
    Configuring the DAI Trust State of a Layer 2 Interface  264
    Applying ARP ACLs to VLANs for DAI Filtering  265
    Enabling or Disabling Additional Validation  266
    Configuring the DAI Logging Buffer Size  267
    Configuring DAI Log Filtering  268
  Verifying the DAI Configuration  269
  Monitoring and Clearing DAI Statistics  269
  Configuration Examples for DAI  270
    Example 1-Two Devices Support DAI  270
      Configuring Device A  270
      Configuring Device B  273
  Configuring ARP ACLs  275
    Session Manager Support for ARP ACLs  275
    Creating an ARP ACL  275
    Changing an ARP ACL  276
    Removing an ARP ACL  277
    Changing Sequence Numbers in an ARP ACL  278
    Verifying the ARP ACL Configuration  279

Chapter 13  Configuring IP Source Guard  281
  Information About IP Source Guard  281
  Licensing Requirements for IP Source Guard  282
  Prerequisites for IP Source Guard  282
  Guidelines and Limitations for IP Source Guard  282
  Default Settings for IP Source Guard  282
  Configuring IP Source Guard  283
    Enabling or Disabling IP Source Guard on a Layer 2 Interface  283
    Adding or Removing a Static IP Source Entry  284
  Displaying IP Source Guard Bindings  285
  Configuration Example for IP Source Guard  285
  Additional References for IP Source Guard  285

Chapter 14  Configuring Control Plane Policing  287
  Information About CoPP  287
    Control Plane Protection  289
      Control Plane Packet Types  289
      Classification for CoPP  289
      Rate Controlling Mechanisms  289
      CoPP Extended Rate  290
    CoPP Class Maps  290
    CoPP Policy Templates  293
      Default CoPP Policy  293
      Scaled Layer 2 CoPP Policy  294
      Scaled Layer 3 CoPP Policy  295
      Customizable CoPP Policy  296
    CoPP and the Management Interface  297
  Licensing Requirements for CoPP  297
  Guidelines and Limitations for CoPP  298
  Default Settings for CoPP  298
  Configuring CoPP  299
    Applying a CoPP Policy to the Switch  299
    Modifying the Customized CoPP Policy  300
    Configuring CoPP Extended Rate  300
  Verifying the CoPP Configuration  301
  Displaying the CoPP Configuration Status  302
  Monitoring CoPP  302
  Monitoring CoPP with SNMP  303
  Clearing the CoPP Statistics  303
  Additional References for CoPP  303

Chapter 15  Configuring TCAM Carving  305
  Information About TCAM Carving  305
  Information About User-Defined Templates  305
  Creating a User-Defined Template  308
  Modifying a User Defined Template  308
  Committing a User-Defined Template  308
  Deleting a Template  309
  Verifying the TCAM Carving Configuration  310

Preface

The Preface contains the following sections:

Audience, page xix

Document Conventions, page xix

Related Documentation for Cisco Nexus 5600 Series NX-OS Software, page xxi

Documentation Feedback, page xxii

Obtaining Documentation and Submitting a Service Request, page xxii

Audience

This publication is for network administrators who configure and maintain Cisco Nexus devices and Cisco Nexus 2000 Series Fabric Extenders.

Document Conventions

Note

As part of our constant endeavor to remodel our documents to meet our customers' requirements, we have modified the manner in which we document configuration tasks. As a result of this, you may find a deviation in the style used to describe these tasks, with the newly included sections of the document following the new format.

Command descriptions use the following conventions:

Convention      Description
bold            Bold text indicates the commands and keywords that you enter literally as shown.
Italic          Italic text indicates arguments for which the user supplies the values.
[x]             Square brackets enclose an optional element (keyword or argument).
[x | y]         Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
{x | y}         Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
[x {y | z}]     Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
variable        Indicates a variable for which you supply values, in context where italics cannot be used.
string          A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

Examples use the following conventions:

Convention              Description
screen font             Terminal sessions and information the switch displays are in screen font.
boldface screen font    Information you must enter is in boldface screen font.
italic screen font      Arguments for which you supply values are in italic screen font.
< >                     Nonprinting characters, such as passwords, are in angle brackets.
[ ]                     Default responses to system prompts are in square brackets.
!, #                    An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

This document uses the following conventions:

Note

Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Caution

Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.


Related Documentation for Cisco Nexus 5600 Series NX-OS Software

The entire Cisco NX-OS 5600 Series documentation set is available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/tsd-products-support-series-home.html

Release Notes

The release notes are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-release-notes-list.html

Configuration Guides

These guides are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-installation-and-configuration-guides-list.html

The documents in this category include:

Cisco Nexus 5600 Series NX-OS Adapter-FEX Configuration Guide

Cisco Nexus 5600 Series NX-OS FabricPath Configuration Guide

Cisco Nexus 5600 Series NX-OS Fibre Channel over Ethernet Configuration Guide

Cisco Nexus 5600 Series NX-OS Fundamentals Configuration Guide

Cisco Nexus 5600 Series NX-OS Interfaces Configuration Guide

Cisco Nexus 5600 Series NX-OS Layer 2 Switching Configuration Guide

Cisco Nexus 5600 Series NX-OS Multicast Routing Configuration Guide

Cisco Nexus 5600 Series NX-OS Quality of Service Configuration Guide

Cisco Nexus 5600 Series NX-OS SAN Switching Configuration Guide

Cisco Nexus 5600 Series NX-OS Security Configuration Guide

Cisco Nexus 5600 Series NX-OS System Management Configuration Guide

Cisco Nexus 5600 Series NX-OS Unicast Routing Configuration Guide

Licensing Guide

The License and Copyright Information for Cisco NX-OS Software is available at http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_0/nx-os/license_agreement/nx-ossw_lisns.html.

Command References

These guides are available at the following URL: http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-command-reference-list.html


The documents in this category include:

Cisco Nexus 5600 Series NX-OS Fabric Extender Command Reference

Cisco Nexus 5600 Series NX-OS FabricPath Command Reference

Cisco Nexus 5600 Series NX-OS Fibre Channel Command Reference

Cisco Nexus 5600 Series NX-OS Fundamentals Command Reference

Cisco Nexus 5600 Series NX-OS Interfaces Command Reference

Cisco Nexus 5600 Series NX-OS Layer 2 Interfaces Command Reference

Cisco Nexus 5600 Series NX-OS Multicast Routing Command Reference

Cisco Nexus 5600 Series NX-OS QoS Command Reference

Cisco Nexus 5600 Series NX-OS Security Command Reference

Cisco Nexus 5600 Series NX-OS System Management Command Reference

Cisco Nexus 5600 Series NX-OS TrustSec Command Reference

Cisco Nexus 5600 Series NX-OS Unicast Routing Command Reference

Cisco Nexus 5600 Series NX-OS Virtual Port Channel Command Reference

Error and System Messages

The Cisco Nexus 5600 Series NX-OS System Message Guide is available at http://www.cisco.com/en/US/docs/switches/datacenter/nexus5500/sw/system_messages/reference/sl_nxos_book.html.

Troubleshooting Guide

The Cisco Nexus 5600 Series NX-OS Troubleshooting Guide is available at http://www.cisco.com/c/en/us/support/switches/nexus-5000-series-switches/products-troubleshooting-guides-list.html.

Documentation Feedback

To provide technical feedback on this document, or to report an error or omission, please send your comments to: [email protected].

We appreciate your feedback.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What's New in Cisco Product Documentation.

To receive new and revised Cisco technical content directly to your desktop, you can subscribe to the What's New in Cisco Product Documentation RSS feed. RSS feeds are a free service.


Chapter 1

New and Changed Information

This chapter contains the following sections:

New and Changed Information, page 1

New and Changed Information

The following table provides an overview of the significant changes made to this configuration guide. The table does not provide an exhaustive list of all changes made to this guide or all new features in a particular release.

Table 1: New and Changed Information

Feature: Lightweight DHCPv6 Relay Agent
Description: Added the support for the Lightweight DHCPv6 Relay Agent.
Release: 7.3(0)N1(1)
Where Documented: Configuring DHCP Snooping

Feature: Login Block Per User
Description: Added support for login block per user.
Release: 7.3(0)N1(1)
Where Documented: Configuring Authentication, Authorization, and Accounting

Feature: Dynamic ARP Inspection Enhancement
Release: 7.1(0)N1(1)

Feature: Cisco TrustSec
Description: The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices.
Release: 7.0(1)N1(1)
Where Documented: Configuring Cisco TrustSec, on page 121


Chapter 2

Overview

The Cisco NX-OS software supports security features that can protect your network against degradation or failure and also against data loss or compromise resulting from intentional attacks and from unintended but damaging mistakes by well-meaning network users.

Authentication, Authorization, and Accounting, page 3

RADIUS and TACACS+ Security Protocols, page 4

SSH and Telnet, page 4

IP ACLs, page 4

Authentication, Authorization, and Accounting

Authentication, authorization, and accounting (AAA) is an architectural framework for configuring a set of three independent security functions in a consistent, modular manner.

Authentication

Provides the method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol that you select, encryption. Authentication is the way a user is identified prior to being allowed access to the network and network services. You configure AAA authentication by defining a named list of authentication methods and then applying that list to various interfaces.

Authorization

Provides the method for remote access control, including one-time authorization or authorization for each service, per-user account list and profile, user group support, and support of IP, IPX, ARA, and Telnet.

Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user. AAA authorization works by assembling a set of attributes that describe what the user is authorized to perform.

These attributes are compared with the information contained in a database for a given user, and the result is returned to AAA to determine the user’s actual capabilities and restrictions.


RADIUS and TACACS+ Security Protocols

Accounting

Provides the method for collecting and sending security server information used for billing, auditing, and reporting, such as user identities, start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables you to track the services that users are accessing, as well as the amount of network resources that they are consuming.

Note

You can configure authentication outside of AAA. However, you must configure AAA if you want to use RADIUS or TACACS+, or if you want to configure a backup authentication method.

RADIUS and TACACS+ Security Protocols

AAA uses security protocols to administer its security functions. If your router or access server is acting as a network access server, AAA is the means through which you establish communication between your network access server and your RADIUS or TACACS+ security server.

The chapters in this guide describe how to configure the following security server protocols:

RADIUS

A distributed client/server system implemented through AAA that secures networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco routers and send authentication requests to a central RADIUS server that contains all user authentication and network service access information.

TACACS+

A security application implemented through AAA that provides a centralized validation of users who are attempting to gain access to a router or network access server. TACACS+ services are maintained in a database on a TACACS+ daemon running, typically, on a UNIX or Windows NT workstation.

TACACS+ provides for separate and modular authentication, authorization, and accounting facilities.

SSH and Telnet

You can use the Secure Shell (SSH) server to enable an SSH client to make a secure, encrypted connection to a Cisco NX-OS device. SSH uses strong encryption for authentication. The SSH server in the Cisco NX-OS software can interoperate with publicly and commercially available SSH clients.

The SSH client in the Cisco NX-OS software works with publicly and commercially available SSH servers.

The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site and then passes the keystrokes from one device to the other. Telnet can accept either an IP address or a domain name as the remote device address.

IP ACLs

IP ACLs are ordered sets of rules that you can use to filter traffic based on IPv4 information in the Layer 3 header of packets. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the Cisco NX-OS software determines that an IP ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether a packet is permitted or denied, or if there is no match, the Cisco NX-OS software applies the applicable default rule. The Cisco NX-OS software continues processing packets that are permitted and drops packets that are denied.


Chapter 3

Configuring Authentication, Authorization, and Accounting

This chapter contains the following sections:

Information About AAA, page 7

Prerequisites for Remote AAA, page 11

Guidelines and Limitations for AAA, page 12

Default AAA Settings, page 12

Configuring AAA, page 12

Monitoring and Clearing the Local AAA Accounting Log , page 33

Verifying the AAA Configuration, page 33

Configuration Examples for AAA, page 33

Information About AAA

AAA Security Services

The authentication, authorization, and accounting (AAA) features allow you to verify the identity of, grant access to, and track the actions of users who manage Cisco Nexus devices. The Cisco Nexus device supports the Remote Access Dial-In User Service (RADIUS) or Terminal Access Controller Access Control System Plus (TACACS+) protocols.

Based on the user ID and password that you provide, the switches perform local authentication or authorization using the local database or remote authentication or authorization using one or more AAA servers. A preshared secret key provides security for communication between the switch and AAA servers. You can configure a common secret key for all AAA servers or for only a specific AAA server.

AAA security provides the following services:

• Authentication—Identifies users, including login and password dialog, challenge and response, messaging support, and encryption, depending on the security protocol that you select.


• Authorization—Provides access control.

Authorization to access a Cisco Nexus device is provided by attributes that are downloaded from AAA servers. Remote security servers, such as RADIUS and TACACS+, authorize users for specific rights by associating attribute-value (AV) pairs, which define those rights, with the appropriate user.

• Accounting—Provides the method for collecting information, logging the information locally, and sending the information to the AAA server for billing, auditing, and reporting.

Note

The Cisco NX-OS software supports authentication, authorization, and accounting independently. For example, you can configure authentication and authorization without configuring accounting.

Benefits of Using AAA

AAA provides the following benefits:

• Increased flexibility and control of access configuration

• Scalability

• Standardized authentication methods, such as RADIUS and TACACS+

• Multiple backup devices

Remote AAA Services

Remote AAA services provided through RADIUS and TACACS+ protocols have the following advantages over local AAA services:

• User password lists for each switch in the fabric are easier to manage.

• AAA servers are already deployed widely across enterprises and can be easily used for AAA services.

• The accounting log for all switches in the fabric can be centrally managed.

• User attributes for each switch in the fabric are easier to manage than using the local databases on the switches.

AAA Server Groups

You can specify remote AAA servers for authentication, authorization, and accounting using server groups.

A server group is a set of remote AAA servers that implement the same AAA protocol. A server group provides for failover servers if a remote AAA server fails to respond. If the first remote server in the group fails to respond, the next remote server in the group is tried until one of the servers sends a response. If all the AAA servers in the server group fail to respond, that server group option is considered a failure. If required, you can specify multiple server groups. If a switch encounters errors from the servers in the first group, it tries the servers in the next server group.


AAA Service Configuration Options

On Cisco Nexus devices, you can have separate AAA configurations for the following services:

• User Telnet or Secure Shell (SSH) login authentication

• Console login authentication

• User management session accounting

The following table lists the CLI commands for each AAA service configuration option.

Table 2: AAA Service Configuration Commands

AAA Service Configuration Option | Related Command
Telnet or SSH login | aaa authentication login default
Console login | aaa authentication login console
User session accounting | aaa accounting default

You can specify the following authentication methods for the AAA services:

• RADIUS server groups—Uses the global pool of RADIUS servers for authentication.

• Specified server groups—Uses specified RADIUS or TACACS+ server groups for authentication.

• Local—Uses the local username or password database for authentication.

• None—Uses only the username.

Note

If the method is for all RADIUS servers, instead of a specific server group, the Cisco Nexus devices choose the RADIUS server from the global pool of configured RADIUS servers in the order of configuration.

Servers from this global pool are the servers that can be selectively configured in a RADIUS server group on the Cisco Nexus devices.

The following table describes the AAA authentication methods that you can configure for the AAA services.

Table 3: AAA Authentication Methods for AAA Services

AAA Service | AAA Methods
Console login authentication | Server groups, local, and none
User login authentication | Server groups, local, and none
User management session accounting | Server groups and local


Note

For console login authentication, user login authentication, and user management session accounting, the Cisco Nexus devices try each option in the order specified. The local option is the default method when other configured options fail.

Authentication and Authorization Process for User Logins

The authentication and authorization process for user login occurs as follows:

• When you log in to the required Cisco Nexus device, you can use the Telnet, SSH, Fabric Manager or Device Manager, or console login options.

• When you have configured the AAA server groups using the server group authentication method, the Cisco Nexus device sends an authentication request to the first AAA server in the group as follows:

    ◦ If the AAA server fails to respond, then the next AAA server is tried and so on until the remote server responds to the authentication request.

    ◦ If all AAA servers in the server group fail to respond, the servers in the next server group are tried.

    ◦ If all configured methods fail, the local database is used for authentication.

• If a Cisco Nexus device successfully authenticates you through a remote AAA server, the following conditions apply:

    ◦ If the AAA server protocol is RADIUS, user roles specified in the cisco-av-pair attribute are downloaded with an authentication response.

    ◦ If the AAA server protocol is TACACS+, another request is sent to the same server to get the user roles specified as custom attributes for the shell.

• If your username and password are successfully authenticated locally, the Cisco Nexus device logs you in and assigns you the roles configured in the local database.


The following figure shows a flowchart of the authentication and authorization process.

Figure 1: Authentication and Authorization Flow for User Login

Note

This figure is applicable only to username password SSH authentication. It does not apply to public key SSH authentication. All username password SSH authentication goes through AAA.

In the figure, "No more servers left" means that there is no response from any server within this server group.
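The failover sequence described above (each server in a group, then the next group, then the local database) as a small Python model. This is an added example, not Cisco code: AAAServer, ServerGroup, Outcome, the group names tac1 and rad1 and the server names are assumptions made for the illustration.

```python
"""Model of the AAA login method-list evaluation described in this section.

Added example, not Cisco code. AAAServer, ServerGroup, Outcome and the
sample groups (tac1, rad1) with constructed server names are assumptions
made for the illustration; the documented behaviour being modelled is:
  - servers in a group are tried in order until one responds;
  - if no server in a group responds, the next group is tried
    ("No more servers left" for that group);
  - if every configured group is silent, the local database is used.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List


class Outcome(Enum):
    ACCEPT = "accept"          # server authenticated the user
    REJECT = "reject"          # server answered and refused the credentials
    NO_RESPONSE = "silent"     # server did not answer (timeout)


@dataclass
class AAAServer:
    name: str
    respond: Callable[[str, str], Outcome]   # (user, password) -> Outcome


@dataclass
class ServerGroup:
    name: str
    servers: List[AAAServer]


@dataclass
class LoginResult:
    outcome: Outcome
    method: str                # "group/server" or "local": who decided
    trace: List[str] = field(default_factory=list)


def authenticate(user: str, password: str, groups: List[ServerGroup],
                 local_db: Dict[str, str]) -> LoginResult:
    """Evaluate 'aaa authentication login default group g1 g2 ...'.

    A server that answers (ACCEPT or REJECT) ends the evaluation: a REJECT
    from a reachable server is final and does not fall through to local.
    Only a total lack of response moves on to the next server, the next
    group and, finally, the local database.
    """
    trace: List[str] = []
    for group in groups:
        for server in group.servers:
            result = server.respond(user, password)
            trace.append(f"{group.name}/{server.name}: {result.value}")
            if result is not Outcome.NO_RESPONSE:
                return LoginResult(result, f"{group.name}/{server.name}", trace)
        trace.append(f"{group.name}: no more servers left")
    # Every configured group was silent: the local database decides.
    if local_db.get(user) == password:
        trace.append("local: accept")
        return LoginResult(Outcome.ACCEPT, "local", trace)
    trace.append("local: reject")
    return LoginResult(Outcome.REJECT, "local", trace)


def silent_server(name: str) -> AAAServer:
    """Constructed server that never answers (unreachable or timing out)."""
    return AAAServer(name, lambda u, p: Outcome.NO_RESPONSE)


def answering_server(name: str, creds: Dict[str, str]) -> AAAServer:
    """Constructed server that answers every request from its own user table."""
    return AAAServer(name, lambda u, p: Outcome.ACCEPT if creds.get(u) == p
                     else Outcome.REJECT)


# Constructed sample configuration: two groups, both unreachable, plus a
# local account. "local-pw" and the server names are sample values.
GROUPS = [
    ServerGroup("tac1", [silent_server("tac-primary"), silent_server("tac-secondary")]),
    ServerGroup("rad1", [silent_server("rad-primary")]),
]
LOCAL_DB = {"admin": "local-pw"}


def scenario_all_unreachable() -> LoginResult:
    """Both groups silent: the login falls back to the local database."""
    return authenticate("admin", "local-pw", GROUPS, LOCAL_DB)


def scenario_server_rejects() -> LoginResult:
    """A reachable server rejects the password: no fallback to local, even
    though the same password would be accepted locally."""
    groups = [ServerGroup("rad1", [answering_server("rad-primary",
                                                    {"admin": "server-pw"})])]
    return authenticate("admin", "local-pw", groups, LOCAL_DB)


if __name__ == "__main__":
    for result in (scenario_all_unreachable(), scenario_server_rejects()):
        print(result.outcome.value, "via", result.method)
        for line in result.trace:
            print("   ", line)
```

The second scenario is the point to remember when reviewing a method list: a reachable server that rejects the user never falls through to the local database, so a locally valid password does not rescue a login the AAA server refused.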

Prerequisites for Remote AAA

Remote AAA servers have the following prerequisites:

• At least one RADIUS or TACACS+ server must be IP reachable.

• The Cisco Nexus device is configured as a client of the AAA servers.


• The preshared secret key is configured on the Cisco Nexus device and on the remote AAA servers.

• The remote server responds to AAA requests from the Cisco Nexus device.

Guidelines and Limitations for AAA

The Cisco Nexus devices do not support all-numeric usernames, whether created with TACACS+ or RADIUS, or created locally. If an all-numeric username exists on an AAA server and is entered during a login, the Cisco Nexus device still logs in the user.

Caution

You should not create user accounts with usernames that are all numeric.

Default AAA Settings

The following table lists the default settings for AAA parameters.

Table 4: Default AAA Parameters

Parameters | Default
Console authentication method | local
Default authentication method | local
Login authentication failure messages | Disabled
MSCHAP authentication | Disabled
Default accounting method | local
Accounting log display length | 250 KB

Configuring AAA

Configuring Console Login Authentication Methods

The authentication methods include the following:

• Global pool of RADIUS servers

• Named subset of RADIUS or TACACS+ servers

• Local database on the Cisco Nexus device

• Username only (none)

The default method is local.

Note

The group radius and group server-name forms of the aaa authentication command are used for a set of previously defined RADIUS servers. Use the radius server-host command to configure the host servers. Use the aaa group server radius command to create a named group of servers.

Before you configure console login authentication methods, configure RADIUS or TACACS+ server groups as needed.

Procedure

Step 1: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2: switch(config)# aaa authentication login console {group group-list [none] | local | none}
Purpose: Configures login authentication methods for the console.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

• radius—Uses the global pool of RADIUS servers for authentication.

• named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication.

The none method uses the username only.

The default console login method is local, which is used when no methods are configured or when all of the configured methods fail to respond.

Step 3: switch(config)# exit
Purpose: Exits global configuration mode.

Step 4: switch# show aaa authentication
Purpose: (Optional) Displays the configuration of the console login authentication methods.

Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

This example shows how to configure authentication methods for the console login:

switch# configure terminal
switch(config)# aaa authentication login console group radius
switch(config)# exit
switch# show aaa authentication
switch# copy running-config startup-config


Configuring Default Login Authentication Methods

The default method is local.

Before you configure default login authentication methods, configure RADIUS or TACACS+ server groups as needed.

Procedure

Step 1: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2: switch(config)# aaa authentication login default {group group-list [none] | local | none}
Purpose: Configures the default authentication methods.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

• radius—Uses the global pool of RADIUS servers for authentication.

• named-group—Uses a named subset of TACACS+ or RADIUS servers for authentication.

The local method uses the local database for authentication.

The none method uses the username only.

The default login method is local, which is used when no methods are configured or when all of the configured methods do not respond.

Step 3: switch(config)# exit
Purpose: Exits configuration mode.

Step 4: switch# show aaa authentication
Purpose: (Optional) Displays the configuration of the default login authentication methods.

Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Enabling Login Authentication Failure Messages

When you log in, the login is processed by the local user database if the remote AAA servers do not respond.

If you have enabled the display of login failure messages, one of the following messages is displayed:

Remote AAA servers unreachable; local authentication done.

Remote AAA servers unreachable; local authentication failed.


Procedure

Step 1: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2: switch(config)# aaa authentication login error-enable
Purpose: Enables login authentication failure messages. The default is disabled.

Step 3: switch(config)# exit
Purpose: Exits configuration mode.

Step 4: switch# show aaa authentication
Purpose: (Optional) Displays the login failure message configuration.

Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring AAA Command Authorization

When a TACACS+ server authorization method is configured, you can authorize every command that a user executes with the TACACS+ server, which includes all EXEC mode commands and all configuration mode commands.

The authorization methods include the following:

• Group—TACACS+ server group

• Local—Local role-based authorization

• None—No authorization is performed

The default method is Local.

Note

Authorization on the console session is not supported on the Cisco Nexus 5000 platform. It is supported on the Cisco Nexus 5500 platform, release 6.x onwards.

Before You Begin

You must enable TACACS+ before configuring AAA command authorization.


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.

Example:

switch# configure terminal
switch(config)#

Step 2: aaa authorization {commands | config-commands} {default} {{[group group-name] | [local]} | {[group group-name] | [none]}}
Purpose: Configures authorization parameters.

Use the commands keyword to authorize EXEC mode commands.

Use the config-commands keyword to authorize configuration mode commands.

Use the group, local, or none keywords to identify the authorization method.

Example:

switch(config)# aaa authorization config-commands default group tac1

Example:

switch# aaa authorization commands default group tac1

The following example shows how to authorize EXEC mode commands with TACACS+ server group tac1:

switch# aaa authorization commands default group tac1

The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:

switch(config)# aaa authorization config-commands default group tac1

The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:

• If the server is reachable, the command is allowed or not allowed based on the server response.

• If there is an error reaching the server, the command is authorized based on the user's local role.

switch(config)# aaa authorization config-commands default group tac1 local

The following example shows how to authorize configuration mode commands with TACACS+ server group tac1:

• If the server is reachable, the command is allowed or not allowed based on the server response.

• If there is an error reaching the server, allow the command regardless of the local role.

switch# aaa authorization commands default group tac1 none

The following example shows how to authorize EXEC mode commands regardless of the local role:

switch# aaa authorization commands default none


The following example shows how to authorize EXEC mode commands using the local role for authorization:

switch# aaa authorization commands default local

Configuring Console Authorization Commands

The authorization methods include the following:

• Named subset of TACACS+ servers

• Local database on the Cisco Nexus device

• Username only (none)

The default method is local.

Before you configure console authorization commands, configure TACACS+ server groups as needed.

Procedure

Step 1: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2: switch(config)# aaa authorization commands console {group group-list [none] | local | none}
Purpose: Configures authorization for the console.

The group-list argument consists of a space-delimited list of group names. The group name is the following:

• named-group—Uses a named subset of TACACS+ servers for authorization.

The local method uses the local database for authorization.

The none method uses the username only.

The default console authorization is local, which is used when no methods are configured or when all of the configured methods fail to respond.

Step 3: switch(config)# exit
Purpose: Exits global configuration mode.

Step 4: switch# show aaa authorization
Purpose: (Optional) Displays the configuration of the console authorization commands.

Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

This example shows how to configure the console authorization commands:

switch# configure terminal
switch(config)# aaa authorization commands console group tacacs+
switch(config)# exit
switch# show aaa authorization
switch# copy running-config startup-config

Enabling MSCHAP Authentication

Microsoft Challenge Handshake Authentication Protocol (MSCHAP) is the Microsoft version of CHAP. You can use MSCHAP for user logins to a Cisco Nexus device through a remote authentication server (RADIUS or TACACS+).

By default, the Cisco Nexus device uses Password Authentication Protocol (PAP) authentication between the switch and the remote server. If you enable MSCHAP, you must configure your RADIUS server to recognize the MSCHAP vendor-specific attributes (VSAs).

The following table describes the RADIUS VSAs required for MSCHAP.

Table 5: MSCHAP RADIUS VSAs

Vendor-ID Number | Vendor-Type Number | VSA | Description
311 | 11 | MSCHAP-Challenge | Contains the challenge sent by an AAA server to an MSCHAP user. It can be used in both Access-Request and Access-Challenge packets.
211 | 11 | MSCHAP-Response | Contains the response value provided by an MSCHAP user in response to the challenge. It is only used in Access-Request packets.

Procedure

Step 1: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2: switch(config)# aaa authentication login mschap enable
Purpose: Enables MS-CHAP authentication. The default is disabled.

Step 3: switch(config)# exit
Purpose: Exits configuration mode.

Step 4: switch# show aaa authentication login mschap
Purpose: (Optional) Displays the MS-CHAP configuration.

Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring AAA Accounting Default Methods

The Cisco Nexus device supports TACACS+ and RADIUS methods for accounting. The switches report user activity to TACACS+ or RADIUS security servers in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the AAA server.

When you activate AAA accounting, the Cisco Nexus device reports these attributes as accounting records, which are then stored in an accounting log on the security server.

You can create default method lists defining specific accounting methods, which include the following:

• RADIUS server group—Uses the global pool of RADIUS servers for accounting.

• Specified server group—Uses a specified RADIUS or TACACS+ server group for accounting.

• Local—Uses the local username or password database for accounting.

Note

If you have configured server groups and the server groups do not respond, by default, the local database is used for authentication.

Before You Begin

Before you configure AAA accounting default methods, configure RADIUS or TACACS+ server groups as needed.

Procedure

Step 1: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2: switch(config)# aaa accounting default {group group-list | local}
Purpose: Configures the default accounting method. One or more server group names can be specified in a space-separated list.

The group-list argument consists of a space-delimited list of group names. The group names are the following:

• radius—Uses the global pool of RADIUS servers for accounting.

• named-group—Uses a named subset of TACACS+ or RADIUS servers for accounting.

The local method uses the local database for accounting.

The default method is local, which is used when no server groups are configured or when all the configured server groups do not respond.

Step 3: switch(config)# exit
Purpose: Exits configuration mode.

Step 4: switch# show aaa accounting
Purpose: (Optional) Displays the configuration of the AAA accounting default methods.

Step 5: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Using AAA Server VSAs

VSAs

You can use vendor-specific attributes (VSAs) to specify the Cisco Nexus device user roles and SNMPv3 parameters on AAA servers.

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating VSAs between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format:

protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.

When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results.

This authorization information is specified through VSAs.

VSA Format

The following VSA protocol options are supported by the Cisco Nexus device:

• Shell— Used in access-accept packets to provide user profile information.

• Accounting—Used in accounting-request packets. If a value contains any white spaces, put it within double quotation marks.

The following attributes are supported by the Cisco Nexus device:

• roles—Lists all the roles assigned to the user. The value field is a string that stores the list of group names delimited by white space.


• accountinginfo—Stores additional accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch, and it can only be used with the accounting protocol-related PDUs.

Specifying Switch User Roles and SNMPv3 Parameters on AAA Servers

You can use the VSA cisco-av-pair on AAA servers to specify user role mapping for the Cisco Nexus device using this format: shell:roles="roleA roleB …"

If you do not specify the role option in the cisco-av-pair attribute, the default user role is network-operator.

Note

For information on Cisco Unified Wireless Network TACACS+ configurations and to change the user roles, see Cisco Unified Wireless Network TACACS+ Configuration.

You can also specify your SNMPv3 authentication and privacy protocol attributes as follows: shell:roles="roleA roleB..." snmpv3:auth=SHA priv=AES-128

The SNMPv3 authentication protocol options are SHA and MD5. The privacy protocol options are AES-128 and DES. If you do not specify these options in the cisco-av-pair attribute, MD5 is the default authentication protocol and DES is the default privacy protocol.

For additional information, see the Configuring User Accounts and RBAC chapter in the System Management Configuration Guide for your Cisco Nexus device.
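As an added example (not Cisco's code), the following Python parses cisco-av-pair strings in the format described above and maps them to the roles and SNMPv3 protocols this section covers, applying the stated defaults. The handling of unsupported attributes (reject a mandatory one, ignore an optional one) is an assumption about Cisco AV-pair semantics, not something this guide states.

```python
import re
import shlex
from dataclasses import dataclass

# Defaults the guide gives when the option is absent from the av-pair.
DEFAULT_ROLE = "network-operator"
DEFAULT_SNMPV3_AUTH = "MD5"
DEFAULT_SNMPV3_PRIV = "DES"
VALID_SNMPV3_AUTH = {"SHA", "MD5"}
VALID_SNMPV3_PRIV = {"AES-128", "DES"}

# attribute, then the separator ('=' mandatory, '*' optional), then the value
_ATTR_RE = re.compile(r"^([A-Za-z0-9_-]+)([=*])(.*)$", re.S)


@dataclass(frozen=True)
class AvPair:
    protocol: str
    attribute: str
    value: str
    mandatory: bool


def parse_av_pairs(text: str) -> list:
    """Split a cisco-av-pair string into protocol/attribute/value triples.

    shlex honours the double quotes the guide requires around values that
    contain white space, e.g. shell:roles="roleA roleB".  A token without a
    'protocol:' prefix (such as 'priv=AES-128' after 'snmpv3:auth=SHA')
    belongs to the protocol of the preceding token.
    """
    pairs = []
    protocol = None
    for token in shlex.split(text):
        head = re.split(r"[=*]", token, maxsplit=1)[0]
        if ":" in head:
            protocol, rest = token.split(":", 1)
            protocol = protocol.lower()
        elif protocol is None:
            raise ValueError(f"attribute without protocol: {token!r}")
        else:
            rest = token
        m = _ATTR_RE.match(rest)
        if not m:
            raise ValueError(f"malformed av-pair token: {token!r}")
        attribute, sep, value = m.groups()
        pairs.append(AvPair(protocol, attribute.lower(), value, sep == "="))
    return pairs


@dataclass
class Authorization:
    roles: list
    snmpv3_auth: str = DEFAULT_SNMPV3_AUTH
    snmpv3_priv: str = DEFAULT_SNMPV3_PRIV


def resolve_authorization(text: str) -> Authorization:
    """Map the av-pairs returned in an Access-Accept to the user's roles and
    SNMPv3 protocols, applying the guide's defaults where options are absent.

    Assumption (standard Cisco AV-pair semantics, not stated on this page):
    an unsupported *mandatory* attribute rejects the authorization, while an
    unsupported *optional* attribute is silently ignored.
    """
    auth = Authorization(roles=[DEFAULT_ROLE])
    for p in parse_av_pairs(text):
        key = (p.protocol, p.attribute)
        if key == ("shell", "roles"):
            roles = p.value.split()  # role names are white-space delimited
            auth.roles = roles or [DEFAULT_ROLE]
        elif key == ("snmpv3", "auth"):
            if p.value.upper() not in VALID_SNMPV3_AUTH:
                raise ValueError(f"unsupported SNMPv3 auth protocol {p.value!r}")
            auth.snmpv3_auth = p.value.upper()
        elif key == ("snmpv3", "priv"):
            if p.value.upper() not in VALID_SNMPV3_PRIV:
                raise ValueError(f"unsupported SNMPv3 priv protocol {p.value!r}")
            auth.snmpv3_priv = p.value.upper()
        elif p.mandatory:
            raise ValueError(f"unsupported mandatory attribute {p.protocol}:{p.attribute}")
        # optional ('*') attributes that are not understood are ignored
    return auth
```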

Secure Login Enhancements

The following secure login enhancements are supported in Cisco NX-OS:

Configuring Login Parameters

Use this task to configure your Cisco NX-OS device for login parameters that help detect suspected DoS attacks and slow down dictionary attacks.

All login parameters are disabled by default. You must enter the login block-for command, which enables default login functionality, before using any other login commands. After the login block-for command is enabled, the following default is enforced:

• All login attempts made through Telnet or SSH are denied during the quiet period; that is, no ACLs are exempt from the login period until the login quiet-mode access-class command is entered.


Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: [no] login block-for seconds attempts tries within seconds
Purpose: Configures your Cisco NX-OS device for login parameters that help provide DoS detection.
Note: This command must be issued before any other login command can be used.
Example:
Switch(config)# login block-for 100 attempts 2 within 100

Step 3
Command or Action: [no] login quiet-mode access-class {acl-name | acl-number}
Purpose: (Optional) Although this command is optional, it is recommended that it be configured to specify an ACL that is to be applied to the device when the device switches to quiet mode. When the device is in quiet mode, all login requests are denied and the only available connection is through the console.
Example:
Switch(config)# login quiet-mode access-class myacl

Step 4
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
Switch(config)# exit

Step 5
Command or Action: show login [failures]
Purpose: Displays login parameters. failures—Displays information related only to failed login attempts.
Example:
Switch# show login

Configuration Examples for Login Parameters

Setting Login Parameters Example

The following example shows how to configure your switch to enter a 100-second quiet period if more than 15 failed login attempts occur within 100 seconds; all login requests are denied during the quiet period except those from hosts permitted by the ACL "myacl."

Switch(config)# login block-for 100 attempts 15 within 100
Switch(config)# login quiet-mode access-class myacl


Showing Login Parameters Example

The following sample output from the show login command verifies that no login parameters have been specified:

Switch# show login

No Quiet-Mode access list has been configured, default ACL will be applied.

Switch is enabled to watch for login Attacks.

If more than 2 login failures occur in 45 seconds or less, logins will be disabled for 70 seconds.

Switch presently in Normal-Mode.

Current Watch Window remaining time 10 seconds.

Present login failure count 0.

The following sample output from the show login failures command shows all failed login attempts on the switch:

Switch# show login failures
Information about last 20 login failures with the device.
--------------------------------------------------------------------------------
Username   Line    Source                   Appname   TimeStamp
--------------------------------------------------------------------------------
admin      pts/0   bgl-ads-728.cisco.com    login     Wed Jun 10 04:56:16 2015
admin      pts/0   bgl-ads-728.cisco.com    login     Wed Jun 10 04:56:19 2015
--------------------------------------------------------------------------------

The following sample output from the show login failures command verifies that no information is presently logged:

Switch# show login failures

*** No logged failed login attempts with the device.***

Configuring Login Block Per User

The Login Block Per User feature helps detect suspected Denial of Service (DoS) attacks and slows down dictionary attacks. This feature is applicable only to local users. Use this task to configure login parameters to block a user after failed login attempts.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: aaa authentication rejected attempts in seconds ban seconds
Purpose: Configures login parameters to block a user.
Note: Use the no aaa authentication rejected command to revert to the default login parameters.
Example:
switch(config)# aaa authentication rejected 3 in 20 ban 300

Step 3
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit

Step 4
Command or Action: show running-config
Purpose: (Optional) Displays the login parameters.
Example:
switch# show running-config

Step 5
Command or Action: show aaa local user blocked
Purpose: (Optional) Displays the blocked local users.
Example:
switch# show aaa local user blocked

Step 6
Command or Action: clear aaa local user blocked {username user | all}
Purpose: (Optional) Clears the blocked local users. all—Clears all the blocked local users.
Example:
switch# clear aaa local user blocked username testuser

Configuration Examples for Login Block Per User

Setting Parameters for Login Block Per User

The following example shows how to configure the login parameters to block a user for 300 seconds when five login attempts fail within a period of 60 seconds:

switch(config)# aaa authentication rejected 5 in 60 ban 300

Showing Login Parameters

The following example shows the login parameters configured for a switch:

switch# show run | i rejected
aaa authentication rejected 5 in 60 ban 300


Showing Blocked Local Users

The following example shows the blocked local users:

switch# show aaa local user blocked
Local-user     State
testuser       Watched (till 11:34:42 IST Feb 5 2015)

Clearing Blocked Local Users

The following example shows how to clear the blocked local user testuser:

switch# clear aaa local user blocked username testuser
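As an added example (not Cisco's code), this Python model reproduces the two throttles described in the preceding two sections: the global login block-for quiet period with quiet-mode ACL exemptions, and the per-local-user aaa authentication rejected ban. The host addresses are constructed, and the choice of "exceeds" for the global threshold versus "reaches" for the per-user threshold is an assumption that follows the guide's wording of each example.

```python
from collections import deque


class FailureWindow:
    """Sliding-window failure counter behind both throttles.

    `attempts` failures inside the last `within` seconds start a block of
    `block_for` seconds.  The guide words the two thresholds differently
    ("if 15 failed login attempts is exceeded" for the global quiet period,
    "when five login attempts fail" for the per-user ban), so the comparison
    is selectable via `trip_on_exceed`.
    """

    def __init__(self, block_for, attempts, within, trip_on_exceed):
        self.block_for = block_for
        self.attempts = attempts
        self.within = within
        self.trip_on_exceed = trip_on_exceed
        self._failures = deque()      # timestamps of failures in the window
        self._blocked_until = 0.0

    def _prune(self, now):
        while self._failures and now - self._failures[0] > self.within:
            self._failures.popleft()

    def blocked(self, now):
        return now < self._blocked_until

    def failure_count(self, now):
        self._prune(now)
        return len(self._failures)

    def record_failure(self, now):
        """Register a failed login at `now`; return True if it trips the block."""
        self._failures.append(now)
        self._prune(now)
        n = len(self._failures)
        tripped = n > self.attempts if self.trip_on_exceed else n >= self.attempts
        if tripped:
            self._blocked_until = now + self.block_for
            self._failures.clear()
        return tripped


class LoginGuard:
    """Global quiet period ('login block-for ... attempts ... within ...',
    with 'login quiet-mode access-class' exemptions) plus per-local-user
    bans ('aaa authentication rejected ... in ... ban ...')."""

    def __init__(self, block_for, attempts, within,
                 rejected, rejected_in, ban, quiet_mode_exempt=()):
        self._global = FailureWindow(block_for, attempts, within, trip_on_exceed=True)
        self._ban_params = (ban, rejected, rejected_in)
        self._per_user = {}
        # hosts permitted by the quiet-mode ACL; the console is never blocked
        self._exempt = frozenset(quiet_mode_exempt)

    def check(self, username, source, now):
        """Decide whether a new Telnet/SSH login attempt may proceed."""
        if self._global.blocked(now) and source not in self._exempt:
            return "quiet-mode"
        w = self._per_user.get(username)
        if w is not None and w.blocked(now):
            return "user-banned"
        return "allow"

    def failed(self, username, now):
        """Record an authentication failure against both scopes."""
        self._global.record_failure(now)
        w = self._per_user.setdefault(
            username, FailureWindow(*self._ban_params, trip_on_exceed=False))
        w.record_failure(now)

    def status(self, now):
        """Roughly what 'show login' reports: mode and current failure count."""
        mode = "Quiet-Mode" if self._global.blocked(now) else "Normal-Mode"
        return {"mode": mode, "failure_count": self._global.failure_count(now)}

    def blocked_users(self, now):
        """Roughly what 'show aaa local user blocked' lists."""
        return sorted(u for u, w in self._per_user.items() if w.blocked(now))
```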

Restricting Sessions Per User Per Login

Use this task to restrict the maximum sessions per user.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: [no] user max-logins max-logins
Purpose: Restricts the maximum sessions per user. The range is from 1 to 7. If you set the maximum login limit as 1, then only one session (telnet/SSH) is allowed per user.
Example:
Switch(config)# user max-logins 1

Step 3
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
Switch(config)# exit

Configuring Passphrase Length

Use this task to configure the maximum and minimum passphrase length.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: userpassphrase {{min-length value | max-length value} | min-length value max-length value}
Purpose: Configures the user passphrase length. The range of minimum passphrase length values is from 8 to 127. The range of maximum passphrase length values is from 80 to 127. The default minimum passphrase length is 8 and the default maximum passphrase length is 127.
Example:
switch(config)# userpassphrase max-length 127

Step 3
Command or Action: no userpassphrase {min-length | max-length | length}
Purpose: Resets the passphrase length configuration to the default configuration.
Example:
switch(config)# no userpassphrase max-length

Step 4
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit

Step 5
Command or Action: show userpassphrase {min-length | max-length | length}
Purpose: Displays the maximum and minimum user passphrase length.
Example:
switch# show userpassphrase length

Configuring Passphrase Time Values

You can configure the following passphrase time values for a user:

• Lifetime – Life time of a passphrase in days. After the passphrase expires, the user is prompted to change the passphrase upon first login.

• Gracetime – Grace time of a passphrase in days. Gracetime is the number of days of inactivity after a passphrase has expired before an account is locked.

• Warntime – Warning time of the expiry of a passphrase in days. Warntime is the number of days prior to a passphrase expiring, when a user is warned that the user's passphrase is about to expire.


The default time values are 99999 days for lifetime, 14 days for warntime, and 3 days for gracetime.

The value 99999 indicates that a user's passphrase never expires by default.

Note

By default, an extra configuration is added to the running configuration for every user except 'admin'. This indicates a user's passphrase time values. By default, the extra configuration displays the default passphrase time values for users.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: username username passphrase {{lifetime | warntime | gracetime} time-value | {lifetime time-value warntime time-value gracetime time-value}}
Purpose: Configures passphrase time values for a user. Note that this step can be performed only by a network-admin.
Example:
switch(config)# username test-user passphrase lifetime 990

Step 3
Command or Action: no username username passphrase {lifetime | warntime | gracetime | timevalues}
Purpose: (Optional) Resets passphrase time values to the default values for a user. Note that this step can be performed only by a network-admin.
Example:
switch(config)# no username test-user passphrase lifetime

Step 4
Command or Action: userpassphrase {default-lifetime | default-warntime | default-gracetime} time-value
Purpose: (Optional) Updates default passphrase time values. Note that this step can be performed only by a network-admin.
Example:
switch(config)# userpassphrase default-lifetime 990

Step 5
Command or Action: no userpassphrase {default-lifetime | default-warntime | default-gracetime timevalue}
Purpose: (Optional) Resets the configured default values to the initial default values. Note that this step can be performed only by a network-admin.
Example:
switch(config)# no userpassphrase default-lifetime

Step 6
Command or Action: username username expire-userpassphrase
Purpose: (Optional) Sets any userpassphrase to expire immediately. When you try to log in after a passphrase expires, you are prompted to enter and create a new password after entering the old password correctly. Note that this step can be performed only by an admin.
Example:
switch(config)# username john expire-userpassphrase

Step 7
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit

Step 8
Command or Action: show userpassphrase {default-lifetime | default-warntime | default-gracetime | timevalues}
Purpose: Displays the passphrase time values.
Example:
switch# show userpassphrase default-lifetime

Step 9
Command or Action: show username username passphrase timevalues
Purpose: Displays the passphrase lifetime, warning time, and grace time for a specific user.
Example:
switch# show username john passphrase timevalues

Step 10
Command or Action: show running-config
Purpose: (Optional) Displays the configured values.
Example:
switch# show running-config

Configuring Passphrase Time Values

The following example shows how to configure passphrase time values for test-user.

switch(config)# username test-user passphrase lifetime 365 warntime 10 gracetime 5
switch(config)# show username test-user passphrase timevalues
Last passphrase change(Y-M-D): 2016-01-28
Passphrase lifetime: 365 days after last passphrase change
Passphrase warning time starts: 10 days before passphrase lifetime
Passphrase Gracetime ends: 5 days after passphrase lifetime
switch# show running-config
!Command: show running-config
!Time: Mon Nov 30 02:32:51 2015
version 7.3(0)N1(1)
hostname switch
role name test
username admin password 5 5$0sCUUZQm$fXdGj90e9yXv1XeuY9qResKmLGKQtn8Tj6ab4s4IcVA role network-admin
username test-user password 5 5$c9Gmvm8E$aoSQ1X7vfphlJ6WeRQl3C0Py6TlpiDjhWcF6kYi4hg6 expire 1970-01-01 role network-operator
username test-user passphrase lifetime 365 warntime 10 gracetime 5
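As an added example (not Cisco's code), the following Python computes the concrete dates behind the show username test-user passphrase timevalues output above and classifies a passphrase as ok, in its warning window, expired, or locked. The interpretation that an account locks once gracetime days pass after expiry without a passphrase change is an assumption drawn from the definitions in this section.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Initial defaults from the guide; 99999 days means "never expires".
DEFAULT_LIFETIME = 99999
DEFAULT_WARNTIME = 14
DEFAULT_GRACETIME = 3


@dataclass(frozen=True)
class PassphrasePolicy:
    lifetime: int = DEFAULT_LIFETIME    # days a passphrase stays valid
    warntime: int = DEFAULT_WARNTIME    # days before expiry that warnings start
    gracetime: int = DEFAULT_GRACETIME  # days after expiry before the account locks

    def expires_on(self, last_change: date) -> date:
        return last_change + timedelta(days=self.lifetime)

    def warning_starts(self, last_change: date) -> date:
        return self.expires_on(last_change) - timedelta(days=self.warntime)

    def grace_ends(self, last_change: date) -> date:
        return self.expires_on(last_change) + timedelta(days=self.gracetime)


def passphrase_state(policy: PassphrasePolicy, last_change: date, today: date) -> str:
    """Classify a passphrase whose last change was `last_change`.

    Returns 'ok', 'warning' (user is warned at login), 'expired' (user must
    set a new passphrase at next login) or 'locked' (assumption: the grace
    period passed with no passphrase change, so the account is locked).
    """
    if today >= policy.grace_ends(last_change):
        return "locked"
    if today >= policy.expires_on(last_change):
        return "expired"
    if today >= policy.warning_starts(last_change):
        return "warning"
    return "ok"


def timevalues(policy: PassphrasePolicy, last_change: date) -> dict:
    """The concrete dates behind 'show username <user> passphrase timevalues'."""
    return {
        "last_change": last_change,
        "warning_starts": policy.warning_starts(last_change),
        "expires_on": policy.expires_on(last_change),
        "grace_ends": policy.grace_ends(last_change),
    }
```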

Locking User Accounts

As an admin, you can lock or unlock any user account.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: [no] username username lock-user-account
Purpose: Locks the specified user account. Use the no form of this command to unlock a user account.
Example:
switch(config)# username john lock-user-account

Step 3
Command or Action: unlock locked-users
Purpose: (Optional) Unlocks all the locked user accounts.
Example:
switch(config)# unlock locked-users

Step 4
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit

Step 5
Command or Action: show locked-users
Purpose: Displays all the locked users.
Example:
switch# show locked-users

Logging Invalid Usernames

As an admin, you can enable or disable the logging of invalid usernames during an authentication failure. By default, invalid usernames during authentication failures are not logged. Any username that does not pass authentication is considered an invalid username and is not logged, because a password entered in the username field by mistake would otherwise be written to the log. This feature can be used to mitigate the risk of logging passwords.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: [no] aaa authentication login invalid-username-log
Purpose: Enables the logging of invalid usernames during an authentication failure. Use the no form of this command to disable the logging of invalid usernames.
Example:
switch(config)# aaa authentication login invalid-username-log

Step 3
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
switch(config)# exit

Step 4
Command or Action: show aaa authentication login invalid-username-log
Purpose: Displays whether logging of invalid usernames is enabled.
Example:
switch# show aaa authentication login invalid-username-log

Changing Password

Use this task to change the password.

Procedure

Step 1
Enter global configuration mode:
switch# configure terminal

Step 2
To change the password, perform one of the following:

• Authenticate with the old password and then enter the new password:
switch(config)# change-password

Note: By default, password secure-mode is enabled, so users must authenticate with the old password before changing the password. An admin user can disable password secure-mode by using the no password secure-mode command. This enables users to change the password without authenticating with the old password, by using the username username password new_password command.

• If password secure-mode is enabled, an admin user can still use the username command to change the password:
switch(config)# username admin password new-password role role-name

Note: If password secure-mode is disabled, any user can use the username command to change the password.

Step 3
Exit to privileged EXEC mode:
switch(config)# exit

Step 4
Display the status of password secure-mode:
switch# show password secure-mode

Changing Password

This example shows a running configuration to change the password. Replace the placeholders with relevant values for your setup.

config t
change-password
Enter old password:
Enter new password:
Confirm new password:
exit

Enabling the Password Prompt for User Name

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: [no] password prompt username
Purpose: Enables the login knob. If this command is enabled and the user enters the username command without the password option, the user is prompted for the password. The password accepts hidden characters. Use the no form of this command to disable the login knob.
Example:
Switch(config)# password prompt username

Step 3
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
Switch(config)# exit

Support over SHA-256 Algorithm for Verifying OS Integrity

Use the show file bootflash:/ sha256sum command to display the sha256sum of the file. The sample output for this command is shown below:

Switch# show file bootflash:/ sha256sum

abd9d40020538acc363df3d1bae7d1df16841e4903fca2c07c7898bf4f549ef5

Configuring Shared Key Value for Using RADIUS/TACACS+

The shared secret you configure for remote authentication and accounting must be hidden. For the radius-server key and tacacs-server key commands, a separate command can be used to generate an encrypted shared secret.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
Switch# configure terminal

Step 2
Command or Action: generate type7_encrypted_secret
Purpose: Configures the RADIUS and TACACS shared secret with key type 7. While generating an encrypted shared secret, user input is hidden.
Note: You can generate the encrypted equivalent of the plain text separately and configure the encrypted shared secret later.
Example:
Switch(config)# generate type7_encrypted_secret

Step 3
Command or Action: exit
Purpose: Exits to privileged EXEC mode.
Example:
Switch(config)# exit


Monitoring and Clearing the Local AAA Accounting Log

The Cisco Nexus device maintains a local log for the AAA accounting activity.

Procedure

Step 1
Command or Action: switch# show accounting log [size] [start-time year month day hh:mm:ss]
Purpose: Displays the accounting log contents. By default, the command output contains up to 250,000 bytes of the accounting log. You can use the size argument to limit command output. The range is from 0 to 250000 bytes. You can also specify a start time for the log output.

Step 2
Command or Action: switch# clear accounting log
Purpose: (Optional) Clears the accounting log contents.

Verifying the AAA Configuration

To display AAA information, perform one of the following tasks:

Command: show aaa accounting
Purpose: Displays AAA accounting configuration.

Command: show aaa authentication [login {error-enable | mschap}]
Purpose: Displays AAA authentication information.

Command: show aaa authorization
Purpose: Displays AAA authorization information.

Command: show aaa groups
Purpose: Displays the AAA server group configuration.

Command: show running-config aaa [all]
Purpose: Displays the AAA configuration in the running configuration.

Command: show startup-config aaa
Purpose: Displays the AAA configuration in the startup configuration.

Configuration Examples for AAA

The following example shows how to configure AAA:

switch(config)# aaa authentication login default group radius
switch(config)# aaa authentication login console group radius
switch(config)# aaa accounting default group radius


CHAPTER 4

Configuring RADIUS

This chapter contains the following sections:

Information About RADIUS, page 35

Prerequisites for RADIUS, page 38

Guidelines and Limitations for RADIUS, page 38

Default Settings for RADIUS, page 38

Configuring RADIUS Servers, page 39

Verifying the RADIUS Configuration, page 50

Displaying RADIUS Server Statistics, page 50

Clearing RADIUS Server Statistics, page 50

Configuration Examples for RADIUS, page 51

Information About RADIUS

The Remote Access Dial-In User Service (RADIUS) distributed client/server system allows you to secure networks against unauthorized access. In the Cisco implementation, RADIUS clients run on Cisco Nexus devices and send authentication and accounting requests to a central RADIUS server that contains all user authentication and network service access information.

RADIUS Network Environments

RADIUS can be implemented in a variety of network environments that require high levels of security while maintaining network access for remote users.

You can use RADIUS in the following network environments that require access security:

• Networks with multiple-vendor network devices, each supporting RADIUS.

For example, network devices from several vendors can use a single RADIUS server-based security database.


• Networks already using RADIUS.

You can add a Cisco Nexus device with RADIUS to the network. This action might be the first step when you make a transition to an AAA server.

• Networks that require resource accounting.

You can use RADIUS accounting independent of RADIUS authentication or authorization. The RADIUS accounting functions allow data to be sent at the start and end of services, indicating the amount of resources (such as time, packets, bytes, and so on) used during the session. An Internet service provider (ISP) might use a freeware-based version of the RADIUS access control and accounting software to meet special security and billing needs.

• Networks that support authentication profiles.

Using the RADIUS server in your network, you can configure AAA authentication and set up per-user profiles. Per-user profiles enable the Cisco Nexus device to manage ports using their existing RADIUS solutions and to efficiently manage shared resources to offer different service-level agreements.

Information About RADIUS Operations

When a user attempts to log in and authenticate to a Cisco Nexus device using RADIUS, the following process occurs:

1. The user is prompted for and enters a username and password.

2. The username and encrypted password are sent over the network to the RADIUS server.

3. The user receives one of the following responses from the RADIUS server:

• ACCEPT—The user is authenticated.

• REJECT—The user is not authenticated and is prompted to reenter the username and password, or access is denied.

• CHALLENGE—A challenge is issued by the RADIUS server. The challenge collects additional data from the user.

• CHANGE PASSWORD—A request is issued by the RADIUS server, asking the user to select a new password.

The ACCEPT or REJECT response is bundled with additional data that is used for EXEC or network authorization. You must first complete RADIUS authentication before using RADIUS authorization. The additional data included with the ACCEPT or REJECT packets consists of the following:

• Services that the user can access, including Telnet, rlogin, or local-area transport (LAT) connections, and Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services.

• Connection parameters, including the host or client IPv4 or IPv6 address, access list, and user timeouts.

RADIUS Server Monitoring

An unresponsive RADIUS server can cause delay in processing of AAA requests. You can configure the switch to periodically monitor a RADIUS server to check whether it is responding (or alive) to save time in processing AAA requests. The switch marks unresponsive RADIUS servers as dead and does not send AAA requests to any dead RADIUS servers. The switch periodically monitors the dead RADIUS servers and brings them to the alive state once they respond. This process verifies that a RADIUS server is in a working state before real AAA requests are sent to the server. Whenever a RADIUS server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the switch displays an error message that a failure is taking place.

The following figure shows the different RADIUS server states:

Figure 2: RADIUS Server States

Note

The monitoring intervals for alive servers and dead servers are different and can be configured by the user.

The RADIUS server monitoring is performed by sending a test authentication request to the RADIUS server.
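As an added example (not Cisco's code), the following Python models the alive and dead server states described above: test authentications are scheduled at separate intervals for alive and dead servers, each state change is recorded where the switch would raise its SNMP trap and error message, and only alive servers are offered for real AAA requests. The server addresses and intervals are constructed values.

```python
class RadiusServerMonitor:
    """Track each RADIUS server as 'alive' or 'dead' from periodic test
    authentication results, probing the two states at different intervals."""

    def __init__(self, servers, alive_interval, dead_interval):
        self.alive_interval = alive_interval   # seconds between probes of alive servers
        self.dead_interval = dead_interval     # seconds between probes of dead servers
        # every server starts out alive and is due for a probe immediately
        self._state = {s: "alive" for s in servers}
        self._next_probe = {s: 0.0 for s in servers}
        self.events = []   # (time, server, new_state): where a trap/syslog would be raised

    def state(self, server):
        return self._state[server]

    def due_probes(self, now):
        """Servers whose test authentication request is due at `now`."""
        return [s for s, t in self._next_probe.items() if now >= t]

    def record_probe(self, server, responded, now):
        """Apply one test-authentication outcome and schedule the next probe."""
        new_state = "alive" if responded else "dead"
        if new_state != self._state[server]:
            self._state[server] = new_state
            self.events.append((now, server, new_state))
        interval = self.alive_interval if new_state == "alive" else self.dead_interval
        self._next_probe[server] = now + interval

    def select(self):
        """Servers that real AAA requests may be sent to: alive ones only."""
        return [s for s, st in self._state.items() if st == "alive"]
```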

Vendor-Specific Attributes

The Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-av-pair. The value is a string with the following format: protocol : attribute separator value *

The protocol is a Cisco attribute for a particular type of authorization, the separator is an equal sign (=) for mandatory attributes, and an asterisk (*) indicates optional attributes.

When you use RADIUS servers for authentication on a Cisco Nexus device, the RADIUS protocol directs the RADIUS server to return user attributes, such as authorization information, with authentication results.

This authorization information is specified through VSAs.

The following VSA protocol options are supported by the Cisco Nexus device:


• Shell—Used in access-accept packets to provide user profile information.

• Accounting—Used in accounting-request packets. If a value contains any white space, you should enclose the value within double quotation marks.

The Cisco Nexus device supports the following attributes:

• roles—Lists all the roles to which the user belongs. The value field is a string that lists the role names delimited by white spaces.

• accountinginfo—Stores accounting information in addition to the attributes covered by a standard RADIUS accounting protocol. This attribute is sent only in the VSA portion of the Account-Request frames from the RADIUS client on the switch. It can be used only with the accounting protocol data units (PDUs).

Prerequisites for RADIUS

RADIUS has the following prerequisites:

• You must obtain IPv4 or IPv6 addresses or hostnames for the RADIUS servers.

• You must obtain preshared keys from the RADIUS servers.

• Ensure that the Cisco Nexus device is configured as a RADIUS client of the AAA servers.

Guidelines and Limitations for RADIUS

RADIUS has the following configuration guidelines and limitations:

• You can configure a maximum of 64 RADIUS servers on the Cisco Nexus device.

Default Settings for RADIUS

The following table lists the default settings for RADIUS parameters.

Table 6: Default RADIUS Parameters

Parameters                            Default
Server roles                          Authentication and accounting
Dead timer interval                   0 minutes
Retransmission count                  1
Retransmission timer interval         5 seconds
Idle timer interval                   0 minutes
Periodic server monitoring username   test
Periodic server monitoring password   test

Configuring RADIUS Servers

This section describes how to configure RADIUS servers.

Procedure

Step 1

Establish the RADIUS server connections to the Cisco Nexus device.

Step 2

Configure the preshared secret keys for the RADIUS servers.

Step 3

If needed, configure RADIUS server groups with subsets of the RADIUS servers for AAA authentication methods.

Step 4

If needed, configure any of the following optional parameters:

• Dead-time interval.

• Allow specification of a RADIUS server at login.

• Transmission retry count and timeout interval.

• Accounting and authentication attributes.

Step 5

If needed, configure periodic RADIUS server monitoring.

Configuring RADIUS Server Hosts

You must configure the IPv4 or IPv6 address or the hostname for each RADIUS server that you want to use for authentication. All RADIUS server hosts are added to the default RADIUS server group. You can configure up to 64 RADIUS servers.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name}
Purpose: Specifies the IPv4 or IPv6 address or hostname for a RADIUS server.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

The following example shows how to configure host 10.10.1.1 as a RADIUS server:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1
switch(config)# exit
switch# copy running-config startup-config

Configuring RADIUS Global Preshared Keys

You can configure preshared keys at the global level for all servers used by the Cisco Nexus device. A preshared key is a shared secret text string between the switch and the RADIUS server hosts.

Before You Begin

Obtain the preshared key values for the remote RADIUS servers

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server key [0 | 7] key-value
Purpose: Specifies a preshared key for all RADIUS servers. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. By default, no preshared key is configured.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Note: The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.


Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure preshared keys at the global level for all servers used by the device:

switch# configure terminal
switch(config)# radius-server key 0 QsEfThUkO
switch(config)# exit
switch# copy running-config startup-config

Configuring RADIUS Server Preshared Keys

A preshared key is a shared secret text string between the Cisco Nexus device and the RADIUS server host.

Before You Begin

Obtain the preshared key values for the remote RADIUS servers.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value
Purpose: Specifies a preshared key for a specific RADIUS server. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. This preshared key is used instead of the global preshared key.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Note: The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.


This example shows how to configure RADIUS preshared keys:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1 key 0 PlIjUhYg
switch(config)# exit
switch# show radius-server
switch# copy running-config startup-config

Configuring RADIUS Server Groups

You can specify one or more remote AAA servers for authentication using server groups. All members of a group must belong to the RADIUS protocol. The servers are tried in the same order in which you configure them.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# aaa group server radius group-name
Purpose: Creates a RADIUS server group and enters the RADIUS server group configuration submode for that group. The group-name argument is a case-sensitive, alphanumeric string with a maximum of 127 characters.

Step 3
Command or Action: switch(config-radius)# server {ipv4-address | ipv6-address | server-name}
Purpose: Configures the RADIUS server as a member of the RADIUS server group. If the specified RADIUS server is not found, configure it using the radius-server host command and retry this command.

Step 4
Command or Action: switch(config-radius)# deadtime minutes
Purpose: (Optional) Configures the monitoring dead time. The default is 0 minutes. The range is from 1 through 1440.
Note: If the dead-time interval for a RADIUS server group is greater than zero (0), that value takes precedence over the global dead-time value.

Step 5
Command or Action: switch(config-radius)# source-interface interface
Purpose: (Optional) Assigns a source interface for a specific RADIUS server group. The supported interface types are management and VLAN.
Note: Use the source-interface command to override the global source interface assigned by the ip radius source-interface command.

Step 6
Command or Action: switch(config-radius)# exit
Purpose: Exits configuration mode.

Step 7
Command or Action: switch(config)# show radius-server group [group-name]
Purpose: (Optional) Displays the RADIUS server group configuration.


Step 8
Command or Action: switch(config)# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

The following example shows how to configure a RADIUS server group:

switch# configure terminal
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
switch(config-radius)# deadtime 30
switch(config-radius)# use-vrf management
switch(config-radius)# exit
switch(config)# show radius-server group
switch(config)# copy running-config startup-config

What to Do Next

Apply the RADIUS server groups to an AAA service.

Configuring the Global Source Interface for RADIUS Server Groups

You can configure a global source interface for RADIUS server groups to use when accessing RADIUS servers. You can also configure a different source interface for a specific RADIUS server group.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# ip radius source-interface interface
Purpose: Configures the global source interface for all RADIUS server groups configured on the device. The source interface can be the management or the VLAN interface.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration information.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.


This example shows how to configure the mgmt 0 interface as the global source interface for RADIUS server groups:

switch# configure terminal
switch(config)# ip radius source-interface mgmt 0
switch(config)# exit
switch# copy running-config startup-config

Allowing Users to Specify a RADIUS Server at Login

You can allow users to specify a RADIUS server at login.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server directed-request
Purpose: Allows users to specify a RADIUS server to send the authentication request when logging in. The default is disabled.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show radius-server directed-request
Purpose: (Optional) Displays the directed request configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

This example shows how to allow users to select a RADIUS server when logging in to a network:

switch# configure terminal
switch(config)# radius-server directed-request
switch(config)# exit
switch# copy running-config startup-config

Configuring the Global RADIUS Transmission Retry Count and Timeout Interval

You can configure a global retransmission retry count and timeout interval for all RADIUS servers. By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. The timeout interval determines how long the Cisco Nexus device waits for responses from RADIUS servers before declaring a timeout failure.


Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server retransmit count
Purpose: Specifies the retransmission count for all RADIUS servers. The default retransmission count is 1 and the range is from 0 to 5.

Step 3
Command or Action: switch(config)# radius-server timeout seconds
Purpose: Specifies the transmission timeout interval for RADIUS servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.

Step 4
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.

Step 5
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.

Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

This example shows how to set the retry count to 3 and the transmission timeout interval to 5 seconds for RADIUS servers:

switch# configure terminal
switch(config)# radius-server retransmit 3
switch(config)# radius-server timeout 5
switch(config)# exit
switch# copy running-config startup-config

Configuring the RADIUS Transmission Retry Count and Timeout Interval for a Server

By default, a Cisco Nexus switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server. You can also set a timeout interval that the switch waits for responses from RADIUS servers before declaring a timeout failure.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} retransmit count
Purpose: Specifies the retransmission count for a specific server. The default is the global value.
Note: The retransmission count value specified for a RADIUS server overrides the count specified for all RADIUS servers.


Step 3
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} timeout seconds
Purpose: Specifies the transmission timeout interval for a specific server. The default is the global value.
Note: The timeout interval value specified for a RADIUS server overrides the interval value specified for all RADIUS servers.

Step 4
Command or Action: switch(config)# exit
Purpose: Exits global configuration mode.

Step 5
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.

Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to set the RADIUS transmission retry count to 3 and the timeout interval to 10 seconds on RADIUS host server server1:

switch# configure terminal
switch(config)# radius-server host server1 retransmit 3
switch(config)# radius-server host server1 timeout 10
switch(config)# exit
switch# copy running-config startup-config

Configuring Accounting and Authentication Attributes for RADIUS Servers

You can specify that a RADIUS server is to be used only for accounting purposes or only for authentication purposes. By default, RADIUS servers are used for both accounting and authentication. You can also specify the destination UDP port numbers where RADIUS accounting and authentication messages should be sent.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} acct-port udp-port
Purpose: (Optional) Specifies a UDP port to use for RADIUS accounting messages. The default UDP port is 1812. The range is from 0 to 65535.

Step 3
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} accounting
Purpose: (Optional) Specifies that the specified RADIUS server is to be used only for accounting purposes. The default is both accounting and authentication.


Step 4
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} auth-port udp-port
Purpose: (Optional) Specifies a UDP port to use for RADIUS authentication messages. The default UDP port is 1812. The range is from 0 to 65535.

Step 5
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} authentication
Purpose: (Optional) Specifies that the specified RADIUS server only be used for authentication purposes. The default is both accounting and authentication.

Step 6
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 7
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.

Step 8
Command or Action: switch# copy running-config startup-config
Purpose: Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure accounting and authentication attributes for a RADIUS server:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1 acct-port 2004
switch(config)# radius-server host 10.10.1.1 accounting
switch(config)# radius-server host 10.10.2.2 auth-port 2005
switch(config)# radius-server host 10.10.2.2 authentication
switch(config)# exit
switch# copy running-config startup-config

Configuring Periodic RADIUS Server Monitoring

You can monitor the availability of RADIUS servers by configuring the monitoring parameters: the username and password that the switch uses in its test requests to the server, and an idle timer. The idle timer specifies the interval during which a RADIUS server receives no requests before the switch sends out a test packet. You can configure this option to test servers periodically.

Note
For security reasons, we recommend that you do not configure a test username that is the same as an existing user in the RADIUS database.

The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, the switch does not perform periodic RADIUS server monitoring.


Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
Purpose: Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes. The valid range is from 0 to 1440 minutes.
Note: For periodic RADIUS server monitoring, you must set the idle timer to a value greater than 0.

Step 3
Command or Action: switch(config)# radius-server deadtime minutes
Purpose: Specifies the number of minutes before the switch checks a RADIUS server that was previously unresponsive. The default value is 0 minutes. The valid range is 1 to 1440 minutes.

Step 4
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 5
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.

Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure RADIUS server host 10.10.1.1 with a username (user1) and password (Ur2Gd2BH) and with an idle timer of 3 minutes and a deadtime of 5 minutes:

switch# configure terminal
switch(config)# radius-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
switch(config)# radius-server deadtime 5
switch(config)# exit
switch# copy running-config startup-config

Configuring the Dead-Time Interval

You can configure the dead-time interval for all RADIUS servers. The dead-time interval specifies the time that the Cisco Nexus device waits after declaring a RADIUS server is dead, before sending out a test packet to determine if the server is now alive. The default value is 0 minutes.


Note

When the dead-time interval is 0 minutes, RADIUS servers are not marked as dead even if they are not responding. You can configure the dead-time interval for a RADIUS server group.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# radius-server deadtime minutes
Purpose: Configures the dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

This example shows how to configure a deadtime of 5 minutes for a RADIUS server:

switch# configure terminal
switch(config)# radius-server deadtime 5
switch(config)# exit
switch# copy running-config startup-config

Manually Monitoring RADIUS Servers or Groups

Procedure

Step 1
Command or Action: switch# test aaa server radius {ipv4-address | ipv6-address | server-name} [vrf vrf-name] username password
Purpose: Sends a test message to a RADIUS server to confirm availability.

Step 2
Command or Action: switch# test aaa group group-name username password
Purpose: Sends a test message to a RADIUS server group to confirm availability.


This example shows how to send a test message to the RADIUS server and server group to confirm availability:

switch# test aaa server radius 10.10.1.1 user1 Ur2Gd2BH
switch# test aaa group RadGroup user2 As3He3CI

Verifying the RADIUS Configuration

To display AAA information, perform one of the following tasks:

Command: show running-config radius [all]
Purpose: Displays the RADIUS configuration in the running configuration.

Command: show startup-config radius
Purpose: Displays the RADIUS configuration in the startup configuration.

Command: show radius-server [server-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Purpose: Displays all configured RADIUS server parameters.

Displaying RADIUS Server Statistics

Procedure

Step 1
Command or Action: switch# show radius-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: Displays the RADIUS statistics.

Clearing RADIUS Server Statistics

You can display the statistics that the Cisco NX-OS device maintains for RADIUS server activity.

Before You Begin

Configure RADIUS servers on the Cisco NX-OS device.


Procedure

Step 1
Command or Action: switch# show radius-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: (Optional) Displays the RADIUS server statistics on the Cisco NX-OS device.

Step 2
Command or Action: switch# clear radius-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: Clears the RADIUS server statistics.

Configuration Examples for RADIUS

The following example shows how to configure RADIUS:

switch# configure terminal
switch(config)# radius-server key 7 "ToIkLhPpG"
switch(config)# radius-server host 10.10.1.1 key 7 "ShMoMhTl" authentication accounting
switch(config)# aaa group server radius RadServer
switch(config-radius)# server 10.10.1.1
switch(config-radius)# use-vrf management
switch(config-radius)# exit
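To review a staged RADIUS configuration against the settings this chapter describes (preshared keys and their format, dead-time and idle-time defaults, per-server retransmit and timeout overrides), here is an added Python example that is not part of the Cisco guide. The configuration text is constructed from the examples above, and the attempt count of one request plus `retransmit` retries per server is an assumption used to bound the wait before local fallback.

```python
"""Audit a staged NX-OS RADIUS configuration (added example, not Cisco code).

Parses the radius-server commands this page describes from a constructed
configuration text and flags: no preshared key, a key entered in clear text
(format 0), dead-time 0 (servers are never marked dead) and idle-time 0 (no
periodic monitoring). It also estimates the worst-case wait before local
fallback, assuming one request plus `retransmit` retries per server, each
waiting `timeout` seconds, with servers tried in configured order.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_RETRANSMIT = 1  # defaults stated in the guide
DEFAULT_TIMEOUT = 5     # seconds

@dataclass
class RadiusServer:
    name: str
    key_format: Optional[str] = None  # "0" clear text, "7" encrypted, None = no key
    retransmit: Optional[int] = None  # None = the global value applies
    timeout: Optional[int] = None
    test_idle_time: int = 0           # minutes; 0 disables periodic monitoring

@dataclass
class RadiusConfig:
    global_key_format: Optional[str] = None
    global_retransmit: int = DEFAULT_RETRANSMIT
    global_timeout: int = DEFAULT_TIMEOUT
    deadtime: int = 0
    servers: Dict[str, RadiusServer] = field(default_factory=dict)

def _value_after(tokens: List[str], keyword: str) -> Optional[str]:
    """Return the token following `keyword`, or None if absent."""
    if keyword in tokens and tokens.index(keyword) + 1 < len(tokens):
        return tokens[tokens.index(keyword) + 1]
    return None

def parse_radius_config(text: str) -> RadiusConfig:
    cfg = RadiusConfig()
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:2] == ["radius-server", "host"] and len(tokens) > 2:
            srv = cfg.servers.setdefault(tokens[2], RadiusServer(tokens[2]))
            rest = tokens[3:]
            if "key" in rest:  # format defaults to clear text when 0/7 is omitted
                fmt = _value_after(rest, "key")
                srv.key_format = fmt if fmt in ("0", "7") else "0"
            if (v := _value_after(rest, "retransmit")) is not None:
                srv.retransmit = int(v)
            if (v := _value_after(rest, "timeout")) is not None:
                srv.timeout = int(v)
            if (v := _value_after(rest, "idle-time")) is not None:
                srv.test_idle_time = int(v)
        elif tokens[:2] == ["radius-server", "key"]:
            fmt = _value_after(tokens, "key")
            cfg.global_key_format = fmt if fmt in ("0", "7") else "0"
        elif tokens[:2] == ["radius-server", "retransmit"]:
            cfg.global_retransmit = int(tokens[2])
        elif tokens[:2] == ["radius-server", "timeout"]:
            cfg.global_timeout = int(tokens[2])
        elif tokens[:2] == ["radius-server", "deadtime"]:
            cfg.deadtime = int(tokens[2])
    return cfg

def audit(cfg: RadiusConfig) -> List[str]:
    """Return the findings a reviewer would raise, in configuration order."""
    findings = []
    if cfg.deadtime == 0:
        findings.append("deadtime 0: unresponsive servers are never marked dead")
    for srv in cfg.servers.values():
        fmt = srv.key_format if srv.key_format is not None else cfg.global_key_format
        if fmt is None:
            findings.append(f"{srv.name}: no preshared key configured (server or global)")
        elif fmt == "0":
            findings.append(f"{srv.name}: preshared key entered in clear text (key 0)")
        if srv.test_idle_time == 0:
            findings.append(f"{srv.name}: test idle-time 0, no periodic monitoring")
    return findings

def worst_case_wait(cfg: RadiusConfig) -> int:
    """Seconds until every server has timed out and local authentication is
    used (assumption: 1 + retransmit attempts per server, tried in order)."""
    total = 0
    for srv in cfg.servers.values():
        retries = srv.retransmit if srv.retransmit is not None else cfg.global_retransmit
        timeout = srv.timeout if srv.timeout is not None else cfg.global_timeout
        total += (1 + retries) * timeout
    return total

# Constructed configuration text, modelled on the examples in this guide.
SAMPLE_CONFIG = """\
radius-server key 7 "ToIkLhPpG"
radius-server retransmit 3
radius-server timeout 5
radius-server host 10.10.1.1 key 0 PlIjUhYg
radius-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
radius-server host 10.10.2.2 timeout 10
radius-server host 10.10.3.3 retransmit 0
"""
```

Running `audit(parse_radius_config(SAMPLE_CONFIG))` reports the missing dead-time, the clear-text key on 10.10.1.1 and the two servers without periodic monitoring; `worst_case_wait` returns 65 seconds for the same configuration.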


CHAPTER 5

Configuring TACACS+

This chapter contains the following sections:

Information About Configuring TACACS+, page 53

Prerequisites for TACACS+, page 56

Guidelines and Limitations for TACACS+, page 56

Default Settings for TACACS+, page 56

Configuring TACACS+, page 57

Displaying TACACS+ Statistics, page 73

Verifying the TACACS+ Configuration, page 74

Configuration Examples for TACACS+, page 74

Information About Configuring TACACS+

The Terminal Access Controller Access Control System Plus (TACACS+) security protocol provides centralized validation of users attempting to gain access to a Cisco Nexus device. TACACS+ services are maintained in a database on a TACACS+ daemon typically running on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your Cisco Nexus device are available.

TACACS+ provides for separate authentication, authorization, and accounting facilities. TACACS+ allows for a single access control server (the TACACS+ daemon) to provide each service (authentication, authorization, and accounting) independently. Each service is associated with its own database to take advantage of other services available on that server or on the network, depending on the capabilities of the daemon.

The TACACS+ client/server protocol uses TCP (TCP port 49) for transport requirements. The Cisco Nexus device provides centralized authentication using the TACACS+ protocol.

TACACS+ Advantages

TACACS+ has the following advantages over RADIUS authentication:


• Provides independent AAA facilities. For example, the Cisco Nexus device can authorize access without authenticating.

• Uses the TCP transport protocol to send data between the AAA client and server, making reliable transfers with a connection-oriented protocol.

• Encrypts the entire protocol payload between the switch and the AAA server to ensure higher data confidentiality. The RADIUS protocol only encrypts passwords.

User Login with TACACS+

When a user attempts a Password Authentication Protocol (PAP) login to a Cisco Nexus device using TACACS+, the following actions occur:

1. When the Cisco Nexus device establishes a connection, it contacts the TACACS+ daemon to obtain the username and password.

Note
TACACS+ allows an arbitrary conversation between the daemon and the user until the daemon receives enough information to authenticate the user. This action is usually done by prompting for a username and password combination, but may include prompts for other items, such as the user's mother's maiden name.

2. The Cisco Nexus device receives one of the following responses from the TACACS+ daemon:

• ACCEPT—User authentication succeeds and service begins. If the Cisco Nexus device requires user authorization, authorization begins.

• REJECT—User authentication failed. The TACACS+ daemon either denies further access to the user or prompts the user to retry the login sequence.

• ERROR—An error occurred at some time during authentication, either at the daemon or in the network connection between the daemon and the Cisco Nexus device. If the Cisco Nexus device receives an ERROR response, the switch tries to use an alternative method for authenticating the user.

The user also undergoes an additional authorization phase, if authorization has been enabled on the Cisco Nexus device. Users must first successfully complete TACACS+ authentication before proceeding to TACACS+ authorization.

3. If TACACS+ authorization is required, the Cisco Nexus device again contacts the TACACS+ daemon and it returns an ACCEPT or REJECT authorization response. An ACCEPT response contains attributes that are used to direct the EXEC or NETWORK session for that user and determines the services that the user can access.

Services include the following:

◦ Telnet, rlogin, Point-to-Point Protocol (PPP), Serial Line Internet Protocol (SLIP), or EXEC services

◦ Connection parameters, including the host or client IP address (IPv4 or IPv6), access list, and user timeouts


Default TACACS+ Server Encryption Type and Preshared Key

You must configure the TACACS+ preshared key to authenticate the switch to the TACACS+ server. A preshared key is a secret text string shared between the Cisco Nexus device and the TACACS+ server host. The length of the key is restricted to 63 characters and can include any printable ASCII characters (white spaces are not allowed). You can configure a global preshared secret key for all TACACS+ server configurations on the Cisco Nexus device to use.

You can override the global preshared key assignment by using the key option when configuring an individual TACACS+ server.

Command Authorization Support for TACACS+ Servers

By default, command authorization is done against a local database in the Cisco NX-OS software when an authenticated user enters a command at the command-line interface (CLI). You can also verify authorized commands for authenticated users using TACACS+.

TACACS+ Server Monitoring

An unresponsive TACACS+ server can delay the processing of AAA requests. A Cisco Nexus device can periodically monitor a TACACS+ server to check whether it is responding (or alive) to save time in processing AAA requests. The Cisco Nexus device marks unresponsive TACACS+ servers as dead and does not send AAA requests to any dead TACACS+ servers. The Cisco Nexus device periodically monitors dead TACACS+ servers and brings them to the alive state once they are responding. This process verifies that a TACACS+ server is in a working state before real AAA requests are sent to the server. Whenever a TACACS+ server changes to the dead or alive state, a Simple Network Management Protocol (SNMP) trap is generated and the Cisco Nexus device displays an error message that a failure is taking place before it can impact performance.

The following figure shows the different TACACS+ server states:

Figure 3: TACACS+ Server States


Note

The monitoring intervals for alive servers and dead servers are different and can be configured by the user.

The TACACS+ server monitoring is performed by sending a test authentication request to the TACACS+ server.
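The alive/dead server handling described for RADIUS earlier in this guide (periodic monitoring with the test idle timer, the dead-time interval) and for TACACS+ here can be expressed as a small state tracker. This added Python example is not Cisco code; its rules are assumptions modelled on the text: a server is marked dead after one unanswered request when dead-time is non-zero, the dead-time restarts on each failed probe, and a state change returns an event string at the point where the switch would raise its SNMP trap.

```python
"""Simulate the alive/dead server states this guide describes (added example,
not Cisco code). Assumptions: with deadtime > 0 a server is marked dead on the
first unanswered request; dead servers are skipped until the dead-time has
elapsed, then probed with a test request; alive servers are probed after
idle_time minutes without traffic when idle_time > 0; every state change
returns an event string (where the switch would generate the SNMP trap).
"""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class ServerState:
    name: str
    alive: bool = True
    dead_since: Optional[float] = None  # minutes, set when marked dead
    last_request: float = 0.0           # minutes, last request sent to it

class ServerMonitor:
    def __init__(self, servers: List[str], deadtime: int, idle_time: int):
        self.servers = [ServerState(n) for n in servers]  # configured order
        self.deadtime = deadtime    # minutes; 0 = servers are never marked dead
        self.idle_time = idle_time  # minutes; 0 = no periodic monitoring

    def _get(self, name: str) -> ServerState:
        return next(s for s in self.servers if s.name == name)

    def candidates(self) -> List[str]:
        """Servers an AAA request may go to, in configured order.
        With deadtime 0 every server stays eligible even when silent."""
        return [s.name for s in self.servers if s.alive or self.deadtime == 0]

    def record(self, name: str, responded: bool, now: float) -> Optional[str]:
        """Record the outcome of a request or probe at minute `now`; return
        "alive" or "dead" on a state transition, otherwise None."""
        s = self._get(name)
        s.last_request = now
        if responded:
            if s.alive:
                return None
            s.alive, s.dead_since = True, None
            return "alive"
        if self.deadtime == 0:
            return None
        was_alive = s.alive
        s.alive, s.dead_since = False, now  # (re)start the dead-time
        return "dead" if was_alive else None

    def due_probes(self, now: float) -> List[str]:
        """Servers that should receive a test request now: dead servers whose
        dead-time has elapsed and alive servers idle for idle_time minutes."""
        due = []
        for s in self.servers:
            if not s.alive and now - s.dead_since >= self.deadtime:
                due.append(s.name)
            elif s.alive and self.idle_time > 0 and now - s.last_request >= self.idle_time:
                due.append(s.name)
        return due
```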

Prerequisites for TACACS+

TACACS+ has the following prerequisites:

• You must obtain the IPv4 or IPv6 addresses or hostnames for the TACACS+ servers.

• You must obtain the preshared keys from the TACACS+ servers, if any.

• Ensure that the Cisco Nexus device is configured as a TACACS+ client of the AAA servers.

Guidelines and Limitations for TACACS+

TACACS+ has the following configuration guidelines and limitations:

• You can configure a maximum of 64 TACACS+ servers on the Cisco Nexus device.

Default Settings for TACACS+

The following table lists the default settings for TACACS+ parameters.

Table 7: Default TACACS+ Parameters

Parameters | Default
TACACS+ | Disabled
Dead-time interval | 0 minutes
Timeout interval | 5 seconds
Idle timer interval | 0 minutes
Periodic server monitoring username | test
Periodic server monitoring password | test


Configuring TACACS+

TACACS+ Server Configuration Process

This section describes how to configure TACACS+ servers.

Procedure

Step 1

Enable TACACS+.

Step 2

Establish the TACACS+ server connections to the Cisco Nexus device.

Step 3

Configure the preshared secret keys for the TACACS+ servers.

Step 4

If needed, configure TACACS+ server groups with subsets of the TACACS+ servers for AAA authentication methods.

Step 5

If needed, configure any of the following optional parameters:

• Dead-time interval

• Allow TACACS+ server specification at login

• Timeout interval

• TCP port

Step 6

If needed, configure periodic TACACS+ server monitoring.

Enabling TACACS+

By default, the TACACS+ feature is disabled on the Cisco Nexus device. You can enable the TACACS+ feature to access the configuration and verification commands for authentication.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# feature tacacs+
Purpose: Enables TACACS+.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.


Configuring TACACS+ Server Hosts

To access a remote TACACS+ server, you must configure the IPv4 or IPv6 address or the hostname for the TACACS+ server on the Cisco Nexus device. All TACACS+ server hosts are added to the default TACACS+ server group. You can configure up to 64 TACACS+ servers.

If neither a server-specific preshared key nor a global key is configured for a TACACS+ server, a warning message is issued. If a TACACS+ server key is not configured, the global key (if configured) is used for that server.

Before you configure TACACS+ server hosts, you should do the following:

• Enable TACACS+.

• Obtain the IPv4 or IPv6 addresses or the hostnames for the remote TACACS+ servers.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name}
Purpose: Specifies the IPv4 or IPv6 address or hostname for a TACACS+ server.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

You can delete a TACACS+ server host from a server group.

Configuring TACACS+ Global Preshared Keys

You can configure preshared keys at the global level for all servers used by the Cisco Nexus device. A preshared key is a shared secret text string between the Cisco Nexus device and the TACACS+ server hosts.

Before you configure preshared keys, you should do the following:

• Enable TACACS+.

• Obtain the preshared key values for the remote TACACS+ servers.


Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server key [0 | 7] key-value
Purpose: Specifies a preshared key for all TACACS+ servers. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. By default, no preshared key is configured.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.
Note: The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to configure global preshared keys:

switch# configure terminal
switch(config)# tacacs-server key 0 QsEfThUkO
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config

Configuring TACACS+ Server Preshared Keys

You can configure preshared keys for a TACACS+ server. A preshared key is a shared secret text string between the Cisco Nexus device and the TACACS+ server host.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} key [0 | 7] key-value
Purpose: Specifies a preshared key for a specific TACACS+ server. You can specify a clear text (0) or encrypted (7) preshared key. The default format is clear text. The maximum length is 63 characters. This preshared key is used instead of the global preshared key.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Note
The preshared keys are saved in encrypted form in the running configuration. Use the show running-config command to display the encrypted preshared keys.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to configure the TACACS+ preshared keys:

switch# configure terminal
switch(config)# tacacs-server host 10.10.1.1 key 0 PlIjUhYg
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config

Configuring TACACS+ Server Groups

You can specify one or more remote AAA servers to authenticate users using server groups. All members of a group must belong to the TACACS+ protocol. The servers are tried in the same order in which you configure them.

You can configure these server groups at any time but they only take effect when you apply them to an AAA service.

Before You Begin

You must use the feature tacacs+ command to enable TACACS+ before you configure TACACS+.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# aaa group server tacacs+ group-name
Purpose: Creates a TACACS+ server group and enters the TACACS+ server group configuration mode for that group.

Step 3
Command or Action: switch(config-tacacs+)# server {ipv4-address | ipv6-address | host-name}
Purpose: Configures the TACACS+ server as a member of the TACACS+ server group. If the specified TACACS+ server is not found, configure it using the tacacs-server host command and retry this command.

Step 4
Command or Action: switch(config-tacacs+)# deadtime minutes
Purpose: (Optional) Configures the monitoring dead time. The default is 0 minutes. The range is from 0 through 1440.

Note
If the dead-time interval for a TACACS+ server group is greater than zero (0), that value takes precedence over the global dead-time value.

Step 5
Command or Action: switch(config-tacacs+)# source-interface interface
Purpose: (Optional) Assigns a source interface for a specific TACACS+ server group. The supported interface types are management and VLAN.

Note
Use the source-interface command to override the global source interface assigned by the ip tacacs source-interface command.

Step 6
Command or Action: switch(config-tacacs+)# exit
Purpose: Exits configuration mode.

Step 7
Command or Action: switch(config)# show tacacs-server groups
Purpose: (Optional) Displays the TACACS+ server group configuration.

Step 8
Command or Action: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to configure a TACACS+ server group:

switch# configure terminal
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
switch(config-tacacs+)# deadtime 30
switch(config-tacacs+)# exit
switch(config)# show tacacs-server groups
switch(config)# copy running-config startup-config

Configuring the Global Source Interface for TACACS+ Server Groups

You can configure a global source interface for TACACS+ server groups to use when accessing TACACS+ servers. You can also configure a different source interface for a specific TACACS+ server group.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: ip tacacs source-interface interface
Example: switch(config)# ip tacacs source-interface mgmt 0
Purpose: Configures the global source interface for all TACACS+ server groups configured on the device. The source interface can be the management or the VLAN interface.

Step 3
Command or Action: exit
Example: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: show tacacs-server
Example: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration information.

Step 5
Command or Action: copy running-config startup-config
Example: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Specifying a TACACS+ Server at Login

You can configure the switch to allow the user to specify the TACACS+ server to which the authentication request is sent by enabling the directed-request option. By default, a Cisco Nexus device forwards an authentication request based on the default AAA authentication method. If you enable this option, the user can log in as username@hostname, where hostname is the name of a configured RADIUS server.

Note

User specified logins are only supported for Telnet sessions.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server directed-request
Purpose: Allows users to specify a TACACS+ server to send the authentication request when logging in. The default is disabled.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server directed-request
Purpose: (Optional) Displays the TACACS+ directed request configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.


Configuring AAA Authorization on TACACS+ Servers

You can configure the default AAA authorization method for TACACS+ servers.

Before You Begin

Enable TACACS+.

Procedure

Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: aaa authorization ssh-certificate default {group group-list [none] | local | none}
Example: switch(config)# aaa authorization ssh-certificate default group TACACSServer1 TACACSServer2
Purpose: Configures the default AAA authorization method for the TACACS+ servers.

The ssh-certificate keyword configures TACACS+ or local authorization with certificate authentication. The default authorization is local authorization, which is the list of authorized commands for the user's assigned role.

The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers belonging to this group are contacted for AAA authorization. The local method uses the local database for authorization, and the none method specifies that no AAA authorization be used.

Step 3
Command or Action: exit
Example: switch(config)# exit
Purpose: Exits global configuration mode.

Step 4
Command or Action: show aaa authorization [all]
Example: switch# show aaa authorization
Purpose: (Optional) Displays the AAA authorization configuration. The all keyword displays the default values.

Step 5
Command or Action: copy running-config startup-config
Example: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.


Configuring Command Authorization on TACACS+ Servers

You can configure authorization for commands on TACACS+ servers. Command authorization disables user role-based authorization control (RBAC), including the default roles.

Note

By default, context-sensitive help and command tab completion show only the commands that are supported for a user as defined by the assigned roles. When you enable command authorization, the Cisco NX-OS software displays all commands in the context-sensitive help and in tab completion, regardless of the role assigned to the user.

Before You Begin

Enable TACACS+.

Configure TACACS host and server groups before configuring AAA command authorization.

Procedure

Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: aaa authorization {commands | config-commands} default [group group-list [local] | local]
Example: switch(config)# aaa authorization commands default group TacGroup
Purpose: Configures the default authorization method for commands for all roles.

The commands keyword configures authorization sources for all EXEC commands, and the config-commands keyword configures authorization sources for all configuration commands. The default authorization for all commands is local authorization, which is the list of authorized commands for the user's assigned role.

The group-list argument consists of a space-delimited list of TACACS+ server group names. Servers that belong to this group are contacted for command authorization. The local method uses the local role-based database for authorization.

The local method is used only if all the configured server groups fail to respond and you have configured local as the fallback method.

The default method is local.

If you have not configured a fallback method after the TACACS+ server group method, authorization fails if all server groups fail to respond.

Step 3
Command or Action: exit
Example: switch(config)# exit
Purpose: Exits global configuration mode.

Step 4
Command or Action: show aaa authorization [all]
Example: switch(config)# show aaa authorization
Purpose: (Optional) Displays the AAA authorization configuration. The all keyword displays the default values.

Step 5
Command or Action: copy running-config startup-config
Example: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Testing Command Authorization on TACACS+ Servers

You can test the command authorization for a user on the TACACS+ servers.

Note

You must send correct commands for authorization or the results might not be reliable.

Before You Begin

Enable TACACS+.

Ensure that you have configured command authorization for the TACACS+ servers.

Procedure

Step 1
Command or Action: test aaa authorization command-type {commands | config-commands} user username command command-string
Example: switch# test aaa authorization command-type commands user TestUser command reload
Purpose: Tests a user's authorization for a command on the TACACS+ servers.

The commands keyword specifies only EXEC commands and the config-commands keyword specifies only configuration commands.

Note
Put double quotes (") before and after the command-string argument if it contains spaces.


Enabling and Disabling Command Authorization Verification

You can enable and disable command authorization verification on the command-line interface (CLI) for the default user session or for another username.

Note

The commands do not execute when you enable authorization verification.

Procedure

Step 1
Command or Action: terminal verify-only [username username]
Example: switch# terminal verify-only
Purpose: Enables command authorization verification. After you enter this command, the Cisco NX-OS software indicates whether the commands you enter are authorized or not.

Step 2
Command or Action: terminal no verify-only [username username]
Example: switch# terminal no verify-only
Purpose: Disables command authorization verification.

Configuring Privilege Level Support for Authorization on TACACS+ Servers

You can configure privilege level support for authorization on TACACS+ servers.

Unlike Cisco IOS devices, which use privilege levels to determine authorization, Cisco NX-OS devices use role-based access control (RBAC). To enable both types of devices to be administered by the same TACACS+ servers, you can map the privilege levels configured on TACACS+ servers to user roles configured on Cisco NX-OS devices.

When a user authenticates with a TACACS+ server, the privilege level is obtained and used to form a local user role name of the format “priv-n,” where n is the privilege level. The user assumes the permissions of this local role. Sixteen privilege levels, which map directly to corresponding user roles, are available. The following table shows the user role permissions that correspond to each privilege level.

Privilege Level: 15
User Role Permissions: network-admin permissions

Privilege Level: 14
User Role Permissions: vdc-admin permissions

Privilege Level: 13 - 1
User Role Permissions:

• Standalone role permissions, if the feature privilege command is disabled.

• Same permissions as privilege level 0 with cumulative privileges for roles, if the feature privilege command is enabled.

Privilege Level: 0
User Role Permissions: Permission to execute show commands and exec commands (such as ping, trace, and ssh).

Procedure

Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: [no] feature privilege
Example: switch(config)# feature privilege
Purpose: Enables or disables the cumulative privilege of roles. Users can see the enable command only if this feature is enabled. The default is disabled.

Step 3
Command or Action: [no] enable secret [0 | 5] password [priv-lvl priv-lvl | all]
Example: switch(config)# enable secret 5 def456 priv-lvl 15
Purpose: Enables or disables a secret password for a specific privilege level. Users are prompted to enter the correct password upon each privilege level escalation. The default is disabled.

You can enter 0 to specify that the password is in clear text or 5 to specify that the password is in encrypted format. The password argument can be up to 64 alphanumeric characters.

The priv-lvl argument is from 1 to 15.

Note
To enable the secret password, you must have enabled the cumulative privilege of roles by entering the feature privilege command.

Step 4
Command or Action: [no] username username priv-lvl n
Example: switch(config)# username user2 priv-lvl 15
Purpose: Enables or disables a user to use privilege levels for authorization. The default is disabled.

The priv-lvl keyword specifies the privilege level to which the user is assigned. There is no default privilege level.

Privilege levels 0 to 15 (priv-lvl 0 to priv-lvl 15) map to user roles priv-0 to priv-15.

Step 5
Command or Action: show privilege
Example: switch(config)# show privilege
Purpose: (Optional) Displays the username, current privilege level, and status of cumulative privilege support.

Step 6
Command or Action: copy running-config startup-config
Example: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Step 7
Command or Action: exit
Example: switch(config)# exit
Purpose: Exits global configuration mode.

Step 8
Command or Action: enable level
Example: switch# enable 15
Purpose: Enables a user to move to a higher privilege level. This command prompts for the secret password. The level argument specifies the privilege level to which the user is granted access. The only available level is 15.

Permitting or Denying Commands for Users of Privilege Roles

As a network administrator, you can modify the privilege roles to permit users to execute specific commands or to prevent users from running those commands.

You must follow these guidelines when changing the rules of privilege roles:

• You cannot modify the priv-14 and priv-15 roles.

• You can add deny rules only to the priv-0 role.

• These commands are always permitted for the priv-0 role: configure, copy, dir, enable, ping, show, ssh, telnet, terminal, traceroute, end, and exit.

Procedure

Step 1
Command or Action: configure terminal
Example: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: [no] role name priv-n
Example: switch(config)# role name priv-5
Purpose: Enables or disables a privilege role and enters role configuration mode. The n argument specifies the privilege level and is a number between 0 and 13.

Step 3
Command or Action: rule number {deny | permit} command command-string
Example: switch(config-role)# rule 2 permit command pwd
Purpose: Configures a command rule for users of privilege roles.

These rules permit or deny users to execute specific commands. You can configure up to 256 rules for each role. The rule number determines the order in which the rules are applied. Rules are applied in descending order. For example, if a role has three rules, rule 3 is applied before rule 2, which is applied before rule 1.

The command-string argument can contain spaces.

Note
Repeat this command for each rule, up to 256 rules.

Step 4
Command or Action: exit
Example: switch(config-role)# exit
Purpose: Exits role configuration mode.

Step 5
Command or Action: copy running-config startup-config
Example: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
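The rule-ordering and role-modification guidelines above are easy to get wrong when a role has many rules, so the following added example (written for this edit, not Cisco code and not NX-OS behaviour beyond what the guide states) models them: rules are evaluated in descending rule number and the first match decides, priv-14 and priv-15 cannot be modified, deny rules can be added only to priv-0, at most 256 rules per role, and the commands the guide lists as always permitted for priv-0 stay permitted. Two details are assumptions of the example rather than statements of the guide: a rule matches when its command string is a whole-word prefix of the command being checked, and a command that matches no rule is treated as not permitted. The role and rule values are constructed.

```python
"""Evaluate priv-n role command rules in the order the guide describes."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_RULES = 256
# Commands the guide lists as always permitted for the priv-0 role.
ALWAYS_PERMITTED_PRIV0 = frozenset({
    "configure", "copy", "dir", "enable", "ping", "show",
    "ssh", "telnet", "terminal", "traceroute", "end", "exit",
})


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "permit" or "deny"
    command: str     # command-string; may contain spaces


def rule_error(level: int, action: str, existing_rules: int) -> Optional[str]:
    """Return why a rule cannot be added to priv-<level>, or None if it can."""
    if level in (14, 15):
        return f"priv-{level} cannot be modified"
    if action not in ("permit", "deny"):
        return "action must be permit or deny"
    if action == "deny" and level != 0:
        return "deny rules can be added only to the priv-0 role"
    if existing_rules >= MAX_RULES:
        return f"priv-{level} already has {MAX_RULES} rules"
    return None


class PrivRole:
    """One priv-n role (n from 0 to 15) and its command rules."""

    def __init__(self, level: int) -> None:
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be between 0 and 15")
        self.level = level
        self.name = f"priv-{level}"
        self.rules: Dict[int, Rule] = {}

    def add_rule(self, number: int, action: str, command: str) -> None:
        # Re-entering an existing rule number replaces that rule, so it does
        # not count against the 256-rule limit.
        count = len(self.rules) - (1 if number in self.rules else 0)
        err = rule_error(self.level, action, count)
        if err:
            raise ValueError(err)
        self.rules[number] = Rule(number, action, command)

    def is_permitted(self, command: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for one command line."""
        words = command.split()
        if self.level == 0 and words and words[0] in ALWAYS_PERMITTED_PRIV0:
            return True, "always permitted for priv-0"
        for number in sorted(self.rules, reverse=True):   # descending order
            rule = self.rules[number]
            pattern = rule.command.split()
            if words[:len(pattern)] == pattern:              # assumed: prefix match
                return rule.action == "permit", f"rule {number} ({rule.action})"
        return False, "no matching rule"                     # assumed: default deny


def demo() -> Dict[str, bool]:
    """Replay the guide's example (rule 2 permit command pwd on priv-5) plus a
    constructed priv-0 case where a higher-numbered deny shadows a lower permit."""
    priv5 = PrivRole(5)
    priv5.add_rule(1, "permit", "show")
    priv5.add_rule(2, "permit", "pwd")
    priv0 = PrivRole(0)
    priv0.add_rule(1, "permit", "debug")
    priv0.add_rule(2, "deny", "debug ip")
    return {
        "priv5 pwd": priv5.is_permitted("pwd")[0],
        "priv5 reload": priv5.is_permitted("reload")[0],
        "priv0 debug aaa": priv0.is_permitted("debug aaa")[0],
        "priv0 debug ip packet": priv0.is_permitted("debug ip packet")[0],
        "priv0 show run": priv0.is_permitted("show running-config")[0],
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'permit' if allowed else 'deny'}")
```

The priv-0 case shows why rule numbering matters: rule 2 (deny "debug ip") is consulted before rule 1 (permit "debug"), so "debug ip packet" is denied while "debug aaa" falls through to the permit. Renumbering the two rules the other way round would silently re-permit everything under "debug".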

Configuring the Global TACACS+ Timeout Interval

You can set a global timeout interval that the Cisco Nexus device waits for responses from all TACACS+ servers before declaring a timeout failure.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server timeout seconds
Purpose: Specifies the timeout interval for TACACS+ servers. The default timeout interval is 5 seconds and the range is from 1 to 60 seconds.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring the Timeout Interval for a Server

You can set a timeout interval that the Cisco Nexus device waits for responses from a specific TACACS+ server before declaring a timeout failure.


Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} timeout seconds
Purpose: Specifies the timeout interval for a specific server. The default is the global value.

Note
The timeout interval value specified for a TACACS+ server overrides the global timeout interval value specified for all TACACS+ servers.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring TCP Ports

You can configure another TCP port for the TACACS+ servers if there are conflicts with another application.

By default, the Cisco Nexus device uses port 49 for all TACACS+ requests.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} port tcp-port
Purpose: Specifies the TCP port to use for TACACS+ messages. The default TCP port is 49. The range is from 1 to 65535.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to configure TCP ports:

switch# configure terminal
switch(config)# tacacs-server host 10.10.1.1 port 2
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config
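The preshared-key, timeout, and TCP port procedures above each state the same precedence rule: a value set on a tacacs-server host line is used instead of the global value (global key, global timeout of 5 seconds by default, default port 49). The following added example (written for this edit; not Cisco code and not an NX-OS API) parses a constructed running-config fragment in the tacacs-server syntax shown in those procedures, resolves the effective parameters for each server, and reports the condition the section opening warns about: a server with neither its own key nor a global key. The config text, addresses, and audit() function are assumptions made for the example; the key strings are the placeholder values from the guide's own examples.

```python
"""Resolve effective key, timeout, and port per TACACS+ server from config text."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_TCP_PORT = 49        # guide: port 49 is used for all TACACS+ requests by default
DEFAULT_TIMEOUT_SEC = 5      # guide: default global timeout interval is 5 seconds
MAX_KEY_LEN = 63             # guide: maximum preshared key length

# Constructed running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server key 7 "ToIkLhPpG"
tacacs-server timeout 10
tacacs-server host 10.10.1.1 key 7 "ShMoMhTl"
tacacs-server host 10.10.1.1 port 4949
tacacs-server host 10.10.2.2 timeout 3
tacacs-server host 10.10.3.3
"""


@dataclass
class ServerConfig:
    address: str
    key: Optional[str] = None
    timeout: Optional[int] = None
    port: Optional[int] = None


@dataclass
class TacacsConfig:
    enabled: bool = False
    global_key: Optional[str] = None
    global_timeout: Optional[int] = None
    servers: Dict[str, ServerConfig] = field(default_factory=dict)


@dataclass
class Effective:
    address: str
    key: Optional[str]
    key_source: str     # "server", "global", or "none"
    timeout: int
    port: int


def parse_tacacs_config(text: str) -> TacacsConfig:
    """Parse the subset of tacacs-server commands used in the procedures."""
    cfg = TacacsConfig()
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 2 or tokens[0] not in ("feature", "tacacs-server"):
            continue
        if tokens[0] == "feature":
            if tokens[1] == "tacacs+":
                cfg.enabled = True
            continue
        if tokens[1] == "key":                           # tacacs-server key [0 | 7] key-value
            cfg.global_key = tokens[-1].strip('"')
        elif tokens[1] == "timeout" and len(tokens) > 2:  # tacacs-server timeout seconds
            cfg.global_timeout = int(tokens[2])
        elif tokens[1] == "host" and len(tokens) > 2:     # tacacs-server host addr [option ...]
            srv = cfg.servers.setdefault(tokens[2], ServerConfig(tokens[2]))
            opts = tokens[3:]
            if opts and opts[0] == "key":
                srv.key = opts[-1].strip('"')
            elif opts and opts[0] == "timeout":
                srv.timeout = int(opts[1])
            elif opts and opts[0] == "port":
                srv.port = int(opts[1])
    return cfg


def effective(cfg: TacacsConfig, address: str) -> Effective:
    """Apply the per-server-overrides-global precedence for one server."""
    srv = cfg.servers[address]
    if srv.key is not None:
        key, source = srv.key, "server"
    elif cfg.global_key is not None:
        key, source = cfg.global_key, "global"
    else:
        key, source = None, "none"
    if srv.timeout is not None:
        timeout = srv.timeout
    elif cfg.global_timeout is not None:
        timeout = cfg.global_timeout
    else:
        timeout = DEFAULT_TIMEOUT_SEC
    port = srv.port if srv.port is not None else DEFAULT_TCP_PORT
    return Effective(address, key, source, timeout, port)


def audit(cfg: TacacsConfig) -> List[str]:
    """Findings a reviewer of this configuration would want to see (assumed checks)."""
    findings = []
    if not cfg.enabled:
        findings.append("feature tacacs+ is not enabled; enable it before configuring servers")
    for address in cfg.servers:
        eff = effective(cfg, address)
        if eff.key is None:
            findings.append(f"{address}: no per-server key and no global key configured")
        elif len(eff.key) > MAX_KEY_LEN:
            findings.append(f"{address}: key longer than {MAX_KEY_LEN} characters")
        if not 1 <= eff.timeout <= 60:
            findings.append(f"{address}: timeout {eff.timeout} outside 1-60 seconds")
        if not 1 <= eff.port <= 65535:
            findings.append(f"{address}: port {eff.port} outside 1-65535")
    return findings


if __name__ == "__main__":
    parsed = parse_tacacs_config(SAMPLE_CONFIG)
    for addr in parsed.servers:
        print(effective(parsed, addr))
    print(audit(parsed) or "no findings")
```

Running it against SAMPLE_CONFIG shows 10.10.1.1 using its own key with the global 10-second timeout and port 4949, 10.10.2.2 using the global key with its own 3-second timeout on port 49, and 10.10.3.3 inheriting everything. The same audit run over a fragment with no key lines reproduces the missing-key condition the section opening warns about.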

Configuring Periodic TACACS+ Server Monitoring

You can configure parameters to monitor the availability of TACACS+ servers. These parameters include the username and password to use for the server and an idle timer. You can configure this option to test servers periodically, or you can run a one-time only test.

Note

To protect network security, we recommend that you use a username that is not the same as an existing username in the TACACS+ database.

The test idle timer specifies the interval in which a TACACS+ server receives no requests before the Cisco Nexus device sends out a test packet.

Note

The default idle timer value is 0 minutes. When the idle time interval is 0 minutes, periodic TACACS+ server monitoring is not performed.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server host {ipv4-address | ipv6-address | host-name} test {idle-time minutes | password password [idle-time minutes] | username name [password password [idle-time minutes]]}
Purpose: Specifies parameters for server monitoring. The default username is test and the default password is test. The default value for the idle timer is 0 minutes and the valid range is from 0 to 1440 minutes.

Note
For periodic TACACS+ server monitoring, the idle timer value must be greater than 0.

Step 3
Command or Action: switch(config)# tacacs-server dead-time minutes
Purpose: Specifies the number of minutes before the Cisco Nexus device checks a TACACS+ server that was previously unresponsive. The default value is 0 minutes and the valid range is 0 to 1440 minutes.

Step 4
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 5
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.


The following example shows how to configure periodic TACACS+ server monitoring:

switch# configure terminal
switch(config)# tacacs-server host 10.10.1.1 test username user1 password Ur2Gd2BH idle-time 3
switch(config)# tacacs-server dead-time 5
switch(config)# exit
switch# show tacacs-server
switch# copy running-config startup-config

Configuring the Dead-Time Interval

You can configure the dead-time interval for all TACACS+ servers. The dead-time interval specifies the time that the Cisco Nexus device waits, after declaring a TACACS+ server is dead, before sending out a test packet to determine if the server is now alive.

Note

When the dead-time interval is 0 minutes, TACACS+ servers are not marked as dead even if they are not responding. You can configure the dead-time interval per group.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# tacacs-server deadtime minutes
Purpose: Configures the global dead-time interval. The default value is 0 minutes. The range is from 1 to 1440 minutes.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# show tacacs-server
Purpose: (Optional) Displays the TACACS+ server configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
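The server-group, periodic-monitoring, and dead-time sections together describe one availability mechanism: servers in a group are tried in configured order; with a dead-time of 0 a non-responding server is never marked dead, so every request still waits out its timeout; with a dead-time greater than 0 a failed server is skipped until the dead-time elapses and a test packet is then sent; a group dead-time greater than 0 takes precedence over the global dead-time; and an idle-time of 0 disables periodic test packets. The following added example (written for this edit; not Cisco code and not a description of NX-OS internals beyond those statements) simulates that behaviour with a minute-based clock. The "down" set that decides which constructed addresses fail to answer, the clock, and the log format are assumptions of the example.

```python
"""Simulate TACACS+ server selection with dead-time and periodic monitoring."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Server:
    address: str
    timeout_sec: int = 5                 # per-server or global timeout
    test_idle_minutes: int = 0           # 'test ... idle-time'; 0 = no periodic test
    dead_until: Optional[float] = None   # clock (minutes) at which the server is re-tested
    last_request: float = 0.0            # clock of the last request sent to it


@dataclass
class ServerGroup:
    name: str
    servers: List[Server]                # tried in the order configured
    deadtime_minutes: int = 0            # group 'deadtime'; 0 = use the global value


class TacacsSimulator:
    def __init__(self, global_deadtime: int = 0) -> None:
        self.global_deadtime = global_deadtime
        self.clock = 0.0                 # minutes
        self.down: Set[str] = set()      # constructed: addresses that never answer
        self.log: List[str] = []

    def advance(self, minutes: float) -> None:
        self.clock += minutes

    def effective_deadtime(self, group: ServerGroup) -> int:
        # A group dead-time greater than 0 takes precedence over the global value.
        return group.deadtime_minutes if group.deadtime_minutes > 0 else self.global_deadtime

    def is_dead(self, srv: Server) -> bool:
        return srv.dead_until is not None and self.clock < srv.dead_until

    def _send(self, srv: Server, what: str, deadtime: int) -> bool:
        srv.last_request = self.clock
        if srv.address in self.down:
            self.log.append(f"{self.clock:g}m {srv.address}: {what} timed out after {srv.timeout_sec}s")
            if deadtime > 0:             # dead-time 0: the server is never marked dead
                srv.dead_until = self.clock + deadtime
            return False
        srv.dead_until = None            # an answer clears any dead marking
        self.log.append(f"{self.clock:g}m {srv.address}: {what} answered")
        return True

    def authenticate(self, group: ServerGroup) -> Optional[str]:
        """Try the group's servers in configured order; return the one that answered."""
        dt = self.effective_deadtime(group)
        for srv in group.servers:
            if self.is_dead(srv):
                self.log.append(f"{self.clock:g}m {srv.address}: skipped, marked dead until {srv.dead_until:g}m")
                continue
            if self._send(srv, "auth request", dt):
                return srv.address
        return None                      # every server timed out or was dead

    def monitor(self, group: ServerGroup) -> List[str]:
        """Send the test packets that are due now; return the addresses probed."""
        dt = self.effective_deadtime(group)
        probed = []
        for srv in group.servers:
            deadtime_expired = srv.dead_until is not None and self.clock >= srv.dead_until
            idle_due = (srv.test_idle_minutes > 0 and not self.is_dead(srv)
                        and self.clock - srv.last_request >= srv.test_idle_minutes)
            if deadtime_expired or idle_due:
                probed.append(srv.address)
                self._send(srv, "test packet", dt)
        return probed


if __name__ == "__main__":
    sim = TacacsSimulator(global_deadtime=5)
    grp = ServerGroup("TacServer", [Server("10.10.1.1"), Server("10.10.2.2")], deadtime_minutes=30)
    sim.down.add("10.10.1.1")            # constructed outage of the first server
    sim.authenticate(grp)
    sim.advance(10)
    sim.authenticate(grp)                # 10.10.1.1 is skipped, not re-tried
    sim.advance(20)
    sim.monitor(grp)                     # dead-time elapsed: test packet goes out
    print("\n".join(sim.log))
```

The first scenario in the test (dead-time 0) shows the operational cost of the default: the unreachable server is re-tried on every request and each login waits out its timeout before the next server is tried. The second scenario shows the group value of 30 minutes winning over the global 5 minutes, and the third shows that an idle-time of 0 produces no test packets at all.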

Manually Monitoring TACACS+ Servers or Groups

Procedure

Step 1
Command or Action: switch# test aaa server tacacs+ {ipv4-address | ipv6-address | host-name} [vrf vrf-name] username password
Purpose: Sends a test message to a TACACS+ server to confirm availability.

Step 2
Command or Action: switch# test aaa group group-name username password
Purpose: Sends a test message to a TACACS+ server group to confirm availability.

The following example shows how to manually issue a test message:

switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH
switch# test aaa group TacGroup user2 As3He3CI

Disabling TACACS+

You can disable TACACS+.

Caution

When you disable TACACS+, all related configurations are automatically discarded.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# no feature tacacs+
Purpose: Disables TACACS+.

Step 3
Command or Action: switch(config)# exit
Purpose: Exits configuration mode.

Step 4
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Displaying TACACS+ Statistics

To display the statistics that the switch maintains for TACACS+ activity, perform this task:

Procedure

Step 1
Command or Action: switch# show tacacs-server statistics {hostname | ipv4-address | ipv6-address}
Purpose: Displays the TACACS+ statistics.

For detailed information about the fields in the output from this command, see the Command Reference for your Nexus switch.


Verifying the TACACS+ Configuration

To display TACACS+ information, perform one of the following tasks:

Command: show tacacs+ {status | pending | pending-diff}
Purpose: Displays the TACACS+ Cisco Fabric Services distribution status and other details.

Command: show running-config tacacs [all]
Purpose: Displays the TACACS+ configuration in the running configuration.

Command: show startup-config tacacs
Purpose: Displays the TACACS+ configuration in the startup configuration.

Command: show tacacs-server [host-name | ipv4-address | ipv6-address] [directed-request | groups | sorted | statistics]
Purpose: Displays all configured TACACS+ server parameters.

Configuration Examples for TACACS+

This example shows how to configure TACACS+:

switch# configure terminal
switch(config)# feature tacacs+
switch(config)# tacacs-server key 7 "ToIkLhPpG"
switch(config)# tacacs-server host 10.10.2.2 key 7 "ShMoMhTl"
switch(config)# aaa group server tacacs+ TacServer
switch(config-tacacs+)# server 10.10.2.2
switch(config-tacacs+)# use-vrf management

This example shows how to enable TACACS+, configure the TACACS+ server preshared key, and specify the remote AAA servers that authenticate users for server group TacServer1:

switch# configure terminal
switch(config)# feature tacacs+
switch(config)# tacacs-server key 7 "ikvhw10"
switch(config)# tacacs-server host 1.1.1.1
switch(config)# tacacs-server host 1.1.1.2
switch(config)# aaa group server tacacs+ TacServer1
switch(config-tacacs+)# server 1.1.1.1
switch(config-tacacs+)# server 1.1.1.2


CHAPTER 6

Configuring SSH and Telnet

This chapter contains the following sections:

Information About SSH and Telnet, page 75

Guidelines and Limitations for SSH, page 76

Default Settings for SSH, page 76

Configuring SSH, page 77

Configuration Examples for SSH, page 82

Configuring Telnet, page 83

Verifying the SSH and Telnet Configuration, page 84

Information About SSH and Telnet

SSH Server

The Secure Shell Protocol (SSH) server feature enables an SSH client to make a secure, encrypted connection to a Cisco Nexus device. SSH uses strong encryption for authentication. The SSH server in the Cisco Nexus device interoperates with publicly and commercially available SSH clients.

The user authentication mechanisms supported for SSH are RADIUS, TACACS+, and the use of locally stored user names and passwords.

SSH Client

The SSH client feature is an application running over the SSH protocol to provide device authentication and encryption. The SSH client enables a switch to make a secure, encrypted connection to another Cisco Nexus device or to any other device running an SSH server. This connection provides an outbound connection that is encrypted. With authentication and encryption, the SSH client allows for a secure communication over an insecure network.

The SSH client in the Cisco Nexus device works with publicly and commercially available SSH servers.


SSH Server Keys

SSH requires server keys for secure communications to the Cisco Nexus device. You can use SSH keys for the following SSH options:

• SSH version 2 using Rivest, Shamir, and Adleman (RSA) public-key cryptography

• SSH version 2 using the Digital Signature Algorithm (DSA)

Be sure to have an SSH server key-pair with the appropriate version before enabling the SSH service. You can generate the SSH server key-pair according to the SSH client version used. The SSH service accepts the following types of key-pairs for use by SSH version 2:

• The dsa option generates the DSA key-pair for the SSH version 2 protocol.

• The rsa option generates the RSA key-pair for the SSH version 2 protocol.

By default, the Cisco Nexus device generates an RSA key using 1024 bits.

SSH supports the following public key formats:

• OpenSSH

• IETF Secure Shell (SECSH)

Caution

If you delete all of the SSH keys, you cannot start the SSH services.

Telnet Server

The Telnet protocol enables TCP/IP connections to a host. Telnet allows a user at one site to establish a TCP connection to a login server at another site, and then passes the keystrokes from one system to the other. Telnet can accept either an IP address or a domain name as the remote system address.

The Telnet server is enabled by default on the Cisco Nexus device.

Guidelines and Limitations for SSH

SSH has the following configuration guidelines and limitations:

• The Cisco Nexus device supports only SSH version 2 (SSHv2).

Default Settings for SSH

The following table lists the default settings for SSH parameters.


Table 8: Default SSH Parameters

Parameters                     Default
SSH server                     Enabled
SSH server key                 RSA key generated with 1024 bits
RSA key bits for generation    1024
Telnet server                  Enabled

Configuring SSH

Generating SSH Server Keys

You can generate an SSH server key based on your security requirements. The default SSH server key is an RSA key that is generated using 1024 bits.

Procedure

Step 1  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: switch(config)# ssh key {dsa [force] | rsa [bits [force]]}
        Purpose: Generates the SSH server key. The bits argument is the number of bits used to generate the key. The range is from 768 to 2048 and the default value is 1024. Use the force keyword to replace an existing key.

Step 3  Command: switch(config)# exit
        Purpose: Exits global configuration mode.

Step 4  Command: switch# show ssh key
        Purpose: (Optional) Displays the SSH server keys.

Step 5  Command: switch# copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to generate an SSH server key:

switch# configure terminal
switch(config)# ssh key rsa 2048
switch(config)# exit
switch# show ssh key
switch# copy running-config startup-config


Specifying the SSH Public Keys for User Accounts

You can configure an SSH public key to log in using an SSH client without being prompted for a password.

You can specify the SSH public key in one of three different formats:

• Open SSH format

• IETF SECSH format

• Public Key Certificate in PEM format

Specifying the SSH Public Keys in Open SSH Format

You can specify the SSH public keys in SSH format for user accounts.

Procedure

Step 1  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: switch(config)# username username sshkey ssh-key
        Purpose: Configures the SSH public key in SSH format.

Step 3  Command: switch(config)# exit
        Purpose: Exits global configuration mode.

Step 4  Command: switch# show user-account
        Purpose: (Optional) Displays the user account configuration.

Step 5  Command: switch# copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to specify an SSH public key in open SSH format:

switch# configure terminal
switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz
CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z
XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config

Note

The username command in the example above is a single line that has been broken for legibility.

Specifying the SSH Public Keys in IETF SECSH Format

You can specify the SSH public keys in IETF SECSH format for user accounts.


Procedure

Step 1  Command: switch# copy server-file bootflash:filename
        Purpose: Downloads the file that contains the SSH key in IETF SECSH format from a server. The server can be FTP, SCP, SFTP, or TFTP.

Step 2  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 3  Command: switch(config)# username username sshkey file filename
        Purpose: Configures the SSH public key in IETF SECSH format from the downloaded file.

Step 4  Command: switch(config)# exit
        Purpose: Exits global configuration mode.

Step 5  Command: switch# show user-account
        Purpose: (Optional) Displays the user account configuration.

Step 6  Command: switch# copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to specify the SSH public key in the IETF SECSH format:

switch# copy tftp://10.10.1.1/secsh_file.pub bootflash:secsh_file.pub
switch# configure terminal
switch(config)# username User1 sshkey file bootflash:secsh_file.pub
switch(config)# exit
switch# show user-account
switch# copy running-config startup-config
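As an added example (not code from this guide or from NX-OS), the following Python script handles the two key formats accepted by the Open SSH and IETF SECSH procedures above. It parses a one-line OpenSSH public key, checks that the type prefix matches the encoded blob, reports the RSA modulus size and both fingerprint styles (the colon-separated MD5 form is the style printed by show ssh key in this chapter's configuration example), and converts between the one-line OpenSSH form and the RFC 4716 SECSH form. The sample key is constructed inside the script from an arbitrary modulus and is not a real key pair; the 2048-bit minimum is this example's own policy assumption, not a switch setting, and is there because the switch's default of 1024 bits falls below it.

```python
import base64
import hashlib
import struct

MINIMUM_RSA_BITS = 2048  # example policy, not an NX-OS setting: flag keys smaller than this


def _mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian, minimal length, leading 0x00 when the top bit is set."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return _string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def parse_blob(blob: bytes) -> list:
    """Split a public key blob into its length-prefixed fields."""
    fields, off = [], 0
    while off < len(blob):
        (ln,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + ln > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[off:off + ln])
        off += ln
    return fields


def inspect_openssh_line(line: str) -> dict:
    """Parse a one-line OpenSSH public key ("ssh-rsa AAAA... comment") and summarise it."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    fields = parse_blob(blob)
    if fields[0] != keytype.encode():
        raise ValueError("key type prefix does not match the encoded blob")
    # For RSA the size is the modulus length; other key types measure size differently.
    bits = int.from_bytes(fields[2], "big").bit_length() if keytype == "ssh-rsa" else None
    md5 = hashlib.md5(blob).hexdigest()
    sha256 = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "type": keytype,
        "bits": bits,
        "md5_fingerprint": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256_fingerprint": "SHA256:" + sha256,
        "comment": parts[2] if len(parts) > 2 else "",
    }


def key_meets_minimum(info: dict, minimum_bits: int = MINIMUM_RSA_BITS) -> bool:
    """Policy check before pasting a key into 'username ... sshkey': RSA size at or above the minimum."""
    return info["type"] == "ssh-rsa" and info["bits"] is not None and info["bits"] >= minimum_bits


def openssh_to_secsh(line: str) -> str:
    """Convert the one-line OpenSSH form to IETF SECSH / RFC 4716 (base64 wrapped at 70 columns)."""
    parts = line.split(None, 2)
    b64, comment = parts[1], (parts[2] if len(parts) > 2 else "")
    out = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        out.append(f'Comment: "{comment}"')
    out += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    out.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(out) + "\n"


def secsh_to_openssh(text: str) -> str:
    """Convert RFC 4716 back to one line; the key type is read from the blob, not from the headers."""
    b64_lines, comment = [], ""
    for raw in text.splitlines():
        ln = raw.strip()
        if not ln or ln.startswith("----"):
            continue
        if ":" in ln:  # header line; base64 text never contains ':'
            tag, _, value = ln.partition(":")
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
            continue
        b64_lines.append(ln)
    b64 = "".join(b64_lines)
    keytype = parse_blob(base64.b64decode(b64, validate=True))[0].decode()
    return " ".join(x for x in (keytype, b64, comment) if x)


# Constructed sample: e = 65537 and an arbitrary odd 1024-bit modulus. This is NOT a real
# key pair and must never be installed anywhere; it only exercises the functions above.
SAMPLE_N = (1 << 1023) | 0x10001
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(rsa_public_blob(65537, SAMPLE_N)).decode() + " User1@example"

if __name__ == "__main__":
    info = inspect_openssh_line(SAMPLE_LINE)
    print(info, "meets minimum:", key_meets_minimum(info))
    print(openssh_to_secsh(SAMPLE_LINE))
```

Running the script prints the parsed summary of the constructed key (1024-bit ssh-rsa, so the policy check reports False) followed by the same key in SECSH form, which is the layout the file copied to bootflash: in the IETF SECSH procedure is expected to have.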

Specifying the SSH Public Keys in PEM-Formatted Public Key Certificate Form

You can specify the SSH public keys in PEM-formatted Public Key Certificate form for user accounts.

Procedure

Step 1  Command: switch# copy server-file bootflash:filename
        Purpose: Downloads the file that contains the SSH key in PEM-formatted Public Key Certificate form from a server. The server can be FTP, SCP, SFTP, or TFTP.

Step 2  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 3  Command: switch# show user-account
        Purpose: (Optional) Displays the user account configuration.

Step 4  Command: switch# copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.


The following example shows how to specify the SSH public keys in PEM-formatted public key certificate form:

switch# copy tftp://10.10.1.1/cert.pem bootflash:cert.pem
switch# configure terminal
switch# show user-account
switch# copy running-config startup-config

Starting SSH Sessions to Remote Devices

You can start SSH sessions to connect to remote devices from your Cisco Nexus device.

Procedure

Step 1  Command: switch# ssh {hostname | username@hostname} [vrf vrf-name]
        Purpose: Creates an SSH session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a hostname.

Clearing SSH Hosts

When you download a file from a server using SCP or SFTP, you establish a trusted SSH relationship with that server.

Procedure

Step 1  Command: switch# clear ssh hosts
        Purpose: Clears the SSH host sessions.

Disabling the SSH Server

By default, the SSH server is enabled on the Cisco Nexus device.

Procedure

Step 1  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: switch(config)# [no] feature ssh
        Purpose: Enables/disables the SSH server. The default is enabled.

Step 3  Command: switch(config)# exit
        Purpose: Exits global configuration mode.

Step 4  Command: switch# show ssh server
        Purpose: (Optional) Displays the SSH server configuration.

Step 5  Command: switch# copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.

Deleting SSH Server Keys

You can delete SSH server keys after you disable the SSH server.

Note

To reenable SSH, you must first generate an SSH server key.

Procedure

Step 1  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: switch(config)# no feature ssh
        Purpose: Disables the SSH server.

Step 3  Command: switch(config)# no ssh key [dsa | rsa]
        Purpose: Deletes the SSH server key. The default is to delete all the SSH keys.

Step 4  Command: switch(config)# exit
        Purpose: Exits global configuration mode.

Step 5  Command: switch# show ssh key
        Purpose: (Optional) Displays the SSH server keys.

Step 6  Command: switch# copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.

Clearing SSH Sessions

You can clear SSH sessions from the Cisco Nexus device.


Procedure

Step 1  Command: switch# show users
        Purpose: Displays user session information.

Step 2  Command: switch# clear line vty-line
        Purpose: Clears a user SSH session.

Configuration Examples for SSH

The following example shows how to configure SSH:

Procedure

Step 1  Generate an SSH server key.

switch(config)# ssh key rsa
generating rsa key(1024 bits).....
.
generated rsa key

Step 2  Enable the SSH server.

switch# configure terminal
switch(config)# feature ssh

Note

This step should not be required because the SSH server is enabled by default.

Step 3  Display the SSH server key.

switch(config)# show ssh key
rsa Keys generated:Fri May 8 22:09:47 2009 ssh-rsa
AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYzCfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZ/ cTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4ZXIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5/
Ninn0Mc= bitcount:1024 fingerprint:
4b:4d:f6:b9:42:e9:d9:71:3c:bd:09:94:4a:93:ac:ca
************************************** could not retrieve dsa key information
**************************************

Step 4  Specify the SSH public key in Open SSH format.

switch(config)# username User1 sshkey ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAri3mQy4W1AV9Y2t2hrEWgbUEYz
CfTPO5B8LRkedn56BEy2N9ZcdpqE6aqJLZwfZcTFEzaAAZp9AS86dgBAjsKGs7UxnhGySr8ZELv+DQBsDQH6rZt0KR+2Da8hJD4Z
XIeccWk0gS1DQUNZ300xstQsYZUtqnx1bvm5Ninn0McNinn0Mc=

Step 5  Save the configuration.

switch(config)# copy running-config startup-config

Configuring Telnet

Enabling the Telnet Server

By default, the Telnet server is enabled. You can disable the Telnet server on your Cisco Nexus device.

Procedure

Step 1  Command: switch# configure terminal
        Purpose: Enters global configuration mode.

Step 2  Command: switch(config)# [no] feature telnet
        Purpose: Enables/disables the Telnet server. The default is enabled.

Reenabling the Telnet Server

If the Telnet server on your Cisco Nexus device has been disabled, you can reenable it.

Procedure

Step 1  Command: switch(config)# [no] feature telnet
        Purpose: Reenables the Telnet server.

Starting Telnet Sessions to Remote Devices

Before you start a Telnet session to connect to remote devices, you should do the following:

• Obtain the hostname for the remote device and, if needed, obtain the username on the remote device.

• Enable the Telnet server on the Cisco Nexus device.

• Enable the Telnet server on the remote device.

Procedure

Step 1  Command: switch# telnet hostname
        Purpose: Creates a Telnet session to a remote device. The hostname argument can be an IPv4 address, an IPv6 address, or a device name.

The following example shows how to start a Telnet session to connect to a remote device:

switch# telnet 10.10.1.1
Trying 10.10.1.1...
Connected to 10.10.1.1.
Escape character is '^]'.
switch login:

Clearing Telnet Sessions

You can clear Telnet sessions from the Cisco Nexus device.

Procedure

Step 1  Command: switch# show users
        Purpose: Displays user session information.

Step 2  Command: switch# clear line vty-line
        Purpose: Clears a user Telnet session.

Verifying the SSH and Telnet Configuration

To display SSH and Telnet information, perform one of the following tasks:

Command                                Purpose
show ssh key [dsa | rsa]               Displays SSH server key-pair information.
show running-config security [all]     Displays the SSH and user account configuration in the running configuration. The all keyword displays the default values for the SSH and user accounts.
show ssh server                        Displays the SSH server configuration.
show user-account                      Displays user account information.


CHAPTER 7

Configuring 802.1X

This chapter contains the following sections:

Information About 802.1X, page 87

Licensing Requirements for 802.1X, page 95

Prerequisites for 802.1X, page 95

802.1X Guidelines and Limitations, page 95

Default Settings for 802.1X, page 96

Configuring 802.1X, page 97

Verifying the 802.1X Configuration, page 116

Monitoring 802.1X, page 117

Configuration Example for 802.1X, page 117

Additional References for 802.1X, page 118

Feature History for 802.1X, page 119

Information About 802.1X

802.1X defines a client-server-based access control and authentication protocol that restricts unauthorized clients from connecting to a LAN through publicly accessible ports. The authentication server authenticates each client connected to a Cisco NX-OS device port.

Until the client is authenticated, 802.1X access control allows only Extensible Authentication Protocol over LAN (EAPOL) traffic through the port to which the client is connected. After authentication is successful, normal traffic can pass through the port.

Device Roles

With 802.1X port-based authentication, the devices in the network have specific roles.


This figure shows the device roles in 802.1X.

Figure 4: 802.1X Device Roles

The specific roles are as follows:

Supplicant

The client device that requests access to the LAN and Cisco NX-OS device services and responds to requests from the Cisco NX-OS device. The workstation must be running 802.1X-compliant client software such as that offered in the Microsoft Windows XP operating system.

Note

To resolve Windows XP network connectivity and Cisco 802.1X port-based authentication issues, read the Microsoft Knowledge Base article at this URL: http://support.microsoft.com/support/kb/articles/Q303/5/97.ASP

Authentication server

The authentication server performs the actual authentication of the supplicant. The authentication server validates the identity of the supplicant and notifies the Cisco NX-OS device regarding whether the supplicant is authorized to access the LAN and Cisco NX-OS device services. Because the Cisco NX-OS device acts as the proxy, the authentication service is transparent to the supplicant. The Remote Authentication Dial-In User Service (RADIUS) security device with Extensible Authentication Protocol (EAP) extensions is the only supported authentication server; it is available in Cisco Secure Access Control Server, version 3.0. RADIUS uses a supplicant-server model in which secure authentication information is exchanged between the RADIUS server and one or more RADIUS clients.

Authenticator

The authenticator controls the physical access to the network based on the authentication status of the supplicant. The authenticator acts as an intermediary (proxy) between the supplicant and the authentication server, requesting identity information from the supplicant, verifying the requested identity information with the authentication server, and relaying a response to the supplicant. The authenticator includes the RADIUS client, which is responsible for encapsulating and decapsulating the EAP frames and interacting with the authentication server.

When the authenticator receives EAPOL frames and relays them to the authentication server, the authenticator strips off the Ethernet header and encapsulates the remaining EAP frame in the RADIUS format. This encapsulation process does not modify or examine the EAP frames, and the authentication server must support EAP within the native frame format. When the authenticator receives frames from the authentication server, the authenticator removes the server’s frame header, leaving the EAP frame, which the authenticator then encapsulates for Ethernet and sends to the supplicant.
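As an added example (not code from this guide or from NX-OS), the following Python shows the authenticator's relay step described above on constructed frames. It strips the Ethernet and EAPOL headers from a supplicant's EAP-Response/Identity, carries the EAP packet unchanged in RADIUS EAP-Message attributes (type 79, RFC 3579; the one-byte attribute length caps each at 253 bytes of EAP, so longer packets are split across several attributes and reassembled in order), and on the return path rebuilds the EAP packet and frames it for Ethernet. EAPOL-Start and EAPOL-Logoff carry no EAP packet and are handled by the authenticator itself rather than relayed. The MAC addresses are constructed for the example; the PAE group address 01:80:C2:00:00:03 is the one 802.1X defines.

```python
import struct

ETHERTYPE_EAPOL = 0x888E
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
RADIUS_EAP_MESSAGE = 79                          # EAP-Message attribute type (RFC 3579)
MAX_ATTR_VALUE = 253                             # one-byte attribute length minus 2 header bytes

# Constructed addresses for the example (not real devices).
SUPPLICANT_MAC = bytes.fromhex("020000000001")
AUTHENTICATOR_MAC = bytes.fromhex("020000000002")


def build_eapol_frame(dst_mac: bytes, src_mac: bytes, ptype: int, body: bytes = b"") -> bytes:
    """Ethernet header + EAPOL header (version 2, packet type, body length) + body."""
    return dst_mac + src_mac + struct.pack(">HBBH", ETHERTYPE_EAPOL, 2, ptype, len(body)) + body


def eap_response_identity(identity: bytes, ident: int = 1) -> bytes:
    """EAP packet: Code 2 (Response), Identifier, Length, Type 1 (Identity), identity data."""
    data = bytes([1]) + identity
    return struct.pack(">BBH", 2, ident, 4 + len(data)) + data


def strip_eapol(frame: bytes):
    """Remove the Ethernet and EAPOL headers; return (src_mac, eapol_type, eapol_body)."""
    if len(frame) < 18:
        raise ValueError("frame too short for Ethernet + EAPOL headers")
    src = frame[6:12]
    (ethertype,) = struct.unpack(">H", frame[12:14])
    if ethertype != ETHERTYPE_EAPOL:
        raise ValueError("not an EAPOL frame")
    _version, ptype, body_len = struct.unpack(">BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    return src, ptype, body


def eap_message_attrs(eap: bytes) -> list:
    """Carry an EAP packet in RADIUS EAP-Message attributes, splitting at 253 bytes."""
    attrs = []
    for i in range(0, len(eap), MAX_ATTR_VALUE):
        chunk = eap[i:i + MAX_ATTR_VALUE]
        attrs.append(struct.pack(">BB", RADIUS_EAP_MESSAGE, 2 + len(chunk)) + chunk)
    return attrs


def reassemble_eap(attrs: list) -> bytes:
    """Concatenate EAP-Message values in order and check the EAP Length field."""
    eap = b""
    for a in attrs:
        if len(a) < 2 or a[0] != RADIUS_EAP_MESSAGE or a[1] != len(a):
            raise ValueError("malformed EAP-Message attribute")
        eap += a[2:]
    if len(eap) < 4:
        raise ValueError("no EAP packet in attributes")
    (length,) = struct.unpack(">H", eap[2:4])
    if length != len(eap):
        raise ValueError("EAP Length field does not match reassembled size")
    return eap


def relay_to_radius(frame: bytes):
    """Authenticator, supplicant to server: EAP-Message attributes for an EAP-Packet frame,
    or None for EAPOL-Start / EAPOL-Logoff, which the authenticator handles locally."""
    _src, ptype, body = strip_eapol(frame)
    if ptype != EAPOL_EAP_PACKET:
        return None
    return eap_message_attrs(body)


def relay_to_supplicant(attrs: list, supplicant_mac: bytes, authenticator_mac: bytes) -> bytes:
    """Authenticator, server to supplicant: rebuild the EAP packet and frame it for Ethernet."""
    return build_eapol_frame(supplicant_mac, authenticator_mac, EAPOL_EAP_PACKET, reassemble_eap(attrs))


if __name__ == "__main__":
    frame = build_eapol_frame(PAE_GROUP_ADDR, SUPPLICANT_MAC, EAPOL_EAP_PACKET,
                              eap_response_identity(b"user1"))
    print([a.hex() for a in relay_to_radius(frame)])
```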


Note

The Cisco NX-OS device can only be an 802.1X authenticator.

Authentication Initiation and Message Exchange

Either the authenticator (Cisco NX-OS device) or the supplicant (client) can initiate authentication. If you enable authentication on a port, the authenticator must initiate authentication when it determines that the port link state transitions from down to up. The authenticator then sends an EAP-request/identity frame to the supplicant to request its identity (typically, the authenticator sends an initial identity/request frame followed by one or more requests for authentication information). When the supplicant receives the frame, it responds with an EAP-response/identity frame.

If the supplicant does not receive an EAP-request/identity frame from the authenticator during bootup, the supplicant can initiate authentication by sending an EAPOL-start frame, which prompts the authenticator to request the supplicant’s identity.

Note

If 802.1X is not enabled or supported on the network access device, the Cisco NX-OS device drops any EAPOL frames from the supplicant. If the supplicant does not receive an EAP-request/identity frame after three attempts to start authentication, the supplicant transmits data as if the port is in the authorized state.

A port in the authorized state means that the supplicant has been successfully authenticated.

When the supplicant supplies its identity, the authenticator begins its role as the intermediary, passing EAP frames between the supplicant and the authentication server until authentication succeeds or fails. If the authentication succeeds, the authenticator port becomes authorized.

The specific exchange of EAP frames depends on the authentication method being used.


This figure shows a message exchange initiated by the supplicant using the One-Time-Password (OTP) authentication method with a RADIUS server. The OTP authentication device uses a secret pass-phrase to generate a sequence of one-time (single use) passwords.

Figure 5: Message Exchange

The user’s secret pass-phrase never crosses the network at any time such as during authentication or during pass-phrase changes.

Authenticator PAE Status for Interfaces

When you enable 802.1X on an interface, the Cisco NX-OS software creates an authenticator port access entity (PAE) instance. An authenticator PAE is a protocol entity that supports authentication on the interface.

When you disable 802.1X on the interface, the Cisco NX-OS software does not automatically clear the authenticator PAE instances. You can explicitly remove the authenticator PAE from the interface and then reapply it, as needed.

Ports in Authorized and Unauthorized States

The authenticator port state determines if the supplicant is granted access to the network. The port starts in the unauthorized state. In this state, the port disallows all ingress and egress traffic except for 802.1X protocol packets. When a supplicant is successfully authenticated, the port transitions to the authorized state, allowing all traffic for the supplicant to flow normally.

If a client that does not support 802.1X is connected to an unauthorized 802.1X port, the authenticator requests the client’s identity. In this situation, the client does not respond to the request, the port remains in the unauthorized state, and the client is not granted access to the network.

In contrast, when an 802.1X-enabled client connects to a port that is not running the 802.1X protocol, the client initiates the authentication process by sending the EAPOL-start frame. When no response is received, the client sends the request for a fixed number of times. Because no response is received, the client begins sending frames as if the port is in the authorized state.

Ports can have the following authorization states:

Force authorized

Disables 802.1X port-based authentication and transitions to the authorized state without requiring any authentication exchange. The port transmits and receives normal traffic without 802.1X-based authentication of the client. This authorization state is the default.

Force unauthorized

Causes the port to remain in the unauthorized state, ignoring all attempts by the client to authenticate. The authenticator cannot provide authentication services to the client through the interface.

Auto

Enables 802.1X port-based authentication and causes the port to begin in the unauthorized state, allowing only EAPOL frames to be sent and received through the port. The authentication process begins when the link state of the port transitions from down to up or when an EAPOL-start frame is received from the supplicant. The authenticator requests the identity of the client and begins relaying authentication messages between the client and the authentication server. Each supplicant that attempts to access the network is uniquely identified by the authenticator by using the supplicant’s MAC address.

If the supplicant is successfully authenticated (receives an Accept frame from the authentication server), the port state changes to authorized, and all frames from the authenticated supplicant are allowed through the port. If the authentication fails, the port remains in the unauthorized state, but authentication can be retried.

If the authentication server cannot be reached, the authenticator can retransmit the request. If no response is received from the server after the specified number of attempts, authentication fails, and the supplicant is not granted network access.

When a supplicant logs off, it sends an EAPOL-logoff message, which causes the authenticator port to transition to the unauthorized state.

If the link state of a port transitions from up to down, or if an EAPOL-logoff frame is received, the port returns to the unauthorized state.

MAC Authentication Bypass

You can configure the Cisco NX-OS device to authorize a supplicant based on the supplicant MAC address by using the MAC authentication bypass feature. For example, you can enable this feature on interfaces configured for 802.1X that are connected to devices such as printers.

If 802.1X authentication times out while waiting for an EAPOL response from the supplicant, the Cisco NX-OS device tries to authorize the client by using MAC authentication bypass.

When you enable the MAC authentication bypass feature on an interface, the Cisco NX-OS device uses the MAC address as the supplicant identity. The authentication server has a database of supplicant MAC addresses that are allowed network access. After detecting a client on the interface, the Cisco NX-OS device waits for an Ethernet packet from the client. The Cisco NX-OS device sends the authentication server a RADIUS-access/request frame with a username and password based on the MAC address. If authorization succeeds, the Cisco NX-OS device grants the client access to the network. If authorization fails, the Cisco NX-OS device assigns the port to the guest VLAN if one is configured.

If an EAPOL packet is detected on the interface during the lifetime of the link, the Cisco NX-OS device determines that the device connected to that interface is an 802.1X-capable supplicant and uses 802.1X authentication (not MAC authentication bypass) to authorize the interface. EAPOL history is cleared if the interface link status goes down.

If the Cisco NX-OS device already authorized an interface by using MAC authentication bypass and detects an 802.1X supplicant, the Cisco NX-OS device does not unauthorize the client connected to the interface.

When reauthentication occurs, the Cisco NX-OS device uses 802.1X authentication as the preferred reauthentication process if the previous session ended because the Termination-Action RADIUS attribute value is DEFAULT.

Clients that were authorized with MAC authentication bypass can be reauthenticated. The reauthentication process is the same as that for clients that were authenticated with 802.1X. During reauthentication, the port remains in the previously assigned VLAN. If reauthentication is successful, the switch keeps the port in the same VLAN. If reauthentication fails, the switch assigns the port to the guest VLAN, if one is configured.

If reauthentication is based on the Session-Timeout RADIUS attribute (Attribute[27]) and the Termination-Action RADIUS attribute (Attribute [29]) and if the Termination-Action RADIUS attribute (Attribute [29]) action is Initialize (the attribute value is DEFAULT), the MAC authentication bypass session ends, and connectivity is lost during reauthentication. If MAC authentication bypass is enabled and the 802.1X authentication times out, the switch uses the MAC authentication bypass feature to initiate reauthorization.

For more information about these AV pairs, see RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines.

MAC authentication bypass interacts with the following features:

• 802.1X authentication—You can enable MAC authentication bypass only if 802.1X authentication is enabled on the port.

• Port security—You can configure 802.1X authentication and port security on the same Layer 2 ports.

• Network admission control (NAC) Layer 2 IP validation—This feature takes effect after an 802.1X port is authenticated with MAC authentication bypass, including hosts in the exception list.

802.1X and Port Security

You can configure port security and 802.1X on the same interfaces. Port security secures the MAC addresses that 802.1X authenticates. 802.1X processes packets before port security processes them, so when you enable both on an interface, 802.1X is already preventing inbound traffic on the interface from unknown MAC addresses.

When you enable 802.1X and port security on the same interface, port security continues to learn MAC addresses by the sticky or dynamic method, as configured. Additionally, depending on whether you enable 802.1X in single-host mode or multiple-host mode, one of the following occurs:

Single host mode

Port security learns the MAC address of the authenticated host.

Multiple host mode

Port security drops any MAC addresses learned for this interface by the dynamic method and learns the MAC address of the first host authenticated by 802.1X.

If a MAC address that 802.1X passes to port security would violate the applicable maximum number of secure MAC addresses, the device sends an authentication failure message to the host.


The device treats MAC addresses authenticated by 802.1X as though they were learned by the dynamic method, even if port security previously learned the address by the sticky or static methods. If you attempt to delete a secure MAC address that has been authenticated by 802.1X, the address remains secure.

If the MAC address of an authenticated host is secured by the sticky or static method, the device treats the address as if it were learned by the dynamic method, and you cannot delete the MAC address manually.

Port security integrates with 802.1X to reauthenticate hosts when the authenticated and secure MAC address of the host reaches its port security age limit. The device behaves differently depending upon the type of aging, as follows:

Absolute

Port security notifies 802.1X and the device attempts to reauthenticate the host. The result of reauthentication determines whether the address remains secure. If reauthentication succeeds, the device restarts the aging timer on the secure address; otherwise, the device drops the address from the list of secure addresses for the interface.

Inactivity

Port security drops the secure address from the list of secure addresses for the interface and notifies 802.1X. The device attempts to reauthenticate the host. If reauthentication succeeds, port security secures the address again.

Dynamic VLAN Assignment based on MAC-Based Authentication (MAB)

The Cisco Nexus 5000 and 6000 series switches support dynamic VLAN assignment. After 802.1x authentication or MAB completes, and before the port is brought up, you may want (as part of authorization) to place the peer/host into a particular VLAN as a result of the authentication. The RADIUS server typically indicates the desired VLAN by including tunnel attributes within the Access-Accept message.

Obtaining this VLAN and binding it to the port constitutes dynamic VLAN assignment.

VLAN Assignment from RADIUS

After authentication is completed either through dot1x or MAB, the response from the RADIUS server can carry dynamic VLAN information, which can be assigned to a port. This information is present in the Access-Accept message from the RADIUS server in the form of tunnel attributes. For use in VLAN assignment, the following tunnel attributes are sent:

• Tunnel-type=VLAN(13)

• Tunnel-Medium-Type=802

• Tunnel-Private-Group-ID=VLANID

All three attributes must be received before the access VLAN is configured.
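As an added example (not code from this guide or from NX-OS), the following Python parses the attribute list of a constructed RADIUS Access-Accept and applies the rule stated above: the access VLAN is taken only when Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802 (value 6) and a numeric Tunnel-Private-Group-ID are all present and carry the same tag; anything less yields no VLAN. The attribute numbers (64, 65, 81) and the tag handling follow RFC 2868, which RFC 3580 builds on; the attribute bytes are constructed here, not captured from a server.

```python
import struct

# RFC 2868 tunnel attributes, as RFC 3580 uses them for VLAN assignment
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # "VLAN(13)" in the list above
TUNNEL_MEDIUM_802 = 6      # "802" (IEEE 802) in the list above


def parse_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list (Type, Length, Value) into [(type, value), ...]."""
    attrs, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = data[off], data[off + 1]
        if ln < 2 or off + ln > len(data):
            raise ValueError("bad attribute length")
        attrs.append((t, data[off + 2:off + ln]))
        off += ln
    return attrs


def _tagged_int(value: bytes) -> tuple:
    """Tunnel-Type / Tunnel-Medium-Type: one tag octet followed by a 3-octet integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_str(value: bytes) -> tuple:
    """Tunnel-Private-Group-ID: a leading octet <= 0x1F is a tag, otherwise it is data (RFC 2868)."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_access_accept(attrs: list):
    """Return the VLAN ID only when Tunnel-Type=VLAN, Tunnel-Medium-Type=802 and a numeric
    Tunnel-Private-Group-ID are all present with the same tag; otherwise None."""
    groups = {}
    for t, v in attrs:
        if t == TUNNEL_TYPE:
            tag, n = _tagged_int(v)
            groups.setdefault(tag, {})["type"] = n
        elif t == TUNNEL_MEDIUM_TYPE:
            tag, n = _tagged_int(v)
            groups.setdefault(tag, {})["medium"] = n
        elif t == TUNNEL_PRIVATE_GROUP_ID:
            tag, s = _tagged_str(v)
            groups.setdefault(tag, {})["group"] = s.decode("ascii", "replace")
    for g in groups.values():
        if g.get("type") == TUNNEL_TYPE_VLAN and g.get("medium") == TUNNEL_MEDIUM_802:
            vid = g.get("group", "")
            if vid.isdigit() and 1 <= int(vid) <= 4094:
                return int(vid)
    return None


def tunnel_int(t: int, value: int, tag: int = 0) -> bytes:
    """Encode a tagged-integer tunnel attribute (used here to build the constructed samples)."""
    v = bytes([tag]) + value.to_bytes(3, "big")
    return struct.pack(">BB", t, 2 + len(v)) + v


def tunnel_str(t: int, s: str, tag: int = 0) -> bytes:
    """Encode a tagged-string tunnel attribute; a zero tag is omitted, as servers commonly do."""
    v = (bytes([tag]) if tag else b"") + s.encode("ascii")
    return struct.pack(">BB", t, 2 + len(v)) + v


# Constructed Access-Accept attribute lists (not captured from a RADIUS server).
COMPLETE = (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN) + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
            + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, "100"))
MISSING_MEDIUM = tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN) + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, "100")
WRONG_TYPE = (tunnel_int(TUNNEL_TYPE, 1) + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
              + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, "100"))
NAMED_GROUP = (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN) + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802)
               + tunnel_str(TUNNEL_PRIVATE_GROUP_ID, "engineering"))

if __name__ == "__main__":
    for name, data in (("complete", COMPLETE), ("missing medium", MISSING_MEDIUM),
                       ("wrong type", WRONG_TYPE), ("named group", NAMED_GROUP)):
        print(name, "->", vlan_from_access_accept(parse_attributes(data)))
```

Only the complete set yields a VLAN; the other three constructed responses return None, which is the outcome the rule above requires when any of the three attributes is absent or inconsistent.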

Single Host and Multiple Hosts Support

The 802.1X feature can restrict traffic on a port to only one endpoint device (single-host mode) or allow traffic from multiple endpoint devices on a port (multi-host mode).


Single-host mode allows traffic from only one endpoint device on the 802.1X port. Once the endpoint device is authenticated, the Cisco NX-OS device puts the port in the authorized state. When the endpoint device leaves the port, the Cisco NX-OS device puts the port back into the unauthorized state. A security violation in 802.1X is defined as the detection of frames sourced from any MAC address other than the single MAC address authorized as a result of successful authentication. In this case, the interface on which this security association violation is detected (EAPOL frame from the other MAC address) is disabled. Single host mode is applicable only for the host-to-switch topology and when a single host is connected to the Layer 2 (Ethernet access port) or Layer 3 port (routed port) of the Cisco NX-OS device.

Only the first host has to be authenticated on the 802.1X port configured with multiple host mode. The port is moved to the authorized state after the successful authorization of the first host. Subsequent hosts are not required to be authorized to gain network access once the port is in the authorized state. If the port becomes unauthorized when reauthentication fails or an EAPOL logoff message is received, all attached hosts are denied access to the network. The capability of the interface to shut down upon security association violation is disabled in multiple host mode. This mode is applicable for both switch-to-switch and host-to-switch topologies.
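As an added example (not NX-OS code), here is a small Python model of one authenticator port that follows the behaviour described in the "Ports in Authorized and Unauthorized States", "MAC Authentication Bypass" and host-mode passages above: the three port-control settings, EAPOL-only traffic while an auto port is unauthorized, an Accept moving the port to authorized, EAPOL-Logoff, link-down and failed reauthentication returning it to unauthorized (denying every attached host), MAB fallback with guest VLAN after an EAPOL timeout, and the single-host security violation that disables the interface. The MAB "database" is a plain set of MAC strings standing in for the authentication server, and the event strings are this model's own; both are assumptions of the example.

```python
from enum import Enum


class PortControl(Enum):
    FORCE_AUTHORIZED = "force-authorized"      # default: traffic flows with no 802.1X exchange
    FORCE_UNAUTHORIZED = "force-unauthorized"  # stays unauthorized, client attempts ignored
    AUTO = "auto"                              # starts unauthorized, EAPOL only, until an Accept


class Dot1xPort:
    """Toy model of an authenticator port following this chapter's description (not NX-OS code)."""

    def __init__(self, control=PortControl.FORCE_AUTHORIZED, multi_host=False,
                 mab=False, guest_vlan=None):
        self.control, self.multi_host = control, multi_host
        self.mab, self.guest_vlan = mab, guest_vlan
        self.authorized = control is PortControl.FORCE_AUTHORIZED
        self.authenticated_mac = None   # single-host: the one MAC allowed through
        self.vlan = None                # guest VLAN recorded after a failed MAB lookup
        self.shutdown = False           # set on a single-host security violation
        self.events = []

    def _unauthorize(self, why: str):
        if self.control is PortControl.AUTO:
            self.authorized, self.authenticated_mac, self.vlan = False, None, None
            self.events.append(why)

    def link(self, up: bool):
        """Link up starts the exchange (authenticator sends EAP-Request/Identity);
        link down returns an auto port to unauthorized."""
        if up:
            self.events.append("link up: EAP-Request/Identity sent")
        else:
            self._unauthorize("link down")

    def server_result(self, mac: str, accept: bool):
        """Outcome relayed from the authentication server for one supplicant."""
        if self.control is not PortControl.AUTO:
            return
        if accept:
            if not self.authorized:       # multi-host: only the first host needs to pass
                self.authorized, self.authenticated_mac = True, mac
            self.events.append(f"Accept for {mac}")
        else:
            self.events.append(f"Reject for {mac}: port stays unauthorized, retry allowed")

    def eapol_timeout(self, mac: str, mab_database: set):
        """No EAPOL response: fall back to MAC authentication bypass if enabled.
        mab_database stands in for the server's list of allowed MACs (model assumption)."""
        if self.control is not PortControl.AUTO or not self.mab:
            return
        if mac in mab_database:
            self.authorized, self.authenticated_mac = True, mac
            self.events.append(f"MAB authorized {mac}")
        elif self.guest_vlan is not None:
            self.vlan = self.guest_vlan
            self.events.append(f"MAB failed for {mac}: port assigned to guest VLAN {self.guest_vlan}")

    def eapol_logoff(self):
        self._unauthorize("EAPOL-Logoff received")

    def reauthenticate(self, success: bool):
        if not success:
            self._unauthorize("reauthentication failed: all attached hosts denied")

    def allows(self, src_mac: str, eapol: bool = False) -> bool:
        """Would a frame from src_mac pass? EAPOL is the only traffic an unauthorized auto
        port passes; in single-host mode a frame from a second MAC is a security
        violation that disables the interface."""
        if self.shutdown:
            return False
        if self.control is PortControl.FORCE_AUTHORIZED:
            return True
        if self.control is PortControl.FORCE_UNAUTHORIZED:
            return False
        if not self.authorized:
            return eapol
        if self.multi_host or src_mac == self.authenticated_mac:
            return True
        self.shutdown, self.authorized = True, False
        self.events.append(f"security violation from {src_mac}: interface disabled")
        return False


if __name__ == "__main__":
    port = Dot1xPort(PortControl.AUTO)
    port.link(True)
    port.server_result("00:11:22:33:44:55", accept=True)
    port.allows("66:77:88:99:aa:bb")   # second MAC on a single-host port
    print("\n".join(port.events))
```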

Supported Topologies

The 802.1X port-based authentication is supported in two topologies:

• Point-to-point

• Wireless LAN

In a point-to-point configuration, only one supplicant (client) can connect to the 802.1X-enabled authenticator (Cisco NX-OS device) port. The authenticator detects the supplicant when the port link state changes to the up state. If a supplicant leaves or is replaced with another supplicant, the authenticator changes the port link state to down, and the port returns to the unauthorized state.

This figure shows 802.1X port-based authentication in a wireless LAN. The 802.1X port is configured as a multiple-host port that becomes authorized as soon as one supplicant is authenticated.

Figure 6: Wireless LAN Example

When the port is authorized, all other hosts indirectly attached to the port are granted access to the network.

If the port becomes unauthorized (reauthentication fails or an EAPOL-logoff message is received), the Cisco NX-OS device denies access to the network to all of the attached supplicants.


Cisco Nexus 5600 Series NX-OS Security Configuration Guide, Release 7.x

OL-30921-01


Licensing Requirements for 802.1X

The following table shows the licensing requirements for this feature:

Product: Cisco NX-OS

License Requirement: 802.1X requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for 802.1X

802.1X has the following prerequisites:

• One or more RADIUS servers are accessible in the network.

• 802.1X supplicants are attached to the ports, unless you enable MAC address authentication bypass.

802.1X Guidelines and Limitations

802.1X port-based authentication has the following configuration guidelines and limitations:

• The Cisco NX-OS software supports 802.1X authentication only on physical ports.

• The Cisco NX-OS software does not support 802.1X authentication on port channels or subinterfaces.

• The Cisco NX-OS software supports 802.1X authentication on member ports of a port channel but not on the port channel itself.

• The Cisco NX-OS software does not support the following 802.1X configurations on port channel members when the members are configured for 802.1X:

◦ Host mode cannot be configured in single-host mode. Only multi-host mode is supported on the member ports.

◦ MAC authentication bypass cannot be enabled on the member ports.

◦ Port security cannot be configured on the port channel.

• Member ports with and without 802.1X configuration can coexist in a port channel. However, you must ensure the identical 802.1X configuration on all the member ports in order for channeling to operate with 802.1X.

• When you enable 802.1X authentication, supplicants are authenticated before any other Layer 2 or Layer 3 features are enabled on an Ethernet interface.

• The Cisco NX-OS software supports 802.1X authentication only on Ethernet interfaces that are in a port channel, a trunk, or an access port.


• The Cisco NX-OS software does not support single host mode on trunk interfaces or member interfaces in a port channel.

• The Cisco NX-OS software does not support MAC address authentication bypass on trunk interfaces.

• The Cisco NX-OS software does not support MAC address authentication bypass on a port channel.

• The Cisco NX-OS software does not support Dot1X on vPC ports and MCT.

• The Cisco NX-OS software does not support the following 802.1X protocol enhancements:

◦ One-to-many logical VLAN name to ID mapping

◦ Web authorization

◦ Dynamic domain bridge assignment

◦ IP telephony

• The following are the restrictions for dynamic VLAN assignment:

◦ Dynamic VLAN assignment is supported for HIF ports (FEX ports) only in a straight-through connection.

◦ This feature is supported only for switchport access ports.

◦ The VLAN assigned by RADIUS must already be configured on the switch.

◦ This feature is not supported on vPC ports, port channels, trunk ports, and Layer 3 ports.

◦ After a VLAN is assigned by RADIUS, you cannot override it with a different access VLAN.
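As an added example that is not part of the Cisco guide, the following Python script audits a constructed NX-OS running-config excerpt against the guidelines in this section and the defaults in Table 9 (single-host mode on trunk or port-channel member ports, MAC authentication bypass on trunk or port-channel ports, 802.1X on the port channel itself, host-mode and max-req on a port that is still force-authorized, and a re-authperiod set without periodic reauthentication). The parser, the sample configuration and the finding texts are assumptions for illustration.

```python
"""Audit an NX-OS running-config excerpt against the 802.1X guidelines above.

Added example, not Cisco code. The parser, the sample configuration and the
audit() findings are assumptions built from the rules stated in this chapter.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed running-config excerpt (NX-OS indents interface sub-commands
# with two spaces); it deliberately mixes compliant and non-compliant ports.
SAMPLE_CONFIG = """\
interface Ethernet2/1
  switchport
  switchport mode access
  dot1x port-control auto
  dot1x re-authentication
  dot1x timeout re-authperiod 3300
interface Ethernet2/2
  switchport mode trunk
  dot1x port-control auto
interface Ethernet7/1
  switchport
  channel-group 5 force
  dot1x port-control auto
  dot1x host-mode multi-host
interface Ethernet7/2
  channel-group 5 force
  dot1x port-control auto
  dot1x mac-auth-bypass
interface Ethernet3/1
  switchport
  dot1x host-mode multi-host
  dot1x timeout re-authperiod 600
interface port-channel5
  dot1x port-control auto
"""


@dataclass
class Iface:
    name: str
    lines: List[str] = field(default_factory=list)

    def has(self, prefix: str) -> bool:
        """True if any sub-command of this interface starts with prefix."""
        return any(line.startswith(prefix) for line in self.lines)


def parse_interfaces(config: str) -> List[Iface]:
    """Split running-config text into per-interface blocks (hypothetical parser)."""
    ifaces: List[Iface] = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Iface(raw.split(" ", 1)[1].strip())
            ifaces.append(current)
        elif raw.startswith("  ") and current is not None:
            current.lines.append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level line ends the block
    return ifaces


def audit(config: str) -> Dict[str, List[str]]:
    """Return {interface name: [findings]} for interfaces that break a guideline."""
    report: Dict[str, List[str]] = {}
    for iface in parse_interfaces(config):
        findings: List[str] = []
        auto = iface.has("dot1x port-control auto")
        trunk = iface.has("switchport mode trunk")
        member = iface.has("channel-group")
        # Table 9: host mode defaults to single-host when not configured.
        single_host = auto and not iface.has("dot1x host-mode multi-host")
        mab = iface.has("dot1x mac-auth-bypass")

        if iface.name.startswith("port-channel") and iface.has("dot1x"):
            findings.append("802.1X is not supported on the port channel itself")
        if trunk and single_host:
            findings.append("single-host mode is not supported on trunk interfaces")
        if member and single_host:
            findings.append("single-host mode is not supported on port-channel members")
        if mab and (trunk or member):
            findings.append("MAC authentication bypass is not supported on trunk or port-channel interfaces")
        # dot1x host-mode and dot1x max-req require port-control auto.
        if (iface.has("dot1x host-mode") or iface.has("dot1x max-req")) and not auto:
            findings.append("dot1x host-mode/max-req have no effect: port-control is force-authorized (default)")
        # re-authperiod only matters once dot1x re-authentication is enabled.
        if iface.has("dot1x timeout re-authperiod") and not iface.has("dot1x re-authentication"):
            findings.append("re-authperiod is set but periodic reauthentication is not enabled")

        if findings:
            report[iface.name] = findings
    return report


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_CONFIG).items():
        print(name)
        for problem in problems:
            print("  -", problem)
```

Run it against the output of show running-config to get a per-interface list of the combinations this chapter says are unsupported or ineffective.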

Default Settings for 802.1X

This table lists the default settings for 802.1X parameters.

Table 9: Default 802.1X Parameters

Parameters / Default

• 802.1X feature: Disabled

• AAA 802.1X authentication method: Not configured

• Per-interface 802.1X protocol enable state: Disabled (force-authorized)

Note: The port transmits and receives normal traffic without 802.1X-based authentication of the supplicant.

• Periodic reauthentication: Disabled

• Number of seconds between reauthentication attempts: 3600 seconds

• Quiet timeout period: 60 seconds (number of seconds that the Cisco NX-OS device remains in the quiet state following a failed authentication exchange with the supplicant)

• Retransmission timeout period: 30 seconds (number of seconds that the Cisco NX-OS device should wait for a response to an EAP request/identity frame from the supplicant before retransmitting the request)

• Maximum retransmission number: 2 times (number of times that the Cisco NX-OS device will send an EAP-request/identity frame before restarting the authentication process)

• Host mode: Single host

• Supplicant timeout period: 30 seconds (when relaying a request from the authentication server to the supplicant, the amount of time that the Cisco NX-OS device waits for a response before retransmitting the request to the supplicant)

• Authentication server timeout period: 30 seconds (when relaying a response from the supplicant to the authentication server, the amount of time that the Cisco NX-OS device waits for a reply before retransmitting the response to the server)

Configuring 802.1X

This section describes how to configure the 802.1X feature.

Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Process for Configuring 802.1X

This section describes the process for configuring 802.1X.


Procedure

Step 1: Enable the 802.1X feature.

Step 2: Configure the connection to the remote RADIUS server.

Step 3: Enable the 802.1X feature on the Ethernet interfaces.

Enabling the 802.1X Feature

You must enable the 802.1X feature on the Cisco NX-OS device before authenticating any supplicant devices.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: feature dot1x
Purpose: Enables the 802.1X feature. The default is disabled.
Example:
switch(config)# feature dot1x

Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 4: show dot1x
Purpose: (Optional) Displays the 802.1X feature status.
Example:
switch# show dot1x

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Configuring AAA Authentication Methods for 802.1X

You can use remote RADIUS servers for 802.1X authentication. You must configure RADIUS servers and RADIUS server groups and specify the default AAA authentication method before the Cisco NX-OS device can perform 802.1X authentication.


Before You Begin

Obtain the names or addresses for the remote RADIUS server groups.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: aaa authentication dot1x default group group-list
Purpose: Specifies the RADIUS server groups to use for 802.1X authentication. The group-list argument consists of a space-delimited list of group names. The group names are the following:
• radius: Uses the global pool of RADIUS servers for authentication.
• named-group: Uses the global pool of RADIUS servers for authentication.
Example:
switch(config)# aaa authentication dot1x default group rad2

Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 4: show radius-server
Purpose: (Optional) Displays the RADIUS server configuration.
Example:
switch# show radius-server

Step 5: show radius-server group [group-name]
Purpose: (Optional) Displays the RADIUS server group configuration.
Example:
switch# show radius-server group rad2

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Controlling 802.1X Authentication on an Interface

You can control the 802.1X authentication performed on an interface. An interface can have the following 802.1X authentication states:


Auto

Enables 802.1X authentication on the interface.

Force-authorized

Disables 802.1X authentication on the interface and allows all traffic on the interface without authentication. This state is the default.

Force-unauthorized

Disallows all traffic on the interface.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: dot1x port-control {auto | force-authorized | force-unauthorized}
Purpose: Changes the 802.1X authentication state on the interface. The default is force-authorized.
Example:
switch(config-if)# dot1x port-control auto

Step 4: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all

Step 6: show dot1x interface ethernet slot/port
Purpose: (Optional) Displays 802.1X feature status and configuration information for an interface.
Example:
switch# show dot1x interface ethernet 2/1

Step 7: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Configuring 802.1X Authentication on Member Ports

You can configure 802.1X authentication on the members of a port channel.

Note

You cannot configure 802.1X authentication on the port channel itself.

There are two ways to configure 802.1X authentication on member ports: 1) by configuring 802.1X on a member port and then adding the port to a port channel or 2) by creating a port channel, adding a port to the port channel, and then configuring 802.1X on the port. The following procedure provides instructions for the first method. To configure 802.1X using the second method, use these commands:

interface port-channel channel-number

interface ethernet slot/port

channel-group channel-number [force] [mode {on | active | passive}]

dot1x port-control auto

Note

For more information on the above commands, see the Cisco NX-OS Interfaces Command Reference for your platform.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 7/1
switch(config-if)#

Step 3: dot1x port-control auto
Purpose: Changes the 802.1X authentication state on the interface.
Example:
switch(config-if)# dot1x port-control auto

Step 4: [no] switchport
Purpose: Configures the interface as a Layer 2 port or, if you use the no keyword, as a Layer 3 port.
Example:
switch(config-if)# switchport

Step 5: dot1x host-mode multi-host
Purpose: Enables multiple hosts mode for the interface. This command is required in order to add a port to a port channel.
Example:
switch(config-if)# dot1x host-mode multi-host

Step 6: channel-group channel-number [force] [mode {on | active | passive}]
Purpose: Configures the port in a channel group and sets the mode. The channel number range is from 1 to 4096. The Cisco NX-OS software creates the port channel associated with this channel group if the port channel does not already exist. The optional force keyword allows you to force an interface with some incompatible configurations to join the channel. The forced interface must have the same speed, duplex, and flow control settings as the channel group.

Note: To remove an 802.1X-enabled port from a port channel, use the no channel-group channel-number command.

Example:
switch(config-if)# channel-group 5 force

Step 7: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 8: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 9: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all

Step 10: show dot1x interface ethernet slot/port
Purpose: (Optional) Displays 802.1X feature status and configuration information for an interface.
Example:
switch# show dot1x interface ethernet 7/1

Step 11: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Creating or Removing an Authenticator PAE on an Interface

You can create or remove the 802.1X authenticator port access entity (PAE) instance on an interface.

Note

By default, the Cisco NX-OS software creates the authenticator PAE instance on the interface when you enable 802.1X on an interface.

Before You Begin

Enable the 802.1X feature.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: show dot1x interface ethernet slot/port
Purpose: (Optional) Displays the 802.1X configuration on the interface.
Example:
switch# show dot1x interface ethernet 2/1

Step 3: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 4: [no] dot1x pae authenticator
Purpose: Creates an authenticator PAE instance on the interface. Use the no form to remove the PAE instance from the interface.

Note: If an authenticator PAE already exists on the interface, the dot1x pae authenticator command does not change the configuration on the interface.

Example:
switch(config-if)# dot1x pae authenticator

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling Periodic Reauthentication for an Interface

You can enable periodic 802.1X reauthentication on an interface and specify how often it occurs. If you do not specify a time period before enabling reauthentication, the number of seconds between reauthentication defaults to the global value.

Note

During the reauthentication process, the status of an already authenticated supplicant is not disrupted.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: dot1x re-authentication
Purpose: Enables periodic reauthentication of the supplicants connected to the interface. By default, periodic authentication is disabled.
Example:
switch(config-if)# dot1x re-authentication

Step 4: dot1x timeout re-authperiod seconds
Purpose: (Optional) Sets the number of seconds between reauthentication attempts. The default is 3600 seconds. The range is from 1 to 65535.

Note: This command affects the behavior of the Cisco NX-OS device only if you enable periodic reauthentication on the interface.

Example:
switch(config-if)# dot1x timeout re-authperiod 3300

Step 5: exit
Purpose: Exits configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 6: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch(config)# show dot1x all

Step 7: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Manually Reauthenticating Supplicants

You can manually reauthenticate the supplicants for the entire Cisco NX-OS device or for an interface.

Note

During the reauthentication process, the status of an already authenticated supplicant is not disrupted.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.


Procedure

Step 1: dot1x re-authenticate [interface slot/port]
Purpose: Reauthenticates the supplicants on the Cisco NX-OS device or on an interface.
Example:
switch# dot1x re-authenticate interface 2/1

Manually Initializing 802.1X Authentication

You can manually initialize the authentication for all supplicants on a Cisco NX-OS device or for a specific interface.

Note

Initializing the authentication clears any existing authentication status before starting the authentication process for the client.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: dot1x initialize [interface ethernet slot/port]
Purpose: Initializes 802.1X authentication on the Cisco NX-OS device or on a specified interface.
Example:
switch# dot1x initialize interface ethernet 2/1

Changing 802.1X Authentication Timers for an Interface

You can change the following 802.1X authentication timers on the Cisco NX-OS device interfaces:

Quiet-period timer

When the Cisco NX-OS device cannot authenticate the supplicant, the switch remains idle for a set period of time and then tries again. The quiet-period timer value determines the idle period. An authentication failure might occur because the supplicant provided an invalid password. You can provide a faster response time to the user by entering a smaller number than the default. The default is the value of the global quiet period timer. The range is from 1 to 65535 seconds.


Rate-limit timer

The rate-limit period throttles EAPOL-Start packets from supplicants that are sending too many EAPOL-Start packets. The authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated for the rate-limit period duration. The default value is 0 seconds and the authenticator processes all EAPOL-Start packets. The range is from 1 to 65535 seconds.

Switch-to-authentication-server retransmission timer for Layer 4 packets

The authentication server notifies the switch each time that it receives a Layer 4 packet. If the switch does not receive a notification after sending a packet, the Cisco NX-OS device waits a set period of time and then retransmits the packet. The default is 30 seconds. The range is from 1 to 65535 seconds.

Switch-to-supplicant retransmission timer for EAP response frames

The supplicant responds to the EAP-request/identity frame from the Cisco NX-OS device with an EAP-response/identity frame. If the Cisco NX-OS device does not receive this response, it waits a set period of time (known as the retransmission time) and then retransmits the frame. The default is 30 seconds. The range is from 1 to 65535 seconds.

Switch-to-supplicant retransmission timer for EAP request frames

The supplicant notifies the Cisco NX-OS device that it received the EAP request frame. If the authenticator does not receive this notification, it waits a set period of time and then retransmits the frame. The default is the value of the global retransmission period timer. The range is from 1 to 65535 seconds.

Note

You should change the default values only to adjust for unusual circumstances such as unreliable links or specific behavioral problems with certain supplicants and authentication servers.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: dot1x timeout quiet-period seconds
Purpose: (Optional) Sets the number of seconds that the authenticator waits for a response to an EAP-request/identity frame from the supplicant before retransmitting the request. The default is the global number of seconds set for all interfaces. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout quiet-period 25

Step 4: dot1x timeout ratelimit-period seconds
Purpose: (Optional) Sets the number of seconds that the authenticator ignores EAPOL-Start packets from supplicants that have successfully authenticated. The default value is 0 seconds. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout ratelimit-period 10

Step 5: dot1x timeout server-timeout seconds
Purpose: (Optional) Sets the number of seconds that the Cisco NX-OS device waits before retransmitting a packet to the authentication server. The default is 30 seconds. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout server-timeout 60

Step 6: dot1x timeout supp-timeout seconds
Purpose: (Optional) Sets the number of seconds that the Cisco NX-OS device waits for the supplicant to respond to an EAP request frame before the Cisco NX-OS device retransmits the frame. The default is 30 seconds. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout supp-timeout 20

Step 7: dot1x timeout tx-period seconds
Purpose: (Optional) Sets the number of seconds between the retransmission of EAP request frames when the supplicant does not send notification that it received the request. The default is the global number of seconds set for all interfaces. The range is from 1 to 65535 seconds.
Example:
switch(config-if)# dot1x timeout tx-period 40

Step 8: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 9: show dot1x all
Purpose: (Optional) Displays the 802.1X configuration.
Example:
switch# show dot1x all

Step 10: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config


Enabling Single Host or Multiple Hosts Mode

You can enable single host or multiple hosts mode on an interface.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: dot1x host-mode {multi-host | single-host}
Purpose: Configures the host mode. The default is single-host.

Note: Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.

Example:
switch(config-if)# dot1x host-mode multi-host

Step 4: exit
Purpose: Exits configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling MAC Authentication Bypass

You can enable MAC authentication bypass on an interface that has no supplicant connected.


Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: dot1x mac-auth-bypass [eap]
Purpose: Enables MAC authentication bypass. The default is bypass disabled. Use the eap keyword to configure the Cisco NX-OS device to use EAP for authorization.
Example:
switch(config-if)# dot1x mac-auth-bypass

Step 4: exit
Purpose: Exits configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Disabling 802.1X Authentication on the Cisco NX-OS Device

You can disable 802.1X authentication on the Cisco NX-OS device. By default, the Cisco NX-OS software enables 802.1X authentication after you enable the 802.1X feature. However, when you disable the 802.1X feature, the configuration is removed from the Cisco NX-OS device. The Cisco NX-OS software allows you to disable 802.1X authentication without losing the 802.1X configuration.


Note

When you disable 802.1X authentication, the port mode for all interfaces defaults to force-authorized regardless of the configured port mode. When you reenable 802.1X authentication, the Cisco NX-OS software restores the configured port mode on the interfaces.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: no dot1x system-auth-control
Purpose: Disables 802.1X authentication on the Cisco NX-OS device. The default is enabled.

Note: Use the dot1x system-auth-control command to enable 802.1X authentication on the Cisco NX-OS device.

Example:
switch(config)# no dot1x system-auth-control

Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 4: show dot1x
Purpose: (Optional) Displays the 802.1X feature status.
Example:
switch# show dot1x

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Disabling the 802.1X Feature

You can disable the 802.1X feature on the Cisco NX-OS device.

When you disable 802.1X, all related configurations are automatically discarded. The Cisco NX-OS software creates an automatic checkpoint that you can use if you reenable 802.1X and want to recover the configuration.

For more information, see the Cisco NX-OS System Management Configuration Guide for your platform.


Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: no feature dot1x
Purpose: Disables 802.1X.

Caution: Disabling the 802.1X feature removes all 802.1X configuration.

Example:
switch(config)# no feature dot1x

Step 3: exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Setting the Maximum Authenticator-to-Supplicant Frame Retransmission Retry Count for an Interface

You can set the maximum number of times that the Cisco NX-OS device retransmits authentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: dot1x max-req count
Purpose: Changes the maximum authorization request retry count. The default is 2 times and the range is from 1 to 10.

Note: Make sure that the dot1x port-control interface configuration command is set to auto for the specified interface.

Example:
switch(config-if)# dot1x max-req 3

Step 4: exit
Purpose: Exits interface configuration mode.
Example:
switch(config)# exit
switch#

Step 5: show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all

Step 6: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling RADIUS Accounting for 802.1X Authentication

You can enable RADIUS accounting for the 802.1X authentication activity.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2  dot1x radius-accounting
Purpose: Enables RADIUS accounting for 802.1X. The default is disabled.
Example:
switch(config)# dot1x radius-accounting

Step 3  exit
Purpose: Exits configuration mode.
Example:
switch(config)# exit
switch#

Step 4  show dot1x
Purpose: (Optional) Displays the 802.1X configuration.
Example:
switch# show dot1x

Step 5  copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Configuring AAA Accounting Methods for 802.1X

You can enable AAA accounting methods for the 802.1X feature.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1  configure terminal
Purpose: Enters global configuration mode.

Step 2  aaa accounting dot1x default group group-list
Purpose: Configures AAA accounting for 802.1X. The default is disabled.
The group-list argument consists of a space-delimited list of group names. The group names are the following:
radius—For all configured RADIUS servers.
named-group—Any configured RADIUS server group name.

Step 3  exit
Purpose: Exits configuration mode.

Step 4  show aaa accounting
Purpose: (Optional) Displays the AAA accounting configuration.

Step 5  copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

This example shows how to configure AAA accounting for 802.1X:

switch# configure terminal
switch(config)# aaa accounting dot1x default group radius
switch(config)# exit
switch# show aaa accounting
switch# copy running-config startup-config

Setting the Maximum Reauthentication Retry Count on an Interface

You can set the maximum number of times that the Cisco NX-OS device retransmits reauthentication requests to the supplicant on an interface before the session times out. The default is 2 times and the range is from 1 to 10.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2  interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3  dot1x max-reauth-req retry-count
Purpose: Changes the maximum reauthentication request retry count. The default is 2 times and the range is from 1 to 10.
Example:
switch(config-if)# dot1x max-reauth-req 3

Step 4  exit
Purpose: Exits interface configuration mode.
Example:
switch(config)# exit
switch#

Step 5  show dot1x all
Purpose: (Optional) Displays all 802.1X feature status and configuration information.
Example:
switch# show dot1x all

Step 6  copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Configuring Guest VLAN

If MAB is configured and authentication fails due to MAB, the guest VLAN (if available) is assigned as the access VLAN.

Procedure

Step 1  configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2  interface ethernet slot/port
Purpose: Selects the interface to configure and enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1

Step 3  dot1x guest-vlan guest-vlan
Purpose: Specifies the guest VLAN to be assigned.
Example:
switch(config-if)# dot1x guest-vlan 5

Step 4  exit
Purpose: Returns to privileged EXEC mode.
Example:
switch(config-if)# exit

Verifying the 802.1X Configuration

To display 802.1X information, perform one of the following tasks:

Command: show dot1x
Purpose: Displays the 802.1X feature status.

Command: show dot1x all [details | statistics | summary]
Purpose: Displays all 802.1X feature status and configuration information.

Command: show dot1x interface ethernet slot/port [details | statistics | summary]
Purpose: Displays the 802.1X feature status and configuration information for an Ethernet interface.

Command: show running-config dot1x [all]
Purpose: Displays the 802.1X feature configuration in the running configuration.

Command: show startup-config dot1x
Purpose: Displays the 802.1X feature configuration in the startup configuration.

For detailed information about the fields in the output from these commands, see the Cisco NX-OS Security Command Reference for your platform.

Monitoring 802.1X

You can display the statistics that the Cisco NX-OS device maintains for the 802.1X activity.

Before You Begin

Enable the 802.1X feature on the Cisco NX-OS device.

Procedure

Step 1  show dot1x {all | interface ethernet slot/port} statistics
Purpose: Displays the 802.1X statistics.
Example:
switch# show dot1x all statistics

Configuration Example for 802.1X

The following example shows how to configure 802.1X for an access port:

feature dot1x
aaa authentication dot1x default group rad2
interface Ethernet2/1
  dot1x pae-authenticator
  dot1x port-control auto

The following example shows how to configure 802.1X for a trunk port:

feature dot1x
aaa authentication dot1x default group rad2
interface Ethernet2/1
  dot1x pae-authenticator
  dot1x port-control auto
  dot1x host-mode multi-host

Note

Repeat the dot1x pae authenticator and dot1x port-control auto commands for all interfaces that require 802.1X authentication.

Additional References for 802.1X

This section includes additional information related to implementing 802.1X.

Related Documents

Related Topic: Cisco NX-OS Licensing
Document Title: Cisco NX-OS Licensing Guide

Related Topic: Command reference

Related Topic: VRF configuration

Standards

Standard: IEEE Std 802.1X-2004 (Revision of IEEE Std 802.1X-2001)
Title: 802.1X IEEE Standard for Local and Metropolitan Area Networks Port-Based Network Access Control

Standard: RFC 2284
Title: PPP Extensible Authentication Protocol (EAP)

Standard: RFC 3580
Title: IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

MIBs

MIB: IEEE8021-PAE-MIB
MIBs Link: To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Feature History for 802.1X

Table 10: Feature History for 802.1X

Feature Name: 802.1X
Release: 6.0(2)N1(2)
Feature Information: This feature was introduced.

Chapter 8

Configuring Cisco TrustSec

This chapter describes how to configure Cisco TrustSec on Cisco NX-OS devices.

This chapter includes the following sections:

Information About Cisco TrustSec , page 121

Licensing Requirements for Cisco TrustSec , page 131

Prerequisites for Cisco TrustSec , page 131

Guidelines and Limitations for Cisco TrustSec , page 131

Default Settings for Cisco TrustSec Parameters, page 132

Configuring Cisco TrustSec , page 133

Verifying the Cisco TrustSec Configuration, page 168

Configuration Examples for Cisco TrustSec, page 169

Additional References for Cisco TrustSec, page 173

Feature History for Cisco TrustSec, page 173

Information About Cisco TrustSec

This section provides information about Cisco TrustSec.

Cisco TrustSec Architecture

The Cisco TrustSec security architecture builds secure networks by establishing clouds of trusted network devices. Cisco TrustSec also uses the device information acquired during authentication for classifying, or coloring, the packets as they enter the network. This packet classification is maintained by tagging packets on ingress to the Cisco TrustSec network so that they can be properly identified for the purpose of applying security and other policy criteria along the data path. The tag, also called the security group tag (SGT), allows the network to enforce the access control policy by enabling the endpoint device to act upon the SGT to filter traffic.


Note

Ingress refers to entering the first Cisco TrustSec-capable device encountered by a packet on its path to the destination and egress refers to leaving the last Cisco TrustSec-capable device on the path.

This figure shows an example of a Cisco TrustSec cloud. In this example, several networking devices and an endpoint device are inside the Cisco TrustSec cloud. One endpoint device and one networking device are outside the cloud because they are not Cisco TrustSec-capable devices.

Figure 7: Cisco TrustSec Network Cloud Example

The Cisco TrustSec architecture consists of the following major components:

Authentication

Verifies the identity of each device before allowing them to join the Cisco TrustSec network.

Authorization

Decides the level of access to the Cisco TrustSec network resources for a device based on the authenticated identity of the device.

Access control

Applies access policies on a per-packet basis using the source tags on each packet.

A Cisco TrustSec network has the following entities:

Authenticators (AT)

Devices that are already part of a Cisco TrustSec network.

Authorization server (AS)

Servers that may provide authentication information, authorization information, or both.

When the link first comes up, authorization occurs in which each side of the link obtains policies, such as SGT and ACLs, that apply to the link.


Authentication

Cisco TrustSec authenticates a device before allowing it to join the network.

Cisco TrustSec and Authentication

Cisco TrustSec uses EAP-FAST for authentication. EAP-FAST conversations allow for other EAP method exchanges inside the EAP-FAST tunnel using chains, which allows administrators to use traditional user authentication methods, such as Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAPv2), while still having security provided by the EAP-FAST tunnel.


This figure shows the EAP-FAST tunnel and inner methods as used in Cisco TrustSec.

Figure 8: Cisco TrustSec Authentication

Cisco TrustSec Enhancements to EAP-FAST

The implementation of EAP-FAST for Cisco TrustSec has the following enhancements:

Authenticate the authenticator

Securely determines the identity of the AT by requiring the AT to use its protected access credential (PAC) to derive the shared secret between itself and the authentication server. This feature also prevents you from configuring RADIUS shared secrets on the authentication server for every possible IP address that can be used by the AT.


Notify each peer of the identity of its neighbor

By the end of the authentication exchange, the authentication server has identified both the supplicant and the AT. The authentication server conveys the identity of the AT, and whether the AT is Cisco TrustSec-capable, to the supplicant by using additional type-length-value parameters (TLVs) in the protected EAP-FAST termination. The authentication server also conveys the identity of the supplicant and whether the supplicant is Cisco TrustSec-capable, to the AT by using RADIUS attributes in the Access-Accept message. Because each peer knows the identity of its neighbor, it can send additional RADIUS Access-Requests to the authentication server to acquire the policy to be applied on the link.

AT posture evaluation

The AT provides its posture information to the authentication server whenever it starts the authentication exchange with the authentication server on behalf of the supplicant.

802.1X Role Selection

In 802.1X, the AT must have IP connectivity with the authentication server because it has to relay the authentication exchange between the supplicant and the authentication server using RADIUS over UDP/IP. When an endpoint device, such as a PC, connects to a network, it is obvious that it should act as a supplicant. However, in the case of a Cisco TrustSec connection between two network devices, the 802.1X role of each network device might not be immediately apparent to the other network device.

Instead of requiring manual configuration of the AT and supplicant roles for the Cisco NX-OS devices, Cisco TrustSec runs a role-selection algorithm to automatically determine which Cisco NX-OS device acts as the AT and which device acts as the supplicant. The role-selection algorithm assigns the AT role to the device that has IP reachability to a RADIUS server. Both devices start both the AT and supplicant state machines.

When a Cisco NX-OS device detects that its peer has access to a RADIUS server, it terminates its own AT state machine and assumes the role of the supplicant. If both Cisco NX-OS devices have access to a RADIUS server, the algorithm compares the MAC addresses used as the source for sending the EAP over LAN (EAPOL) packets. The Cisco NX-OS device that has the MAC address with the higher value becomes the AT and the other Cisco NX-OS device becomes the supplicant.
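The role-selection algorithm just described, as an added example that is not part of the Cisco guide: a small Python model in which each peer is described by its RADIUS reachability and its EAPOL source MAC address. The Peer and select_roles names are this example's own, and the outcome when neither peer can reach a RADIUS server is an assumption (the guide does not define that case; the model reports it as unresolved).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Peer:
    """One end of a Cisco TrustSec link (example model, not a Cisco type)."""
    name: str
    eapol_src_mac: str      # source MAC of this device's EAPOL frames
    radius_reachable: bool  # does this device have IP reachability to a RADIUS server?


def mac_to_int(mac: str) -> int:
    """Parse a MAC written as aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def select_roles(a: Peer, b: Peer) -> dict:
    """Apply the guide's role-selection algorithm to two peers.

    Returns {'authenticator': name or None, 'supplicant': name or None, 'reason': str}.
    """
    if a.radius_reachable != b.radius_reachable:
        # Exactly one peer can reach a RADIUS server: it becomes the AT; the other
        # terminates its own AT state machine and assumes the supplicant role.
        at, sup = (a, b) if a.radius_reachable else (b, a)
        return {"authenticator": at.name, "supplicant": sup.name,
                "reason": f"only {at.name} has RADIUS reachability"}
    if a.radius_reachable and b.radius_reachable:
        # Both can reach RADIUS: the higher EAPOL source MAC address becomes the AT.
        ma, mb = mac_to_int(a.eapol_src_mac), mac_to_int(b.eapol_src_mac)
        if ma == mb:
            raise ValueError("peers use the same EAPOL source MAC; the tie cannot be broken")
        at, sup = (a, b) if ma > mb else (b, a)
        return {"authenticator": at.name, "supplicant": sup.name,
                "reason": "both reach RADIUS; higher EAPOL source MAC becomes the AT"}
    # Assumption for this example: the guide does not define the case where neither
    # peer reaches a RADIUS server, so it is reported as unresolved.
    return {"authenticator": None, "supplicant": None,
            "reason": "neither peer reaches a RADIUS server; no AT selected"}


if __name__ == "__main__":
    # Constructed sample peers, not from the guide.
    sw_a = Peer("switch-A", "0011.2233.4455", radius_reachable=True)
    sw_b = Peer("switch-B", "00:11:22:33:44:66", radius_reachable=True)
    print(select_roles(sw_a, sw_b))
```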

Cisco TrustSec Authentication Summary

By the end of the Cisco TrustSec authentication process, the authentication server has performed the following actions:

• Verified the identities of the supplicant and the AT.

• Authenticated the user if the supplicant is an endpoint device.

At the end of the Cisco TrustSec authentication process, both the AT and the supplicant know the following:

• Device ID of the peer

• Cisco TrustSec capability information of the peer

• Key used for the SAP


Device Identities

Cisco TrustSec does not use IP addresses or MAC addresses as device identities. Instead, you assign a name (device ID) to each Cisco TrustSec-capable Cisco NX-OS device to identify it uniquely in the Cisco TrustSec network. This device ID is used for the following:

• Looking up authorization policy

• Looking up passwords in the databases during authentication

Device Credentials

Cisco TrustSec supports password-based credentials. The authentication servers may use self-signed certificates instead. Cisco TrustSec authenticates the supplicants through passwords and uses MSCHAPv2 to provide mutual authentication even if the authentication server certificate is not verifiable.

The authentication server uses a temporarily configured password to authenticate the supplicant when the supplicant first joins the Cisco TrustSec network. When the supplicant first joins the Cisco TrustSec network, the authentication server authenticates the supplicant using a manufacturing certificate and then generates a strong password and pushes it to the supplicant with the PAC. The authentication server also keeps the new password in its database.

User Credentials

Cisco TrustSec does not require a specific type of user credentials for endpoint devices. You can choose any type of authentication method for the user (for example, MSCHAPv2, LEAP, generic token card (GTC), or OTP) and use the corresponding credentials.

SGACLs and SGTs

In security group access lists (SGACLs), you can control the operations that users can perform based on assigned security groups. The grouping of permissions into a role simplifies the management of the security policy. As you add users to the Cisco NX-OS device, you simply assign one or more security groups and they immediately receive the appropriate permissions. You can modify security groups to introduce new privileges or restrict current permissions.

Cisco TrustSec assigns a unique 16-bit tag, called the security group tag (SGT), to a security group. The number of SGTs in the Cisco NX-OS device is limited to the number of authenticated network entities. The SGT is a single label that indicates the privileges of the source within the entire enterprise. Its scope is global within a Cisco TrustSec network.

The management server derives the SGTs based on the security policy configuration. You do not have to configure them manually.

Once authenticated, Cisco TrustSec tags any packet that originates from a device with the SGT that represents the security group to which the device is assigned. The packet carries this SGT throughout the network within the Cisco TrustSec header. Because this tag represents the group of the source, the tag is referred to as the source SGT. At the egress edge of the network, Cisco TrustSec determines the group that is assigned to the packet destination device and applies the access control policy.


Cisco TrustSec defines access control policies between the security groups. By assigning devices within the network to security groups and applying access control between and within the security groups, Cisco TrustSec essentially achieves access control within the network.

This figure shows an example of an SGACL policy.

Figure 9: SGACL Policy Example

This figure shows how the SGT assignment and the SGACL enforcement operate in a Cisco TrustSec network.

Figure 10: SGT and SGACL in Cisco TrustSec Network


The Cisco NX-OS device defines the Cisco TrustSec access control policy for a group of devices as opposed to IP addresses in traditional ACLs. With such a decoupling, the network devices are free to move throughout the network and change IP addresses. Entire network topologies can change. As long as the roles and the permissions remain the same, changes to the network do not change the security policy. This feature greatly reduces the size of ACLs and simplifies their maintenance.

In traditional IP networks, the number of access control entries (ACEs) configured is determined as follows:

# of ACEs = (# of sources specified) X (# of destinations specified) X (# of permissions specified)

Cisco TrustSec uses the following formula:

# of ACEs = # of permissions specified


Determining the Source Security Group

A network device at the ingress of the Cisco TrustSec cloud needs to determine the SGT of the packet entering the Cisco TrustSec cloud so that it can tag the packet with that SGT when it forwards it into the Cisco TrustSec cloud. The egress network device needs to determine the SGT of the packet so that it can apply the SGACLs.

The network device can determine the SGT for a packet in one of the following methods:

• Obtain the source SGT during policy acquisition—After the Cisco TrustSec authentication phase, a network device acquires a policy from an authentication server. The authentication server indicates whether the peer device is trusted or not. If a peer device is not trusted, the authentication server can also provide an SGT to apply to all packets coming from the peer device.

• Obtain the source SGT field from the Cisco TrustSec header—If a packet comes from a trusted peer device, the Cisco TrustSec header carries the correct SGT field if the network device is not the first network device in the Cisco TrustSec cloud for the packet.

Determining the Destination Security Group

The egress network device in a Cisco TrustSec cloud determines the destination group for applying the SGACL.

In some cases, ingress devices or other nonegress devices might have destination group information available.

In those cases, SGACLs might be applied in these devices rather than in egress devices.

Cisco TrustSec determines the destination group for the packet based on the destination IP address.

You do not configure the destination SGT to enforce Cisco TrustSec on egress broadcast, multicast, and unknown unicast traffic on Fabric Extender (FEX) or vEthernet ports. Instead, you set the DST to zero (unknown). The following is an example of the correct configuration:

cts role-based access-list acl-on-fex-egress
  deny udp
  deny ip
cts role-based sgt 9 dst 0 access-list acl-on-fex-egress
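SGT classification and egress SGACL enforcement as described in this section and in "SGACLs and SGTs", as an added example that is not part of the Cisco guide: a Python model that takes the source SGT from the Cisco TrustSec header (trusted peer) or from the SGT configured on the ingress interface (untrusted peer), derives the destination SGT from the destination IP address, and applies the SGACL bound to the (source SGT, destination SGT) pair, with dst 0 standing for an unknown destination. The policy contents, the IP-to-SGT mapping, the default action when no SGACL is bound, and all class and function names are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNKNOWN_SGT = 0   # "dst 0": destination group unknown, as in the FEX egress example above


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp", "icmp", ...
    header_sgt: Optional[int]   # SGT field of the Cisco TrustSec header; None if untagged


@dataclass
class IngressInterface:
    peer_trusted: bool   # trust decision obtained during policy acquisition
    interface_sgt: int   # SGT applied to every packet received from an untrusted peer


@dataclass
class Policy:
    # (source SGT, destination SGT) -> ordered ACEs of (action, protocol or "ip")
    sgacls: Dict[Tuple[int, int], List[Tuple[str, str]]] = field(default_factory=dict)
    ip_to_sgt: Dict[str, int] = field(default_factory=dict)   # e.g. learned over SXP
    default_action: str = "permit"   # assumption: no SGACL bound means no restriction


def source_sgt(pkt: Packet, ingress: IngressInterface) -> int:
    """Source SGT: from the header when the peer is trusted, otherwise the
    interface SGT (the policy-acquisition case is modelled by the interface SGT too)."""
    if ingress.peer_trusted and pkt.header_sgt is not None:
        return pkt.header_sgt
    return ingress.interface_sgt


def destination_sgt(pkt: Packet, policy: Policy) -> int:
    """Destination SGT is derived from the destination IP address; unmapped -> 0."""
    return policy.ip_to_sgt.get(pkt.dst_ip, UNKNOWN_SGT)


def enforce(pkt: Packet, ingress: IngressInterface, policy: Policy) -> Tuple[str, int, int]:
    """Egress SGACL enforcement. Returns (action, source SGT, destination SGT)."""
    s, d = source_sgt(pkt, ingress), destination_sgt(pkt, policy)
    for action, proto in policy.sgacls.get((s, d), []):
        if proto in ("ip", pkt.proto):   # first matching ACE wins, as in an ACL
            return action, s, d
    return policy.default_action, s, d


def ace_counts(n_sources: int, n_destinations: int, n_permissions: int) -> Tuple[int, int]:
    """The guide's two formulas: (traditional ACE count, Cisco TrustSec ACE count)."""
    return n_sources * n_destinations * n_permissions, n_permissions


# Constructed sample policy, not from the guide: the acl-on-fex-egress SGACL of the
# text bound to (sgt 9, dst 0), plus a permit-tcp list for 9 -> 20.
SAMPLE_POLICY = Policy(
    sgacls={
        (9, UNKNOWN_SGT): [("deny", "udp"), ("deny", "ip")],
        (9, 20): [("permit", "tcp"), ("deny", "ip")],
    },
    ip_to_sgt={"10.1.20.5": 20},
)
TRUSTED_UPLINK = IngressInterface(peer_trusted=True, interface_sgt=5)
UNTRUSTED_ACCESS = IngressInterface(peer_trusted=False, interface_sgt=9)

if __name__ == "__main__":
    pkt = Packet("10.1.9.7", "10.1.20.5", "tcp", header_sgt=None)
    print(enforce(pkt, UNTRUSTED_ACCESS, SAMPLE_POLICY))   # ('permit', 9, 20)
```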

SXP for SGT Propagation Across Legacy Access Networks

The Cisco NX-OS device hardware in the access layer supports Cisco TrustSec. Without the Cisco TrustSec hardware, the Cisco TrustSec software cannot tag the packets with SGTs. You can use SXP to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec.

SXP operates between access layer devices and distribution layer devices. The access layer devices use SXP to pass the IP addresses of the Cisco TrustSec-authenticated devices with their SGTs to the distribution switches. Distribution devices with both Cisco TrustSec-enabled software and hardware can use this information to tag packets appropriately and enforce SGACL policies.


This figure shows how to use SXP to propagate SGT information in a legacy network.

Figure 11: Using SXP to Propagate SGT Information

Tagging packets with SGTs requires hardware support. You might have devices in your network that cannot tag packets with SGTs. To allow these devices to send IP address-to-SGT mappings to a device that has Cisco TrustSec-capable hardware, you must manually set up the SXP connections. Manually setting up an SXP connection requires the following:

• If you require SXP data integrity and authentication, you must configure the same SXP password on both of the peer devices. You can configure the SXP password either explicitly for each peer connection or globally for the device. The SXP password is not required.

• You must configure each peer on the SXP connection as either an SXP speaker or an SXP listener. The speaker device distributes the SXP information to the listener device.

Note

This Cisco Nexus device does not have the functionality to be an SXP listener. It can only be an SXP speaker.

• You can specify a source IP address to use for each peer relationship or you can configure a default source IP address for peer connections where you have not configured a specific source IP address.

Authorization and Policy Acquisition

After authentication ends, both the supplicant and AT obtain the security policy from the authentication server.

The supplicant and AT enforce the policy against each other. Both the supplicant and AT provide the peer device ID that each receives after authentication. If the peer device ID is not available, Cisco TrustSec can use a manually configured peer device ID.

The authentication server returns the following policy attributes:

Cisco TrustSec trust

Indicates whether the neighbor device is to be trusted for the purpose of putting the SGT in the packets.


Peer SGT

Indicates the security group that the peer belongs to. If the peer is not trusted, all packets received from the peer are tagged with the SGT configured on the ingress interface. If enforcement is enabled on this interface, the SGACLs that are associated with the peer SGT are downloaded. If the device does not know if the SGACLs are associated with the peer’s SGT, the device might send a follow-up request to fetch the SGACLs.

Authorization expiry time

Indicates the number of seconds before the policy expires. The Cisco-proprietary attribute-value (AV) pairs indicate the expiration time of an authorization or policy response to a Cisco TrustSec device. A Cisco TrustSec device should refresh its policy and authorization before it times out.

Tip

Each Cisco TrustSec device should support some minimal default access policy in case it is not able to contact the authentication server to get an appropriate policy for the peer.

Environment Data Download

The Cisco TrustSec environment data is a collection of information or policies that assists a device to function as a Cisco TrustSec node. The device acquires the environment data from the authentication server when the device first joins a Cisco TrustSec cloud, although you might also manually configure some of the data on a device. For example, you must configure the seed Cisco TrustSec device with the authentication server information, which can later be augmented by the server list that the device acquires from the authentication server.

The device must refresh the Cisco TrustSec environment data before it expires. The device can also cache the data and reuse it after a reboot if the data has not expired.

The device uses RADIUS to acquire the following environment data from the authentication server:

Server lists

List of servers that the client can use for future RADIUS requests (for both authentication and authorization).

Device SGT

Security group to which the device itself belongs.

Expiry timeout

Interval that controls how often the Cisco TrustSec device should refresh its environment data.

RADIUS Relay Functionality

The Cisco NX-OS device that plays the role of the Cisco TrustSec AT in the 802.1X authentication process has IP connectivity to the authentication server, which allows it to acquire the policy and authorization from the authentication server by exchanging RADIUS messages over UDP/IP. The supplicant device may not have IP connectivity with the authentication server. In such cases, Cisco TrustSec allows the AT to act as a RADIUS relay for the supplicant.


The supplicant sends a special EAP over LAN (EAPOL) message to the Cisco TrustSec AT that contains the RADIUS server IP address and UDP port and the complete RADIUS request. The Cisco TrustSec AT extracts the RADIUS request from the received EAPOL message and sends it over UDP/IP to the authentication server.

When the RADIUS response returns from the authentication server, the Cisco TrustSec AT forwards the message back to the supplicant, encapsulated in an EAPOL frame.

Licensing Requirements for Cisco TrustSec

The following table shows the licensing requirements for this feature:

Product

Cisco NX-OS

License Requirement

Cisco TrustSec requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the License and Copyright Information for Cisco NX-OS Software.

Prerequisites for Cisco TrustSec

Cisco TrustSec has the following prerequisites:

• You must enable the 802.1X feature before you enable the Cisco TrustSec feature. Although none of the 802.1X interface level features are available, 802.1X is required for the device to authenticate with RADIUS.

• You must enable the Cisco TrustSec feature.

Guidelines and Limitations for Cisco TrustSec

Cisco TrustSec has the following guidelines and limitations:

• Cisco TrustSec uses RADIUS for authentication.

• AAA authentication and authorization for Cisco TrustSec is only supported by the Cisco Secure Access Control Server (ACS).

• Cisco TrustSec supports IPv4 addressing only.

• SXP cannot use the management (mgmt 0) interface.

• You cannot enable Cisco TrustSec on interfaces in half-duplex mode.

• Clearing policies does not take effect immediately; it requires a flap to occur. In addition, the way policies are cleared depends on whether the SGT is static or dynamic. For a static SGT, the SGT is reset to 0 after the flap occurs. For a dynamic SGT, the SGT is downloaded again from the RADIUS server after the flap occurs.

• Cisco TrustSec supports management switch virtual interfaces (SVIs), not routed SVIs.


• The 802.1X feature must be enabled before you enable the Cisco TrustSec feature. However, none of the 802.1X interface level features are available. The 802.1X feature is only used for the device to authenticate with RADIUS.

• RBACL is only implemented on bridged Ethernet traffic and cannot be enabled on a routing VLAN or routing interface.

• The determination of whether a peer is trusted or not and its capability to propagate SGTs on egress are made at the physical interface level.

• Cisco TrustSec interface configurations on port channel members must be exactly the same. If a port channel member is inconsistent with the other port channel members, it will be error disabled.

• In a vPC domain, use the configuration synchronization mode (config-sync) to create switch profiles to ensure that the Cisco TrustSec configuration is synchronized between peers. If you configure the same vPC differently on two peer switches, traffic is treated differently.

• The maximum number of RBACL TCAM entries is 128, with 4 entries used by default, and the remaining 124 entries user-configurable.

• Cisco TrustSec is not supported on Layer 3 interfaces or Virtual Routing and Forwarding (VRF) interfaces.

• The cts-manual, cts trusted mode, and no-propagate sgt configurations must be consistent among all FEX ports or vEthernet ports on the same fabric port. If these configurations are inconsistent, the interfaces are err-disabled.

• The cts-manual, sgt value, cts trusted mode, and no-propagate sgt configurations must be consistent among all port channel members on the same port channel. If these configurations are inconsistent, the interfaces are err-disabled.
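A pre-change check for the port channel and FEX/vEthernet consistency rules above, as an added example that is not Cisco tooling: it parses a constructed running-config fragment and reports each group whose members differ in the settings the guide says must match (the SGT value is compared only for port channel members, as the guide lists it only there). The configuration syntax it accepts (cts manual, policy static sgt value [trusted], no propagate-sgt, channel-group) and the fabric-port annotation used to group FEX ports that share one fabric port are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Interface:
    """CTS-relevant settings of one interface (example model, not a Cisco type)."""
    name: str
    group: Optional[str] = None   # port channel, or fabric port a FEX/vEth port hangs off
    cts_manual: bool = False
    sgt: Optional[str] = None
    trusted: bool = False
    propagate_sgt: bool = True

    def cts_key(self, include_sgt: bool) -> Tuple:
        """Settings that must match across a group; the guide lists the SGT value
        for port channel members but not for ports on the same fabric port."""
        return (self.cts_manual, self.sgt if include_sgt else None,
                self.trusted, self.propagate_sgt)


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Parse the subset of running-config syntax assumed for this example."""
    interfaces: Dict[str, Interface] = {}
    cur: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Interface(name=line.split(None, 1)[1])
            interfaces[cur.name] = cur
        elif cur is None or not line:
            continue
        elif line.startswith("channel-group "):
            cur.group = "port-channel" + line.split()[1]
        elif line.startswith("fabric-port "):          # annotation assumed here
            cur.group = "fabric-port " + line.split()[1]
        elif line == "cts manual":
            cur.cts_manual = True
        elif line.startswith("policy static sgt "):
            toks = line.split()
            cur.sgt = toks[3]
            cur.trusted = "trusted" in toks[4:]
        elif line == "no propagate-sgt":
            cur.propagate_sgt = False
    return interfaces


def find_inconsistent_groups(interfaces: Dict[str, Interface]) -> Dict[str, List[str]]:
    """Return {group: sorted member names} for every group whose members would be
    err-disabled because their CTS settings differ."""
    members: Dict[str, List[Interface]] = defaultdict(list)
    for itf in interfaces.values():
        if itf.group:
            members[itf.group].append(itf)
    inconsistent: Dict[str, List[str]] = {}
    for group, itfs in members.items():
        include_sgt = group.startswith("port-channel")
        if len({i.cts_key(include_sgt) for i in itfs}) > 1:
            inconsistent[group] = sorted(i.name for i in itfs)
    return inconsistent


# Constructed sample configuration, not from the guide.
SAMPLE_CONFIG = """
interface Ethernet1/1
  channel-group 10 mode active
  cts manual
    policy static sgt 0x9 trusted
interface Ethernet1/2
  channel-group 10 mode active
  cts manual
    policy static sgt 0x9 trusted
    no propagate-sgt
interface Ethernet1/3
  channel-group 20 mode active
  cts manual
    policy static sgt 0x5
interface Ethernet1/4
  channel-group 20 mode active
  cts manual
    policy static sgt 0x5
interface Ethernet101/1/1
  fabric-port Ethernet1/10
  cts manual
    policy static sgt 0x7
interface Ethernet101/1/2
  fabric-port Ethernet1/10
interface Ethernet102/1/1
  fabric-port Ethernet1/11
  cts manual
    policy static sgt 0x7
interface Ethernet102/1/2
  fabric-port Ethernet1/11
  cts manual
    policy static sgt 0x8
"""

if __name__ == "__main__":
    for group, names in find_inconsistent_groups(parse_interfaces(SAMPLE_CONFIG)).items():
        print(f"{group}: members {names} differ and would be err-disabled")
```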

Default Settings for Cisco TrustSec Parameters

This table lists the default settings for Cisco TrustSec parameters.

Table 11: Default Cisco TrustSec Parameters Settings

Parameters                 Default
Cisco TrustSec             Disabled
SXP                        Disabled
SXP default password       None
SXP reconcile period       120 seconds (2 minutes)
SXP retry period           60 seconds (1 minute)
RBACL logging              Disabled
RBACL statistics           Disabled


Configuring Cisco TrustSec

This section provides information about the configuration tasks for Cisco TrustSec.

Enabling the Cisco TrustSec Feature

You must enable both the 802.1X feature and the Cisco TrustSec feature on the Cisco NX-OS device before you can configure Cisco TrustSec. However, none of the 802.1X interface level features are available. The 802.1X feature is only used for the device to authenticate with RADIUS.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: feature dot1x
  Example:
    switch(config)# feature dot1x
  Purpose: Enables the 802.1X feature.

Step 3: feature cts
  Example:
    switch(config)# feature cts
  Purpose: Enables the Cisco TrustSec feature.

Step 4: exit
  Example:
    switch(config)# exit
    switch#
  Purpose: Exits global configuration mode.

Step 5: show cts
  Example:
    switch# show cts
  Purpose: (Optional) Displays the Cisco TrustSec configuration.

Step 6: show feature
  Example:
    switch# show feature
  Purpose: (Optional) Displays the enabled status for features.

Step 7: copy running-config startup-config
  Example:
    switch# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring Cisco TrustSec Device Credentials

You must configure unique Cisco TrustSec credentials on each Cisco TrustSec-enabled Cisco NX-OS device in your network. Cisco TrustSec uses the password in the credentials for device authentication.

Note

You must also configure the Cisco TrustSec credentials for the Cisco NX-OS device on the Cisco Secure ACS (see the documentation at the following URL: http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_installation_and_configuration_guides_list.html).

Before You Begin

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: cts device-id name password password
  Example:
    switch(config)# cts device-id MyDevice1 password CiscO321
  Purpose: Configures a unique device ID and password. The name argument has a maximum length of 32 characters and is case sensitive.
  Note: To remove the configuration of the device ID and the password, use the no form of the command.

Step 3: exit
  Example:
    switch(config)# exit
    switch#
  Purpose: Exits global configuration mode.

Step 4: show cts
  Example:
    switch# show cts
  Purpose: (Optional) Displays the Cisco TrustSec configuration.

Step 5: show cts environment
  Example:
    switch# show cts environment
  Purpose: (Optional) Displays the Cisco TrustSec environment data.

Step 6: copy running-config startup-config
  Example:
    switch# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Configuring AAA for Cisco TrustSec

You can use Cisco Secure ACS for Cisco TrustSec authentication. You must configure RADIUS server groups and specify the default AAA authentication and authorization methods on one of the Cisco TrustSec-enabled Cisco NX-OS devices in your network cloud.

Note

Only the Cisco Secure ACS supports Cisco TrustSec.

Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices

This section describes how to configure AAA on the Cisco NX-OS device in your Cisco TrustSec network cloud.

Before You Begin

Obtain the IPv4 address or hostname for the Cisco Secure ACS.

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: radius-server host {ipv4-address | ipv6-address | hostname} key [0 | 7] key pac
  Example:
    switch(config)# radius-server host 10.10.1.1 key L1a0K2s9 pac
  Purpose: Configures a RADIUS server host with a key and PAC. The hostname argument is alphanumeric, case sensitive, and has a maximum of 256 characters. The key argument is alphanumeric, case sensitive, and has a maximum length of 63 characters. The 0 option indicates that the key is in clear text. The 7 option indicates that the key is encrypted. The default is clear text.

Step 3: show radius-server
  Example:
    switch# show radius-server
  Purpose: (Optional) Displays the RADIUS server configuration.

Step 4: aaa group server radius group-name
  Example:
    switch(config)# aaa group server radius Rad1
    switch(config-radius)#
  Purpose: Specifies the RADIUS server group and enters RADIUS server group configuration mode.

Step 5: server {ipv4-address | ipv6-address | hostname}
  Example:
    switch(config-radius)# server 10.10.1.1
  Purpose: Specifies the RADIUS server host address.

Step 6: use-vrf vrf-name
  Example:
    switch(config-radius)# use-vrf management
  Purpose: Specifies the management VRF instance for the AAA server group.
  Note: If you use the management VRF instance, no further configuration is necessary for the devices in the network cloud. If you use a different VRF instance, you must configure the devices with that VRF instance.

Step 7: exit
  Example:
    switch(config-radius)# exit
    switch(config)#
  Purpose: Exits RADIUS server group configuration mode.

Step 8: aaa authentication cts default group group-name
  Example:
    switch(config)# aaa authentication cts default group Rad1
  Purpose: Specifies the RADIUS server groups to use for Cisco TrustSec authentication.

Step 9: aaa authorization cts default group group-name
  Example:
    switch(config)# aaa authorization cts default group Rad1
  Purpose: Specifies the RADIUS server groups to use for Cisco TrustSec authorization.

Step 10: exit
  Example:
    switch(config)# exit
    switch#
  Purpose: Exits global configuration mode.

Step 11: show radius-server groups [group-name]
  Example:
    switch# show radius-server groups Rad1
  Purpose: (Optional) Displays the RADIUS server group configuration.

Step 12: show aaa authentication
  Example:
    switch# show aaa authentication
  Purpose: (Optional) Displays the AAA authentication configuration.

Step 13: show aaa authorization
  Example:
    switch# show aaa authorization
  Purpose: (Optional) Displays the AAA authorization configuration.

Step 14: show cts pacs
  Example:
    switch# show cts pacs
  Purpose: (Optional) Displays the Cisco TrustSec PAC information.

Step 15: copy running-config startup-config
  Example:
    switch# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices, on page 137

Configuring AAA on Cisco TrustSec Nonseed Cisco NX-OS Devices

Cisco TrustSec configures an AAA server group named aaa-private-sg on the nonseed Cisco NX-OS devices in the network cloud. By default, the aaa-private-sg server group uses the management VRF instance to communicate with the Cisco Secure ACS and no further configuration is required on the nonseed Cisco NX-OS devices. However, if you choose to use a different VRF instance, you must change the aaa-private-sg on the nonseed Cisco NX-OS device to use the correct VRF instance.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you have configured a seed Cisco NX-OS device in your network.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: aaa group server radius aaa-private-sg
  Example:
    switch(config)# aaa group server radius aaa-private-sg
    switch(config-radius)#
  Purpose: Specifies the RADIUS server group aaa-private-sg and enters RADIUS server group configuration mode.

Step 3: use-vrf vrf-name
  Example:
    switch(config-radius)# use-vrf MyVRF
  Purpose: Specifies the VRF instance for the AAA server group.

Step 4: exit
  Example:
    switch(config-radius)# exit
    switch(config)#
  Purpose: Exits RADIUS server group configuration mode.

Step 5: show radius-server groups aaa-private-sg
  Example:
    switch(config)# show radius-server groups aaa-private-sg
  Purpose: (Optional) Displays the RADIUS server group configuration for the default server group.

Step 6: copy running-config startup-config
  Example:
    switch(config)# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Configuring AAA on the Cisco TrustSec Cisco NX-OS Devices, on page 135

Configuring Cisco TrustSec Authentication, Authorization, SAP, and Data Path Security

This section provides information about the configuration tasks for Cisco TrustSec authentication, authorization, SAP, and data path security.

Cisco TrustSec Configuration Process for Cisco TrustSec Authentication and Authorization

Follow these steps to configure Cisco TrustSec authentication and authorization:

Procedure

Step 1: Enable the Cisco TrustSec feature.

Step 2: Enable Cisco TrustSec authentication.

Step 3: Enable 802.1X authentication for Cisco TrustSec on the interfaces.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec Authentication, on page 139

Enabling Cisco TrustSec Authentication

You must enable Cisco TrustSec authentication on the interfaces. By default, the data path replay protection feature is enabled and the SAP operating mode is GCM-encrypt.

Caution

For the Cisco TrustSec authentication configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

Note

Enabling 802.1X mode for Cisco TrustSec automatically enables authorization and SAP on the interface.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: interface ethernet slot/port [- port2]
  Example:
    switch(config)# interface ethernet 2/2
    switch(config-if)#
  Purpose: Specifies a single port or a range of ports and enters interface configuration mode.

Step 3: cts dot1x
  Example:
    switch(config-if)# cts dot1x
    switch(config-if-cts-dot1x)#
  Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.

Step 4: no replay-protection
  Example:
    switch(config-if-cts-dot1x)# no replay-protection
  Purpose: (Optional) Disables replay protection. The default is enabled.

Step 5: sap modelist {gcm-encrypt | gmac | no-encap | null}
  Example:
    switch(config-if-cts-dot1x)# sap modelist gcm-encrypt
  Purpose: (Optional) Configures the SAP operation mode on the interface.
    Use the gcm-encrypt keyword for GCM encryption. This option is the default.
    Use the gmac keyword for GCM authentication only.
    Use the no-encap keyword for no encapsulation for SAP and no SGT insertion.
    Use the null keyword for encapsulation without authentication or encryption.

Step 6: exit
  Example:
    switch(config-if-cts-dot1x)# exit
    switch(config-if)#
  Purpose: Exits Cisco TrustSec 802.1X configuration mode.

Step 7: shutdown
  Example:
    switch(config-if)# shutdown
  Purpose: Disables the interface.

Step 8: no shutdown
  Example:
    switch(config-if)# no shutdown
  Purpose: Enables the interface and enables Cisco TrustSec authentication on the interface.

Step 9: exit
  Example:
    switch(config-if)# exit
    switch(config)#
  Purpose: Exits interface configuration mode.

Step 10: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch(config)# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration on the interfaces.

Step 11: copy running-config startup-config
  Example:
    switch(config)# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Configuring Data-Path Replay Protection for Cisco TrustSec on Interfaces

By default, the Cisco NX-OS software enables the data-path replay protection feature. You can disable the data-path replay protection feature on the interfaces for Layer 2 Cisco TrustSec if the connecting device does not support SAP.

Caution

For the data-path replay protection configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

Before You Begin

Ensure that you enabled Cisco TrustSec authentication on the interface.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: interface ethernet slot/port [- port2]
  Example:
    switch(config)# interface ethernet 2/2
    switch(config-if)#
  Purpose: Specifies a single port or a range of ports and enters interface configuration mode.

Step 3: cts dot1x
  Example:
    switch(config-if)# cts dot1x
    switch(config-if-cts-dot1x)#
  Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.

Step 4: no replay-protection
  Example:
    switch(config-if-cts-dot1x)# no replay-protection
  Purpose: Disables data-path replay protection. The default is enabled. Use the replay-protection command to enable data-path replay protection on the interface.

Step 5: exit
  Example:
    switch(config-if-cts-dot1x)# exit
    switch(config-if)#
  Purpose: Exits Cisco TrustSec 802.1X configuration mode.

Step 6: shutdown
  Example:
    switch(config-if)# shutdown
  Purpose: Disables the interface.

Step 7: no shutdown
  Example:
    switch(config-if)# no shutdown
  Purpose: Enables the interface and disables the data-path replay protection feature on the interface.

Step 8: exit
  Example:
    switch(config-if)# exit
    switch(config)#
  Purpose: Exits interface configuration mode.

Step 9: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch(config)# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration on the interface.

Step 10: copy running-config startup-config
  Example:
    switch(config)# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling Cisco TrustSec Authentication, on page 139

Configuring SAP Operation Modes for Cisco TrustSec on Interfaces

You can configure the SAP operation mode on the interfaces for Layer 2 Cisco TrustSec. The default SAP operation mode is GCM-encrypt.

Caution

For the SAP operation mode configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

Before You Begin

Ensure that you enabled Cisco TrustSec authentication on the interface.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: interface ethernet slot/port [- port2]
  Example:
    switch(config)# interface ethernet 2/2
    switch(config-if)#
  Purpose: Specifies a single interface or a range of interfaces and enters interface configuration mode.

Step 3: cts dot1x
  Example:
    switch(config-if)# cts dot1x
    switch(config-if-cts-dot1x)#
  Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.

Step 4: sap modelist [gcm-encrypt | gmac | no-encap | null]
  Example:
    switch(config-if-cts-dot1x)# sap modelist gmac
  Purpose: Configures the SAP authentication mode on the interface.
    Use the gcm-encrypt keyword for GCM encryption. This option is the default.
    Use the gmac keyword for GCM authentication only.
    Use the no-encap keyword for no encapsulation for SAP on the interface and no SGT insertion.
    Use the null keyword for encapsulation without authentication or encryption for SAP on the interface. Only the SGT is encapsulated.

Step 5: exit
  Example:
    switch(config-if-cts-dot1x)# exit
    switch(config-if)#
  Purpose: Exits Cisco TrustSec 802.1X configuration mode.

Step 6: shutdown
  Example:
    switch(config-if)# shutdown
  Purpose: Disables the interface.

Step 7: no shutdown
  Example:
    switch(config-if)# no shutdown
  Purpose: Enables the interface and the SAP operation mode on the interface.

Step 8: exit
  Example:
    switch(config-if)# exit
    switch(config)#
  Purpose: Exits interface configuration mode.

Step 9: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch(config)# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration on the interface.

Step 10: copy running-config startup-config
  Example:
    switch(config)# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling Cisco TrustSec Authentication, on page 139

Configuring SGT Propagation for Cisco TrustSec on Interfaces

The SGT propagation feature on the Layer 2 interface is enabled by default. You can disable the SGT propagation feature on an interface if the peer device connected to the interface cannot handle Cisco TrustSec packets tagged with an SGT.

Caution

For the SGT propagation configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

Before You Begin

Ensure that you enabled Cisco TrustSec authentication on the interface.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: interface ethernet slot/port [- port2]
  Example:
    switch(config)# interface ethernet 2/2
    switch(config-if)#
  Purpose: Specifies a single port or a range of ports and enters interface configuration mode.

Step 3: cts dot1x
  Example:
    switch(config-if)# cts dot1x
    switch(config-if-cts-dot1x)#
  Purpose: Enables 802.1X authentication for Cisco TrustSec and enters Cisco TrustSec 802.1X configuration mode.

Step 4: no propagate-sgt
  Example:
    switch(config-if-cts-dot1x)# no propagate-sgt
  Purpose: Disables SGT propagation. The default is enabled. Use the propagate-sgt command to enable SGT propagation on the interface.

Step 5: exit
  Example:
    switch(config-if-cts-dot1x)# exit
    switch(config-if)#
  Purpose: Exits Cisco TrustSec 802.1X configuration mode.

Step 6: shutdown
  Example:
    switch(config-if)# shutdown
  Purpose: Disables the interface.

Step 7: no shutdown
  Example:
    switch(config-if)# no shutdown
  Purpose: Enables the interface and disables SGT propagation on the interface.

Step 8: exit
  Example:
    switch(config-if)# exit
    switch(config)#
  Purpose: Exits interface configuration mode.

Step 9: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch(config)# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration on the interface.

Step 10: copy running-config startup-config
  Example:
    switch(config)# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling Cisco TrustSec Authentication, on page 139

Regenerating SAP Keys on an Interface

You can trigger an SAP exchange to generate a new set of keys and protect the data traffic flowing on an interface.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1: cts rekey ethernet slot/port
  Example:
    switch# cts rekey ethernet 2/3
  Purpose: Generates the SAP keys for an interface.

Step 2: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration on the interfaces.

Related Topics

Enabling Cisco TrustSec Authentication, on page 139

Configuring Cisco TrustSec Authentication in Manual Mode

You can manually configure Cisco TrustSec on an interface if your Cisco NX-OS device does not have access to a Cisco Secure ACS. You must manually configure the interfaces on both ends of the connection.

Caution

For the Cisco TrustSec manual mode configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: interface interface slot/port
  Example:
    switch(config)# interface ethernet 2/2
    switch(config-if)#
  Purpose: Specifies an interface and enters interface configuration mode.

Step 3: cts manual
  Example:
    switch(config-if)# cts manual
    switch(config-if-cts-manual)#
  Purpose: Enters Cisco TrustSec manual configuration mode.
  Note: You cannot enable Cisco TrustSec on interfaces in half-duplex mode.

Step 4: policy dynamic identity peer-name
  Example:
    switch(config-if-cts-manual)# policy dynamic identity MyDevice2
  Purpose: (Optional) Configures a dynamic authorization policy download. The peer-name argument is the Cisco TrustSec device ID for the peer device. The peer name is case sensitive.
  Note: Ensure that you have configured the Cisco TrustSec credentials and AAA for Cisco TrustSec.
  Note: The policy dynamic and policy static commands are mutually exclusive. Only one can be applied at a time. To change from one to the other, you must use the no form of the command to remove the configuration before configuring the other command.

Step 5: policy static sgt tag [trusted]
  Example:
    switch(config-if-cts-manual)# policy static sgt 0x2
  Purpose: (Optional) Configures a static authorization policy. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef. The trusted keyword indicates that traffic coming on the interface with this SGT should not have its tag overridden.
  Note: The policy dynamic and policy static commands are mutually exclusive. Only one can be applied at a time. To change from one to the other, you must use the no form of the command to remove the configuration before configuring the other command.

Step 6: exit
  Example:
    switch(config-if-cts-manual)# exit
    switch(config-if)#
  Purpose: Exits Cisco TrustSec manual configuration mode.

Step 7: shutdown
  Example:
    switch(config-if)# shutdown
  Purpose: Disables the interface.

Step 8: no shutdown
  Example:
    switch(config-if)# no shutdown
  Purpose: Enables the interface and enables Cisco TrustSec authentication on the interface.

Step 9: exit
  Example:
    switch(config-if)# exit
    switch(config)#
  Purpose: Exits interface configuration mode.

Step 10: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration for the interfaces.

Step 11: copy running-config startup-config
  Example:
    switch# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133
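The manual-mode procedure above states two constraints that are easy to get wrong when stanzas are generated by a template: the static SGT must be a hexadecimal value of the form 0xhhhh in the range 0x2 to 0xffef, and policy dynamic identity and policy static sgt are mutually exclusive. The following Python validator is an added example, not code from the Cisco guide; it checks a list of cts manual sub-mode lines against those constraints. The stanzas and the device name MyDevice2 in the sample data are constructed.

```python
"""
Validator for a Cisco TrustSec 'cts manual' interface stanza.

Added example, not from the Cisco guide. It enforces the two rules the
manual-mode procedure states: a static SGT is hexadecimal 0xhhhh within
0x2..0xffef, and 'policy dynamic identity' and 'policy static sgt' cannot
both be configured on the same interface.
"""
import re

SGT_MIN = 0x2
SGT_MAX = 0xFFEF
SGT_PATTERN = re.compile(r"^0x[0-9a-fA-F]{1,4}$")


def validate_sgt(tag):
    """Return None if tag is a valid manual-mode SGT, otherwise a reason string."""
    if not SGT_PATTERN.match(tag):
        return f"{tag}: SGT must be hexadecimal in the form 0xhhhh"
    value = int(tag, 16)
    if not SGT_MIN <= value <= SGT_MAX:
        return f"{tag}: SGT out of range 0x2-0xffef"
    return None


def validate_manual_stanza(lines):
    """Return a list of problems found in the sub-mode lines of one 'cts manual' stanza."""
    problems = []
    dynamic = [l for l in lines if l.startswith("policy dynamic identity ")]
    static = [l for l in lines if l.startswith("policy static sgt ")]

    # The guide: policy dynamic and policy static are mutually exclusive.
    if dynamic and static:
        problems.append("policy dynamic and policy static are mutually exclusive; "
                        "remove one with the no form before configuring the other")

    for line in static:
        parts = line.split()
        if len(parts) < 4:
            problems.append(f"{line}: missing SGT value")
            continue
        reason = validate_sgt(parts[3])
        if reason:
            problems.append(reason)
        # Only the optional 'trusted' keyword may follow the tag.
        extra = parts[4:]
        if extra and extra != ["trusted"]:
            problems.append(f"{line}: unexpected keywords {' '.join(extra)}")

    for line in dynamic:
        if len(line.split()) != 4:
            problems.append(f"{line}: expected exactly one peer-name")

    return problems


# Constructed sample stanzas (not taken from the guide).
GOOD_STATIC = ["policy static sgt 0x2 trusted"]
GOOD_DYNAMIC = ["policy dynamic identity MyDevice2"]
BAD_RANGE = ["policy static sgt 0xfff0"]
BAD_BOTH = ["policy dynamic identity MyDevice2", "policy static sgt 0x0005"]
BAD_FORMAT = ["policy static sgt 5"]

if __name__ == "__main__":
    samples = {"good static": GOOD_STATIC, "good dynamic": GOOD_DYNAMIC,
               "bad range": BAD_RANGE, "both policies": BAD_BOTH, "bad format": BAD_FORMAT}
    for name, stanza in samples.items():
        print(f"{name}: {validate_manual_stanza(stanza) or 'ok'}")
```

Run this over the stanzas of both ends of a link before the shutdown/no shutdown cycle, since the guide notes that the cycle disrupts traffic and an invalid stanza would force a second cycle.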

Configuring Pause Frame Encryption or Decryption for Cisco TrustSec on Interfaces

Pause frames are MAC control frames used for Ethernet flow control. The ports on some line cards encrypt and decrypt pause frames while the ports on other line cards do not have this ability. This disparity causes interoperability issues and causes the ports to discard or ignore the pause frames.

You can determine if the pause frames are to be encrypted or clear on individual interfaces. You must configure the interfaces on both ends of the connection but can do so using either dot1x or manual mode. If two ports are connected to form a CTS link and one is clear pause capable and the other is secure (encryption or decryption) pause capable, the pause frames must be sent in the clear across the link in order for them to be correctly sent and received.

Note

Beginning with Cisco NX-OS Release 6.2.2, all F Series and M1 Series modules support both secure (encrypted and decrypted) and clear pause frames. In prior releases, F1 Series modules, F2 Series modules, F2e Series modules, and the N7K-M132XP-12(L) module support only clear pause frames.

Note

You cannot enable Cisco TrustSec on interfaces in half-duplex mode. Use the show interface command to determine if an interface is configured for half-duplex mode.

Caution

For the pause frame encryption or decryption configuration to take effect, you must enable and disable the interface, which disrupts traffic on the interface.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you have enabled flow control on the interface using the flowcontrol {send | receive} command.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: interface ethernet slot/port
  Example:
    switch(config)# interface ethernet 2/2
    switch(config-if)#
  Purpose: Specifies an interface and enters interface configuration mode.

Step 3: cts dot1x or cts manual
  Example:
    switch(config-if)# cts dot1x
    switch(config-if-cts-dot1x)#
  Purpose: Enters Cisco TrustSec dot1x or manual configuration mode.
  Note: You cannot enable Cisco TrustSec on interfaces in half-duplex mode.

Step 4: [no] encrypt pause-frame
  Example:
    switch(config-if-cts-dot1x)# no encrypt pause-frame
  Purpose: Configures pause frame encryption or decryption for Cisco TrustSec on the interface. When no encrypt pause-frame is configured, the pause frames are sent in the clear. When encrypt pause-frame is configured, pause frames are sent encrypted over the CTS link.

Step 5: exit
  Example:
    switch(config-if-cts-dot1x)# exit
    switch(config-if)#
  Purpose: Exits Cisco TrustSec dot1x or manual configuration mode.

Step 6: shutdown
  Example:
    switch(config-if)# shutdown
  Purpose: Disables the interface.

Step 7: no shutdown
  Example:
    switch(config-if)# no shutdown
  Purpose: Enables the interface and enables pause frame encryption or decryption for Cisco TrustSec on the interface.

Step 8: exit
  Example:
    switch(config-if)# exit
    switch(config)#
  Purpose: Exits interface configuration mode.

Step 9: show cts interface {all | brief | ethernet slot/port}
  Example:
    switch# show cts interface all
  Purpose: (Optional) Displays the Cisco TrustSec configuration for the interfaces.

Step 10: copy running-config startup-config
  Example:
    switch# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Configuring SGACL Policies

This section provides information about the configuration tasks for SGACL policies.

SGACL Policy Configuration Process

Follow these steps to configure Cisco TrustSec SGACL policies:

Procedure

Step 1: For Layer 2 interfaces, enable SGACL policy enforcement for the VLANs with Cisco TrustSec-enabled interfaces.

Step 2: If you are not using AAA on a Cisco Secure ACS to download the SGACL policy configuration, manually configure the SGACL mapping and policies.

Enabling SGACL Policy Enforcement on VLANs

If you use SGACLs, you must enable SGACL policy enforcement in the VLANs that have Cisco TrustSec-enabled Layer 2 interfaces.

Note

This operation cannot be performed on FCoE VLANs.

Before You Begin

• Ensure that you enabled Cisco TrustSec.

• Ensure that you enabled SGACL batch programming.

Procedure

Step 1: configure terminal
  Example:
    switch# configure terminal
    switch(config)#
  Purpose: Enters global configuration mode.

Step 2: vlan vlan-id
  Example:
    switch(config)# vlan 10
    switch(config-vlan)#
  Purpose: Specifies a VLAN and enters VLAN configuration mode.

Step 3: cts role-based enforcement
  Example:
    switch(config-vlan)# cts role-based enforcement
  Purpose: Enables Cisco TrustSec SGACL policy enforcement on the VLAN.
  Note: If you enable cts role-based enforcement on a VLAN with no other configuration on its ports, the traffic traversing those ports is subject to the (0,0) SGACL. You can either configure this SGACL statically or download it from Cisco ISE.

Step 4: exit
  Example:
    switch(config-vlan)# exit
    switch(config)#
  Purpose: Saves the VLAN configuration and exits VLAN configuration mode.

Step 5: show cts role-based enable
  Example:
    switch(config)# show cts role-based enable
  Purpose: (Optional) Displays the Cisco TrustSec SGACL enforcement configuration.

Step 6: copy running-config startup-config
  Example:
    switch(config)# copy running-config startup-config
  Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling SGACL Policy Enforcement on VRF Instances

If you use SGACLs, you must enable SGACL policy enforcement in the VRF instances that have Cisco TrustSec-enabled Layer 3 interfaces.

Note

You cannot enable SGACL policy enforcement on the management VRF instance.

Before You Begin

• Ensure that you enabled Cisco TrustSec.

• Ensure that you enabled SGACL batch programming.

• Ensure that you enabled dynamic Address Resolution Protocol (ARP) inspection or Dynamic Host Configuration Protocol (DHCP) snooping.

Procedure

Step 1

Command or Action configure terminal

Example:

switch# configure terminal switch(config)#

Purpose

Enters global configuration mode.


Step 2: vrf context vrf-name
Purpose: Specifies a VRF instance and enters VRF configuration mode.
Example:
switch(config)# vrf context MyVrf
switch(config-vrf)#

Step 3: cts role-based enforcement
Purpose: Enables Cisco TrustSec SGACL policy enforcement on the VRF instance.
Example:
switch(config-vrf)# cts role-based enforcement

Step 4: exit
Purpose: Exits VRF configuration mode.
Example:
switch(config-vrf)# exit
switch(config)#

Step 5 (Optional): show cts role-based enable
Purpose: Displays the Cisco TrustSec SGACL enforcement configuration.
Example:
switch(config)# show cts role-based enable

Step 6 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Manually Configuring Cisco TrustSec SGTs

You can manually configure unique Cisco TrustSec security group tags (SGTs) for the packets originating from this device.

Before You Begin

Ensure that you have enabled Cisco TrustSec.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#


Step 2: cts sgt tag
Purpose: Configures the SGT for packets sent from the device. The tag argument is a hexadecimal value in the format 0xhhhh. The range is from 0x2 to 0xffef.
Example:
switch(config)# cts sgt 0x00a2

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts environment-data
Purpose: Displays the Cisco TrustSec environment data information.
Example:
switch# show cts environment-data

Step 5 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN

You can manually configure an IPv4 address to SGACL SGT mapping on a VLAN so that the policies for that SGT are downloaded from the Secure ACS server, or if you are using SXP mode, the SGT mapping is relayed to the listener.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you enabled SGACL policy enforcement on the VLAN.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#


Step 2: vlan vlan-id
Purpose: Specifies a VLAN and enters VLAN configuration mode.
Example:
switch(config)# vlan 10
switch(config-vlan)#

Step 3: cts role-based sgt-map ipv4-address tag
Purpose: Configures SGT mapping for the SGACL policies for the VLAN.
Example:
switch(config-vlan)# cts role-based sgt-map 10.10.1.1 100

Step 4: exit
Purpose: Saves the VLAN configuration and exits VLAN configuration mode.
Example:
switch(config-vlan)# exit
switch(config)#

Step 5 (Optional): show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]
Purpose: Displays the Cisco TrustSec SGACL SGT mapping configuration.
Example:
switch(config)# show cts role-based sgt-map

Step 6 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling SGACL Policy Enforcement on VLANs, on page 151

Enabling SGACL Policy Enforcement on VRF Instances, on page 152

Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VRF Instance

You can manually configure IPv4-address-to-SGACL SGT mapping on a VRF instance if a Cisco Secure ACS is not available to download the SGACL policy configuration. The IPv4-SGT mapping for a VRF is useful for the SXP speaker.

Note

The cts role-based enforcement command is not supported on VRF.

Before You Begin

Ensure that you enabled Cisco TrustSec.


Ensure that the Layer-3 module is enabled.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: vrf context vrf-name
Purpose: Specifies a VRF instance and enters VRF configuration mode.
Example:
switch(config)# vrf context accounting
switch(config-vrf)#

Step 3: cts role-based sgt-map ipv4-address tag
Purpose: Configures SGT mapping for the SGACL policies for the VLAN.
Example:
switch(config-vrf)# cts role-based sgt-map 10.10.1.1 100

Step 4: exit
Purpose: Exits VRF configuration mode.
Example:
switch(config-vrf)# exit
switch(config)#

Step 5 (Optional): show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]
Purpose: Displays the Cisco TrustSec SGACL SGT mapping configuration.
Example:
switch(config)# show cts role-based sgt-map

Step 6 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Manually Configuring SGACL Policies

You can manually configure SGACL policies on your Cisco NX-OS device if a Cisco Secure ACS is not available to download the SGACL policy configuration. You can also enable role-based access control list (RBACL) logging, which allows users to monitor specific types of packets exiting the Cisco NX-OS device.

Before You Begin

Ensure that you have enabled Cisco TrustSec.

For Cisco TrustSec logging to function, you must enable Cisco TrustSec counters or statistics.

Ensure that you have enabled SGACL policy enforcement on the VLAN.


If you plan to enable RBACL logging, ensure that you have enabled RBACL policy enforcement on the VLAN.

If you plan to enable RBACL logging, ensure that you have set the logging level of CTS manager syslogs to 6 or less.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts role-based access-list list-name
Purpose: Specifies an SGACL and enters role-based access list configuration mode. The list-name argument value is alphanumeric, case sensitive, and has a maximum length of 32 characters.
Example:
switch(config)# cts role-based access-list MySGACL
switch(config-rbacl)#

Step 3 (Optional): {deny | permit} all [log]
Purpose: Denies or permits all traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# deny all log

Step 4 (Optional): {deny | permit} icmp [log]
Purpose: Denies or permits Internet Control Message Protocol (ICMP) traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# permit icmp

Step 5 (Optional): {deny | permit} igmp [log]
Purpose: Denies or permits Internet Group Management Protocol (IGMP) traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# deny igmp

Step 6 (Optional): {deny | permit} ip [log]
Purpose: Denies or permits IP traffic. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# permit ip

Step 7 (Optional): {deny | permit} tcp [{dst | src} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}] [log]
Purpose: Denies or permits TCP traffic. The default permits all TCP traffic. The range for the port-number, port-number1, and port-number2 arguments is from 0 to 65535. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# deny tcp dst eq 100


Step 8: {deny | permit} udp [{dst | src} {{eq | gt | lt | neq} port-number | range port-number1 port-number2}] [log]
Purpose: Denies or permits UDP traffic. The default permits all UDP traffic. The range for the port-number, port-number1, and port-number2 arguments is from 0 to 65535. Optionally, you can use the log keyword to specify that packets matching this configuration be logged.
Example:
switch(config-rbacl)# permit udp src eq 1312

Step 9: exit
Purpose: Exits role-based access-list configuration mode.
Example:
switch(config-rbacl)# exit
switch(config)#

Step 10: cts role-based sgt {sgt-value | any | unknown} dgt {dgt-value | any | unknown} access-list list-name
Purpose: Maps the SGT values to the SGACL. The sgt-value and dgt-value argument values range from 0 to 65519.
Note
You must create the SGACL before you can map SGTs to it.
Example:
switch(config)# cts role-based sgt 3 dgt 10 access-list MySGACL

Step 11 (Optional): show cts role-based access-list
Purpose: Displays the Cisco TrustSec SGACL configuration.
Example:
switch(config)# show cts role-based access-list

Step 12 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling SGACL Policy Enforcement on VLANs, on page 151

Enabling SGACL Policy Enforcement on VRF Instances, on page 152
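As an added example that is not from the Cisco guide, the following Python models the SGACL syntax of Steps 3 to 10 above: it parses ACEs, validates the port and tag ranges the table gives, maps (sgt, dgt) pairs to an SGACL including the any and unknown keywords, and reports which ACE a flow hits and whether it would be logged. The first-match order, the precedence of exact tags over unknown/any, and unknown meaning tag 0 are modeling assumptions, not documented NX-OS behaviour.

```python
"""Model of how the SGACL syntax in this procedure is evaluated (illustrative code, not
NX-OS software). Assumptions not stated by the guide: ACEs are checked in order and the
first match decides; bindings with exact tags are consulted before 'unknown'/'any' ones;
'unknown' matches tag 0 (cf. the (0,0) SGACL note); no match at all returns None."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PROTOCOLS = ("all", "icmp", "igmp", "ip", "tcp", "udp")
PORT_OPS = ("eq", "gt", "lt", "neq", "range")
TAG_MAX = 65519                       # sgt-value / dgt-value upper bound given in Step 10

@dataclass
class Ace:
    action: str                       # "permit" or "deny"
    proto: str
    direction: Optional[str] = None   # "src" or "dst" (tcp/udp only)
    op: Optional[str] = None
    ports: Tuple[int, ...] = ()
    log: bool = False

    def matches(self, proto: str, src_port: Optional[int], dst_port: Optional[int]) -> bool:
        if self.proto == "all":
            return True
        if self.proto == "ip":
            return proto in ("icmp", "igmp", "tcp", "udp")
        if self.proto != proto:
            return False
        if self.op is None:           # plain "permit tcp": every TCP packet
            return True
        port = src_port if self.direction == "src" else dst_port
        if port is None:
            return False
        if self.op == "range":
            return self.ports[0] <= port <= self.ports[1]
        p = self.ports[0]
        return {"eq": port == p, "neq": port != p, "gt": port > p, "lt": port < p}[self.op]

def parse_ace(line: str) -> Ace:
    """Parse one ACE in the {deny | permit} <proto> [src|dst <op> ports] [log] form of Steps 3-8."""
    t = line.split()
    if len(t) < 2 or t[0] not in ("permit", "deny") or t[1] not in PROTOCOLS:
        raise ValueError(f"malformed ACE: {line!r}")
    ace, rest = Ace(action=t[0], proto=t[1]), t[2:]
    if rest and rest[-1] == "log":
        ace.log, rest = True, rest[:-1]
    if rest:                          # port qualifier, allowed for tcp/udp only
        if ace.proto not in ("tcp", "udp") or len(rest) < 3 or rest[0] not in ("src", "dst") \
                or rest[1] not in PORT_OPS:
            raise ValueError(f"bad port qualifier: {line!r}")
        ports = tuple(int(p) for p in rest[2:])
        if len(ports) != (2 if rest[1] == "range" else 1) or not all(0 <= p <= 65535 for p in ports):
            raise ValueError(f"bad port list: {line!r}")
        ace.direction, ace.op, ace.ports = rest[0], rest[1], ports
    return ace

def parse_sgacl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def tag_match(spec: str, value: int) -> bool:
    if spec == "any":
        return True
    if spec == "unknown":
        return value == 0             # assumption: the 'unknown' tag is 0
    return int(spec) == value

@dataclass
class Policy:
    sgacls: Dict[str, List[Ace]] = field(default_factory=dict)
    bindings: List[Tuple[str, str, str]] = field(default_factory=list)   # (sgt, dgt, list-name)

    def bind(self, sgt: str, dgt: str, list_name: str) -> None:
        """cts role-based sgt <sgt> dgt <dgt> access-list <list-name> (Step 10)."""
        if list_name not in self.sgacls:  # the SGACL must exist before SGTs are mapped to it
            raise KeyError(f"SGACL {list_name!r} does not exist")
        for tag in (sgt, dgt):
            if tag not in ("any", "unknown") and not 0 <= int(tag) <= TAG_MAX:
                raise ValueError(f"tag {tag} outside 0-{TAG_MAX}")
        self.bindings.append((sgt, dgt, list_name))

    def evaluate(self, sgt: int, dgt: int, proto: str, src_port: Optional[int] = None,
                 dst_port: Optional[int] = None) -> Tuple[Optional[str], bool]:
        """(action, log) of the first ACE hit, trying the most specific matching binding first."""
        rank = lambda spec: {"any": 0, "unknown": 1}.get(spec, 2)
        for s, d, name in sorted(self.bindings, key=lambda b: -(rank(b[0]) + rank(b[1]))):
            if tag_match(s, sgt) and tag_match(d, dgt):
                for ace in self.sgacls[name]:
                    if ace.matches(proto, src_port, dst_port):
                        return ace.action, ace.log
        return None, False

def build_demo_policy() -> Policy:
    # Constructed sample: the MySGACL ACEs from this procedure plus a (0,0) catch-all.
    p = Policy()
    p.sgacls["MySGACL"] = parse_sgacl(
        "deny tcp dst eq 100 log\npermit udp src eq 1312\npermit icmp\ndeny igmp\npermit ip")
    p.sgacls["UntaggedDeny"] = parse_sgacl("deny all log")
    p.bind("3", "10", "MySGACL")
    p.bind("unknown", "unknown", "UntaggedDeny")
    return p
```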

Displaying the Downloaded SGACL Policies

After you configure the Cisco TrustSec device credentials and AAA, you can verify the Cisco TrustSec SGACL policies downloaded from the Cisco Secure ACS. The Cisco NX-OS software downloads the SGACL policies when it learns of a new SGT through authentication and authorization on an interface or from manual IPv4 address to SGACL SGT mapping.

Before You Begin

Ensure that you enabled Cisco TrustSec.


Procedure

Step 1: show cts role-based access-list
Purpose: Displays Cisco TrustSec SGACLs, both downloaded from the Cisco Secure ACS and manually configured on the Cisco NX-OS device.
Example:
switch# show cts role-based access-list

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Refreshing the Downloaded SGACL Policies

You can refresh the SGACL policies downloaded to the Cisco NX-OS device by the Cisco Secure ACS.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1: cts refresh role-based-policy
Purpose: Refreshes the Cisco TrustSec SGACL policies from the Cisco Secure ACS.
Example:
switch# cts refresh role-based-policy

Step 2 (Optional): show cts role-based policy
Purpose: Displays the Cisco TrustSec SGACL policies.
Example:
switch# show cts role-based policy

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Statistics for RBACL

You can request a count of the number of packets that match role-based access control list (RBACL) policies. These statistics are collected per ACE.

Note

RBACL statistics are lost only when the Cisco NX-OS device reloads or you deliberately clear the statistics.


Before You Begin

Ensure that you have enabled Cisco TrustSec.

If you plan to enable RBACL statistics, ensure that you have enabled RBACL policy enforcement on the VLAN.

When you enable RBACL statistics, each policy requires one entry in the hardware. If you do not have enough space remaining in the hardware, an error message appears, and you are unable to enable the statistics.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] cts role-based counters enable
Purpose: Enables or disables RBACL statistics. The default is disabled.
Example:
switch(config)# cts role-based counters enable

Step 3 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Step 4: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 5 (Optional): show cts role-based counters
Purpose: Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.
Example:
switch# show cts role-based counters

Step 6 (Optional): clear cts role-based counters
Purpose: Clears the RBACL statistics so that all counters are reset to 0.
Example:
switch# clear cts role-based counters

Clearing Cisco TrustSec SGACL Policies

You can clear the Cisco TrustSec SGACL policies.


Note

Clearing policies does not take effect immediately; it requires a flap to occur. In addition, the way policies are cleared depends on whether the SGT is static or dynamic. For a static SGT, the SGT is reset to 0 after the flap occurs. For a dynamic SGT, the SGT is downloaded again from the RADIUS server after the flap occurs.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1 (Optional): show cts role-based policy
Purpose: Displays the Cisco TrustSec RBACL policy configuration.

Step 2: clear cts policy {all | peer device-name | sgt sgt-value}
Purpose: Clears the policies for Cisco TrustSec connection information.
Example:
switch# clear cts policy all

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Manually Configuring SXP

You can use the SGT Exchange Protocol (SXP) to propagate the SGTs across network devices that do not have hardware support for Cisco TrustSec. This section describes how to configure Cisco TrustSec SXP on Cisco NX-OS devices in your network.

Cisco TrustSec SXP Configuration Process

Follow these steps to manually configure Cisco TrustSec SXP:

Procedure

Step 1: Enable the Cisco TrustSec feature.

Step 2: Enable Cisco TrustSec SXP.

Step 3: Configure SXP peer connections.

Note

You cannot use the management (mgmt 0) connection for SXP.


Related Topics

Enabling SGACL Policy Enforcement on VLANs, on page 151

Enabling SGACL Policy Enforcement on VRF Instances, on page 152

Manually Configuring IPv4-Address-to-SGACL SGT Mapping for a VLAN, on page 154

Manually Configuring SGACL Policies, on page 156

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec SXP, on page 162

Configuring Cisco TrustSec SXP Peer Connections, on page 163

Enabling Cisco TrustSec SXP

You must enable Cisco TrustSec SXP before you can configure peer connections.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sxp enable
Purpose: Enables SXP for Cisco TrustSec.
Example:
switch(config)# cts sxp enable

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts sxp
Purpose: Displays the SXP configuration.
Example:
switch# show cts sxp

Step 5 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config


Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Configuring Cisco TrustSec SXP Peer Connections

You must configure the SXP peer connection on both the speaker and listener devices. When using password protection, make sure to use the same password on both ends.

Note

If the default SXP source IP address is not configured and you do not specify the SXP source address in the connection, the Cisco NX-OS software derives the SXP source IP address from existing local IP addresses. The SXP source address could be different for each TCP connection initiated from the Cisco NX-OS device.

Note

This Cisco Nexus switch supports SXP speaker mode only. Therefore, any SXP peer must be configured as a listener.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you enabled SXP.

Ensure that you enabled RBACL policy enforcement in the VRF instance.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sxp connection peer peer-ipv4-addr [source src-ipv4-addr] password {default | none | required password} mode listener [vrf vrf-name]
Purpose: Configures the SXP address connection.
The source keyword specifies the IPv4 address of the source device. The default source is the IPv4 address you configured using the cts sxp default source-ip command.
The password keyword specifies the password that SXP should use for the connection using the following options:
• Use the default option to use the default SXP password that you configured using the cts sxp default password command.
• Use the none option to not use a password.
• Use the required option to use the password specified in the command.
Example:
switch(config)# cts sxp connection peer 10.10.1.1 source 20.20.1.1 password default mode listener


The speaker and listener keywords specify the role of the remote peer device. Because this Cisco Nexus Series switch can only act as the speaker in the connection, the peer must be configured as the listener.
The vrf keyword specifies the VRF instance to the peer. The default is the default VRF instance.
Note
You cannot use the management (mgmt 0) interface for SXP.

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts sxp connections
Purpose: Displays the SXP connections and their status.
Example:
switch# show cts sxp connections

Step 5 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec SXP, on page 162

Enabling SGACL Policy Enforcement on VRF Instances, on page 152

Configuring the Default SXP Password

By default, SXP uses no password when setting up connections. You can configure a default SXP password for the Cisco NX-OS device.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you enabled SXP.


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sxp default password password
Purpose: Configures the SXP default password.
Example:
switch(config)# cts sxp default password A2Q3d4F5

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts sxp
Purpose: Displays the SXP configuration.
Example:
switch# show cts sxp

Step 5 (Optional): show running-config cts
Purpose: Displays the SXP configuration in the running configuration.
Example:
switch# show running-config cts

Step 6 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec SXP, on page 162

Configuring the Default SXP Source IPv4 Address

The Cisco NX-OS software uses the default source IPv4 address in all new TCP connections where a source IPv4 address is not specified. When you change the default source IP address, the existing SXP connections are reset and the IP-SGT bindings learned over SXP are cleared. The SXP connections for which a source IP address has been configured continue to use the same IP address when they come back up.

The SXP connections for which a source IP address has not been configured use the default IP address as the source IP address. Note that for such connections, correct destination IP address configuration on the peer and reachability to the default source IP address are required before the connections can become operational. It is recommended to ensure that these conditions are met for existing operational connections before configuring the default source IP address on a device.

Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you enabled SXP.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sxp default source-ip src-ip-addr
Purpose: Configures the SXP default source IPv4 address.
Example:
switch(config)# cts sxp default source-ip 10.10.3.3

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts sxp
Purpose: Displays the SXP configuration.
Example:
switch# show cts sxp

Step 5 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec SXP, on page 162
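The following Python, added here and not part of the Cisco guide, audits the cts sxp lines of a show running-config cts capture against the behaviour described in the three preceding sections (peer connections, default password, default source IPv4 address): it flags peer connections using password none, connections relying on a default password that is not configured, and connections without a source address when no cts sxp default source-ip is set, the case where the software derives the source per connection. The sample configuration is constructed for this example.

```python
"""Audit of the 'cts sxp' lines in a 'show running-config cts' capture (illustrative code,
not NX-OS software). It applies the behaviour described in the three SXP sections above:
speaker-only role, password default/none/required, and the default source-ip rule."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Syntax from Step 2 of "Configuring Cisco TrustSec SXP Peer Connections".
CONN_RE = re.compile(
    r"^cts sxp connection peer (?P<peer>\S+)"
    r"(?: source (?P<source>\S+))?"
    r" password (?P<pw>default|none|required \S+)"
    r" mode (?P<mode>listener|speaker)"
    r"(?: vrf (?P<vrf>\S+))?$"
)


@dataclass
class SxpConnection:
    peer: str
    source: Optional[str]     # None when no 'source' keyword was given
    password: str             # "default", "none" or "required"
    mode: str
    vrf: str


@dataclass
class SxpConfig:
    enabled: bool = False
    default_password: bool = False
    default_source_ip: Optional[str] = None
    connections: List[SxpConnection] = field(default_factory=list)


def parse_cts_config(text: str) -> SxpConfig:
    cfg = SxpConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "cts sxp enable":
            cfg.enabled = True
        elif line.startswith("cts sxp default password "):
            cfg.default_password = True
        elif line.startswith("cts sxp default source-ip "):
            cfg.default_source_ip = line.split()[-1]
        elif line.startswith("cts sxp connection peer "):
            m = CONN_RE.match(line)
            if m is None:
                raise ValueError(f"unrecognised SXP connection line: {line!r}")
            cfg.connections.append(SxpConnection(
                peer=m["peer"], source=m["source"], password=m["pw"].split()[0],
                mode=m["mode"], vrf=m["vrf"] or "default"))
    return cfg


def audit_sxp(cfg: SxpConfig) -> List[str]:
    """Return one finding per weakness; an empty list means nothing to report."""
    findings: List[str] = []
    if cfg.connections and not cfg.enabled:
        findings.append("SXP connections configured but 'cts sxp enable' is missing")
    for c in cfg.connections:
        if c.mode != "listener":        # this switch is speaker-only, so the peer must listen
            findings.append(f"{c.peer}: peer mode must be listener")
        if c.password == "none":
            findings.append(f"{c.peer}: connection is unauthenticated (password none)")
        elif c.password == "default" and not cfg.default_password:
            findings.append(f"{c.peer}: relies on the default password, but none is configured")
        if c.source is None and cfg.default_source_ip is None:
            findings.append(f"{c.peer}: source IP will be derived per connection; "
                            "set 'cts sxp default source-ip' or a 'source' address")
    return findings


# Constructed sample capture; the peers and passwords are invented for this example.
SAMPLE_CONFIG = """\
feature cts
cts sxp enable
cts sxp connection peer 10.20.2.2 password required A2BsxpPW mode listener
cts sxp connection peer 10.30.3.3 password none mode listener
cts sxp connection peer 10.40.4.4 source 10.10.1.1 password default mode listener vrf accounting
"""
```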

Changing the SXP Reconcile Period

After a peer terminates an SXP connection, an internal hold-down timer starts. If the peer reconnects before the internal hold-down timer expires, the SXP reconcile period timer starts. While the SXP reconcile period timer is active, the Cisco NX-OS software retains the SGT mapping entries learned from the previous connection and removes invalid entries. The default value is 120 seconds (2 minutes). Setting the SXP reconcile period to 0 seconds disables the timer and causes all entries from the previous connection to be removed.


Before You Begin

Ensure that you enabled Cisco TrustSec.

Ensure that you enabled SXP.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sxp reconcile-period seconds
Purpose: Changes the SXP reconcile timer period. The default value is 120 seconds (2 minutes). The range is from 0 to 64000.
Example:
switch(config)# cts sxp reconcile-period 180

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts sxp
Purpose: Displays the SXP configuration.
Example:
switch# show cts sxp

Step 5 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec SXP, on page 162

Changing the SXP Retry Period

The SXP retry period determines how often the Cisco NX-OS software retries an SXP connection. When an SXP connection is not successfully set up, the Cisco NX-OS software makes a new attempt to set up the connection after the SXP retry period timer expires. The default value is 60 seconds (1 minute). Setting the SXP retry period to 0 seconds disables the timer and retries are not attempted.

Before You Begin

Ensure that you enabled Cisco TrustSec.


Ensure that you enabled SXP.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: cts sxp retry-period seconds
Purpose: Changes the SXP retry timer period. The default value is 60 seconds (1 minute). The range is from 0 to 64000.
Example:
switch(config)# cts sxp retry-period 120

Step 3: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 4 (Optional): show cts sxp
Purpose: Displays the SXP configuration.
Example:
switch# show cts sxp

Step 5 (Optional): copy running-config startup-config
Purpose: Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Related Topics

Enabling the Cisco TrustSec Feature, on page 133

Enabling Cisco TrustSec SXP, on page 162

Verifying the Cisco TrustSec Configuration

To display Cisco TrustSec configuration information, perform one of the following tasks:

Command: show cts
Purpose: Displays Cisco TrustSec information.

Command: show cts credentials
Purpose: Displays Cisco TrustSec credentials for EAP-FAST.

Command: show cts environment-data
Purpose: Displays Cisco TrustSec environmental data.


Command: show cts interface {all | brief | ethernet slot/port}
Purpose: Displays the Cisco TrustSec configuration for the interfaces.

Command: show cts role-based access-list
Purpose: Displays Cisco TrustSec SGACL information.

Command: show cts pacs
Purpose: Displays Cisco TrustSec authorization information and PACs in the device key store.

Command: show cts role-based counters
Purpose: Displays the configuration status of RBACL statistics and lists statistics for all RBACL policies.

Command: show cts role-based enable
Purpose: Displays Cisco TrustSec SGACL enforcement status.

Command: show cts role-based policy
Purpose: Displays Cisco TrustSec SGACL policy information.

Command: show cts role-based sgt-map [summary | sxp peer peer-ipv4-addr | vlan vlan-id | vrf vrf-name]
Purpose: Displays the Cisco TrustSec SGACL SGT map configuration.
Use the summary keyword to display a summary of the SGT mappings.
Use the sxp peer option to display the SGT map configuration for a specific SXP peer.
Use the vlan option to display the SGT map configuration for a specific VLAN.
Use the vrf option to display the SGT map configuration for a specific VRF.

Command: show cts sxp
Purpose: Displays Cisco TrustSec SXP information.

Command: show running-config cts
Purpose: Displays the Cisco TrustSec information in the running configuration.

Configuration Examples for Cisco TrustSec

This section provides configuration examples for Cisco TrustSec.

Enabling Cisco TrustSec

The following example shows how to enable Cisco TrustSec:

feature dot1x
feature cts
cts device-id device1 password Cisco321


Configuring AAA for Cisco TrustSec on a Cisco NX-OS Device

The following example shows how to configure AAA for Cisco TrustSec on the Cisco NX-OS device:

radius-server host 10.10.1.1 key Cisco123 pac
aaa group server radius Rad1
  server 10.10.1.1
  use-vrf management
aaa authentication cts default group Rad1
aaa authorization cts default group Rad1

Enabling Cisco TrustSec Authentication on an Interface

The following example shows how to enable Cisco TrustSec authentication with a clear text password on an interface:

interface ethernet 2/1
  cts dot1x
  shutdown
  no shutdown

Configuring Cisco TrustSec Authentication in Manual Mode

The following example shows how to configure Cisco TrustSec authentication in manual mode with a static policy on an interface:

interface ethernet 2/1
  cts manual
    policy static sgt 0x20
    no propagate-sgt

The following example shows how to configure Cisco TrustSec authentication in manual mode with a dynamic policy on an interface:

interface ethernet 2/2
  cts manual
    policy dynamic identity device2

Configuring Cisco TrustSec Role-Based Policy Enforcement for the Default VRF Instance

The following example shows how to enable Cisco TrustSec role-based policy enforcement for the default VRF instance:

cts role-based enforcement


Configuring Cisco TrustSec Role-Based Policy Enforcement for a Nondefault VRF

The following example shows how to enable Cisco TrustSec role-based policy enforcement for a nondefault VRF:

vrf context test
  cts role-based enforcement

Configuring Cisco TrustSec Role-Based Policy Enforcement for a VLAN

The following example shows how to enable Cisco TrustSec role-based policy enforcement for a VLAN:

vlan 10
  cts role-based enforcement

Configuring IPv4 Address to SGACL SGT Mapping for the Default VRF Instance

The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for the default VRF instance:

cts role-based sgt-map 10.1.1.1 20

Configuring IPv4 Address to SGACL SGT Mapping for a Nondefault VRF Instance

The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for a nondefault VRF instance:

vrf context test
  cts role-based sgt-map 30.1.1.1 30

Configuring IPv4 Address to SGACL SGT Mapping for a VLAN

The following example shows how to manually configure IPv4 address to SGACL SGT mapping for Cisco TrustSec role-based policies for a VLAN:

vlan 10
  cts role-based sgt-map 20.1.1.1 20


Manually Configuring Cisco TrustSec SGACLs

The following example shows how to manually configure Cisco TrustSec SGACLs:

cts role-based access-list abcd
  permit icmp
cts role-based sgt 10 dgt 20 access-list abcd

The following example shows how to enable RBACL logging:

cts role-based access-list RBACL1
  deny tcp src eq 1111 dest eq 2222 log
cts role-based sgt 10 dgt 20 access-list RBACL1

The above configuration generates the following ACLLOG syslog:

%$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, Threshold exceeded: Hit count in 10s period = 4

Note

The ACLLOG syslog does not contain the destination group tag (DGT) information of the matched RBACL policy.
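Because the ACLLOG syslog omits the DGT, anyone correlating it has to join the ACE text back to the sgt/dgt bindings. The following Python, an added example rather than Cisco's code, parses the syslog line shown above and lists every (sgt, dgt, access-list) binding whose SGACL contains that ACE; the sample policy is constructed so that one SGACL is bound to two DGTs, which shows the ambiguity the note describes.

```python
"""Correlate a CTS_RBACL_STAT_LOG syslog with the configured SGACL bindings (illustrative
code, not NX-OS software). The syslog carries the ACE text and hit count but, as the note
above says, not the DGT, so the ACE has to be joined back to the sgt/dgt bindings."""
import re
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r"%CTS-(?P<sev>\d)-CTS_RBACL_STAT_LOG: CTS ACE (?P<ace>.+?), "
    r"Threshold exceeded: Hit count in (?P<window>\d+)s period = (?P<hits>\d+)"
)

Binding = Tuple[str, str, str]          # (sgt, dgt, access-list name)


def parse_rbacl_log(line: str) -> Optional[dict]:
    """Extract severity, ACE text, window and hit count; None if the line is not this syslog."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"severity": int(m["sev"]), "ace": " ".join(m["ace"].split()),
            "window_s": int(m["window"]), "hits": int(m["hits"])}


def candidate_bindings(ace: str, sgacls: Dict[str, List[str]], bindings: List[Binding]) -> List[Binding]:
    """All bindings whose SGACL contains the logged ACE; more than one means the DGT is ambiguous."""
    return [b for b in bindings if any(" ".join(e.split()) == ace for e in sgacls.get(b[2], []))]


def correlate(line: str, sgacls: Dict[str, List[str]], bindings: List[Binding]) -> Optional[dict]:
    parsed = parse_rbacl_log(line)
    if parsed is not None:
        parsed["candidates"] = candidate_bindings(parsed["ace"], sgacls, bindings)
    return parsed


# Constructed sample policy: the guide's RBACL1 plus one SGACL bound to two DGTs.
SAMPLE_SGACLS = {
    "RBACL1": ["deny tcp src eq 1111 dest eq 2222 log"],
    "abcd": ["permit all log"],
}
SAMPLE_BINDINGS: List[Binding] = [("10", "20", "RBACL1"), ("10", "30", "abcd"), ("40", "30", "abcd")]

# The syslog line quoted in the guide.
SAMPLE_LOG = ("%$ VDC-1 %$ %CTS-6-CTS_RBACL_STAT_LOG: CTS ACE permit all log, "
              "Threshold exceeded: Hit count in 10s period = 4")
```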

The following example shows how to enable and display RBACL statistics:

cts role-based counters enable
show cts role-based counters

RBACL policy counters enabled
Counters last cleared: 06/08/2009 at 01:32:59 PM
rbacl:abc
  deny tcp dest neq 80          [0]
  deny tcp dest range 78 79     [0]
rbacl:def
  deny udp                      [0]
  deny ip                       [0]
  deny igmp                     [0]

Manually Configuring SXP Peer Connections

This figure shows an example of SXP peer connections over the default VRF instance.

Note

Because this Cisco Nexus switch supports only SXP speaker mode, it can only be configured as SwitchA in this example.


Figure 12: Example SXP Peer Connections


The following example shows how to configure the SXP peer connections on SwitchA:

  feature cts
  cts sxp enable
  cts sxp connection peer 10.20.2.2 password required A2BsxpPW mode listener
  cts sxp connection peer 10.30.3.3 password required A2CsxpPW mode listener

The following example shows how to configure the SXP peer connection on SwitchB:

  feature cts
  cts sxp enable
  cts sxp connection peer 10.10.1.1 password required A2BsxpPW mode speaker

The following example shows how to configure the SXP peer connection on SwitchC:

  feature cts
  cts sxp enable
  cts sxp connection peer 10.10.1.1 password required A2CsxpPW mode speaker

Additional References for Cisco TrustSec

This section provides additional information related to implementing Cisco TrustSec.

Related Documentation

Related Topic              Document Title
Cisco NX-OS licensing      Cisco NX-OS Licensing Guide
Command Reference

Feature History for Cisco TrustSec

This table lists the release history for this feature.


Table 12: Feature History for Cisco TrustSec

Feature Name      Releases        Feature Information
Cisco TrustSec    5.1(3)N1(1)     This feature was introduced.


CHAPTER 9

Configuring Access Control Lists

This chapter contains the following sections:

Information About ACLs, page 175

Configuring IP ACLs, page 183

Configuring MAC ACLs, page 191

Example Configuration for MAC ACLs, page 195

Information About VLAN ACLs, page 195

Configuring VACLs, page 196

Configuration Examples for VACL, page 199

Configuring ACLs on Virtual Terminal Lines, page 199

Configuring the ACL Resource Usage Threshold, page 202

Information About ACLs

An access control list (ACL) is an ordered set of rules that you can use to filter traffic. Each rule specifies a set of conditions that a packet must satisfy to match the rule. When the switch determines that an ACL applies to a packet, it tests the packet against the conditions of all rules. The first match determines whether the packet is permitted or denied. If there is no match, the switch applies the applicable default rule. The switch continues processing packets that are permitted and drops packets that are denied.

You can use ACLs to protect networks and specific hosts from unnecessary or unwanted traffic. For example, you could use ACLs to disallow HTTP traffic from a high-security network to the Internet. You could also use ACLs to allow HTTP traffic but only to specific sites, using the IP address of the site to identify it in an IP ACL.

IP ACL Types and Applications

The Cisco Nexus device supports IPv4, IPv6, and MAC ACLs for security traffic filtering. The switch allows you to use IP access control lists (ACLs) as port ACLs, VLAN ACLs, and Router ACLs as shown in the following table.


Table 13: Security ACL Applications

Application: Port ACL
Supported Interfaces: An ACL is considered a port ACL when you apply it to one of the following:
• Ethernet interface
• Ethernet port-channel interface
When a port ACL is applied to a trunk port, the ACL filters traffic on all VLANs on the trunk port.
Types of ACLs Supported: IPv4 ACLs, IPv6 ACLs, MAC ACLs

Application: Router ACL
Supported Interfaces:
• VLAN interfaces
  Note: You must enable VLAN interfaces globally before you can configure a VLAN interface.
• Physical Layer 3 interfaces
• Layer 3 Ethernet subinterfaces
• Layer 3 Ethernet port-channel interfaces
• Layer 3 Ethernet port-channel subinterfaces
• Tunnels
• Management interfaces
Types of ACLs Supported: IPv4 ACLs, IPv6 ACLs

Application: VLAN ACL (VACL)
Supported Interfaces: An ACL is a VACL when you use an access map to associate the ACL with an action and then apply the map to a VLAN.
Types of ACLs Supported: IPv4 ACLs, MAC ACLs

Application: VTY ACL
Supported Interfaces: VTYs
Types of ACLs Supported: IPv4 ACLs, IPv6 ACLs

Application Order

When the device processes a packet, it determines the forwarding path of the packet. The path determines which ACLs the device applies to the traffic. The device applies the ACLs in the following order:

1. Port ACL

2. Ingress VACL

3. Ingress Router ACL

4. Egress Router ACL

5. Egress VACL


Rules

You can create rules in access-list configuration mode by using the permit or deny command. The switch allows traffic that matches the criteria in a permit rule and blocks traffic that matches the criteria in a deny rule. You have many options for configuring the criteria that traffic must meet in order to match the rule.

Source and Destination

In each rule, you specify the source and the destination of the traffic that matches the rule. You can specify both the source and destination as a specific host, a network or group of hosts, or any host.

Protocols

IPv4, IPv6, and MAC ACLs allow you to identify traffic by protocol. For your convenience, you can specify some protocols by name. For example, in an IPv4 ACL, you can specify ICMP by name.

You can specify any protocol by the integer that represents the Internet protocol number. For example, you can use 115 to specify Layer 2 Tunneling Protocol (L2TP) traffic.

Implicit Rules

IP and MAC ACLs have implicit rules, which means that although these rules do not appear in the running configuration, the switch applies them to traffic when no other rules in an ACL match.

All IPv4 ACLs include the following implicit rule:

  deny ip any any

This implicit rule ensures that the switch denies unmatched IP traffic.

All IPv6 ACLs include the following implicit rule:

  deny ipv6 any any

Additional Filtering Options

You can identify traffic by using additional options. IPv4 ACLs support the following additional filtering options:

• Layer 4 protocol

• TCP and UDP ports

• ICMP types and codes

• IGMP types

• Precedence level

• Differentiated Services Code Point (DSCP) value

• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set

• Established TCP connections


IPv6 ACLs support the following additional filtering options:

• Layer 4 protocol

• Authentication Header Protocol

• Encapsulating Security Payload

• Payload Compression Protocol

• Stream Control Transmission Protocol (SCTP)

• SCTP, TCP, and UDP ports

• ICMP types and codes

• IGMP types

• Flow label

• DSCP value

• TCP packets with the ACK, FIN, PSH, RST, SYN, or URG bit set

• Established TCP connections

• Packet length

MAC ACLs support the following additional filtering options:

• Layer 3 protocol

• VLAN ID

• Class of Service (CoS)

Sequence Numbers

The Cisco Nexus device supports sequence numbers for rules. Every rule that you enter receives a sequence number, either assigned by you or assigned automatically by the device. Sequence numbers simplify the following ACL tasks:

• Adding new rules between existing rules—By specifying the sequence number, you specify where in the ACL a new rule should be positioned. For example, if you need to insert a rule between rules numbered 100 and 110, you could assign a sequence number of 105 to the new rule.

• Removing a rule—Without using a sequence number, removing a rule requires that you enter the whole rule, as follows:

  switch(config-acl)# no permit tcp 10.0.0.0/8 any

However, if the same rule had a sequence number of 101, removing the rule requires only the following command:

  switch(config-acl)# no 101

• Moving a rule—With sequence numbers, if you need to move a rule to a different position within an ACL, you can add a second instance of the rule using the sequence number that positions it correctly, and then you can remove the original instance of the rule. This action allows you to move the rule without disrupting traffic.


If you enter a rule without a sequence number, the device adds the rule to the end of the ACL and assigns a sequence number that is 10 greater than the sequence number of the preceding rule to the rule. For example, if the last rule in an ACL has a sequence number of 225 and you add a rule without a sequence number, the device assigns the sequence number 235 to the new rule.

In addition, the device allows you to reassign sequence numbers to rules in an ACL. Resequencing is useful when an ACL has rules numbered contiguously, such as 100 and 101, and you need to insert one or more rules between those rules.
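The rule semantics described in this section (first match wins, the implicit deny ip any any, automatic and explicit sequence numbers, removal with no sequence-number, and resequencing) modelled in Python. This is an added example, not Cisco code or device output; the only detail it assumes beyond the text is that the first automatically assigned sequence number is 10.

```python
"""Model of the NX-OS IP ACL rule semantics described in this chapter.

Added example, not Cisco code. It reproduces the documented behaviour:
first match wins, an implicit `deny ip any any` ends every IPv4 ACL,
a rule entered without a sequence number gets the preceding number + 10,
`no <sequence-number>` removes a rule, `resequence` renumbers all rules,
and per-rule statistics are kept for explicit rules only, never the implicit one.
Assumption (not stated in the guide): the first automatic sequence number is 10.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    seq: int
    action: str         # "permit" or "deny"
    protocol: str       # "ip" matches any IPv4 protocol; otherwise exact name
    source: str         # "any", "host A.B.C.D" or "A.B.C.D/len"
    destination: str
    hits: int = 0       # packet matches, maintained only when statistics is on

    def matches(self, protocol: str, src: str, dst: str) -> bool:
        proto_ok = self.protocol == "ip" or self.protocol == protocol
        return (proto_ok
                and _addr_matches(self.source, src)
                and _addr_matches(self.destination, dst))


def _addr_matches(spec: str, addr: str) -> bool:
    """Match one IPv4 address against an ACL source/destination specifier."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec.split()[1])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


class IpAccessList:
    """An ordered IPv4 ACL with NX-OS style sequence numbers."""

    def __init__(self, name: str, statistics: bool = False):
        self.name = name
        self.statistics = statistics   # the `statistics` command in the ACL
        self.rules: List[Rule] = []

    def add(self, action: str, protocol: str, source: str,
            destination: str, seq: Optional[int] = None) -> int:
        """`[sequence-number] {permit | deny} protocol source destination`."""
        if seq is None:
            # no number given: append, 10 greater than the preceding rule
            seq = self.rules[-1].seq + 10 if self.rules else 10
        if not 1 <= seq <= 4294967295:
            raise ValueError("sequence number out of range")
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        self.rules.append(Rule(seq, action, protocol, source, destination))
        self.rules.sort(key=lambda r: r.seq)   # position is defined by seq
        return seq

    def remove(self, seq: int) -> bool:
        """`no <sequence-number>`: drop the rule with that number, if present."""
        before = len(self.rules)
        self.rules = [r for r in self.rules if r.seq != seq]
        return len(self.rules) != before

    def resequence(self, start: int, increment: int) -> List[int]:
        """`resequence ip access-list <name> <start> <increment>`."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * increment
        return [r.seq for r in self.rules]

    def evaluate(self, protocol: str, src: str, dst: str) -> Tuple[str, Optional[int]]:
        """First matching rule decides; returns (action, sequence number).

        Unmatched traffic falls through to the implicit `deny ip any any`,
        reported with sequence None because the device keeps no count for it.
        """
        for rule in self.rules:
            if rule.matches(protocol, src, dst):
                if self.statistics:
                    rule.hits += 1
                return rule.action, rule.seq
        return "deny", None


if __name__ == "__main__":
    # the IPv4 ACL from the "Creating an IP ACL" example, statistics enabled
    acl = IpAccessList("acl-01", statistics=True)
    acl.add("permit", "ip", "192.168.2.0/24", "any")          # seq 10
    acl.add("deny", "tcp", "10.0.0.0/8", "any")               # seq 20
    acl.add("permit", "icmp", "any", "any", seq=15)           # between 10 and 20
    for proto, s, d in [("tcp", "192.168.2.7", "10.1.1.1"),
                        ("udp", "10.9.9.9", "8.8.8.8"),       # implicit deny
                        ("tcp", "10.9.9.9", "8.8.8.8")]:
        print(proto, s, "->", d, acl.evaluate(proto, s, d))
    for r in acl.rules:
        print(f"{r.seq} {r.action} {r.protocol} {r.source} {r.destination} [match={r.hits}]")
```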

Logical Operators and Logical Operation Units

IP ACL rules for TCP and UDP traffic can use logical operators to filter traffic based on port numbers.

The Cisco Nexus device stores operator-operand couples in registers called logical operation units (LOUs) to perform operations (greater than, less than, not equal to, and range) on the TCP and UDP ports specified in an IP ACL.

Note

The range operator is inclusive of boundary values.

These LOUs minimize the number of ternary content addressable memory (TCAM) entries needed to perform these operations. A maximum of two LOUs are allowed for each feature on an interface. For example, an ingress RACL can use two LOUs, and a QoS feature can use two LOUs. If an ACL feature requires more than two arithmetic operations, the first two operations use LOUs, and the remaining access control entries (ACEs) get expanded.

The following guidelines determine when the device stores operator-operand couples in LOUs:

• If the operator or operand differs from other operator-operand couples that are used in other rules, the couple is stored in an LOU.

For example, the operator-operand couples "gt 10" and "gt 11" would be stored separately in half an LOU each. The couples "gt 10" and "lt 10" would also be stored separately.

• Whether the operator-operand couple is applied to a source port or a destination port in the rule affects LOU usage. Identical couples are stored separately when one of the identical couples is applied to a source port and the other couple is applied to a destination port.

For example, if a rule applies the operator-operand couple "gt 10" to a source port and another rule applies a "gt 10" couple to a destination port, both couples would be stored in half an LOU each, resulting in the use of one whole LOU. Any additional rules using a "gt 10" couple would not result in further LOU usage.

ACL Resource Management

Understanding the ACL capacities when configuring ACLs helps avoid resource contention and exhaustion.

Because the platform enforces several types of ACLs in hardware rather than in software, the switch programs hardware lookup tables and various hardware resources so that when a packet arrives, the switch can perform a hardware table lookup and execute the appropriate action without affecting performance, while the packets are cut-through switched.

For typical configurations, the switch uses one of the following main hardware resources:


• Logical operation units (LOUs): Registers that are used to store Layer 2, Layer 3, and Layer 4 operations information.

• Value, Mask, Result (VMR): Entries in the TCAM that consist of a value pattern, the associated mask value, and a result for lookups returning a hit for the entry.

The switch optimizes the use of these hardware resources for Layer 4 operations (L4Ops). When the L4Ops are exhausted, an ACL that needs to check a particular value using an L4Op can be expanded to use a set of entries in the TCAM instead. The ACL uses the TCAM entries to perform the same filtering that the L4Op would have performed.

If the L4Ops are not exhausted, the switch computes the cost of using each resource. If the cost of using a set of expanded TCAM entries is less than that of using an L4Op, the switch expands the set of TCAM entries to preserve the L4Op for higher priority operations.

Depending on the size of the ACL TCAM and of its various regions, expanded policies might not fit within the available space. For example, after the switch is reloaded, the set of policies that were expanded before might not be expanded again.

To manage this issue, you can configure a threshold value. The threshold value is from 0 to 32 and the default value is 5. When an ACL policy needs an L4Op, the policy is expanded to check whether the number of expanded TCAM entries needed exceeds the threshold value. If the number exceeds the threshold value, the expansion is not used, and the L4Op is used instead. If the number of TCAM entries does not exceed the threshold value (that is, it is less than or equal to the threshold value), the expanded TCAM entries are installed.

Note

If there is an ACL policy that uses both a source L4Op and a destination L4Op, the source L4Op and destination L4Op are expanded individually. The following example shows an ACL policy with source and destination L4Ops:

  permit tcp any gt 546 any range 236 981
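The LOU accounting guidelines and the expansion threshold described above, worked through in Python on the couples this section quotes ("gt 10", "gt 11", "lt 10", and the source and destination L4Ops of the policy in the note). This is an added example, not Cisco code; the prefix (value/mask) decomposition it uses to count expanded TCAM entries is the generic range-expansion technique and is an assumption about how entries are counted, since the guide does not specify the platform's method.

```python
"""Model of the LOU and TCAM-expansion accounting described in this chapter.

Added example, not Cisco code. Rules taken from the guide: every distinct
operator-operand couple takes half an LOU; the same couple on a source port
and on a destination port counts twice; repeats of an identical couple cost
nothing more; a feature gets at most two LOUs (four half-LOU slots) on an
interface; a couple whose expanded TCAM entry count is <= the threshold
(0..32, default 5) is expanded instead of occupying an LOU.
Assumption: the expanded entry count is derived with the generic prefix
(value/mask) decomposition of a port range; the guide does not say how the
platform itself counts entries.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PORT_MAX = 0xFFFF


@dataclass(frozen=True)
class Couple:
    operator: str              # "eq", "neq", "gt", "lt" or "range"
    operands: Tuple[int, ...]  # one port, or (low, high) for "range"
    direction: str             # "src" or "dest" port of the rule


def couple_ranges(c: Couple) -> List[Tuple[int, int]]:
    """Inclusive port ranges matched by a couple (range bounds are inclusive)."""
    if c.operator == "eq":
        return [(c.operands[0], c.operands[0])]
    if c.operator == "gt":
        return [(c.operands[0] + 1, PORT_MAX)]
    if c.operator == "lt":
        return [(0, c.operands[0] - 1)]
    if c.operator == "neq":
        n = c.operands[0]
        return [r for r in ((0, n - 1), (n + 1, PORT_MAX)) if r[0] <= r[1]]
    if c.operator == "range":
        lo, hi = c.operands
        return [(lo, hi)]
    raise ValueError(f"unknown operator {c.operator!r}")


def prefix_entries(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Minimal (value, mask) TCAM entries that cover [lo, hi] on 16-bit ports."""
    entries = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned to its size and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        entries.append((lo, PORT_MAX & ~(size - 1)))
        lo += size
    return entries


def expanded_entry_count(c: Couple) -> int:
    """TCAM entries the couple would need if expanded instead of using an LOU."""
    return sum(len(prefix_entries(lo, hi)) for lo, hi in couple_ranges(c))


def allocate(couples: List[Couple], threshold: int = 5,
             max_lous: int = 2) -> Tuple[List[Couple], Dict[Couple, int]]:
    """Decide, per distinct couple, between an LOU and TCAM expansion.

    Returns (couples placed in LOUs, {expanded couple: entry count}); the
    number of half-LOUs consumed is len(couples placed in LOUs).
    """
    if not 0 <= threshold <= 32:
        raise ValueError("threshold must be between 0 and 32")
    distinct = list(dict.fromkeys(couples))   # identical couples share storage
    slots = max_lous * 2                      # two LOUs = four half-LOU slots
    in_lous: List[Couple] = []
    expanded: Dict[Couple, int] = {}
    for c in distinct:
        n = expanded_entry_count(c)
        if n <= threshold:
            expanded[c] = n          # cheap: preserve the LOU for costlier ops
        elif len(in_lous) < slots:
            in_lous.append(c)
        else:
            expanded[c] = n          # LOUs exhausted: expand regardless of cost
    return in_lous, expanded


if __name__ == "__main__":
    # the policy from the note above: `permit tcp any gt 546 any range 236 981`
    policy = [Couple("gt", (546,), "src"), Couple("range", (236, 981), "dest")]
    for thr in (5, 10):
        lous, exp = allocate(policy, threshold=thr)
        print(f"threshold {thr}: half-LOUs used = {len(lous)}, expanded = "
              + ", ".join(f"{c.operator} {c.operands} -> {n}" for c, n in exp.items()))
```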

Statistics and ACLs

The device can maintain global statistics for each rule that you configure in IPv4, IPv6, and MAC ACLs. If an ACL is applied to multiple interfaces, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that ACL is applied.

Note

The device does not support interface-level ACL statistics.

For each ACL that you configure, you can specify whether the device maintains statistics for that ACL, which allows you to turn ACL statistics on or off as needed to monitor traffic filtered by an ACL or to help troubleshoot the configuration of an ACL.

The device does not maintain statistics for implicit rules in an ACL. For example, the device does not maintain a count of packets that match the implicit deny ip any any rule at the end of all IPv4 ACLs. If you want to maintain statistics for implicit rules, you must explicitly configure the ACL with rules that are identical to the implicit rules.


Licensing Requirements for ACLs

The following table shows the licensing requirements for this feature:

Product        License Requirement
Cisco NX-OS    No license is required to use ACLs.

Prerequisites for ACLs

IP ACLs have the following prerequisites:

• You must be familiar with IP addressing and protocols to configure IP ACLs.

• You must be familiar with the interface types that you want to configure with ACLs.

VACLs have the following prerequisite:

• Ensure that the IP ACL or MAC ACL that you want to use in the VACL exists and is configured to filter traffic in the manner that you need for this application.

Guidelines and Limitations for ACLs

IP ACLs have the following configuration guidelines and limitations:

• We recommend that you perform ACL configuration using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration. This is especially useful for ACLs that include more than about 1000 rules.

• When you apply an ACL that uses time ranges, the device updates the ACL entries whenever a time range referenced in an ACL entry starts or ends. Updates that are initiated by time ranges occur on a best-effort priority. If the device is especially busy when a time range causes an update, the device may delay the update by up to a few seconds.

• To apply an IP ACL to a VLAN interface, you must have enabled VLAN interfaces globally.

MAC ACLs have the following configuration guidelines and limitations:

• MAC ACLs apply to ingress traffic only.

• ACL statistics are not supported if the DHCP snooping feature is enabled.

• To filter Address Resolution Protocol (ARP) traffic using a MAC ACL, filter on EtherType 0x806 (ARP) in the access control entry (ACE).

VACLs have the following configuration guidelines and limitations:

• We recommend that you perform ACL configurations using the Session Manager. This feature allows you to verify ACL configuration and confirm that the resources required by the configuration are available prior to committing them to the running configuration.


• ACL statistics are not supported if the DHCP snooping feature is enabled.

• There is no defined sequence of application to match ACLs under the same sequence number. For a definite sequence of match statements, use different sequence numbers.

• You need to configure the default deny command at the end when you are using different types of ACLs such as MAC, IP, or IPv6. For example:

  switch(config)# ip access-list drop_ip
  switch(config-acl)# deny ip any any
  switch(config)# mac access-list drop_mac
  switch(config-acl)# deny any any
  switch(config)# ipv6 access-list drop_ipv6
  switch(config-acl)# deny ipv6 any any
  switch(config)# vlan access-map abc 10
  <match statements>
  switch(config)# vlan access-map xyz 20
  <match statements>
  .
  .
  .
  switch(config)# vlan access-map gef 100
  switch(config-access-map)# match ip address drop_ip
  switch(config-access-map)# match mac address drop_mac
  switch(config-access-map)# match ipv6 address drop_ipv6

• To permit all traffic while an ACL is being updated, use the hardware access-list update default-result permit command.

• Traffic is first run against the system ACL, which has an implicit permit that punts control traffic to the supervisor, before it is run against user-configured ACLs. Hence, any user-configured ACL designed to deny control traffic is not effective.

• The Cisco Nexus 5600 platform uses a supervisor (SUP) redirect mechanism to process ICMPv6 RA/RS/ND packets. The SUP redirect has higher priority than an ACL deny operation, so these packets cannot be blocked with an ACL deny command.

Default ACL Settings

The following table lists the default settings for IP ACLs parameters.

Table 14: Default IP ACLs Parameters

Parameters    Default
IP ACLs       No IP ACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.

The following table lists the default settings for MAC ACLs parameters.


Table 15: Default MAC ACLs Parameters

Parameters    Default
MAC ACLs      No MAC ACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.

The following table lists the default settings for VACL parameters.

Table 16: Default VACL Parameters

Parameters    Default
VACLs         No IP ACLs exist by default.
ACL rules     Implicit rules apply to all ACLs.

Configuring IP ACLs

Creating an IP ACL

You can create an IPv4 or IPv6 ACL on the switch and add rules to it.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# {ip | ipv6} access-list name

Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

Step 3

switch(config-acl)# [sequence-number] {permit | deny} protocol source destination

Creates a rule in the IP ACL. You can create many rules. The sequence-number argument can be a whole number between 1 and 4294967295.

The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for the specific Cisco Nexus device.

Step 4

(Optional) switch(config-acl)# statistics

Specifies that the switch maintains global statistics for packets that match the rules in the ACL.

Step 5

(Optional) switch# show {ip | ipv6} access-lists name

Displays the IP ACL configuration.

Step 6

(Optional) switch# show ip access-lists name

Displays the IP ACL configuration.


Step 7

(Optional) switch# copy running-config startup-config

Copies the running configuration to the startup configuration.

This example shows how to create an IPv4 ACL:

  switch# configure terminal
  switch(config)# ip access-list acl-01
  switch(config-acl)# permit ip 192.168.2.0/24 any
  switch(config-acl)# statistics

This example shows how to create an IPv6 ACL:

  switch# configure terminal
  switch(config)# ipv6 access-list acl-01-ipv6
  switch(config-ipv6-acl)# permit tcp 2001:0db8:85a3::/48 2001:0db8:be03:2112::/64

Changing an IP ACL

You can add and remove rules in an existing IPv4 or IPv6 ACL. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# {ip | ipv6} access-list name

Enters IP ACL configuration mode for the ACL that you specify by name.

Step 3

switch(config)# ip access-list name

Enters IP ACL configuration mode for the ACL that you specify by name.

Step 4

switch(config-acl)# [sequence-number] {permit | deny} protocol source destination

Creates a rule in the IP ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The sequence-number argument can be a whole number between 1 and 4294967295.

The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for your Cisco Nexus device.

Step 5

(Optional) switch(config-acl)# no {sequence-number | {permit | deny} protocol source destination}

Removes the rule that you specified from the IP ACL.

The permit and deny commands support many ways of identifying traffic. For more information, see the Command Reference for your Cisco Nexus device.

Step 6

(Optional) switch(config-acl)# [no] statistics

Specifies that the switch maintains global statistics for packets that match the rules in the ACL.

The no option stops the switch from maintaining global statistics for the ACL.

Step 7

(Optional) switch# show ip access-lists name

Displays the IP ACL configuration.

Step 8

(Optional) switch# copy running-config startup-config

Copies the running configuration to the startup configuration.

Related Topics

Changing Sequence Numbers in an IP ACL, on page 186

Removing an IP ACL

You can remove an IP ACL from the switch.

Before you remove an IP ACL from the switch, be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# no {ip | ipv6} access-list name

Removes the IP ACL that you specified by name from the running configuration.

Step 3

switch(config)# no ip access-list name

Removes the IP ACL that you specified by name from the running configuration.

Step 4

(Optional) switch# show running-config

Displays the ACL configuration. The removed IP ACL should not appear.

Step 5

(Optional) switch# copy running-config startup-config

Copies the running configuration to the startup configuration.


Changing Sequence Numbers in an IP ACL

You can change all the sequence numbers assigned to the rules in an IP ACL.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# resequence {ip | ipv6} access-list name starting-sequence-number increment

Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify.

The starting-sequence-number argument and the increment argument can be a whole number between 1 and 4294967295.

Step 3

(Optional) switch# show {ip | ipv6} access-lists name

Displays the IP ACL configuration.

Step 4

(Optional) switch# copy running-config startup-config

Copies the running configuration to the startup configuration.

Configuring ACLs with Logging

You can create an access-control list for logging traffic of a specified protocol and address.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# {ip | ipv6} access-list name

Creates the IP ACL and enters IP ACL configuration mode. The name argument can be up to 64 characters.

Step 3

switch(config-acl)# permit protocol source destination log

Creates a rule in the IP ACL that logs traffic of the specified protocol to the syslog file. Valid values for the protocol argument are:

icmp—ICMP

igmp—IGMP

ip—IPv4

ipv6—IPv6

tcp—TCP

udp—UDP

sctp—SCTP (IPv6 only)

The source and destination arguments can be the IP address with a network wildcard (IPv4 only), IP address and variable-length subnet mask, host address, or any to designate any address. For more information, see the System Management configuration guide and the Security command reference for your platform.

Step 4

switch(config-acl)# exit

Exits the current configuration mode.

Step 5

(Optional) switch(config)# copy running-config startup-config

Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

The following example shows how to create an ACL for logging entries that match IPv4 TCP traffic from any source and any destination:

  switch# configure terminal
  switch(config)# ip access-list tcp_log
  switch(config-acl)# permit tcp any any log
  switch(config-acl)# exit
  switch(config)# copy running-config startup-config

Applying an IP ACL to mgmt0

You can apply an IPv4 or IPv6 ACL to the management interface (mgmt0).

Before You Begin

Ensure that the ACL that you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure

Step 1

configure terminal

Example:
switch# configure terminal
switch(config)#

Enters global configuration mode.

Step 2

interface mgmt port

Example:
switch(config)# interface mgmt0
switch(config-if)#

Enters configuration mode for the management interface.

Step 3

ip access-group access-list {in | out}

Example:
switch(config-if)# ip access-group acl-120 out

Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.

Step 4

(Optional) show running-config aclmgr

Example:
switch(config-if)# show running-config aclmgr

Displays the ACL configuration.

Step 5

(Optional) copy running-config startup-config

Example:
switch(config-if)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Related Topics

• Creating an IP ACL

Applying an IP ACL as a Router ACL

You can apply an IPv4 or IPv6 ACL to any of the following types of interfaces:

• Physical Layer 3 interfaces and subinterfaces

• Layer 3 Ethernet port-channel interfaces and subinterfaces

• VLAN interfaces

• Tunnels

• Management interfaces

ACLs applied to these interface types are considered router ACLs.

Before You Begin

Ensure that the ACL you want to apply exists and that it is configured to filter traffic in the manner that you need for this application.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

Enter one of the following commands:

• switch(config)# interface ethernet slot/port[.number]

• switch(config)# interface port-channel channel-number[.number]

• switch(config)# interface tunnel tunnel-number

• switch(config)# interface vlan vlan-ID

• switch(config)# interface mgmt port

Enters configuration mode for the interface type that you specified.

Step 3

Enter one of the following commands:

• switch(config-if)# ip access-group access-list {in | out}

• switch(config-if)# ipv6 traffic-filter access-list {in | out}

Applies an IPv4 or IPv6 ACL to the Layer 3 interface for traffic flowing in the direction specified. You can apply one router ACL per direction.

Step 4

(Optional) switch(config-if)# show running-config aclmgr

Displays the ACL configuration.

Step 5

(Optional) switch(config-if)# copy running-config startup-config

Copies the running configuration to the startup configuration.

Applying an IP ACL as a Port ACL

You can apply an IPv4 or IPv6 ACL to a physical Ethernet interface or a PortChannel. ACLs applied to these interface types are considered port ACLs.

Note

Some configuration parameters, when applied to a PortChannel, are not reflected in the configuration of the member ports.

Procedure

Step 1

switch# configure terminal

Enters global configuration mode.

Step 2

switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}

Enters interface configuration mode for the specified interface.

Step 3

switch(config-if)# {ip port access-group | ipv6 port traffic-filter} access-list in

Applies an IPv4 or IPv6 ACL to the interface or PortChannel. Only inbound filtering is supported with port ACLs. You can apply one port ACL to an interface.

Step 4

(Optional) switch# show running-config

Displays the ACL configuration.

Step 5

(Optional) switch# copy running-config startup-config

Copies the running configuration to the startup configuration.

Verifying IP ACL Configurations

To display IP ACL information, perform one of the following tasks:

Command: show running-config
Purpose: Displays ACL configuration, including IP ACL configuration and the interfaces that IP ACLs are applied to.

Command: show running-config interface
Purpose: Displays the configuration of an interface to which you have applied an ACL.

For detailed information about the fields in the output from these commands, refer to the Command Reference for your Cisco Nexus device.

Monitoring and Clearing IP ACL Statistics

Command or Action: show {ip | ipv6} access-lists name
Purpose: Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists and show ipv6 access-list command output includes the number of packets that have matched each rule.

Command or Action: show ip access-lists name
Purpose: Displays IP ACL configuration. If the IP ACL includes the statistics command, then the show ip access-lists command output includes the number of packets that have matched each rule.

Command or Action: clear {ip | ipv6} access-list counters [access-list-name]
Purpose: Clears statistics for all IP ACLs or for a specific IP ACL.

Command or Action: clear ip access-list counters [access-list-name]
Purpose: Clears statistics for all IP ACLs or for a specific IP ACL.

Configuring MAC ACLs

Creating a MAC ACL

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch# mac access-list name
Purpose: Creates the MAC ACL and enters ACL configuration mode.

Step 3
Command or Action: switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol
Purpose: Creates a rule in the MAC ACL. The permit and deny options support many ways of identifying traffic. For more information, see the Security command reference for your platform.

Step 4
Command or Action: switch(config-mac-acl)# statistics
Purpose: (Optional) Specifies that the switch maintains global statistics for packets matching the rules in the ACL.

Step 5
Command or Action: switch# show mac access-lists name
Purpose: (Optional) Displays the MAC ACL configuration.

Step 6
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to create a MAC ACL and add rules to it:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics

Changing a MAC ACL

In an existing MAC ACL, you can add and remove rules. You cannot change existing rules. Instead, to change a rule, you can remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# mac access-list name
Purpose: Enters ACL configuration mode for the ACL that you specify by name.

Step 3
Command or Action: switch(config-mac-acl)# [sequence-number] {permit | deny} source destination protocol
Purpose: Creates a rule in the MAC ACL. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules. The permit and deny commands support many ways of identifying traffic.

Step 4
Command or Action: switch(config-mac-acl)# no {sequence-number | {permit | deny} source destination protocol}
Purpose: (Optional) Removes the rule that you specify from the MAC ACL. The permit and deny commands support many ways of identifying traffic.

Step 5
Command or Action: switch(config-mac-acl)# [no] statistics
Purpose: (Optional) Specifies that the switch maintains global statistics for packets matching the rules in the ACL. The no option stops the switch from maintaining global statistics for the ACL.

Step 6
Command or Action: switch# show mac access-lists name
Purpose: (Optional) Displays the MAC ACL configuration.

Step 7
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

The following example shows how to change a MAC ACL:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# 100 permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# statistics


Removing a MAC ACL

You can remove a MAC ACL from the switch.

Be sure that you know whether the ACL is applied to an interface. The switch allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of interfaces where you have applied the ACL. Instead, the switch considers the removed ACL to be empty.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# no mac access-list name
Purpose: Removes the MAC ACL that you specify by name from the running configuration.

Step 3
Command or Action: switch# show mac access-lists
Purpose: (Optional) Displays the MAC ACL configuration.

Step 4
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Changing Sequence Numbers in a MAC ACL

You can change all the sequence numbers assigned to rules in a MAC ACL. Resequencing is useful when you need to insert rules into an ACL and there are not enough available sequence numbers.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# resequence mac access-list name starting-sequence-number increment
Purpose: Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference between the numbers is determined by the increment that you specify.

Step 3
Command or Action: switch# show mac access-lists name
Purpose: (Optional) Displays the MAC ACL configuration.

Step 4
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
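As an added illustration of the rule handling described in Creating a MAC ACL, Changing a MAC ACL, and the resequence procedure above, the following Python model (not Cisco code; it runs offline and does not talk to a switch) implements sequence numbering, rule removal, resequencing, and wildcard-mask matching, using the acl-mac-01 rule from the examples. The default increment of 10 for rules added without a sequence number, the implicit deny at the end of the list, and the second rule with the constructed OUI 0000.0c are assumptions of this model.

```python
"""Added example: a model of MAC ACL rule handling (sequence numbers,
wildcard-mask matching, resequencing). Constructed for illustration; it is
not Cisco code and does not talk to a switch."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """Parse a dotted-hex MAC such as 00c0.4f00.0000 into a 48-bit integer."""
    parts = mac.lower().split(".")
    if len(parts) != 3 or any(len(p) != 4 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int("".join(parts), 16)


@dataclass
class MacRule:
    seq: int
    action: str                      # "permit" or "deny"
    src: Optional[Tuple[int, int]]   # (address, wildcard mask); None means "any"
    dst: Optional[Tuple[int, int]]

    @staticmethod
    def _field_matches(spec: Optional[Tuple[int, int]], value: int) -> bool:
        if spec is None:
            return True
        addr, wildcard = spec
        # Wildcard-mask semantics: a 0 bit in the mask must match exactly and a
        # 1 bit is "don't care", so 0000.00ff.ffff pins down only the OUI.
        return (addr & ~wildcard) == (value & ~wildcard)

    def matches(self, src: str, dst: str) -> bool:
        return (self._field_matches(self.src, mac_to_int(src))
                and self._field_matches(self.dst, mac_to_int(dst)))


def parse_rule(seq: int, text: str) -> MacRule:
    """Parse '{permit | deny} source destination [protocol]' as in the procedure."""
    tokens = text.split()
    action = tokens.pop(0)
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    specs = []
    for _ in range(2):                       # source, then destination
        if tokens[0] == "any":
            specs.append(None)
            tokens.pop(0)
        else:
            specs.append((mac_to_int(tokens[0]), mac_to_int(tokens[1])))
            del tokens[:2]
    # Any trailing token is the optional protocol; this model ignores it.
    return MacRule(seq, action, specs[0], specs[1])


class MacAcl:
    """Rules are kept ordered by sequence number. The default increment of 10
    for rules added without a sequence number is an assumption of this model."""

    def __init__(self, name: str, increment: int = 10):
        self.name = name
        self.increment = increment
        self.rules: List[MacRule] = []

    def add(self, text: str, seq: Optional[int] = None) -> int:
        if seq is None:    # no sequence number: the rule goes after the last rule
            seq = (self.rules[-1].seq + self.increment) if self.rules else self.increment
        if any(r.seq == seq for r in self.rules):
            raise ValueError(f"sequence number {seq} already in use")
        self.rules.append(parse_rule(seq, text))
        self.rules.sort(key=lambda r: r.seq)
        return seq

    def remove(self, seq: int) -> None:
        """'no sequence-number': rules cannot be edited, only removed and recreated."""
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start: int, increment: int) -> List[int]:
        """'resequence mac access-list name start increment': renumber in order."""
        for i, rule in enumerate(self.rules):
            rule.seq = start + i * increment
        return [r.seq for r in self.rules]

    def evaluate(self, src: str, dst: str) -> str:
        """First matching rule wins; the list ends with an implicit deny (assumed)."""
        for rule in self.rules:
            if rule.matches(src, dst):
                return rule.action
        return "deny"


if __name__ == "__main__":
    acl = MacAcl("acl-mac-01")
    acl.add("permit 00c0.4f00.0000 0000.00ff.ffff any")       # seq 10
    print(acl.evaluate("00c0.4f12.3456", "ffff.ffff.ffff"))   # permit
    print(acl.evaluate("00c0.4e12.3456", "ffff.ffff.ffff"))   # deny: OUI differs
    acl.add("deny 0000.0c00.0000 0000.00ff.ffff any", seq=5)  # constructed rule ahead of seq 10
    print(acl.resequence(100, 10))                             # [100, 110]
```

The second rule is inserted at sequence 5 because the gap below 10 still has room; once the gaps are exhausted, resequence reopens them, which is the situation the procedure above addresses.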


Related Topics

Rules, on page 177

Applying a MAC ACL as a Port ACL

You can apply a MAC ACL as a port ACL to any of the following interface types:

• Ethernet interfaces

• EtherChannel interfaces

Be sure that the ACL that you want to apply exists and is configured to filter traffic as necessary for this application.

Note

Some configuration parameters when applied to an EtherChannel are not reflected on the configuration of the member ports.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# interface {ethernet [chassis/]slot/port | port-channel channel-number}
Purpose: Enters interface configuration mode for the specified Ethernet interface.

Step 3
Command or Action: switch(config-if)# mac port access-group access-list
Purpose: Applies a MAC ACL to the interface.

Step 4
Command or Action: switch# show running-config
Purpose: (Optional) Displays ACL configuration.

Step 5
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Related Topics

Creating an IP ACL, on page 183

Verifying MAC ACL Configurations

To display MAC ACL information, perform one of the following tasks:

Command: show mac access-lists
Purpose: Displays the MAC ACL configuration.

Command: show running-config
Purpose: Displays ACL configuration, including MAC ACLs and the interfaces that ACLs are applied to.

Command: show running-config interface
Purpose: Displays the configuration of the interface to which you applied the ACL.

Displaying and Clearing MAC ACL Statistics

To display and clear MAC ACL statistics, perform one of the following tasks:

Command: show mac access-lists
Purpose: Displays MAC ACL configuration. If the MAC ACL includes the statistics command, the show mac access-lists command output includes the number of packets that have matched each rule.

Command: clear mac access-list counters
Purpose: Clears statistics for all MAC ACLs or for a specific MAC ACL.

Example Configuration for MAC ACLs

This example shows how to create a MAC ACL named acl-mac-01 and apply it to Ethernet interface 1/1:

switch# configure terminal
switch(config)# mac access-list acl-mac-01
switch(config-mac-acl)# permit 00c0.4f00.0000 0000.00ff.ffff any
switch(config-mac-acl)# exit
switch(config)# interface ethernet 1/1
switch(config-if)# mac access-group acl-mac-01

Information About VLAN ACLs

A VLAN ACL (VACL) is one application of a MAC ACL or an IP ACL. You can configure VACLs to apply to all packets that are bridged within a VLAN. VACLs are used strictly for security packet filtering. VACLs are not defined by direction (ingress or egress).

VACLs and Access Maps

VACLs use access maps to link an IP ACL or a MAC ACL to an action. The switch takes the configured action on packets that are permitted by the VACL.


Starting with the Cisco NX-OS Release 7.2(1)N1(1), you can configure more than one instance of a VLAN access map by assigning a sequence number. In this case, the lower sequence number of a VLAN access map has a higher priority. Additionally, you can specify an ACL for multiple access maps.

VACLs and Actions

In access map configuration mode, you use the action command to specify one of the following actions:

• Forward—Sends the traffic to the destination determined by normal operation of the switch.

• Drop—Drops the traffic.

Statistics

The Cisco Nexus device can maintain global statistics for each rule in a VACL. If a VACL is applied to multiple VLANs, the maintained rule statistics are the sum of packet matches (hits) on all the interfaces on which that VACL is applied.

Note

The Cisco Nexus device does not support interface-level VACL statistics.

For each VLAN access map that you configure, you can specify whether the switch maintains statistics for that VACL. This allows you to turn VACL statistics on or off as needed to monitor traffic filtered by a VACL or to help troubleshoot VLAN access-map configuration.

Configuring VACLs

Creating or Changing a VACL

You can create or change a VACL. Creating a VACL includes creating an access map that associates an IP ACL or MAC ACL with an action to be applied to the matching traffic.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# vlan access-map map-name [sequence-number]
Purpose: Enters access map configuration mode for the access map specified. The sequence-number argument specifies the sequence number of a VLAN access map. The default sequence number is set as 10. If you do not specify the sequence number, the device assigns a sequence number that is 10 greater than the sequence number of the preceding access map instance.

Step 3
Command or Action: switch(config-access-map)# match ip address ip-access-list
Purpose: Specifies an IPv4 or IPv6 ACL for the map.

Step 4
Command or Action: switch(config-access-map)# match mac address mac-access-list
Purpose: Specifies a MAC ACL for the map.

Step 5
Command or Action: switch(config-access-map)# action {drop | forward}
Purpose: Specifies the action that the switch applies to traffic that matches the ACL.

Step 6
Command or Action: switch(config-access-map)# [no] statistics
Purpose: (Optional) Specifies that the switch maintains global statistics for packets matching the rules in the VACL. The no option stops the switch from maintaining global statistics for the VACL.

Step 7
Command or Action: switch(config-access-map)# show running-config
Purpose: (Optional) Displays the ACL configuration.

Step 8
Command or Action: switch(config-access-map)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Removing a VACL

You can remove a VACL, which means that you will delete the VLAN access map.

Be sure that you know whether the VACL is applied to a VLAN. The switch allows you to remove VACLs that are currently applied. Removing a VACL does not affect the configuration of VLANs where you have applied the VACL. Instead, the switch considers the removed VACL to be empty.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# no vlan access-map map-name
Purpose: Removes the VLAN access map configuration for the specified access map.

Step 3
Command or Action: switch(config)# show running-config
Purpose: (Optional) Displays ACL configuration.

Step 4
Command or Action: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.


Applying a VACL to a VLAN

You can apply a VACL to a VLAN.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# [no] vlan filter map-name vlan-list list
Purpose: Applies the VACL to the VLANs in the list that you specified. The no option unapplies the VACL. The vlan-list command can specify a list of up to 32 VLANs, but multiple vlan-list commands can be configured to cover more than 32 VLANs.

Step 3
Command or Action: switch(config)# show running-config
Purpose: (Optional) Displays ACL configuration.

Step 4
Command or Action: switch(config)# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.

Verifying the VACL Configuration

To display VACL configuration information, perform one of the following tasks:

Command: show running-config aclmgr
Purpose: Displays ACL configuration, including VACL-related configuration.

Command: show vlan filter
Purpose: Displays information about VACLs that are applied to a VLAN.

Command: show vlan access-map
Purpose: Displays information about VLAN access maps.

Displaying and Clearing VACL Statistics

To display or clear VACL statistics, perform one of the following tasks:

Command: show vlan access-list
Purpose: Displays VACL configuration. If the VLAN access-map includes the statistics command, then the show vlan access-list command output includes the number of packets that have matched each rule.

Command: clear vlan access-list counters
Purpose: Clears statistics for all VACLs or for a specific VACL.

Configuration Examples for VACL

The following example shows how to configure a VACL to forward traffic permitted by an IP ACL named acl-ip-01 and how to apply the VACL to VLANs 50 through 82:

switch# configure terminal
switch(config)# vlan access-map acl-ip-map
switch(config-access-map)# match ip address acl-ip-01
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch(config)# vlan filter acl-ip-map vlan-list 50-82

Configuring ACLs on Virtual Terminal Lines

To restrict incoming and outgoing connections for IPv4 or IPv6 between a Virtual Terminal (VTY) line and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.

Follow these guidelines when configuring ACLs on VTY lines:

• Set identical restrictions on all VTY lines because a user can connect to any of them.

• Per-entry statistics are not supported for ACLs on VTY lines.

Before You Begin

Be sure that the ACL that you want to apply exists and is configured to filter traffic for this application.

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# line vty
Purpose: Enters line configuration mode.
Example:
switch(config)# line vty
switch(config-line)#

Step 3
Command or Action: switch(config-line)# access-class access-list-number {in | out}
Purpose: Specifies inbound or outbound access restrictions.
Example:
switch(config-line)# access-class ozi2 in
switch(config-line)# access-class ozi3 out
switch(config)#

Step 4
Command or Action: switch(config-line)# no access-class access-list-number {in | out}
Purpose: (Optional) Removes inbound or outbound access restrictions.
Example:
switch(config-line)# no access-class ozi2 in
switch(config-line)# no access-class ozi3 out
switch(config)#

Step 5
Command or Action: switch(config-line)# exit
Purpose: Exits line configuration mode.
Example:
switch(config-line)# exit
switch#

Step 6
Command or Action: switch# show running-config aclmgr
Purpose: (Optional) Displays the running configuration of the ACLs on the switch.
Example:
switch# show running-config aclmgr

Step 7
Command or Action: switch# copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

The following example shows how to apply the access-class ozi2 command to the in direction of the VTY line:

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# line vty
switch(config-line)# access-class ozi2 in
switch(config-line)# exit
switch#

Verifying ACLs on VTY Lines

To display the ACL configurations on VTY lines, perform one of the following tasks:

Command: show running-config aclmgr
Purpose: Displays the running configuration of the ACLs configured on the switch.

Command: show users
Purpose: Displays the users that are connected.

Command: show access-lists access-list-name
Purpose: Displays the per-entry statistics.


Configuration Examples for ACLs on VTY Lines

The following example shows the connected users on the console line (ttyS0) and the VTY lines (pts/0 and pts/1):

switch# show users
NAME     LINE      TIME          IDLE     PID    COMMENT
admin    ttyS0     Aug 27 20:45  .        14425  *
admin    pts/0     Aug 27 20:06  00:46    14176  (172.18.217.82) session=ssh
admin    pts/1     Aug 27 20:52  .        14584  (10.55.144.118)

The following example shows how to allow VTY connections from all IPv4 hosts except 172.18.217.82 and how to deny VTY connections to any IPv4 host except 10.55.144.118, 172.18.217.79, 172.18.217.82, and 172.18.217.92:

• Applying the ipv6 access-list ozi7 command to the in direction of the VTY line denies VTY connections from all IPv6 hosts.

• Applying the ipv6 access-list ozip6 command to the out direction of the VTY line allows VTY connections to all IPv6 hosts.

switch# show running-config aclmgr
!Time: Fri Aug 27 22:01:09 2010
version 5.0(2)N1(1)
ip access-list ozi
  10 deny ip 172.18.217.82/32 any
  20 permit ip any any
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any
  20 permit ip 172.18.217.79/32 any
  30 permit ip 172.18.217.82/32 any
  40 permit ip 172.18.217.92/32 any
ipv6 access-list ozi7
  10 deny tcp any any
ipv6 access-list ozip6
  10 permit tcp any any
line vty
  access-class ozi in
  access-class ozi2 out
  ipv6 access-class ozi7 in
  ipv6 access-class ozip6 out
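The following Python script is an added example, not Cisco code, that audits the show running-config aclmgr output above offline: it parses the access lists and the line vty access-class bindings, then evaluates whether an inbound VTY connection from a given source address is permitted by the access list bound in the in direction. The embedded text is the ACL and line vty output from the example above; the IPv6 test address 2001:db8::1, the first-match evaluation, and the implicit deny at the end of each list are assumptions of this model.

```python
"""Added example: parse 'show running-config aclmgr' text and evaluate inbound
VTY access restrictions. Constructed for illustration; it is not Cisco code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The ACL and line vty portion of the example output above.
SAMPLE_ACLMGR = """\
!Time: Fri Aug 27 22:01:09 2010
version 5.0(2)N1(1)
ip access-list ozi
  10 deny ip 172.18.217.82/32 any
  20 permit ip any any
ip access-list ozi2
  10 permit ip 10.55.144.118/32 any
  20 permit ip 172.18.217.79/32 any
  30 permit ip 172.18.217.82/32 any
  40 permit ip 172.18.217.92/32 any
ipv6 access-list ozi7
  10 deny tcp any any
ipv6 access-list ozip6
  10 permit tcp any any
line vty
  access-class ozi in
  access-class ozi2 out
  ipv6 access-class ozi7 in
  ipv6 access-class ozip6 out
"""


@dataclass
class Rule:
    seq: int
    action: str     # permit | deny
    proto: str      # ip, ipv6, tcp, ...
    src: str        # prefix such as 172.18.217.82/32, or "any"
    dst: str


@dataclass
class AclmgrConfig:
    acls: Dict[str, List[Rule]] = field(default_factory=dict)
    vty: Dict[Tuple[str, str], str] = field(default_factory=dict)   # (family, direction) -> ACL name


def parse_aclmgr(text: str) -> AclmgrConfig:
    cfg = AclmgrConfig()
    section: Optional[str] = None       # current ACL name, or "vty"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("version"):
            continue
        tokens = line.split()
        if tokens[0] in ("ip", "ipv6") and tokens[1] == "access-list":
            section = tokens[2]
            cfg.acls[section] = []
        elif line == "line vty":
            section = "vty"
        elif section == "vty":
            if tokens[0] == "access-class":                  # access-class NAME DIR (IPv4)
                cfg.vty[("ipv4", tokens[2])] = tokens[1]
            elif tokens[0] in ("ip", "ipv6") and tokens[1] == "access-class":
                family = "ipv4" if tokens[0] == "ip" else "ipv6"
                cfg.vty[(family, tokens[3])] = tokens[2]
        elif section is not None and tokens[0].isdigit():    # numbered ACL rule
            seq, action, proto, src, dst = tokens[:5]
            cfg.acls[section].append(Rule(int(seq), action, proto, src, dst))
    return cfg


def src_matches(spec: str, address: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(spec, strict=False)


def vty_inbound_decision(cfg: AclmgrConfig, address: str, proto: str = "tcp") -> str:
    """First matching rule decides; the list ends with an implicit deny. With no
    access-class bound in the in direction, the connection is unrestricted."""
    family = "ipv4" if ipaddress.ip_address(address).version == 4 else "ipv6"
    acl_name = cfg.vty.get((family, "in"))
    if acl_name is None:
        return "permit"
    for rule in sorted(cfg.acls[acl_name], key=lambda r: r.seq):
        if rule.proto in ("ip", "ipv6", proto) and src_matches(rule.src, address):
            return rule.action
    return "deny"


if __name__ == "__main__":
    cfg = parse_aclmgr(SAMPLE_ACLMGR)
    # 2001:db8::1 is a constructed test address, not from the example output.
    for host in ("172.18.217.82", "10.55.144.118", "2001:db8::1"):
        print(host, vty_inbound_decision(cfg, host))
```

Because the switch has a single line vty stanza, the guideline that all VTY lines carry identical restrictions is satisfied by inspecting the four access-class bindings that the parser collects in cfg.vty.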

The following example shows how to configure the IP access list by enabling per-entry statistics for the ACL:

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# ip access-list ozi2
switch(config-acl)# statistics per-entry
switch(config-acl)# deny tcp 172.18.217.83/32 any
switch(config-acl)# exit
switch(config)# ip access-list ozi
switch(config-acl)# statistics per-entry
switch(config-acl)# permit ip 172.18.217.20/24 any
switch(config-acl)# exit
switch#

The following example shows how to apply the ACLs on the VTY line in the in and out directions:

switch(config)# line vty
switch(config-line)# ip access-class ozi in
switch(config-line)# access-class ozi2 out
switch(config-line)# exit
switch#


The following example shows how to remove the access restrictions on the VTY line:

switch# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
switch(config)# line vty
switch(config-line)# no access-class ozi2 in
switch(config-line)# no ip access-class ozi2 in
switch(config-line)# exit
switch#

Configuring the ACL Resource Usage Threshold

You can configure a threshold value for the number of Logical Operation Units (LOUs).

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# hardware access-list lou resource threshold value
Purpose: Configures the threshold value for the number of LOUs.

Step 3
Command or Action: switch(config-if)# copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

The following example shows how to configure the maximum threshold value for LOUs:

switch# configure terminal
switch(config)# hardware access-list lou resource threshold 15


Chapter 10

Configuring Port Security

This chapter includes the following sections:

Information About Port Security, page 203

Licensing Requirements for Port Security, page 208

Prerequisites for Port Security, page 208

Guidelines and Limitations for Port Security, page 209

Guidelines and Limitations for Port Security on vPCs, page 209

Default Settings for Port Security, page 210

Configuring Port Security, page 210

Verifying the Port Security Configuration, page 220

Displaying Secure MAC Addresses, page 220

Configuration Example for Port Security, page 220

Configuration Example of Port Security in a vPC Domain, page 221

Additional References for Port Security, page 221

Information About Port Security

Port security allows you to configure Layer 2 physical interfaces, Layer 2 port-channel interfaces, and virtual port channels (vPCs) to allow inbound traffic from only a restricted set of MAC addresses. The MAC addresses in the restricted set are called secure MAC addresses. In addition, the device does not allow traffic from these MAC addresses on another interface within the same VLAN. The number of MAC addresses that the device can secure is configurable per interface.

Note

Unless otherwise specified, the term interface refers to physical interfaces, port-channel interfaces, and vPCs; likewise, the term Layer 2 interface refers to both Layer 2 physical interfaces and Layer 2 port-channel interfaces.


Secure MAC Address Learning

The process of securing a MAC address is called learning. A MAC address can be a secure MAC address on one interface only. For each interface that you enable port security on, the device can learn a limited number of MAC addresses by the static, dynamic, or sticky methods. The way that the device stores secure MAC addresses varies depending upon how the device learned the secure MAC address.

Note

All learned MAC addresses are synchronized between vPC peers.

Static Method

The static learning method allows you to manually add or remove secure MAC addresses to the running configuration of an interface. If you copy the running configuration to the startup configuration, static secure MAC addresses are unaffected if the device restarts.

A static secure MAC address entry remains in the configuration of an interface until one of the following events occurs:

• You explicitly remove the address from the configuration.

• You configure the interface to act as a Layer 3 interface.

Adding secure addresses by the static method is not affected by whether dynamic or sticky address learning is enabled.

Dynamic Method

By default, when you enable port security on an interface, you enable the dynamic learning method. With this method, the device secures MAC addresses as ingress traffic passes through the interface. If the address is not yet secured and the device has not reached any applicable maximum, it secures the address and allows the traffic.

The device stores dynamic secure MAC addresses in memory. A dynamic secure MAC address entry remains in the configuration of an interface until one of the following events occurs:

• The device restarts.

• The interface restarts.

• The address reaches the age limit that you configured for the interface.

• You explicitly remove the address.

• You configure the interface to act as a Layer 3 interface.

Sticky Method

If you enable the sticky method, the device secures MAC addresses in the same manner as dynamic address learning, but the device stores addresses learned by this method in nonvolatile RAM (NVRAM). As a result, addresses learned by the sticky method persist through a device restart. Sticky secure MAC addresses do not appear in the running configuration of an interface.

Dynamic and sticky address learning are mutually exclusive. When you enable sticky learning on an interface, the device stops dynamic learning and performs sticky learning instead. If you disable sticky learning, the device resumes dynamic learning.

A sticky secure MAC address entry remains in the configuration of an interface until one of the following events occurs:

• You explicitly remove the address.

• You configure the interface to act as a Layer 3 interface.

Dynamic Address Aging

The device ages MAC addresses learned by the dynamic method and drops them after the age limit is reached.

You can configure the age limit on each interface. The range is from 0 to 1440 minutes, where 0 disables aging.

In vPC domains, dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.

The method that the device uses to determine the age of a MAC address is also configurable. The two methods of determining address age are as follows:

Inactivity

The length of time after the device last received a packet from the address on the applicable interface.

Absolute

The length of time after the device learned the address. This is the default aging method; however, the default aging time is 0 minutes, which disables aging.

Note

If the absolute method is used to age out a MAC address, then depending on the traffic rate, a few packets may be dropped each time a MAC address is aged out and relearned. To avoid this, use the inactivity timeout.

Secure MAC Address Maximums

By default, an interface can have only one secure MAC address. You can configure the maximum number of MAC addresses permitted per interface or per VLAN on an interface. Maximums apply to secure MAC addresses learned by any method: dynamic, sticky, or static.

Note

In vPC domains, the configuration on the primary vPC takes effect.

Tip

To ensure that an attached device has the full bandwidth of the port, set the maximum number of addresses to one and configure the MAC address of the attached device.


The following three limits can determine how many secure MAC addresses are permitted on an interface:

Device maximum

The device has a nonconfigurable limit of 8192 secure MAC addresses. If learning a new address would violate the device maximum, the device does not permit the new address to be learned, even if the interface or VLAN maximum has not been reached.

Interface maximum

You can configure a maximum number of 1025 secure MAC addresses for each interface protected by port security. The default interface maximum is one address. Interface maximums cannot exceed the device maximum.

In vPC domains, you set the maximum number of secure MAC addresses on the primary vPC switch.

The primary vPC switch does the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.

VLAN maximum

You can configure the maximum number of secure MAC addresses per VLAN for each interface protected by port security. A VLAN maximum cannot exceed the configured interface maximum.

VLAN maximums are useful only for trunk ports. There are no default VLAN maximums.

You can configure VLAN and interface maximums per interface, as needed; however, when the new limit is less than the applicable number of secure addresses, you must reduce the number of secure MAC addresses first.

Security Violations and Actions

Port security triggers a security violation when either of the following two events occurs:

MAX Count Violation

Ingress traffic arrives at an interface from a nonsecure MAC address and learning the address would exceed the applicable maximum number of secure MAC addresses. The blocked entry is added to the Forwarding Module (FWM) of the Cisco Nexus switch.

When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:

• VLAN 1 has a maximum of 5 addresses

• The interface has a maximum of 10 addresses

The device detects a violation when any of the following occurs:

• The device has learned five addresses for VLAN 1 and inbound traffic from a sixth address arrives at the interface in VLAN 1.

• The device has learned 10 addresses on the interface and inbound traffic from an 11th address arrives at the interface.


MAC Move Violation

Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured. The blocked entry is added as a drop entry in the Port Security table.

When a security violation occurs, the device increments the security violation counter for the interface and takes the action specified by the port security configuration of the interface. If a violation occurs because ingress traffic from a secure MAC address arrives at a different interface than the interface on which the address is secure, the device applies the action on the interface that received the traffic.

The possible actions that the device can take are as follows:

Shutdown

Shuts down the interface that received the packet triggering the violation. The interface is error disabled.

This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.

You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands.

Restrict

Drops ingress traffic from any nonsecure MAC addresses and adds the MAC address as a blocked MAC entry in the port security table.

Note

In vPC domains, blocked MAC addresses added to the port security table due to violations occurring in the Restrict mode are not synchronized across vPC peers.

The device keeps a count of the number of dropped packets, which is called the security violation count.

Address learning continues until the maximum security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.

Protect

Prevents further violations from occurring. The address that triggered the security violation is learned but any traffic from the address is dropped. Further address learning stops.

Note

In vPCs, the violation action configured on the primary vPC switch takes effect. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.

After the maximum number of MAC move violations (10) is reached, the interface is shut down and placed in the errdisabled state.
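The interplay of the interface maximum, the per-VLAN maximum, MAC moves and the three violation actions is easier to reason about in a small model than in prose. The following Python is an added example written for this page, not NX-OS code: it implements the rules exactly as this section states them (default interface maximum 1, default action shutdown, action applied on the interface that received the MAC-moved frame, errdisable after 10 MAC move violations) and plays through the VLAN 1 / interface example above. The class and function names, the interface names, and the simplification that a restrict-mode port stops learning once a maximum is reached are this example's own assumptions.

```python
"""Model of the port-security violation rules described in this section.

Added example (not NX-OS code). The documented values are the default
interface maximum (1), the default action (shutdown) and the MAC-move
limit (10); the API and interface names are this example's own.
"""
from dataclasses import dataclass, field

MAC_MOVE_LIMIT = 10  # documented: 10 MAC-move violations put the interface in errdisable


@dataclass
class SecurePort:
    name: str
    maximum: int = 1                                   # interface maximum (default 1)
    vlan_maximum: dict = field(default_factory=dict)   # vlan -> per-VLAN maximum
    action: str = "shutdown"                           # shutdown | restrict | protect
    secure: dict = field(default_factory=dict)         # secure MAC -> VLAN
    blocked: set = field(default_factory=set)          # blocked (drop) MAC entries
    errdisabled: bool = False
    learning: bool = True                              # protect stops further learning
    violations: int = 0                                # security violation counter
    mac_moves: int = 0

    def over_limit(self, vlan: int) -> bool:
        """A violation occurs when either the interface or the VLAN maximum is exceeded."""
        if len(self.secure) >= self.maximum:
            return True
        vmax = self.vlan_maximum.get(vlan)
        in_vlan = sum(1 for v in self.secure.values() if v == vlan)
        return vmax is not None and in_vlan >= vmax


class PortSecurityTable:
    """Secure-MAC table shared by the ports of one switch."""

    def __init__(self):
        self.ports = {}

    def add_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def owner(self, mac: str, vlan: int):
        """Port on which mac is already secured in this VLAN, if any."""
        for p in self.ports.values():
            if p.secure.get(mac) == vlan:
                return p
        return None

    def ingress(self, port_name: str, vlan: int, mac: str) -> str:
        """Decide one ingress frame: 'forward', 'drop' or 'errdisable'."""
        p = self.ports[port_name]
        if p.errdisabled:
            return "errdisable"
        if p.secure.get(mac) == vlan:
            return "forward"                        # already secured on this port
        if mac in p.blocked:
            return "drop"
        other = self.owner(mac, vlan)
        if other is not None and other is not p:    # MAC move: secured elsewhere, same VLAN
            p.mac_moves += 1
            p.blocked.add(mac)                      # added as a drop entry
            if p.mac_moves >= MAC_MOVE_LIMIT:
                p.errdisabled = True
                return "errdisable"
            return self.violate(p, mac)             # action applied on the receiving port
        if p.learning and not p.over_limit(vlan):
            p.secure[mac] = vlan                    # dynamic learning
            return "forward"
        return self.violate(p, mac)

    def violate(self, p: SecurePort, mac: str) -> str:
        p.violations += 1
        if p.action == "shutdown":
            p.errdisabled = True                    # secure MACs are retained
            return "errdisable"
        p.blocked.add(mac)                          # restrict and protect both drop the frame
        if p.action == "protect":
            p.learning = False                      # protect: no further learning
        return "drop"

    def recover(self, port_name: str) -> None:
        """shutdown / no shutdown: clears errdisable but keeps the secure MACs."""
        self.ports[port_name].errdisabled = False
        self.ports[port_name].mac_moves = 0


def documented_scenario() -> dict:
    """The section's example: VLAN 1 maximum 5, interface maximum 10, action restrict."""
    t = PortSecurityTable()
    t.add_port(SecurePort("Eth2/1", maximum=10, vlan_maximum={1: 5}, action="restrict"))
    t.add_port(SecurePort("Eth2/2", maximum=10, action="restrict"))
    r = {"vlan1_first5": [t.ingress("Eth2/1", 1, f"0000.0001.000{i}") for i in range(5)]}
    r["vlan1_sixth"] = t.ingress("Eth2/1", 1, "0000.0001.0005")        # VLAN maximum exceeded
    r["vlan2_next5"] = [t.ingress("Eth2/1", 2, f"0000.0002.000{i}") for i in range(5)]
    r["eleventh"] = t.ingress("Eth2/1", 2, "0000.0002.0005")           # interface maximum exceeded
    r["mac_move"] = t.ingress("Eth2/2", 1, "0000.0001.0000")           # secured on Eth2/1 in VLAN 1
    r["violations"] = t.ports["Eth2/1"].violations
    return r
```

Calling documented_scenario() shows the sixth VLAN 1 address and the eleventh address on the interface both dropped in restrict mode, and the frame from an address secured on Eth2/1 arriving on Eth2/2 counted as a MAC move violation on Eth2/2, not on Eth2/1. Swapping the action to "shutdown" on a port with the default maximum of 1 shows the second address errdisabling the port while recover() leaves the first address secured, which is the retention behaviour described above.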


Port Type Changes

When you have configured port security on a Layer 2 interface and you change the port type of the interface, the device behaves as follows:

Access port to trunk port

Trunk port to access port

When you change a Layer 2 interface from a trunk port to an access port, the device drops all secure addresses learned by the dynamic method. It also moves all addresses learned by the sticky method on the native trunk VLAN to the access VLAN. The device drops secure addresses learned by the sticky method if they are not on the native trunk VLAN.

Switched port to routed port

When you change an interface from a Layer 2 interface to a Layer 3 interface, the device disables port security on the interface and discards all port security configuration for the interface. The device also discards all secure MAC addresses for the interface, regardless of the method used to learn the address.

Routed port to switched port

When you change an interface from a Layer 3 interface to a Layer 2 interface, the device has no port security configuration for the interface.

Licensing Requirements for Port Security

The following table shows the licensing requirements for this feature:

Product        License Requirement
Cisco NX-OS    Port security requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS device images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the License and Copyright Information for Cisco NX-OS Software available at the following URL: http://www.cisco.com/en/US/docs/switches/datacenter/sw/4_0/nx-os/license_agreement/nx-ossw_lisns.html

Prerequisites for Port Security

Port security has the following prerequisites:

• You must globally enable port security for the device that you want to protect with port security.


• In a vPC domain, you must enable port security globally on both vPC peers and on both vPC interfaces on the vPC peers. We recommend that you use the config sync command to ensure that the configuration is consistent on both vPC peers.

Guidelines and Limitations for Port Security

When configuring port security, follow these guidelines:

• Port security is supported on PVLAN ports.

• Port security does not support switched port analyzer (SPAN) destination ports.

• Port security does not depend upon other features.

• Port security is not supported on vPC peer links.

• Port security is not supported on Network Interface (NIF) port, Flex Link ports, or vEthernet interfaces.

Guidelines and Limitations for Port Security on vPCs

In addition to the guidelines and limitations for port security, there are additional guidelines and limitations for port security on vPCs. When configuring port security on vPCs, follow these guidelines:

• You must enable port security globally on both vPC peers in a vPC domain.

• You must enable port security on the vPC interfaces of both vPC peers.

• You must configure a static secure MAC address on the primary vPC peer. This MAC address is synchronized with the secondary vPC peer. Do not configure a static secure MAC address on the secondary peer. This MAC address appears in the secondary vPC configuration, but does not take effect.

• All learned MAC addresses are synchronized between vPC peers.

• Both vPC peers can be configured with either the dynamic or sticky MAC address learning method. However, we recommend that both vPC peers be configured for the same method.

• Dynamic MAC addresses are dropped only after the age limit is reached on both vPC peers.

• You set the maximum number of secure MAC addresses on the primary vPC switch. The primary vPC switch does the count validation, even if a maximum number of secure MAC addresses is set on the secondary switch.

• You configure the violation action on the primary vPC. So, whenever a security violation is triggered, the security action defined on the primary vPC switch occurs.

• Port security is enabled on a vPC interface when the port security feature is enabled on both vPC peers and port security is enabled on both vPC interfaces of the vPC peers. You can use the config sync command to verify that the configuration is correct.

• While a switch undergoes an in-service software upgrade (ISSU), port security operations are stopped on its peer switch. The peer switch does not learn any new MAC addresses, and MAC moves occurring during this operation are ignored. When the ISSU is complete, the peer switch is notified and normal port security functionality resumes.

• ISSU to higher versions is supported; however ISSU to lower versions is not supported.
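The vPC rules above are easy to get wrong because a mismatched peer does not reject the configuration; the secondary's static addresses, maximum and violation action simply have no effect. The following Python is an added example written for this page, not Cisco code: it parses the running-config text of both peers, pairs the vPC interfaces (assumed here to be the port-channels carrying a vpc line), and reports what the guidelines call out: port security not enabled globally on both peers or on both vPC interfaces, a static secure MAC, maximum or violation action configured on the secondary, and peers using different learning methods. The two configurations, the interface names and the MAC addresses are constructed for the example.

```python
"""Check two NX-OS running-configs against the vPC port-security guidelines.

Added example (not Cisco code). vPC interfaces are assumed to be the
port-channels carrying a 'vpc <n>' line; both sample configs are constructed.
"""
import re

PRIMARY_CFG = """\
feature vpc
feature port-security
interface port-channel10
  switchport
  switchport port-security
  switchport port-security maximum 20
  switchport port-security mac-address sticky
  switchport port-security mac-address 0019.d2d0.00ae vlan 101
  vpc 10
interface port-channel11
  switchport
  switchport port-security
  vpc 11
"""

SECONDARY_CFG = """\
feature vpc
feature port-security
interface port-channel10
  switchport
  switchport port-security
  switchport port-security maximum 50
  switchport port-security mac-address 0019.d2d0.00af vlan 101
  vpc 10
interface port-channel11
  switchport
  vpc 11
"""


def parse_config(text: str) -> dict:
    """Split a running-config into global lines and per-interface line lists."""
    cfg = {"global": set(), "interfaces": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = []
        elif raw[:1] in (" ", "\t") and current is not None:
            cfg["interfaces"][current].append(line)      # indented: belongs to the interface
        else:
            current = None
            cfg["global"].add(line)
    return cfg


def vpc_interfaces(cfg: dict) -> dict:
    """Map vPC number -> (interface name, its config lines)."""
    out = {}
    for name, lines in cfg["interfaces"].items():
        for line in lines:
            m = re.fullmatch(r"vpc (\d+)", line)
            if m:
                out[int(m.group(1))] = (name, lines)
    return out


def check_vpc_port_security(primary: str, secondary: str) -> list:
    """Return the guideline violations found between the primary and secondary peer."""
    p, s = parse_config(primary), parse_config(secondary)
    findings = []
    for role, cfg in (("primary", p), ("secondary", s)):
        if "feature port-security" not in cfg["global"]:
            findings.append(f"{role}: feature port-security is not enabled globally")
    pv, sv = vpc_interfaces(p), vpc_interfaces(s)
    for vpc in sorted(set(pv) | set(sv)):
        if vpc not in pv or vpc not in sv:
            findings.append(f"vpc {vpc}: defined on only one peer")
            continue
        (pname, plines), (sname, slines) = pv[vpc], sv[vpc]
        pen, sen = "switchport port-security" in plines, "switchport port-security" in slines
        if pen != sen:
            findings.append(f"vpc {vpc}: port security enabled on only one peer ({pname}/{sname})")
        if not (pen or sen):
            continue
        # Static secure MACs, the maximum and the violation action are only honoured on the primary.
        if any(l.startswith("switchport port-security mac-address ") and "sticky" not in l
               for l in slines):
            findings.append(f"vpc {vpc}: static secure MAC on secondary {sname} has no effect;"
                            " configure it on the primary")
        for kw in ("switchport port-security maximum", "switchport port-security violation"):
            if any(l.startswith(kw) for l in slines):
                findings.append(f"vpc {vpc}: '{kw}' on secondary {sname} is ignored;"
                                " the primary's value applies")
        sticky = "switchport port-security mac-address sticky"
        if (sticky in plines) != (sticky in slines):
            findings.append(f"vpc {vpc}: learning method differs between peers (sticky on one side only)")
    return findings
```

Running check_vpc_port_security(PRIMARY_CFG, SECONDARY_CFG) on the constructed pair yields four findings: the static MAC and the maximum on the secondary's port-channel10 (both ignored), sticky learning on one side only, and port security enabled on only the primary's port-channel11. The text of each peer's config would come from show running-config port-security on that switch.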


Default Settings for Port Security

This table lists the default settings for port security parameters.

Table 17: Default Port Security Parameters

Parameters                                          Default
Port security enablement globally                   Disabled
Port security enablement per interface              Disabled
MAC address learning method                         Dynamic
Interface maximum number of secure MAC addresses    1
Security violation action                           Shutdown

Configuring Port Security

Enabling or Disabling Port Security Globally

You can enable or disable port security globally on a device. By default, port security is disabled globally.

When you disable port security, all port security configuration on the interface is ineffective. When you disable port security globally, all port security configuration is lost.

Note

To enable or disable port security in a vPC domain, you must enable or disable port security globally on both vPC peers.

Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  [no] feature port-security
        Purpose: Enables port security globally. The no option disables port security globally.
        Example:
        switch(config)# feature port-security

Step 3  show port-security
        Purpose: Displays the status of port security.
        Example:
        switch(config)# show port-security

Step 4  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config)# copy running-config startup-config

Step 5  If you are configuring port security for a vPC domain, repeat steps 1 through 4 on the vPC peer to enable port security globally.

Enabling or Disabling Port Security on a Layer 2 Interface

You can enable or disable port security on a Layer 2 interface. By default, port security is disabled on all interfaces.

When you disable port security on an interface, all switchport port security configuration for the interface is lost.

Before You Begin

You must have enabled port security globally.

If you are setting up port security in a vPC domain, you must have enabled port security globally on both vPC peers.

If a Layer 2 Ethernet interface is a member of a port-channel interface, you cannot enable or disable port security on the Layer 2 Ethernet interface.

If any member port of a secure Layer 2 port-channel interface has port security enabled, you cannot disable port security for the port-channel interface unless you first remove all secure member ports from the port-channel interface.

Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the Ethernet or port-channel interface that you want to configure with port security.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  switchport
        Purpose: Configures the interface as a Layer 2 interface.
        Example:
        switch(config-if)# switchport

Step 4  [no] switchport port-security
        Purpose: Enables port security on the interface. The no option disables port security on the interface.
        Example:
        switch(config-if)# switchport port-security

Step 5  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 6  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config

Step 7  If you are configuring port security for a vPC domain, repeat steps 1 through 6 on the vPC peer to enable port security on its vPC interface.

Enabling or Disabling Sticky MAC Address Learning

You can disable or enable sticky MAC address learning on an interface. If you disable sticky learning, the device returns to dynamic MAC address learning on the interface, which is the default learning method.

By default, sticky MAC address learning is disabled.

Before You Begin

You must have enabled port security globally.


Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the interface that you want to configure with sticky MAC address learning.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  switchport
        Purpose: Configures the interface as a Layer 2 interface.
        Example:
        switch(config-if)# switchport

Step 4  [no] switchport port-security mac-address sticky
        Purpose: Enables sticky MAC address learning on the interface. The no option disables sticky MAC address learning.
        Example:
        switch(config-if)# switchport port-security mac-address sticky

Step 5  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 6  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config

Adding a Static Secure MAC Address on an Interface

You can add a static secure MAC address on a Layer 2 interface.

Note

If the MAC address is a secure MAC address on any interface, you cannot add it as a static secure MAC address to another interface until you remove it from the interface on which it is already a secure MAC address.


By default, no static secure MAC addresses are configured on an interface.

Before You Begin

You must have enabled port security globally.

Verify that the interface maximum has not been reached for secure MAC addresses. If needed, you can remove a secure MAC address or you can change the maximum number of addresses on the interface.

Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the interface that you specify.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  [no] switchport port-security mac-address address [vlan vlan-ID]
        Purpose: Configures a static MAC address for port security on the current interface. Use the vlan keyword if you want to specify the VLAN that traffic from the address is allowed on.
        Example:
        switch(config-if)# switchport port-security mac-address 0019.D2D0.00AE

Step 4  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 5  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config

Removing a Static Secure MAC Address on an Interface

You can remove a static secure MAC address on a Layer 2 interface.


Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the interface from which you want to remove a static secure MAC address.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  no switchport port-security mac-address address
        Purpose: Removes the static secure MAC address from port security on the current interface.
        Example:
        switch(config-if)# no switchport port-security mac-address 0019.D2D0.00AE

Step 4  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 5  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config

Removing a Dynamic Secure MAC Address

You can remove dynamically learned, secure MAC addresses.

Before You Begin

You must have enabled port security globally.


Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  clear port-security dynamic {interface ethernet slot/port | address address} [vlan vlan-ID]
        Purpose: Removes dynamically learned, secure MAC addresses, as specified. If you use the interface keyword, you remove all dynamically learned addresses on the interface that you specify. If you use the address keyword, you remove the single, dynamically learned address that you specify. Use the vlan keyword if you want to further limit the command to removing an address or addresses on a particular VLAN.
        Example:
        switch(config)# clear port-security dynamic interface ethernet 2/1

Step 3  show port-security address
        Purpose: Displays secure MAC addresses.
        Example:
        switch(config)# show port-security address

Step 4  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config)# copy running-config startup-config

Configuring a Maximum Number of MAC Addresses

You can configure the maximum number of MAC addresses that can be learned or statically configured on a Layer 2 interface. You can also configure a maximum number of MAC addresses per VLAN on a Layer 2 interface. The largest maximum number of addresses that you can configure on an interface is 1025 addresses.

The system maximum number of addresses is 8192.

By default, an interface has a maximum of one secure MAC address. VLANs have no default maximum number of secure MAC addresses.

Note

When you specify a maximum number of addresses that is less than the number of addresses already learned or statically configured on the interface, the device rejects the command. To remove all addresses learned by the dynamic method, use the shutdown and no shutdown commands to restart the interface.


Before You Begin

You must have enabled port security globally.

Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the interface that you want to configure with the maximum number of MAC addresses.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  [no] switchport port-security maximum number [vlan vlan-ID]
        Purpose: Configures the maximum number of MAC addresses that can be learned or statically configured for the current interface. The highest valid number is 1025. The no option resets the maximum number of MAC addresses to the default, which is 1. If you want to specify the VLAN that the maximum applies to, use the vlan keyword.
        Example:
        switch(config-if)# switchport port-security maximum 425

Step 4  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 5  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config

Configuring an Address Aging Type and Time

You can configure the MAC address aging type and the length of time that the device uses to determine when MAC addresses learned by the dynamic method have reached their age limit.

Absolute aging is the default aging type.


By default, the aging time is 0 minutes, which disables aging.

Before You Begin

You must have enabled port security globally.

Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the interface that you want to configure with the MAC aging type and time.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  [no] switchport port-security aging type {absolute | inactivity}
        Purpose: Configures the type of aging that the device applies to dynamically learned MAC addresses. The no option resets the aging type to the default, which is absolute aging.
        Example:
        switch(config-if)# switchport port-security aging type inactivity

Step 4  [no] switchport port-security aging time minutes
        Purpose: Configures the number of minutes that a dynamically learned MAC address must age before the device drops the address. The maximum valid minutes is 1440. The no option resets the aging time to the default, which is 0 minutes (no aging).
        Example:
        switch(config-if)# switchport port-security aging time 120

Step 5  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 6  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config


Configuring a Security Violation Action

You can configure the action that the device takes if a security violation occurs. The violation action is configurable on each interface that you enable with port security.

The default security action is to shut down the port on which the security violation occurs.

Before You Begin

You must have enabled port security globally.

Procedure

Step 1  configure terminal
        Purpose: Enters global configuration mode.
        Example:
        switch# configure terminal
        switch(config)#

Step 2  Enter one of the following commands:
        interface ethernet slot/port
        interface port-channel channel-number
        Purpose: Enters interface configuration mode for the interface that you want to configure with a security violation action.
        Example:
        switch(config)# interface ethernet 2/1
        switch(config-if)#

Step 3  [no] switchport port-security violation {protect | restrict | shutdown}
        Purpose: Configures the security violation action for port security on the current interface. The no option resets the violation action to the default, which is to shut down the interface.
        Example:
        switch(config-if)# switchport port-security violation restrict

Step 4  show running-config port-security
        Purpose: Displays the port security configuration.
        Example:
        switch(config-if)# show running-config port-security

Step 5  copy running-config startup-config
        Purpose: (Optional) Copies the running configuration to the startup configuration.
        Example:
        switch(config-if)# copy running-config startup-config


Verifying the Port Security Configuration

To display the port security configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the Security Command Reference for your platform.

Command                                            Purpose
show running-config port-security                  Displays the port security configuration.
show port-security                                 Displays the port security status of the device.
show port-security interface                       Displays the port security status of a specific interface.
show port-security address                         Displays secure MAC addresses.
show running-config interface                      Displays the interfaces that are in the running configuration.
show mac address-table                             Displays the contents of the MAC address table.
show system internal port-security info global     Displays the port security settings of the device.

Displaying Secure MAC Addresses

Use the show port-security address command to display secure MAC addresses. For detailed information about the fields in the output from this command, see the Security Command Reference for your platform.

Configuration Example for Port Security

The following example shows a port security configuration for the Ethernet 2/1 interface with VLAN and interface maximums for secure addresses. In this example, the interface is a trunk port. Additionally, the violation action is set to Restrict.

feature port-security
interface Ethernet 2/1
  switchport
  switchport port-security
  switchport port-security maximum 10
  switchport port-security maximum 7 vlan 10
  switchport port-security maximum 3 vlan 20
  switchport port-security violation restrict


Configuration Example of Port Security in a vPC Domain

The following example shows how to enable and configure port security on vPC peers in a vPC domain. The first switch is the primary vPC peer and the second switch is the secondary vPC peer. It is assumed that domain 103 has already been created. Port security must be enabled globally on both peers, so the secondary also enables the feature before configuring its vPC interface.

primary_switch(config)# feature port-security
primary_switch(config)# int e1/1
primary_switch(config-if)# switchport port-security
primary_switch(config-if)# switchport port-security max 1025
primary_switch(config-if)# switchport port-security violation restrict
primary_switch(config-if)# switchport port-security aging time 4
primary_switch(config-if)# switchport port-security aging type absolute
primary_switch(config-if)# switchport port-security mac sticky
primary_switch(config-if)# switchport port-security mac-address 0.0.1 vlan 101
primary_switch(config-if)# switchport port-security mac-address 0.0.2 vlan 101
primary_switch(config-if)# copy running-config startup-config

secondary_switch(config)# feature port-security
secondary_switch(config)# int e103/1/1
secondary_switch(config-if)# switchport port-security
secondary_switch(config-if)# copy running-config startup-config

Additional References for Port Security

Related Documents

Related Topic

Layer 2 switching

Port security commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Document Title

Standards

Standards Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.

MIBs

Cisco NX-OS provides read-only SNMP support for port security.

MIBs                       MIBs Link
CISCO-PORT-SECURITY-MIB    To locate and download MIBs, go to the following URL: http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

Note

Traps are supported for notification of secure MAC address violations.


CHAPTER 11

Configuring DHCP Snooping

This chapter contains the following sections:

Information About DHCP Snooping, page 224

Information About the DHCP Relay Agent, page 228

Information about the DHCPv6 Relay Agent, page 230

Information About the Lightweight DHCPv6 Relay Agent, page 230

vIP HSRP Enhancement, page 231

Guidelines and Limitations for DHCP Snooping, page 231

Guidelines and Limitations for the vIP HSRP Enhancement, page 232

Default Settings for DHCP Snooping, page 233

Configuring DHCP Snooping, page 233

Configuring the DHCPv6 Relay Agent, page 244

Configuring Lightweight DHCPv6 Relay Agent, page 247

Enabling DHCP Relay Agent using VIP Address, page 249

Verifying the DHCP Snooping Configuration, page 250

Displaying DHCP Bindings, page 250

Displaying and Clearing LDRA Information, page 250

Clearing the DHCP Snooping Binding Database, page 254

Clearing DHCP Relay Statistics, page 255

Clearing DHCPv6 Relay Statistics, page 255

Monitoring DHCP, page 255

Configuration Examples for DHCP Snooping, page 255

Configuration Examples for LDRA, page 256


Information About DHCP Snooping

DHCP snooping acts like a firewall between untrusted hosts and trusted DHCP servers. DHCP snooping performs the following activities:

• Validates DHCP messages received from untrusted sources and filters out invalid messages.

• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

• Uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

DHCP snooping is enabled on a per-VLAN basis. By default, the feature is inactive on all VLANs. You can enable the feature on a single VLAN or a range of VLANs.

Feature Enabled and Globally Enabled

When you are configuring DHCP snooping, it is important that you understand the difference between enabling the DHCP snooping feature and globally enabling DHCP snooping.

Feature Enablement

The DHCP snooping feature is disabled by default. When the DHCP snooping feature is disabled, you cannot configure it or any of the features that depend on DHCP snooping. The commands to configure DHCP snooping and its dependent features are unavailable when DHCP snooping is disabled.

When you enable the DHCP snooping feature, the switch begins building and maintaining the DHCP snooping binding database. Features dependent on the DHCP snooping binding database can now make use of it and can therefore also be configured.

Enabling the DHCP snooping feature does not globally enable it. You must separately enable DHCP snooping globally.

Disabling the DHCP snooping feature removes all DHCP snooping configuration from the switch. If you want to disable DHCP snooping and preserve the configuration, globally disable DHCP snooping but do not disable the DHCP snooping feature.

Global Enablement

After the DHCP snooping feature is enabled, DHCP snooping is globally disabled by default. Global enablement is a second level of enablement that gives you separate control over whether the switch is actively performing DHCP snooping, independent of enabling the DHCP snooping binding database.

When you globally enable DHCP snooping, on each untrusted interface of VLANs that have DHCP snooping enabled, the switch begins validating the DHCP messages that it receives and uses the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

When you globally disable DHCP snooping, the switch stops validating DHCP messages and validating subsequent requests from untrusted hosts. It also removes the DHCP snooping binding database. Globally disabling DHCP snooping does not remove any DHCP snooping configuration or the configuration of other features that are dependent upon the DHCP snooping feature.


Trusted and Untrusted Sources

You can configure whether DHCP snooping trusts traffic sources. An untrusted source might initiate traffic attacks or other hostile actions. To prevent such attacks, DHCP snooping filters messages from untrusted sources.

In an enterprise network, a trusted source is a device that is under your administrative control, such as the switches, routers, and servers in the network. Any device beyond the firewall or outside the network is an untrusted source. Generally, host ports are treated as untrusted sources.

In a service provider environment, any device that is not in the service provider network is an untrusted source (such as a customer switch). Host ports are untrusted sources.

In a Cisco Nexus device, you indicate that a source is trusted by configuring the trust state of its connecting interface.

The default trust state of all interfaces is untrusted. You must configure DHCP server interfaces as trusted. You can also configure other interfaces as trusted if they connect to devices (such as switches or routers) inside your network. You usually do not configure host port interfaces as trusted.

Note

For DHCP snooping to function properly, you must connect all DHCP servers to the switch through trusted interfaces.

DHCP Snooping Binding Database

Using information extracted from intercepted DHCP messages, DHCP snooping dynamically builds and maintains a database. The database contains an entry for each untrusted host with a leased IP address if the host is associated with a VLAN that has DHCP snooping enabled. The database does not contain entries for hosts that are connected through trusted interfaces.

Note

The DHCP snooping binding database is also referred to as the DHCP snooping binding table.

DHCP snooping updates the database when the switch receives specific DHCP messages. For example, the feature adds an entry to the database when the switch receives a DHCPACK message from the server. The feature removes the entry in the database when the IP address lease expires or the switch receives a

DHCPRELEASE message from the host.

Each entry in the DHCP snooping binding database includes the MAC address of the host, the leased IP address, the lease time, the binding type, and the VLAN number and interface information associated with the host.

You can remove entries from the binding database by using the clear ip dhcp snooping binding command.

DHCP Snooping Option 82 Data Insertion

DHCP can centrally manage the IP address assignments for a large number of subscribers. When you enable Option 82, the device identifies a subscriber device that connects to the network (in addition to its MAC address). Multiple hosts on the subscriber LAN can connect to the same port on the access device and are uniquely identified.

When you enable Option 82 on the Cisco NX-OS device, the following sequence of events occurs:

1. The host (DHCP client) generates a DHCP request and broadcasts it on the network.

2. When the Cisco NX-OS device receives the DHCP request, it adds the Option 82 information in the packet. The Option 82 information contains the device MAC address (the remote ID suboption) and the port identifier, vlan-mod-port, from which the packet is received (the circuit ID suboption). For hosts behind the port channel, the circuit ID is filled with the if_index of the port channel.

Note

For vPC peer switches, the remote ID suboption contains the vPC switch MAC address, which is unique in both switches. This MAC address is computed with the vPC domain ID. The Option 82 information is inserted at the switch where the DHCP request is first received before it is forwarded to the other vPC peer switch.

3. The device forwards the DHCP request that includes the Option 82 field to the DHCP server.

4. The DHCP server receives the packet. If the server is Option 82 capable, it can use the remote ID, the circuit ID, or both to assign IP addresses and implement policies, such as restricting the number of IP addresses that can be assigned to a single remote ID or circuit ID. The DHCP server echoes the Option 82 field in the DHCP reply.

5. The DHCP server sends the reply to the Cisco NX-OS device. The Cisco NX-OS device verifies that it originally inserted the Option 82 data by inspecting the remote ID and possibly the circuit ID fields. The Cisco NX-OS device removes the Option 82 field and forwards the packet to the interface that connects to the DHCP client that sent the DHCP request.

If the previously described sequence of events occurs, the following values do not change:

• Circuit ID suboption fields

◦ Suboption type

◦ Length of the suboption type

◦ Circuit ID type

◦ Length of the circuit ID type

• Remote ID suboption fields

◦ Suboption type

◦ Length of the suboption type

◦ Remote ID type

◦ Length of the circuit ID type

This figure shows the packet formats for the remote ID suboption and the circuit ID suboption. The Cisco NX-OS device uses the packet formats when you globally enable DHCP snooping and when you enable Option 82 data insertion and removal. For the circuit ID suboption, the module field is the slot number of the module.


Figure 13: Suboption Packet Formats
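The insertion (step 2) and verification-then-removal (step 5) of the two suboptions, as an added Python example that is not part of this guide or of NX-OS. The inner layout assumed here (circuit ID type 0 with a 4-byte VLAN/module/port value, remote ID type 0 with the 6-byte switch MAC) follows the vlan-mod-port description above; the message-type option and the sample MAC are constructed.

```python
import struct

OPT_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2
OPT_PAD = 0
OPT_END = 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def circuit_id_suboption(vlan, module, port):
    """Suboption type 1: circuit ID type 0, length 4, then vlan(2)/module(1)/port(1) (assumed layout)."""
    inner = struct.pack("!HBB", vlan, module, port)
    return bytes([SUBOPT_CIRCUIT_ID, 2 + len(inner), 0, len(inner)]) + inner


def remote_id_suboption(mac):
    """Suboption type 2: remote ID type 0, length 6, then the device MAC address (assumed layout)."""
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return bytes([SUBOPT_REMOTE_ID, 2 + len(mac), 0, len(mac)]) + mac


def parse_options(options):
    """Parse a DHCP options field (magic cookie first) into an ordered {code: value} dict."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    out, i = {}, 4
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        out[code] = value
        i += 2 + length
    return out


def serialize_options(opts):
    """Inverse of parse_options: cookie, each option as code/length/value, then END."""
    out = bytearray(MAGIC_COOKIE)
    for code, value in opts.items():
        out += bytes([code, len(value)]) + value
    out.append(OPT_END)
    return bytes(out)


def parse_option82(value):
    """Split Option 82 into {suboption code: (id type, payload)}, checking both length fields."""
    subs, i = {}, 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("truncated suboption header")
        code, length = value[i], value[i + 1]
        body = value[i + 2:i + 2 + length]
        if len(body) != length or length < 2 or body[1] != length - 2:
            raise ValueError("malformed suboption %d" % code)
        subs[code] = (body[0], body[2:])
        i += 2 + length
    return subs


def insert_option82(request_options, vlan, module, port, switch_mac):
    """Step 2: add circuit ID and remote ID to a client request before forwarding it."""
    opts = parse_options(request_options)
    if OPT_RELAY_AGENT in opts:
        return request_options  # request already carries Option 82: forward it unaltered
    opts[OPT_RELAY_AGENT] = (circuit_id_suboption(vlan, module, port)
                             + remote_id_suboption(switch_mac))
    return serialize_options(opts)


def strip_option82(reply_options, switch_mac):
    """Step 5: forward the reply only if the echoed remote ID is ours, with Option 82 removed.

    Returns the cleaned options, or None when the reply must be dropped.
    """
    opts = parse_options(reply_options)
    raw = opts.get(OPT_RELAY_AGENT)
    if raw is None:
        return reply_options  # nothing to remove
    try:
        subs = parse_option82(raw)
    except ValueError:
        return None  # malformed relay agent information
    if subs.get(SUBOPT_REMOTE_ID) != (0, switch_mac):
        return None  # not the remote ID this device inserted
    del opts[OPT_RELAY_AGENT]
    return serialize_options(opts)
```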


DHCP Snooping in a vPC Environment

A virtual port channel (vPC) allows two Cisco NX-OS switches to appear as a single logical port channel to a third device. The third device can be a switch, server, or any other networking device that supports port channels.

In a typical vPC environment, DHCP requests can reach one vPC peer switch and the responses can reach the other vPC peer switch, resulting in a partial DHCP (IP-MAC) binding entry in one switch and no binding entry in the other switch. This issue is addressed by using Cisco Fabric Service over Ethernet (CFSoE) distribution to ensure that all DHCP packets (requests and responses) appear on both switches, which helps in creating and maintaining the same binding entry on both switches for all clients behind the vPC link.

CFSoE distribution also allows only one switch to forward the DHCP requests and responses on the vPC link.

In non-vPC environments, both switches forward the DHCP packets.

Synchronizing DHCP Snooping Binding Entries

The dynamic DHCP binding entries should be in sync in the following scenarios:

• When the remote vPC is online, all the binding entries for that vPC link should be in sync with the peer.

• When DHCP snooping is enabled on the peer switch, the dynamic binding entries for all vPC links that are up remotely should be in sync with the peer.


Packet Validation

The switch validates DHCP packets received on the untrusted interfaces of VLANs that have DHCP snooping enabled. The switch forwards the DHCP packet unless any of the following conditions occur (in which case, the packet is dropped):

• The switch receives a DHCP response packet (such as a DHCPACK, DHCPNAK, or DHCPOFFER packet) on an untrusted interface.

• The switch receives a packet on an untrusted interface, and the source MAC address and the DHCP client hardware address do not match. This check is performed only if the DHCP snooping MAC address verification option is turned on.

• The switch receives a DHCPRELEASE or DHCPDECLINE message from an untrusted host with an entry in the DHCP snooping binding table, and the interface information in the binding table does not match the interface on which the message was received.

• The switch receives a DHCP packet that includes a relay agent IP address that is not 0.0.0.0.

In addition, you can enable strict validation of DHCP packets, which checks the options field of DHCP packets, including the “magic cookie” value in the first four bytes of the options field. By default, strict validation is disabled. When you enable it by using the ip dhcp packet strict-validation command, DHCP snooping drops any packet that it processes whose options field is invalid.
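The drop rules above together with the binding-table maintenance described earlier, as an added Python model that is not Cisco's code. The packet and binding fields, the pending-request table used to record a client's port before the server's DHCPACK arrives, and the sample MAC and IP values are all constructed for illustration; lease expiry is not modelled.

```python
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE = 1, 2, 3, 4, 5, 6, 7
SERVER_REPLIES = {OFFER, ACK, NAK}


@dataclass
class Packet:
    """Only the DHCP fields the checks look at (constructed model, not a wire parser)."""
    msg_type: int
    src_mac: str                     # Ethernet source address
    chaddr: str                      # DHCP client hardware address
    giaddr: str = "0.0.0.0"          # relay agent IP address
    yiaddr: str = "0.0.0.0"          # address assigned in a server reply
    options: bytes = MAGIC_COOKIE    # start of the options field


@dataclass
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str


@dataclass
class SnoopingVlan:
    """One VLAN with DHCP snooping enabled: trusted ports, the binding table and the checks."""
    vlan: int
    trusted: set = field(default_factory=set)
    mac_verify: bool = True          # DHCP snooping MAC address verification option
    strict_validation: bool = False  # ip dhcp packet strict-validation
    bindings: dict = field(default_factory=dict)  # chaddr -> Binding
    pending: dict = field(default_factory=dict)   # chaddr -> client port awaiting an ACK

    def validate(self, pkt, interface):
        """Apply the drop rules from the Packet Validation section; return (forward, reason)."""
        if self.strict_validation and pkt.options[:4] != MAGIC_COOKIE:
            return False, "invalid options field (bad magic cookie)"
        if interface in self.trusted:
            return True, "trusted interface"
        if pkt.msg_type in SERVER_REPLIES:
            return False, "server reply received on untrusted interface"
        if self.mac_verify and pkt.src_mac.lower() != pkt.chaddr.lower():
            return False, "source MAC does not match client hardware address"
        if pkt.msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(pkt.chaddr.lower())
            if bound is not None and bound.interface != interface:
                return False, "RELEASE/DECLINE from a port other than the bound one"
        if pkt.giaddr != "0.0.0.0":
            return False, "relay agent address set on untrusted interface"
        return True, "ok"

    def learn(self, pkt, interface):
        """Maintain the binding table from packets that passed validation."""
        mac = pkt.chaddr.lower()
        if pkt.msg_type == REQUEST and interface not in self.trusted:
            self.pending[mac] = interface  # remember the client port for the coming ACK
        elif pkt.msg_type == ACK and interface in self.trusted and mac in self.pending:
            # Only hosts behind untrusted ports get entries, as the text states.
            self.bindings[mac] = Binding(mac, pkt.yiaddr, self.vlan, self.pending.pop(mac))
        elif pkt.msg_type == RELEASE:
            self.bindings.pop(mac, None)

    def process(self, pkt, interface):
        """Validate a packet seen on `interface`, update bindings if it is forwarded."""
        forward, reason = self.validate(pkt, interface)
        if forward:
            self.learn(pkt, interface)
        return forward, reason
```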

Information About the DHCP Relay Agent

DHCP Relay Agent

You can configure the device to run a DHCP relay agent, which forwards DHCP packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCP messages and then generate a new DHCP message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCP packet) and, if configured, adds the relay agent information option (Option 82) in the packet and forwards it to the DHCP server. The reply from the server is forwarded back to the client after removing Option 82.

After you enable Option 82, the device uses the binary ifindex format by default. If needed, you can change the Option 82 setting to use an encoded string format instead. When a device acts as a relay agent and is configured to insert Option 82, the circuit ID is the same for all hosts even when they are connected to different ports. You can use the ip dhcp relay sub-option circuit-id customized command to retain the unique circuit ID that is inserted by a client.

Note

When the device relays a DHCP request that already includes Option 82 information, the device forwards the request with the original Option 82 information without altering it.


VRF Support for the DHCP Relay Agent

You can configure the DHCP relay agent to forward DHCP broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCP servers in a different VRF. By using a single DHCP server to provide DHCP support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.

Enabling VRF support for the DHCP relay agent requires that you enable Option 82 for the DHCP relay agent.

If a DHCP request arrives on an interface that you have configured with a DHCP relay address and VRF information, and the address of the DHCP server belongs to a network on an interface that is a member of a different VRF, the device inserts Option 82 information in the request and forwards it to the DHCP server in the server VRF. The Option 82 information includes the following:

VPN identifier: Name of the VRF that the interface that receives the DHCP request is a member of.

Link selection: Subnet address of the interface that receives the DHCP request.

Server identifier override: IP address of the interface that receives the DHCP request.

Note

The DHCP server must support the VPN identifier, link selection, and server identifier override options.

When the device receives the DHCP response message, it strips off the Option 82 information and forwards the response to the DHCP client in the client VRF.

DHCP Relay Binding Database

A relay binding is an entity that associates a DHCP or BOOTP client with a relay agent address and its subnet.

Each relay binding stores the client MAC address, active relay agent address, active relay agent address mask, logical and physical interfaces to which the client is connected, giaddr retry count, and total retry count. The giaddr retry count is the number of request packets transmitted with that relay agent address, and the total retry count is the total number of request packets transmitted by the relay agent. One relay binding entry is maintained for each DHCP or BOOTP client.

Note

When DHCP smart relay is enabled globally or at the interface level on any switch, the relay bindings on all switches should be synchronized with the vPC peer.


Information about the DHCPv6 Relay Agent

DHCPv6 Relay Agent

You can configure the device to run a DHCPv6 relay agent, which forwards DHCPv6 packets between clients and servers. This feature is useful when clients and servers are not on the same physical subnet. Relay agents receive DHCPv6 messages and then generate a new DHCPv6 message to send out on another interface. The relay agent sets the gateway address (giaddr field of the DHCPv6 packet) and forwards it to the DHCPv6 server.

VRF Support for the DHCPv6 Relay Agent

You can configure the DHCPv6 relay agent to forward DHCPv6 broadcast messages from clients in a virtual routing and forwarding (VRF) instance to DHCPv6 servers in a different VRF. By using a single DHCPv6 server to provide DHCPv6 support to clients in multiple VRFs, you can conserve IP addresses by using a single IP address pool rather than one for each VRF.

Information About the Lightweight DHCPv6 Relay Agent

Lightweight DHCPv6 Relay Agent

A variety of different link-layer network topologies exist for the aggregation of IPv6 nodes into one or more routers. In Layer 2 aggregation networks (IEEE 802.1D bridging or similar) that have many nodes on a single link, a DHCP Version 6 (DHCPv6) server or DHCP relay agent normally does not recognize how a DHCP client is attached to a network. From Cisco NX-OS Release 7.3(0)N1(1), you can configure the interface of a device to run Lightweight DHCPv6 Relay Agent (LDRA), which forwards DHCPv6 messages between clients and servers.

The LDRA feature is used to insert relay agent options in DHCPv6 message exchanges primarily to identify client-facing interfaces. LDRA resides on the same IPv6 link as the client and a DHCPv6 relay agent or server.

LDRA for VLANs and Interfaces

You can configure LDRA on VLANs and interfaces. LDRA is not enabled by default. To enable LDRA, it should be enabled globally and at the interface level. You should configure the interfaces as client-facing trusted, client-facing untrusted, or server-facing. All client-facing interfaces must be configured as trusted or untrusted. By default, all the client-facing interfaces in LDRA are configured as untrusted. When a client-facing interface is deemed untrusted, LDRA will discard messages of type RELAY-FORWARD, which are received from the client-facing interface.

The LDRA configuration on a VLAN should be configured as client-facing trusted or client-facing untrusted.

When you configure LDRA functionality on a VLAN, the functionality is configured on all the ports or interfaces within the VLAN. However, if you configure an interface in a VLAN as client-facing untrusted, and configure the VLAN as client-facing trusted, the configuration of an interface takes precedence over the configuration of a VLAN. At least one interface in a VLAN should be configured as a server-facing interface.

Guidelines and Limitations for Lightweight DHCPv6 Relay Agent

• Access nodes implementing LDRA do not support IPv6 control or routing.

• An interface or port cannot be configured as both client facing and server facing at the same time.

• To support virtual port channel, LDRA configuration should be symmetric on the vPC peers.

• LDRA supports Cisco Fabricpath.

vIP HSRP Enhancement

Starting with Cisco NX-OS Release 7.2(0)N1(1), the vIP HSRP enhancement provides support for an HSRP VIP configuration to be in a different subnet than that of the interface subnet. This feature is applicable only for IPv4 and not for IPv6. The following are the enhancements:

• Enhance ARP to source with VIP from SUP for hosts when hosts in VIP subnet are referenced by static route to VLAN configuration.

• Periodic ARP sync support to VPC peer if this feature is enabled.

• Allow use of the VIP address as L3 source address and gateway address for all communications with the DHCP server.

• Enhance DHCP relay agent to relay DHCP packets with source as VIP instead of SVI IP when the feature is enabled.

Guidelines and Limitations for DHCP Snooping

Consider the following guidelines and limitations when configuring DHCP snooping:

• The DHCP snooping database can store 2000 bindings.

• DHCP snooping is not active until you enable the feature, enable DHCP snooping globally, and enable DHCP snooping on at least one VLAN.

• Before globally enabling DHCP snooping on the switch, make sure that the switches that act as the DHCP server and the DHCP relay agent are configured and enabled.

• If a VLAN ACL (VACL) is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.

• DHCP snooping and DHCP relay feature are not supported on the same VLAN.

• By default, DHCP bindings are not saved persistently across switch reboots. To maintain persistent bindings across switch reboots, use the copy running-config startup-config command (abbreviated copy r s). When the command is issued, all bindings that exist at that time are made persistent across switch reboots.

• Make sure that the DHCP configuration is synchronized across the switches in a vPC link. Otherwise, a run-time error can occur, resulting in dropped packets.


• To use both remote and local DHCP servers, you must configure the DHCP relay feature and either define the unicast address of the local DHCP server or configure a local broadcast address for the subnet where the local DHCP server resides. If you do not define the unicast address of the DHCP server or configure a local broadcast address for the subnet, local DHCP packets cannot be delivered. For example, this situation can occur when you apply an IP DHCP address to an SVI.

• When you configure DHCPv6 server addresses on an interface, a destination interface cannot be used with global IPv6 addresses.

The following additional guidelines and limitations apply to implementations that include FabricPath:

• DHCP snooping should be enabled on CE-Fabric boundary switches.

• DHCP snooping is enabled on all access layer switches to secure the network at the access layer.

• DHCP does not learn which binding entries are on ports configured in FabricPath mode. DHCP snooping must be manually enabled on all access layer switches.

• When Dynamic ARP Inspection (DAI) is enabled, ARP packets received on FabricPath ports are allowed.

• IPSG cannot be enabled on ports in FabricPath mode.

• All FabricPath ports in the system must be configured as trusted ports.

• DHCP snooping with FabricPath has to be enabled on all of the configured VLANs for a switch. If you do not enable FabricPath for all of the VLANs on the switch, DHCP packets will drop for the VLANs where DHCP has not been enabled.

To ensure that DHCP packets are not dropped, you must complete all of the following configurations:

◦ Enable the DHCP feature using the feature dhcp command.

◦ Install the FabricPath feature set using the install feature-set fabricpath and feature-set fabricpath commands.

◦ Globally enable DHCP snooping using the ip dhcp snooping command.

◦ Enable DHCP snooping for each of the configured VLANs on the switch using the ip dhcp snooping vlan vlan command.

Guidelines and Limitations for the vIP HSRP Enhancement

• This feature will work only for HSRP in combination with VPC topologies. In scenarios where HSRP standby is not a VPC pair, this feature will not work, as there will not be periodic adjacency sync support for non-VPC cases.

• This feature is applicable only for IPv4 and not for IPv6.

• Support for this feature is only for Regular HSRP and not for Anycast HSRP, so this feature will not work if Anycast HSRP is enabled.

• SUP generated IP traffic (for example, ping/traceroute/ICMP Error packets) destined for VIP subnets originated from the HSRP Active/Standby box will continue to source with IPv4 SVI interface IP and not the vIP. If you want to explicitly source using the loopback IP for ping/traceroute, you can specify the loopback IP along with the source keyword.

• Static ARP configuration for creating entries in VIP subnets is not supported.


• The DHCP relay agent will always use the primary VIP address to communicate with the DHCP server. The DHCP relay agent does not consider use of secondary VIP addresses as long as the primary VIP is available.

• DHCP relay agent behavior in the inter-VRF case is different and requires use of Option 82 information in DHCP packets. The DHCP server and clients must be in the same VRF; use of the VIP is not supported for inter-VRF relay.

Default Settings for DHCP Snooping

This table lists the default settings for DHCP snooping parameters.

Table 18: Default DHCP Snooping Parameters

Parameters                                   Default
DHCP snooping feature                        Disabled
DHCP snooping globally enabled               No
DHCP snooping VLAN                           None
DHCP snooping Option 82 support              Disabled
DHCP snooping trust                          Untrusted
VRF support for the DHCP relay agent         Disabled
VRF support for the DHCPv6 relay agent       Disabled
DHCP relay agent                             Disabled
DHCPv6 relay agent                           Disabled
DHCPv6 relay option type cisco               Disabled

Configuring DHCP Snooping

Minimum DHCP Snooping Configuration

Procedure

Step 1: Enable the DHCP snooping feature.
Purpose: When the DHCP snooping feature is disabled, you cannot configure DHCP snooping. For details, see Enabling or Disabling the DHCP Snooping Feature, on page 234.

Step 2: Enable DHCP snooping globally.
Purpose: For details, see Enabling or Disabling DHCP Snooping Globally, on page 235.

Step 3: Enable DHCP snooping on at least one VLAN.
Purpose: By default, DHCP snooping is disabled on all VLANs. For details, see Enabling or Disabling DHCP Snooping on a VLAN, on page 235.

Step 4: Ensure that the DHCP server is connected to the switch using a trusted interface.
Purpose: For details, see Configuring an Interface as Trusted or Untrusted, on page 238.

Enabling or Disabling the DHCP Snooping Feature

You can enable or disable the DHCP snooping feature on the switch. By default, DHCP snooping is disabled.

Before You Begin

If you disable the DHCP snooping feature, all DHCP snooping configuration is lost. If you want to turn off DHCP snooping and preserve the DHCP snooping configuration, disable DHCP globally.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] feature dhcp
Purpose: Enables the DHCP snooping feature. The no option disables the DHCP snooping feature and erases all DHCP snooping configuration.
Example:
switch(config)# feature dhcp

Step 3: show running-config dhcp
Purpose: (Optional) Shows the DHCP snooping configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling or Disabling DHCP Snooping Globally

You can enable or disable DHCP snooping globally on the switch. Globally disabling DHCP snooping stops the switch from performing any DHCP snooping or relaying DHCP messages but preserves the DHCP snooping configuration.

Before You Begin

Ensure that you have enabled the DHCP snooping feature. By default, DHCP snooping is globally disabled.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip dhcp snooping
Purpose: Enables DHCP snooping globally. The no option disables DHCP snooping.
Example:
switch(config)# ip dhcp snooping

Step 3: show running-config dhcp
Purpose: (Optional) Shows the DHCP snooping configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling or Disabling DHCP Snooping on a VLAN

You can enable or disable DHCP snooping on one or more VLANs.


Before You Begin

By default, DHCP snooping is disabled on all VLANs.

Ensure that DHCP snooping is enabled.

Note

If a VACL is configured on a VLAN that you are configuring with DHCP snooping, ensure that the VACL permits DHCP traffic between DHCP servers and DHCP hosts.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip dhcp snooping vlan vlan-list
Purpose: Enables DHCP snooping on the VLANs specified by vlan-list. The no option disables DHCP snooping on the VLANs specified.
Example:
switch(config)# ip dhcp snooping vlan 100,200,250-252

Step 3: show running-config dhcp
Purpose: (Optional) Shows the DHCP snooping configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling or Disabling Option 82 Data Insertion and Removal

You can enable or disable the insertion and removal of Option 82 information for DHCP packets forwarded without the use of the DHCP relay agent.

Before You Begin

By default, the switch does not include Option 82 information in DHCP packets.

Ensure that DHCP snooping is enabled.


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip dhcp snooping information option
Purpose: Enables the insertion and removal of Option 82 information from DHCP packets. The no option disables the insertion and removal of Option 82 information.
Example:
switch(config)# ip dhcp snooping information option

Step 3: show running-config dhcp
Purpose: Shows the DHCP snooping configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling or Disabling Strict DHCP Packet Validation

You can enable or disable the strict validation of DHCP packets by the DHCP snooping feature. By default, strict validation of DHCP packets is disabled.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip dhcp packet strict-validation
Purpose: Enables the strict validation of DHCP packets by the DHCP snooping feature. The no option disables strict DHCP packet validation.
Example:
switch(config)# ip dhcp packet strict-validation

Step 3: show running-config dhcp
Purpose: (Optional) Shows the DHCP snooping configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Configuring an Interface as Trusted or Untrusted

You can configure whether an interface is a trusted or untrusted source of DHCP messages. You can configure DHCP trust on the following types of interfaces:

• Layer 2 Ethernet interfaces

• Layer 2 port-channel interfaces

Before You Begin

By default, all interfaces are untrusted.

Ensure that DHCP snooping is enabled.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: Enter one of the following commands:
interface ethernet port/slot
interface port-channel channel-number
Purpose:
• Enters interface configuration mode, where port/slot is the Layer 2 Ethernet interface that you want to configure as trusted or untrusted for DHCP snooping.
• Enters interface configuration mode, where channel-number is the Layer 2 port-channel interface that you want to configure as trusted or untrusted for DHCP snooping.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: [no] ip dhcp snooping trust
Purpose: Configures the interface as a trusted interface for DHCP snooping. The no option configures the port as an untrusted interface.
Example:
switch(config-if)# ip dhcp snooping trust

Step 4: show running-config dhcp
Purpose: (Optional) Shows the DHCP snooping configuration.
Example:
switch(config-if)# show running-config dhcp

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-if)# copy running-config startup-config

Enabling or Disabling the DHCP Relay Agent

You can enable or disable the DHCP relay agent. By default, the DHCP relay agent is enabled.

Before You Begin

Ensure that the DHCP feature is enabled.

Procedure

Step 1: config t
Purpose: Enters global configuration mode.
Example:
switch# config t
switch(config)#

Step 2: [no] ip dhcp relay
Purpose: Enables the DHCP relay agent. The no option disables the relay agent.
Example:
switch(config)# ip dhcp relay

Step 3: show ip dhcp relay
Purpose: (Optional) Displays the DHCP relay configuration.
Example:
switch(config)# show ip dhcp relay

Step 4: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch(config)# show running-config dhcp

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config


Enabling or Disabling Option 82 for the DHCP Relay Agent

You can enable or disable the device to insert and remove Option 82 information on DHCP packets forwarded by the relay agent.

By default, the DHCP relay agent does not include Option 82 information in DHCP packets.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip dhcp relay
Purpose: Enables the DHCP relay feature. The no option disables this behavior.
Example:
switch(config)# ip dhcp relay

Step 3: [no] ip dhcp relay information option
Purpose: Enables the DHCP relay agent to insert and remove Option 82 information on the packets that it forwards. The Option 82 information is in binary ifindex format by default. The no option disables this behavior.
Example:
switch(config)# ip dhcp relay information option

Step 4: [no] ip dhcp relay sub-option circuit-id customized
Purpose: (Optional) Enables retention of the unique circuit ID that is inserted by a client. The no option disables this behavior.
Note: By default, the circuit ID is the same for all hosts even when they are connected to different ports.
Example:
switch(config)# ip dhcp relay sub-option circuit-id customized

Step 5: show ip dhcp relay
Purpose: (Optional) Displays the DHCP relay configuration.
Example:
switch(config)# show ip dhcp relay

Step 6: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch(config)# show running-config dhcp

Step 7: copy running-config startup-config
Purpose: (Optional) Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling or Disabling VRF Support for the DHCP Relay Agent

You can configure the device to support the relaying of DHCP requests that arrive on an interface in one VRF to a DHCP server in a different VRF instance.

Before You Begin

You must enable Option 82 for the DHCP relay agent.

Procedure

Step 1
Command or Action: config t
Purpose: Enters global configuration mode.
Example:
switch# config t
switch(config)#

Step 2
Command or Action: [no] ip dhcp relay information option vpn
Purpose: Enables VRF support for the DHCP relay agent. The no option disables this behavior.
Example:
switch(config)# ip dhcp relay information option vpn

Step 3
Command or Action: [no] ip dhcp relay sub-option type cisco
Purpose: Enables DHCP to use Cisco proprietary numbers 150, 152, and 151 when filling the link selection, server ID override, and VRF name/VPN ID relay agent Option 82 suboptions. The no option causes DHCP to use RFC numbers 5, 11, and 151 for the link selection, server ID override, and VRF name/VPN ID suboptions.
Example:
switch(config)# ip dhcp relay sub-option type cisco

Step 4
Command or Action: show ip dhcp relay
Purpose: (Optional) Displays the DHCP relay configuration.
Example:
switch(config)# show ip dhcp relay

Step 5
Command or Action: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch(config)# show running-config dhcp

Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
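The following Python example, added here and not part of the Cisco guide, encodes and decodes the Option 82 that a VRF-aware relay agent inserts, using the RFC sub-option numbers (5, 11, 151) and the Cisco proprietary numbers (150, 152, 151) named in Step 3 above. It shows why a server expecting one numbering cannot name the sub-options written with the other, which is the interoperability point behind the command. The circuit ID, addresses and VRF name are constructed sample values; the VSS sub-option layout (type byte 0 followed by an ASCII VPN identifier) follows RFC 6607.

```python
"""DHCPv4 Option 82 (Relay Agent Information) encoder/decoder showing the
RFC versus Cisco sub-option numbering selected by 'ip dhcp relay sub-option
type cisco'. Added example, not Cisco code."""
import struct
from ipaddress import IPv4Address

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1          # RFC 3046
SUBOPT_REMOTE_ID = 2           # RFC 3046

# Sub-option numbers quoted by the guide: the "no" form of the command uses the
# RFC numbers (RFC 3527, RFC 5107, RFC 6607); "sub-option type cisco" uses 150/152.
RFC_NUMBERS = {"link_selection": 5, "server_id_override": 11, "vrf": 151}
CISCO_NUMBERS = {"link_selection": 150, "server_id_override": 152, "vrf": 151}


def encode_option82(suboptions):
    """Serialise (code, value) pairs into one complete Option 82 TLV."""
    body = b""
    for code, value in suboptions:
        if not 0 < len(value) <= 255:
            raise ValueError("sub-option value length out of range")
        body += struct.pack("BB", code, len(value)) + value
    if len(body) > 255:
        raise ValueError("Option 82 body exceeds 255 bytes")
    return struct.pack("BB", OPTION_RELAY_AGENT_INFO, len(body)) + body


def decode_option82(blob):
    """Parse an Option 82 TLV into {sub-option code: raw value}.

    Every length field is checked against the data actually present, so a
    truncated or padded option is rejected instead of being read past its end.
    """
    if len(blob) < 2 or blob[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an Option 82 TLV")
    if len(blob) != 2 + blob[1]:
        raise ValueError("Option 82 length does not match the data present")
    subs, pos = {}, 2
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated sub-option header")
        code, sublen = blob[pos], blob[pos + 1]
        value = blob[pos + 2:pos + 2 + sublen]
        if len(value) != sublen:
            raise ValueError("truncated sub-option value")
        if code in subs:
            raise ValueError("duplicate sub-option %d" % code)
        subs[code] = value
        pos += 2 + sublen
    return subs


def build_vrf_relay_info(circuit_id, link_subnet, server_override, vrf_name, cisco_numbering):
    """Build the Option 82 a VRF-aware relay would insert (all values constructed by the caller)."""
    numbers = CISCO_NUMBERS if cisco_numbering else RFC_NUMBERS
    # RFC 6607 VSS sub-option body: type 0 = NVT ASCII VPN identifier, then the name
    vss = b"\x00" + vrf_name.encode("ascii")
    return encode_option82([
        (SUBOPT_CIRCUIT_ID, circuit_id),
        (numbers["link_selection"], IPv4Address(link_subnet).packed),
        (numbers["server_id_override"], IPv4Address(server_override).packed),
        (numbers["vrf"], vss),
    ])


def interpret(subs, cisco_numbering):
    """Name the sub-options the way a server expecting the given numbering would."""
    numbers = CISCO_NUMBERS if cisco_numbering else RFC_NUMBERS
    names = {code: name for name, code in numbers.items()}
    names[SUBOPT_CIRCUIT_ID] = "circuit_id"
    names[SUBOPT_REMOTE_ID] = "remote_id"
    result = {}
    for code, value in subs.items():
        name = names.get(code, "unknown_%d" % code)
        if name in ("link_selection", "server_id_override") and len(value) == 4:
            result[name] = str(IPv4Address(value))
        elif name == "vrf" and value[:1] == b"\x00":
            result[name] = value[1:].decode("ascii", errors="replace")
        else:
            result[name] = value  # unknown numbering: the server cannot use it
    return result


if __name__ == "__main__":
    blob = build_vrf_relay_info(b"Eth2/2", "10.1.20.0", "10.1.20.1", "TENANT-A", cisco_numbering=True)
    print(interpret(decode_option82(blob), cisco_numbering=True))
    print(interpret(decode_option82(blob), cisco_numbering=False))
```

Running the block shows the same bytes interpreted twice: with the Cisco numbering every sub-option is named, with the RFC numbering sub-options 150 and 152 come back as unknown, which is what a server that does not understand the Cisco numbers would see.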

Enabling or Disabling Subnet Broadcast Support for the DHCP Relay Agent on a Layer 3 Interface

You can configure the device to support the relaying of DHCP packets from clients to a subnet broadcast IP address. When this feature is enabled, the VLAN ACLs (VACLs) accept IP broadcast packets and all subnet broadcast (primary subnet broadcast as well as secondary subnet broadcast) packets.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCP relay agent is enabled.

Procedure

Step 1
Command or Action: config t
Purpose: Enters global configuration mode.
Example:
switch# config t
switch(config)#

Step 2
Command or Action: interface interface slot/port
Purpose: Enters interface configuration mode, where slot/port is the interface for which you want to enable or disable subnet broadcast support for the DHCP relay agent.
Example:
switch(config)# interface ethernet 2/2
switch(config-if)#

Step 3
Command or Action: [no] ip dhcp relay subnet-broadcast
Purpose: Enables subnet broadcast support for the DHCP relay agent. The no option disables this behavior.
Example:
switch(config-if)# ip dhcp relay subnet-broadcast

Step 4
Command or Action: exit
Purpose: Exits interface configuration mode.
Example:
switch(config-if)# exit
switch(config)#

Step 5
Command or Action: exit
Purpose: Exits global configuration mode.
Example:
switch(config)# exit
switch#

Step 6
Command or Action: show ip dhcp relay
Purpose: (Optional) Displays the DHCP relay configuration.
Example:
switch# show ip dhcp relay

Step 7
Command or Action: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch# show running-config dhcp

Step 8
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch# copy running-config startup-config

Creating a DHCP Static Binding

You can create a static DHCP source binding to a Layer 2 interface.

Before You Begin

Ensure that you have enabled the DHCP snooping feature.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: ip source binding IP-address MAC-address vlan vlan-id {interface ethernet slot/port | port-channel channel-no}
Purpose: Binds the static source address to the Layer 2 Ethernet interface.
Example:
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3

Step 3
Command or Action: show ip dhcp snooping binding
Purpose: (Optional) Shows the DHCP snooping static and dynamic bindings.
Example:
switch(config)# show ip dhcp snooping binding

Step 4
Command or Action: show ip dhcp snooping binding dynamic
Purpose: (Optional) Shows the DHCP snooping dynamic bindings.
Example:
switch(config)# show ip dhcp snooping binding dynamic

Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

The following example shows how to create a static IP source entry associated with VLAN 100 on Ethernet interface 2/3:

switch# configure terminal
switch(config)# ip source binding 10.5.22.7 001f.28bd.0013 vlan 100 interface ethernet 2/3
switch(config)#

Configuring the DHCPv6 Relay Agent

Enabling or Disabling the DHCPv6 Relay Agent

Before You Begin

Ensure that the DHCP feature is enabled.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: [no] ipv6 dhcp relay
Purpose: Enables the DHCPv6 relay agent. The no option disables the relay agent.
Example:
switch(config)# ipv6 dhcp relay

Step 3
Command or Action: show ipv6 dhcp relay [interface interface]
Purpose: (Optional) Displays the DHCPv6 relay configuration.
Example:
switch(config)# show ipv6 dhcp relay

Step 4
Command or Action: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch(config)# show running-config dhcp

Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Enabling or Disabling VRF Support for the DHCPv6 Relay Agent

You can configure the device to support the relaying of DHCPv6 requests that arrive on an interface in one VRF to a DHCPv6 server in a different VRF.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCPv6 relay agent is enabled.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: [no] ipv6 dhcp relay option vpn
Purpose: Enables VRF support for the DHCPv6 relay agent. The no option disables this behavior.
Example:
switch(config)# ipv6 dhcp relay option vpn

Step 3
Command or Action: [no] ipv6 dhcp relay option type cisco
Purpose: Causes the DHCPv6 relay agent to insert virtual subnet selection (VSS) details as part of the vendor-specific option. The no option causes the DHCPv6 relay agent to insert VSS details as part of the VSS option (68), which is defined in RFC-6607. This command is useful when you want to use DHCPv6 servers that do not support RFC-6607 but allocate IPv6 addresses based on the client VRF name.
Example:
switch(config)# ipv6 dhcp relay option type cisco

Step 4
Command or Action: show ipv6 dhcp relay [interface interface]
Purpose: (Optional) Displays the DHCPv6 relay configuration.
Example:
switch(config)# show ipv6 dhcp relay

Step 5
Command or Action: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch(config)# show running-config dhcp

Step 6
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Configuring the DHCPv6 Relay Source Interface

You can configure the source interface for the DHCPv6 relay agent. By default, the DHCPv6 relay agent uses the relay agent address as the source address of the outgoing packet. Configuring the source interface enables you to use a more stable address (such as the loopback interface address) as the source address of relayed messages.

Before You Begin

Ensure that the DHCP feature is enabled.

Ensure that the DHCPv6 relay agent is enabled.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2
Command or Action: [no] ipv6 dhcp relay source-interface interface
Purpose: Configures the source interface for the DHCPv6 relay agent.
Note: The DHCPv6 relay source interface can be configured globally, per interface, or both. When both the global and interface levels are configured, the interface-level configuration overrides the global configuration.
Example:
switch(config)# ipv6 dhcp relay source-interface loopback 2

Step 3
Command or Action: show ipv6 dhcp relay [interface interface]
Purpose: (Optional) Displays the DHCPv6 relay configuration.
Example:
switch(config)# show ipv6 dhcp relay

Step 4
Command or Action: show running-config dhcp
Purpose: (Optional) Displays the DHCP configuration.
Example:
switch(config)# show running-config dhcp

Step 5
Command or Action: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Configuring Lightweight DHCPv6 Relay Agent

Configuring Lightweight DHCPv6 Relay Agent for an Interface

Perform this task to configure Lightweight DHCPv6 Relay Agent (LDRA) for an interface.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: [no] ipv6 dhcp ldra
Purpose: Enables the LDRA functionality globally.
Example:
switch(config)# ipv6 dhcp ldra

Step 3
Command or Action: interface slot/port
Purpose: Specifies an interface type and number, and enters interface configuration mode.
Example:
switch(config)# interface ethernet 0/0

Step 4
Command or Action: switchport
Purpose: Switches an interface that is in Layer 3 mode to Layer 2 mode for Layer 2 configuration.
Example:
switch(config-if)# switchport

Step 5
Command or Action: [no] ipv6 dhcp-ldra {client-facing-trusted | client-facing-untrusted | client-facing-disable | server-facing}
Purpose: Enables LDRA functionality on a specified interface or port. The no option disables the LDRA functionality.
Note: The client-facing-trusted keyword specifies client-facing interfaces or ports as trusted. A trusted port accepts DHCPv6 packets and encapsulates them with the LDRA options. The client-facing-untrusted keyword specifies client-facing interfaces or ports as untrusted. Untrusted ports perform the LDRA function but drop the relay-forward packets received on them. The client-facing-disable keyword disables LDRA functionality on an interface or port; a disabled port performs plain Layer 2 forwarding of DHCPv6 packets. The server-facing keyword specifies an interface or port as server facing. A server-facing port accepts the reply packets from the server.
Example:
switch(config-if)# ipv6 dhcp-ldra server-facing

Configuring Lightweight DHCPv6 Relay Agent for a VLAN

Perform this task to configure Lightweight DHCPv6 Relay Agent (LDRA) for a VLAN.

Before You Begin

Ensure that the VLAN is not assigned an IP address.

Procedure

Step 1
Command or Action: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal

Step 2
Command or Action: [no] ipv6 dhcp ldra
Purpose: Enables the LDRA functionality globally.
Example:
switch(config)# ipv6 dhcp ldra

Step 3
Command or Action: [no] ipv6 dhcp-ldra attach-policy vlan vlan-id {client-facing-trusted | client-facing-untrusted}
Purpose: Enables LDRA functionality on the specified VLAN. The no option disables the LDRA functionality.
Note: The client-facing-trusted keyword configures all the ports or interfaces associated with the VLAN as client-facing, trusted ports. The client-facing-untrusted keyword configures all the ports or interfaces associated with the VLAN as client-facing, untrusted ports.
Example:
switch(config)# ipv6 dhcp-ldra attach-policy vlan 25 client-facing-trusted
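The following Python example, added here and not Cisco code, models how an LDRA port carrying each of the policy keywords from the two procedures above (the per-interface form and the VLAN form) handles a DHCPv6 message, and counts drops under the same reason names that show ipv6 dhcp-ldra statistics reports later in this chapter. Client messages are encapsulated in RELAY-FORW the way RFC 6221 describes (link-address ::, peer-address the client's link-local address, an Interface-ID option naming the ingress port) and the RFC 3315 hop-count limit is applied to relay-forward messages from a downstream relay. The order of the checks, the treatment of unexpected message types on server-facing ports and the sample messages are assumptions of the model, not statements from the guide.

```python
"""Model of the LDRA (RFC 6221) forwarding decision for the port roles in the
guide, counting drops under the names used by 'show ipv6 dhcp-ldra statistics'.
Added example, not Cisco code; the check order is this model's assumption."""
import struct
from ipaddress import IPv6Address

# DHCPv6 message types (RFC 3315)
SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND, REPLY = 1, 2, 3, 4, 5, 6, 7
RELEASE, DECLINE, RECONFIGURE, INFORMATION_REQUEST, RELAY_FORW, RELAY_REPL = 8, 9, 10, 11, 12, 13
CLIENT_MSGS = {SOLICIT, REQUEST, CONFIRM, RENEW, REBIND, RELEASE, DECLINE, INFORMATION_REQUEST}
SERVER_MSGS = {ADVERTISE, REPLY, RECONFIGURE}
OPT_RELAY_MSG, OPT_INTERFACE_ID = 9, 18
HOP_COUNT_LIMIT = 32  # RFC 3315: a RELAY-FORW whose hop-count is >= the limit is discarded

# Drop counters as named in the guide's 'show ipv6 dhcp-ldra statistics' output
INVALID_TYPE = "Invalid Message Type"
MAX_HOPS = "Max hops exceeded"
RELAY_FORW_UNTRUSTED = "Relay Forward Received on Untrusted port"
INVALID_TYPE_CLIENT = "Invalid Message Type on Client facing port"
NO_SERVER_PORT = "No Server Port Present"


def encapsulate(inner, peer_link_local, interface_id, hop_count=0):
    """Wrap a message in RELAY-FORW as an LDRA does: link-address ::, peer = the
    sender, Interface-ID naming the ingress port, Relay-Message carrying the payload."""
    header = (struct.pack("!BB", RELAY_FORW, hop_count)
              + IPv6Address("::").packed + IPv6Address(peer_link_local).packed)
    options = (struct.pack("!HH", OPT_INTERFACE_ID, len(interface_id)) + interface_id
               + struct.pack("!HH", OPT_RELAY_MSG, len(inner)) + inner)
    return header + options


def parse_relay(msg):
    """Return (hop_count, peer_address, {option code: value}) of a RELAY-FORW/RELAY-REPL."""
    if len(msg) < 34 or msg[0] not in (RELAY_FORW, RELAY_REPL):
        raise ValueError("not a relay message")
    options, pos = {}, 34
    while pos < len(msg):
        if pos + 4 > len(msg):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        pos += 4 + length
    return msg[1], IPv6Address(msg[18:34]), options


def ldra_decide(role, msg, peer_link_local, interface_id, server_port_present, stats):
    """Return ('forward', bytes_to_send) or ('drop', reason); 'stats' is a dict of drop counts.

    role is one of the guide's keywords: client-facing-trusted, client-facing-untrusted,
    client-facing-disable or server-facing.
    """
    def drop(reason):
        stats[reason] = stats.get(reason, 0) + 1
        return ("drop", reason)

    mtype = msg[0]
    if role == "client-facing-disable":
        return ("forward", msg)  # plain Layer 2 forwarding, no LDRA processing
    if role == "server-facing":
        if mtype != RELAY_REPL:
            return drop(INVALID_TYPE)  # only replies from the server are accepted here
        _, _, options = parse_relay(msg)
        if OPT_RELAY_MSG not in options:
            return drop(INVALID_TYPE)
        return ("forward", options[OPT_RELAY_MSG])  # decapsulated, sent toward the client
    # client-facing-trusted or client-facing-untrusted
    if mtype in SERVER_MSGS or mtype == RELAY_REPL:
        return drop(INVALID_TYPE_CLIENT)  # a server message has no business arriving here
    if mtype == RELAY_FORW:
        if role == "client-facing-untrusted":
            return drop(RELAY_FORW_UNTRUSTED)  # untrusted ports drop relay-forward packets
        hop_count = msg[1]
        if hop_count >= HOP_COUNT_LIMIT:
            return drop(MAX_HOPS)
        new_hop = hop_count + 1
    elif mtype in CLIENT_MSGS:
        new_hop = 0
    else:
        return drop(INVALID_TYPE)
    if not server_port_present:
        return drop(NO_SERVER_PORT)  # nowhere to send the encapsulated message
    return ("forward", encapsulate(msg, peer_link_local, interface_id, new_hop))
```

A practitioner reading the drop counters can map each one back to the decision that produced it: a rising "Relay Forward Received on Untrusted port" count, for instance, means something downstream of a client-facing-untrusted port is emitting relay-forward messages, which a plain client never does.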

Enabling DHCP Relay Agent using VIP Address

Procedure

Step 1
Command or Action: switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command or Action: switch(config)# [no] ip dhcp relay source-address hsrp
Purpose: Enables/Disables DHCP relay agent to use VIP globally.

Step 3
Command or Action: switch(config)# interface type number
Purpose: Enters interface configuration mode.

Step 4
Command or Action: switch(config-if)# [no] ip dhcp relay source-address hsrp
Purpose: Enables/Disables DHCP relay agent to use VIP at L3 interface level.

Step 5
Command or Action: switch(config-if)# end
Purpose: Returns to privileged EXEC mode.

Step 6
Command or Action: (Optional) switch# show ip dhcp relay
Purpose: Displays the DHCP relay configuration.

Step 7
Command or Action: (Optional) switch# show hsrp brief
Purpose: Displays the summary of Hot Standby Router Protocol (HSRP) information.

The following example enables DHCP relay agent using VIP address:

interface vlan 500
  ip address 5.5.5.5/24
  ip dhcp relay source-address hsrp
  ip dhcp relay address 100.100.100.100
  hsrp 10
    ip 17.17.17.17/28
    ip 15.15.15.20/28 secondary

Verifying the DHCP Snooping Configuration

To display DHCP snooping configuration information, perform one of the following tasks. For detailed information about the fields in the output from these commands, see the System Management Configuration Guide for your Cisco Nexus device.

Command: show running-config dhcp
Purpose: Displays the DHCP snooping configuration.

Command: show ip dhcp relay
Purpose: Displays the DHCP relay configuration.

Command: show ipv6 dhcp relay [interface interface]
Purpose: Displays the DHCPv6 relay global or interface-level configuration.

Command: show ip dhcp snooping
Purpose: Displays general information about DHCP snooping.

Displaying DHCP Bindings

Use the show ip dhcp snooping binding command to display the DHCP static and dynamic binding table.

Use the show ip dhcp snooping binding dynamic command to display the DHCP dynamic binding table.

For detailed information about the fields in the output from this command, see the System Management Configuration Guide for your Cisco Nexus device.

This example shows how to create a static DHCP binding and then verify the binding using the show ip dhcp snooping binding command.

switch# configure terminal
switch(config)# ip source binding 10.20.30.40 0000.1111.2222 vlan 400 interface port-channel 500
switch(config)# show ip dhcp snooping binding
MacAddress         IpAddress    LeaseSec  Type    VLAN  Interface
--------------------------------------------------------------
00:00:11:11:22:22  10.20.30.40  infinite  static  400   port-channel500

Displaying and Clearing LDRA Information

To display Lightweight DHCPv6 Relay Agent (LDRA) information, use one of the commands in this table.

Command: show ipv6 dhcp-ldra
Purpose: Displays the LDRA configuration details.

Command: show ipv6 dhcp-ldra statistics
Purpose: Displays LDRA configuration statistics before and after initiating a DHCP session.

Command: show ipv6 dhcp-ldra statistics vlan vlan-id
Purpose: Displays LDRA configuration statistics for the specified VLAN.

Command: show ipv6 dhcp-ldra statistics interface interface-id
Purpose: Displays LDRA configuration statistics for the specified interface.

To clear the DHCPv6 LDRA-specific statistics, use the clear ipv6 dhcp-ldra statistics command.

Displaying LDRA Configuration Details

The following example shows the LDRA configuration details for a switch:

switch(config)# show ipv6 dhcp-ldra
DHCPv6 LDRA is Enabled.
DHCPv6 LDRA policy: client-facing-trusted
    Target: Ethernet1/1
DHCPv6 LDRA policy: client-facing-untrusted
    Target: vlan 102 vlan 103
DHCPv6 LDRA policy: server-facing
    Target: port-channel101

Displaying the LDRA Statistics

The following example displays the LDRA statistics:

switch(config)# show ipv6 dhcp-ldra statistics

PACKET STATS:
---------------------------------------------------------
Message Type                 Rx        Tx        Drops  |
---------------------------------------------------------
SOLICIT                      0         0         0      |
ADVERTISE                    0         0         0      |
REQUEST                      0         0         0      |
CONFIRM                      0         0         0      |
RENEW                        0         0         0      |
REBIND                       0         0         0      |
REPLY                        0         0         0      |
RELEASE                      0         0         0      |
DECLINE                      0         0         0      |
RECONFIGURE                  0         0         0      |
INFORMATION_REQUEST          0         0         0      |
RELAY_FORWARD                0         0         0      |
RELAY_REPLY                  0         0         0      |
---------------------------------------------------------
Total                        0         0         0      |
---------------------------------------------------------

CFS STATS:
---------------------------------------------------------
Message Type                 Rx        Tx        Drops  |
---------------------------------------------------------
SOLICIT                      0         0         0      |
ADVERTISE                    0         0         0      |
REQUEST                      0         0         0      |
CONFIRM                      0         0         0      |
RENEW                        0         0         0      |
REBIND                       0         0         0      |
REPLY                        0         0         0      |
RELEASE                      0         0         0      |
DECLINE                      0         0         0      |
RECONFIGURE                  0         0         0      |
INFORMATION_REQUEST          0         0         0      |
RELAY_FORWARD                0         0         0      |
RELAY_REPLY                  0         0         0      |
---------------------------------------------------------
Total                        0         0         0      |
---------------------------------------------------------

Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:      0
Total Packets Forwarded:     0
Total Packets Dropped:       0
---------------------------------------------------------

DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             0
Relay Forward Received on Untrusted port:      0
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0

The following example displays the LDRA statistics for the interface Ethernet1/1:

SWITCH(config)# show ipv6 dhcp-ldra statistics interface e1/1

INTERFACE: Ethernet1/1

PACKET STATS:
---------------------------------------------------------
Message Type                 Rx        Tx        Drops  |
---------------------------------------------------------
SOLICIT                      0         0         0      |
ADVERTISE                    0         0         0      |
REQUEST                      0         0         0      |
CONFIRM                      0         0         0      |
RENEW                        0         0         0      |
REBIND                       0         0         0      |
REPLY                        0         0         0      |
RELEASE                      0         0         0      |
DECLINE                      0         0         0      |
RECONFIGURE                  0         0         0      |
INFORMATION_REQUEST          0         0         0      |
RELAY_FORWARD                0         0         0      |
RELAY_REPLY                  0         0         0      |
---------------------------------------------------------
Total                        0         0         0      |
---------------------------------------------------------

CFS STATS:
---------------------------------------------------------
Message Type                 Rx        Tx        Drops  |
---------------------------------------------------------
SOLICIT                      0         0         0      |
ADVERTISE                    0         0         0      |
REQUEST                      0         0         0      |
CONFIRM                      0         0         0      |
RENEW                        0         0         0      |
REBIND                       0         0         0      |
REPLY                        0         0         0      |
RELEASE                      0         0         0      |
DECLINE                      0         0         0      |
RECONFIGURE                  0         0         0      |
INFORMATION_REQUEST          0         0         0      |
RELAY_FORWARD                0         0         0      |
RELAY_REPLY                  0         0         0      |
---------------------------------------------------------
Total                        0         0         0      |
---------------------------------------------------------

Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:      0
Total Packets Forwarded:     0
Total Packets Dropped:       0
---------------------------------------------------------

DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             0
Relay Forward Received on Untrusted port:      0
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0

The following example displays the LDRA statistics for the VLAN 101:

SWITCH(config)# show ipv6 dhcp-ldra statistics vlan 101

VLAN: 101

PACKET STATS:
---------------------------------------------------------
Message Type                 Rx        Tx        Drops  |
---------------------------------------------------------
SOLICIT                      0         0         0      |
ADVERTISE                    0         0         0      |
REQUEST                      0         0         0      |
CONFIRM                      0         0         0      |
RENEW                        0         0         0      |
REBIND                       0         0         0      |
REPLY                        0         0         0      |
RELEASE                      0         0         0      |
DECLINE                      0         0         0      |
RECONFIGURE                  0         0         0      |
INFORMATION_REQUEST          0         0         0      |
RELAY_FORWARD                0         0         0      |
RELAY_REPLY                  0         0         0      |
---------------------------------------------------------
Total                        0         0         0      |
---------------------------------------------------------

CFS STATS:
---------------------------------------------------------
Message Type                 Rx        Tx        Drops  |
---------------------------------------------------------
SOLICIT                      0         0         0      |
ADVERTISE                    0         0         0      |
REQUEST                      0         0         0      |
CONFIRM                      0         0         0      |
RENEW                        0         0         0      |
REBIND                       0         0         0      |
REPLY                        0         0         0      |
RELEASE                      0         0         0      |
DECLINE                      0         0         0      |
RECONFIGURE                  0         0         0      |
INFORMATION_REQUEST          0         0         0      |
RELAY_FORWARD                0         0         0      |
RELAY_REPLY                  0         0         0      |
---------------------------------------------------------
Total                        0         0         0      |
---------------------------------------------------------

Non-DHCPv6 LDRA Packets:
---------------------------------------------------------
Total Packets Received:      0
Total Packets Forwarded:     0
Total Packets Dropped:       0
---------------------------------------------------------

DHCPv6 LDRA DROPS
---------------------------------------------------------
Invalid Message Type:                          0
Max hops exceeded:                             0
Relay Forward Received on Untrusted port:      0
Packet received over MCT:                      0
Invalid Message Type on Client facing port:    0
No Server Port Present:                        0

Clearing the DHCP Snooping Binding Database

You can remove entries from the DHCP snooping binding database, including a single entry, all entries associated with an interface, or all entries in the database.

Before You Begin

Ensure that DHCP snooping is enabled.

Procedure

Step 1
Command or Action: clear ip dhcp snooping binding
Purpose: (Optional) Clears all entries from the DHCP snooping binding database.
Example:
switch# clear ip dhcp snooping binding

Step 2
Command or Action: clear ip dhcp snooping binding interface ethernet slot/port[.subinterface-number]
Purpose: (Optional) Clears entries associated with a specific Ethernet interface from the DHCP snooping binding database.
Example:
switch# clear ip dhcp snooping binding interface ethernet 1/4

Step 3
Command or Action: clear ip dhcp snooping binding interface port-channel channel-number[.subchannel-number]
Purpose: (Optional) Clears entries associated with a specific port-channel interface from the DHCP snooping binding database.
Example:
switch# clear ip dhcp snooping binding interface port-channel 72

Step 4
Command or Action: clear ip dhcp snooping binding vlan vlan-id mac mac-address ip ip-address interface {ethernet slot/port[.subinterface-number] | port-channel channel-number[.subchannel-number]}
Purpose: (Optional) Clears a single, specific entry from the DHCP snooping binding database.
Example:
switch# clear ip dhcp snooping binding vlan 23 mac 0060.3aeb.54f0 ip 10.34.54.9 interface ethernet 2/11

Step 5
Command or Action: show ip dhcp snooping binding
Purpose: (Optional) Displays the DHCP snooping binding database.
Example:
switch# show ip dhcp snooping binding

Clearing DHCP Relay Statistics

Use the clear ip dhcp relay statistics command to clear the global DHCP relay statistics.

Use the clear ip dhcp relay statistics interface interface command to clear the DHCP relay statistics for a particular interface.

Use the clear ip dhcp relay statistics interface interface serverip ip-address [use-vrf vrf-name] command to clear the DHCP relay statistics at the server level for a particular interface.

Clearing DHCPv6 Relay Statistics

Use the clear ipv6 dhcp relay statistics command to clear the global DHCPv6 relay statistics.

Use the clear ipv6 dhcp relay statistics interface interface command to clear the DHCPv6 relay statistics for a particular interface.

Use the clear ipv6 dhcp relay statistics interface interface server-ip ip-address [use-vrf vrf-name] command to clear the DHCPv6 relay statistics at the server level for a particular interface.

Monitoring DHCP

Use the show ip dhcp snooping statistics command to monitor DHCP snooping.

Use the show ip dhcp relay statistics [interface interface [serverip ip-address [use-vrf vrf-name]]] command to monitor DHCP relay statistics at the global, server, or interface level.

Use the show ip dhcp snooping statistics vlan [vlan-id] interface [ethernet|port-channel][id] command to display the DHCP snooping statistics for a particular interface within a VLAN.

Use the show ipv6 dhcp relay statistics [interface interface [server-ip ip-address [use-vrf vrf-name]]] command to monitor DHCPv6 relay statistics at the global, server, or interface level.

Configuration Examples for DHCP Snooping

The following example shows how to enable DHCP snooping on two VLANs, with Option 82 support enabled and Ethernet interface 2/5 trusted because the DHCP server is connected to that interface:

feature dhcp
ip dhcp snooping
ip dhcp snooping info option
interface Ethernet 2/5
  ip dhcp snooping trust
ip dhcp snooping vlan 1
ip dhcp snooping vlan 50


Configuration Examples for LDRA

Configuring LDRA for an Interface

The following example shows how to enable LDRA and configure interface Ethernet 1/1 as client-facing and trusted:

switch# configure terminal
switch(config)# ipv6 dhcp ldra
switch(config)# interface ethernet 1/1
switch(config-if)# switchport
switch(config-if)# ipv6 dhcp-ldra client-facing-trusted
switch(config-if)# exit
switch(config)# interface ethernet 1/0
switch(config-if)# switchport
switch(config-if)# ipv6 dhcp-ldra attach-policy server-facing
switch(config-if)# exit

Configuring LDRA for a VLAN

The following example shows how to enable LDRA and configure the VLAN with VLAN ID 25 as client-facing and trusted:

switch# configure terminal
switch(config)# ipv6 dhcp ldra
switch(config)# ipv6 dhcp-ldra attach-policy vlan 25 client-facing-trusted


CHAPTER 12

Configuring Dynamic ARP Inspection

This chapter contains the following sections:

Information About DAI, page 257

Licensing Requirements for DAI, page 261

Prerequisites for DAI, page 262

Guidelines and Limitations for DAI, page 262

Default Settings for DAI, page 263

Configuring DAI, page 263

Verifying the DAI Configuration, page 269

Monitoring and Clearing DAI Statistics, page 269

Configuration Examples for DAI, page 270

Configuring ARP ACLs, page 275

Verifying the ARP ACL Configuration, page 279

Information About DAI

ARP

ARP provides IP communication within a Layer 2 broadcast domain by mapping an IP address to a MAC address. For example, host B wants to send information to host A but does not have the MAC address of host A in its ARP cache. In ARP terms, host B is the sender and host A is the target.

To get the MAC address of host A, host B generates a broadcast message for all hosts within the broadcast domain to obtain the MAC address associated with the IP address of host A. All hosts within the broadcast domain receive the ARP request, and host A responds with its MAC address.


ARP Spoofing Attacks

ARP spoofing attacks and ARP cache poisoning can occur because ARP allows a reply from a host even if an ARP request was not received. After the attack, all traffic from the device under attack flows through the attacker’s computer and then to the router, switch, or host.

An ARP spoofing attack can affect hosts, switches, and routers connected to your Layer 2 network by sending false information to the ARP caches of the devices connected to the subnet. Sending false information to an ARP cache is known as ARP cache poisoning. Spoof attacks can also intercept traffic intended for other hosts on the subnet.

This figure shows an example of ARP cache poisoning.

Figure 14: ARP Cache Poisoning

Hosts A, B, and C are connected to the device on interfaces A, B, and C, which are on the same subnet. Their IP and MAC addresses are shown in parentheses; for example, host A uses IP address IA and MAC address MA. When host A needs to send IP data to host B, it broadcasts an ARP request for the MAC address associated with IP address IB. When the device and host B receive the ARP request, they populate their ARP caches with an ARP binding for a host with the IP address IA and a MAC address MA; for example, IP address IA is bound to MAC address MA. When host B responds, the device and host A populate their ARP caches with a binding for a host with the IP address IB and the MAC address MB.

Host C can poison the ARP caches of the device, host A, and host B by broadcasting two forged ARP responses with bindings: one for a host with an IP address of IA and a MAC address of MC and another for a host with the IP address of IB and a MAC address of MC. Host B and the device then use the MAC address MC as the destination MAC address for traffic intended for IA, which means that host C intercepts that traffic. Likewise, host A and the device use the MAC address MC as the destination MAC address for traffic intended for IB.

Because host C knows the true MAC addresses associated with IA and IB, it can forward the intercepted traffic to those hosts by using the correct MAC address as the destination. This topology, in which host C has inserted itself into the traffic stream from host A to host B, is an example of a man-in-the-middle attack.

DAI and ARP Spoofing Attacks

DAI ensures that only valid ARP requests and responses are relayed. When DAI is enabled and properly configured, a Cisco Nexus device performs these activities:

• Intercepts all ARP requests and responses on untrusted ports

• Verifies that each of these intercepted packets has a valid IP-to-MAC address binding before updating the local ARP cache or before forwarding the packet to the appropriate destination

• Drops invalid ARP packets


DAI can determine the validity of an ARP packet based on valid IP-to-MAC address bindings stored in a Dynamic Host Configuration Protocol (DHCP) snooping binding database. This database is built by DHCP snooping if DHCP snooping is enabled on the VLANs and on the device. It can also contain static entries that you create. If the ARP packet is received on a trusted interface, the device forwards the packet without any checks. On untrusted interfaces, the device forwards the packet only if it is valid.

You can configure DAI to drop ARP packets when the IP addresses in the packets are invalid or when the MAC addresses in the body of the ARP packets do not match the addresses specified in the Ethernet header.

Related Topics

Applying ARP ACLs to VLANs for DAI Filtering, on page 265

Logging DAI Packets, on page 261

Enabling or Disabling Additional Validation, on page 266

Interface Trust States and Network Security

DAI associates a trust state with each interface on the device. Packets that arrive on trusted interfaces bypass all DAI validation checks, and packets that arrive on untrusted interfaces go through the DAI validation process.

In a typical network configuration, the guidelines for configuring the trust state of interfaces are as follows:

Untrusted: Interfaces that are connected to hosts

Trusted: Interfaces that are connected to devices

With this configuration, all ARP packets that enter the network from a device bypass the security check. No other validation is needed at any other place in the VLAN or in the network.

Caution

Use the trust state configuration carefully. Configuring interfaces as untrusted when they should be trusted can result in a loss of connectivity.

In the following figure, assume that both device A and device B are running DAI on the VLAN that includes host 1 and host 2. If host 1 and host 2 acquire their IP addresses from the DHCP server connected to device A, only device A binds the IP-to-MAC address of host 1. If the interface between device A and device B is untrusted, the ARP packets from host 1 are dropped by device B and connectivity between host 1 and host 2 is lost.

Figure 15: ARP Packet Validation on a VLAN Enabled for DAI

If you configure interfaces as trusted when they should be untrusted, you may open a security hole in a network.

If device A is not running DAI, host 1 can easily poison the ARP cache of device B (and host 2, if you configured the link between the devices as trusted). This condition can occur even though device B is running DAI.

DAI ensures that hosts (on untrusted interfaces) connected to a device that runs DAI do not poison the ARP caches of other hosts in the network; however, DAI does not prevent hosts in other portions of the network from poisoning the caches of the hosts that are connected to a device that runs DAI.

If some devices in a VLAN run DAI and other devices do not, the guidelines for configuring the trust state of interfaces on a device that runs DAI become the following:

Untrusted: Interfaces that are connected to hosts or to devices that are not running DAI

Trusted: Interfaces that are connected to devices that are running DAI

To validate the bindings of packets from devices that do not run DAI, configure ARP ACLs on the device that runs DAI. When you cannot determine the bindings, isolate at Layer 3 the devices that run DAI from devices that do not run DAI.

Note

Depending on your network setup, you may not be able to validate a given ARP packet on all devices in the VLAN.

Related Topics

Configuring the DAI Trust State of a Layer 2 Interface, on page 264

Prioritizing ARP ACLs and DHCP Snooping Entries

By default, DAI filters ARP traffic by comparing ARP packets to the IP-MAC address bindings in the DHCP snooping database.


When DAI is applied, it takes precedence over ARP ACLs and VACLs. The device denies or permits the packet based on whether a valid IP-MAC binding exists in the DHCP snooping database irrespective of any user-configured ARP ACLs or VACLs.

If you apply a VACL and an ARP ACL to a VLAN and you configured the VACL to act on ARP traffic, the device permits or denies ARP traffic as determined by the VACL, not the ARP ACL.

Related Topics

Applying ARP ACLs to VLANs for DAI Filtering, on page 265

Configuring ARP ACLs, on page 275

Session Manager Support for ARP ACLs, on page 275

Creating an ARP ACL, on page 275

Changing an ARP ACL, on page 276

Removing an ARP ACL, on page 277

Changing Sequence Numbers in an ARP ACL, on page 278

Logging DAI Packets

Cisco NX-OS maintains a buffer of log entries about DAI packets processed. Each log entry contains flow information, such as the receiving VLAN, the port number, the source and destination IP addresses, and the source and destination MAC addresses.

You can also specify the type of packets that are logged. By default, a Cisco Nexus device logs only packets that DAI drops.

If the log buffer overflows, the device overwrites the oldest DAI log entries with newer entries. You can configure the maximum number of entries in the buffer.

Note

Cisco NX-OS does not generate system messages about DAI packets that are logged.

Related Topics

Configuring the DAI Logging Buffer Size, on page 267

Configuring DAI Log Filtering, on page 268

Licensing Requirements for DAI

This table shows the licensing requirements for DAI.

Product: Cisco NX-OS

License Requirement: DAI requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.


Prerequisites for DAI

• You must enable the DHCP feature before you can configure DAI.

Guidelines and Limitations for DAI

DAI has the following configuration guidelines and limitations:

• DAI is an ingress security feature; it does not perform any egress checking.

• DAI is not effective for hosts connected to devices that do not support DAI or that do not have this feature enabled. Because man-in-the-middle attacks are limited to a single Layer 2 broadcast domain, you should separate the domain with DAI from domains without DAI. This separation secures the ARP caches of hosts in the domain with DAI.

• DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, DHCP snooping needs only to be enabled. If you want DAI to use dynamic IP-MAC address bindings to determine if ARP packets are valid, you must configure DHCP snooping on the same VLANs on which you configure DAI.

• When you use the feature dhcp command to enable the DHCP feature, there is a delay of approximately 30 seconds before the I/O modules receive the DHCP or DAI configuration. This delay occurs regardless of the method that you use to change from a configuration with the DHCP feature disabled to a configuration with the DHCP feature enabled. For example, if you use the Rollback feature to revert to a configuration that enables the DHCP feature, the I/O modules receive the DHCP and DAI configuration approximately 30 seconds after you complete the rollback.

• DAI is supported on access ports, trunk ports, port-channel ports, and private VLAN ports.

• The DAI trust configuration of a port channel determines the trust state of all physical ports that you assign to the port channel. For example, if you have configured a physical port as a trusted interface and then you add that physical port to a port channel that is an untrusted interface, the physical port becomes untrusted.

• When you remove a physical port from a port channel, the physical port does not retain the DAI trust state configuration of the port channel.

• When you change the trust state on the port channel, the device configures a new trust state on all the physical ports that comprise the channel.

• If you want DAI to use static IP-MAC address bindings to determine if ARP packets are valid, ensure that DHCP snooping is enabled and that you have configured the static IP-MAC address bindings.

• If you want DAI to use dynamic IP-MAC address bindings to determine if ARP packets are valid, ensure that DHCP snooping is enabled.

• ARP ACLs can be used to perform SPAN on ACL.

• ARP ACLs can be used for ACL-based classification for QoS policies, but cannot be used for policies that are FEX offloaded.

• DAI takes precedence over VACL and ARP ACL, and VACL takes precedence over ARP ACL.


• The maximum number of match criteria in an ARP ACL is limited by the free space in the TCAM for the VACL region. For the Cisco Nexus device, each match criterion typically takes 2 entries because the ARP key type is a wide entry.

Default Settings for DAI

This table lists the default settings for DAI parameters.

Table 19: Default DAI Parameters

Parameter: DAI
Default: Disabled on all VLANs.

Parameter: Interface trust state
Default: All interfaces are untrusted.

Parameter: Validation checks
Default: No checks are performed.

Parameter: Log buffer
Default: When DAI is enabled, all denied or dropped ARP packets are logged. The number of entries in the log is 32. The number of system messages is limited to 5 per second. The logging-rate interval is 1 second.

Parameter: Per-VLAN logging
Default: All denied or dropped ARP packets are logged.

Configuring DAI

Enabling or Disabling DAI on VLANs

You can enable or disable DAI on VLANs. By default, DAI is disabled on all VLANs.

Before You Begin

If you are enabling DAI, ensure the following:

• The DHCP feature is enabled.

• The VLANs on which you want to enable DAI are configured.


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip arp inspection vlan list
Purpose: Enables DAI for the specified list of VLANs. The no option disables DAI for the specified VLANs.
Example:
switch(config)# ip arp inspection vlan 13

Step 3: show ip arp inspection vlan list
Purpose: (Optional) Shows the DAI status for the specified list of VLANs.
Example:
switch(config)# show ip arp inspection vlan 13

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Configuring the DAI Trust State of a Layer 2 Interface

You can configure the DAI interface trust state of a Layer 2 interface. By default, all interfaces are untrusted.

A device forwards ARP packets that it receives on a trusted Layer 2 interface but does not check them.

On untrusted interfaces, the device intercepts all ARP requests and responses and verifies that the intercepted packets have valid IP-MAC address bindings before updating the local cache and forwarding the packet to the appropriate destination. If the device determines that packets have invalid bindings, it drops the packets and logs them according to the logging configuration.

Before You Begin

If you are enabling DAI, ensure that the DHCP feature is enabled.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: interface type number / slot
Purpose: Enters interface configuration mode.
Example:
switch(config)# interface ethernet 2/1
switch(config-if)#

Step 3: [no] ip arp inspection trust
Purpose: Configures the interface as a trusted ARP interface. The no option configures the interface as an untrusted ARP interface.
Example:
switch(config-if)# ip arp inspection trust

Step 4: show ip arp inspection interface type number / slot
Purpose: (Optional) Displays the trust state and the ARP packet rate for the specified interface.
Example:
switch(config-if)# show ip arp inspection interface ethernet 2/1

Step 5: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-if)# copy running-config startup-config

Related Topics

Interface Trust States and Network Security, on page 259

Configuring DAI Log Filtering, on page 268

Applying ARP ACLs to VLANs for DAI Filtering

You can apply an ARP ACL to one or more VLANs. The device permits packets only if the ACL permits them. By default, no VLANs have an ARP ACL applied.

Before You Begin

Ensure that the ARP ACL that you want to apply is correctly configured.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip arp inspection filter acl-name vlan list
Purpose: Applies the ARP ACL to the list of VLANs, or if you use the no option, removes the ARP ACL from the list of VLANs.
Example:
switch(config)# ip arp inspection filter arp-acl-01 vlan 100

Step 3: show ip arp inspection vlan list
Purpose: (Optional) Shows the DAI status for the specified list of VLANs, including whether an ARP ACL is applied.
Example:
switch(config)# show ip arp inspection vlan 100

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Related Topics

Configuring ARP ACLs, on page 275

Session Manager Support for ARP ACLs, on page 275

Creating an ARP ACL, on page 275

Changing an ARP ACL, on page 276

Removing an ARP ACL, on page 277

Changing Sequence Numbers in an ARP ACL, on page 278

Enabling or Disabling Additional Validation

You can enable or disable additional validation of ARP packets. By default, no additional validation of ARP packets is enabled. When no additional validation is configured, the source MAC address and the source IP address check against the IP-to-MAC binding entry for ARP packets are done by using the Ethernet source MAC address (not the ARP sender MAC address) and the ARP sender IP address.

DAI intercepts, logs, and discards ARP packets with invalid IP-to-MAC address bindings. You can enable additional validation on the destination MAC address, the sender and target IP addresses, and the source MAC address.

You can use the following keywords with the ip arp inspection validate command to implement additional validations:

dst-mac

Checks the destination MAC address in the Ethernet header against the target MAC address in the ARP body for ARP responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

ip

Checks the ARP body for invalid and unexpected IP addresses. Addresses include 0.0.0.0, 255.255.255.255, and all IP multicast addresses. Sender IP addresses are checked in all ARP requests and responses, and target IP addresses are checked only in ARP responses.

src-mac

Checks the source MAC address in the Ethernet header against the sender MAC address in the ARP body for ARP requests and responses. When enabled, packets with different MAC addresses are classified as invalid and are dropped.

When enabling additional validation, follow these guidelines:

• You must specify at least one of the keywords. You can specify one, two, or all three keywords.

• Each ip arp inspection validate command that you enter replaces the configuration from any previous commands. If you enter an ip arp inspection validate command to enable src-mac and dst-mac validations, and a second ip arp inspection validate command to enable ip validation, the src-mac and dst-mac validations are disabled when you enter the second command.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip arp inspection validate {[src-mac] [dst-mac] [ip]}
Purpose: Enables additional DAI validation, or if you use the no option, disables additional DAI validation.
Example:
switch(config)# ip arp inspection validate src-mac dst-mac ip

Step 3: show running-config dhcp
Purpose: (Optional) Displays the DHCP snooping configuration, including the DAI configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config
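The following Python model is added here as an illustration (it is not NX-OS code and not from this guide) of the per-packet decision described in this section: trusted ports bypass inspection, the default binding check uses the Ethernet source MAC and the ARP sender IP, the src-mac, dst-mac and ip keywords behave as described above, and each set_validate call replaces the previous keyword set. It assumes the additional validations run before the binding lookup, an order the guide does not state; the binding and packet values are constructed.

```python
"""Model of the per-packet DAI decision this section describes.

Added illustration, not NX-OS code. Assumption: the additional validations
(src-mac, dst-mac, ip) are applied before the binding lookup; the guide does
not state the order, and a packet that fails either is dropped in any case.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, FrozenSet, Set

ARP_REQUEST, ARP_RESPONSE = 1, 2
VALIDATE_KEYWORDS = frozenset({"src-mac", "dst-mac", "ip"})


def mac_int(mac: str) -> int:
    """Parse a MAC written as hhhh.hhhh.hhhh (CLI style) or hh:hh:hh:hh:hh:hh."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def invalid_ip(ip: str) -> bool:
    """The 'ip' keyword rejects 0.0.0.0, 255.255.255.255 and all IP multicast."""
    return ip in ("0.0.0.0", "255.255.255.255") or IPv4Address(ip).is_multicast


@dataclass(frozen=True)
class ArpPacket:
    op: int             # ARP_REQUEST or ARP_RESPONSE
    eth_src: str        # Ethernet header source MAC
    eth_dst: str        # Ethernet header destination MAC
    sender_mac: str     # ARP body fields follow
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass
class DaiVlan:
    """DAI state for one VLAN: snooping bindings, trusted ports, validate set."""
    bindings: Dict[str, int] = field(default_factory=dict)  # sender IP -> MAC
    trusted_ports: Set[str] = field(default_factory=set)
    validate: FrozenSet[str] = frozenset()

    def bind(self, ip: str, mac: str) -> None:
        """Record a DHCP snooping (or static) IP-MAC binding."""
        self.bindings[ip] = mac_int(mac)

    def set_validate(self, *keywords: str) -> None:
        """'ip arp inspection validate': each command replaces the previous set."""
        if not keywords or not set(keywords) <= VALIDATE_KEYWORDS:
            raise ValueError("specify one, two or all of src-mac, dst-mac, ip")
        self.validate = frozenset(keywords)

    def inspect(self, port: str, pkt: ArpPacket) -> str:
        """Return 'forward' or 'drop: <reason>' for a packet arriving on port."""
        if port in self.trusted_ports:
            return "forward"                     # trusted: no checks at all
        v = self.validate
        if "src-mac" in v and mac_int(pkt.eth_src) != mac_int(pkt.sender_mac):
            return "drop: src-mac mismatch"      # requests and responses
        if ("dst-mac" in v and pkt.op == ARP_RESPONSE
                and mac_int(pkt.eth_dst) != mac_int(pkt.target_mac)):
            return "drop: dst-mac mismatch"      # responses only
        if "ip" in v:
            if invalid_ip(pkt.sender_ip):
                return "drop: invalid sender IP"
            if pkt.op == ARP_RESPONSE and invalid_ip(pkt.target_ip):
                return "drop: invalid target IP"
        # Default binding check: the Ethernet source MAC (not the ARP sender
        # MAC) must equal the MAC bound to the ARP sender IP.
        if self.bindings.get(pkt.sender_ip) != mac_int(pkt.eth_src):
            return "drop: no IP-MAC binding"
        return "forward"


def demo() -> Dict[str, str]:
    """Constructed sample patterned on the two-device example later in this chapter."""
    vlan1 = DaiVlan(trusted_ports={"Ethernet2/3"})
    vlan1.bind("10.0.0.1", "0002.0002.0002")
    good = ArpPacket(ARP_REQUEST, "0002.0002.0002", "ffff.ffff.ffff",
                     "0002.0002.0002", "10.0.0.1", "0000.0000.0000", "10.0.0.2")
    spoofed = ArpPacket(ARP_REQUEST, "0002.0002.0002", "ffff.ffff.ffff",
                        "0002.0002.0002", "10.0.0.3", "0000.0000.0000", "10.0.0.2")
    return {
        "host port, valid binding": vlan1.inspect("Ethernet1/1", good),
        "host port, 10.0.0.3 claimed": vlan1.inspect("Ethernet1/1", spoofed),
        "trusted uplink, same packet": vlan1.inspect("Ethernet2/3", spoofed),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```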

Configuring the DAI Logging Buffer Size

You can configure the DAI logging buffer size. The default buffer size is 32 messages.


Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: [no] ip arp inspection log-buffer entries number
Purpose: Configures the DAI logging buffer size. The no option reverts to the default buffer size, which is 32 messages. The buffer size can be between 1 and 1024 messages.
Example:
switch(config)# ip arp inspection log-buffer entries 64

Step 3: show running-config dhcp
Purpose: (Optional) Displays the DHCP snooping configuration, including the DAI configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Configuring DAI Log Filtering

You can configure how the device determines whether to log a DAI packet. By default, the device logs DAI packets that are dropped.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: Enter one of the following commands:
Purpose: Configures DAI log filtering, as follows. The no option removes DAI log filtering.

ip arp inspection vlan vlan-list logging dhcp-bindings all
• Logs all packets that match DHCP bindings.

ip arp inspection vlan vlan-list logging dhcp-bindings none
• Does not log packets that match DHCP bindings.

ip arp inspection vlan vlan-list logging dhcp-bindings permit
• Logs packets permitted by DHCP bindings.

no ip arp inspection vlan vlan-list logging dhcp-bindings {all | none | permit}
• Removes DAI log filtering.

Example:
switch(config)# ip arp inspection vlan 100 logging dhcp-bindings permit

Step 3: show running-config dhcp
Purpose: (Optional) Displays the DHCP snooping configuration, including the DAI configuration.
Example:
switch(config)# show running-config dhcp

Step 4: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config)# copy running-config startup-config

Verifying the DAI Configuration

To display the DAI configuration information, perform one of the following tasks.

Command: show ip arp inspection
Purpose: Displays the status of DAI.

Command: show ip arp inspection interface ethernet
Purpose: Displays the trust state.

Command: show ip arp inspection vlan
Purpose: Displays the DAI configuration for a specific VLAN.

Command: show arp access-lists
Purpose: Displays ARP ACLs.

Command: show ip arp inspection log
Purpose: Displays the DAI log configuration.

Monitoring and Clearing DAI Statistics

To monitor and clear DAI statistics, use the commands in this table. For more information about these commands, see the Security Command Reference for your Cisco Nexus device.

Command: show ip arp inspection statistics
Purpose: Displays DAI statistics.

Command: clear ip arp inspection statistics vlan <id>
Purpose: Clears DAI statistics.

Configuration Examples for DAI

Example 1-Two Devices Support DAI

These procedures show how to configure DAI when two devices support DAI.

The following figure shows the network configuration for this example. Host 1 is connected to device A, and Host 2 is connected to device B. Both devices are running DAI on VLAN 1 where the hosts are located. A DHCP server is connected to device A. Both hosts acquire their IP addresses from the same DHCP server. Device A has the bindings for Host 1 and Host 2, and device B has the binding for Host 2. Device A Ethernet interface 2/3 is connected to the device B Ethernet interface 1/4.

Figure 16: Two Devices Supporting DAI

DAI depends on the entries in the DHCP snooping binding database to verify IP-to-MAC address bindings in incoming ARP requests and ARP responses. Make sure to enable DHCP snooping to permit ARP packets that have dynamically assigned IP addresses.

• This configuration does not work if the DHCP server is moved from device A to a different location.

• To ensure that this configuration does not compromise security, configure Ethernet interface 2/3 on device A and Ethernet interface 1/4 on device B as trusted.

Configuring Device A

To enable DAI and configure Ethernet interface 2/3 on device A as trusted, follow these steps:


Procedure

Step 1

While logged into device A, verify the connection between device A and device B.

switchA# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device, s - Supports-STP-Dispute

Device ID        Local Intrfce    Hldtme    Capability    Platform         Port ID
switchB          Ethernet2/3      177       R S I         WS-C2960-24TC    Ethernet1/4
switchA#

Step 2

Enable DAI on VLAN 1 and verify the configuration.

switchA# config t
switchA(config)# ip arp inspection vlan 1
switchA(config)# show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan : 1
-----------
Configuration    : Enabled
Operation State  : Active
switchA(config)#

Step 3

Configure Ethernet interface 2/3 as trusted.

switchA(config)# interface ethernet 2/3
switchA(config-if)# ip arp inspection trust
switchA(config-if)# exit
switchA(config)# exit
switchA# show ip arp inspection interface ethernet 2/3

Interface       Trust State    Rate (pps)    Burst Interval
-------------   -----------    ----------    --------------
Ethernet2/3     Trusted        15            5

Step 4

Verify the bindings.

switchA# show ip dhcp snooping binding
MacAddress          IpAddress    LeaseSec    Type            VLAN    Interface
-----------------------------------------------------------------
00:60:0b:00:12:89   10.0.0.1     0           dhcp-snooping   1       Ethernet2/3
switchA#

Step 5

Check the statistics before and after DAI processes any packets.

switchA# show ip arp inspection statistics vlan 1

Vlan : 1
-----------
ARP Req Forwarded  = 0
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchA#

If host 1 sends out two ARP requests with an IP address of 10.0.0.1 and a MAC address of 0002.0002.0002, both requests are permitted, and are shown as follows:

switchA# show ip arp inspection statistics vlan 1

Vlan : 1
-----------
ARP Req Forwarded  = 2
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 2
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0

If host 1 tries to send an ARP request with an IP address of 10.0.0.3, the packet is dropped and an error message is logged.

00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Ethernet2/3, vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])

The statistics display as follows:

switchA# show ip arp inspection statistics vlan 1

Vlan : 1
-----------
ARP Req Forwarded  = 2
ARP Res Forwarded  = 0
ARP Req Dropped    = 2
ARP Res Dropped    = 0
DHCP Drops         = 2
DHCP Permits       = 2
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchA#


Configuring Device B

To enable DAI and configure Ethernet interface 1/4 on device B as trusted, follow these steps:

Procedure

Step 1

While logged into device B, verify the connection between device B and device A.

switchB# show cdp neighbors
Capability Codes: R - Router, T - Trans-Bridge, B - Source-Route-Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater,
                  V - VoIP-Phone, D - Remotely-Managed-Device, s - Supports-STP-Dispute

Device ID        Local Intrfce    Hldtme    Capability    Platform         Port ID
switchA          Ethernet1/4      120       R S I         WS-C2960-24TC    Ethernet2/3
switchB#

Step 2

Enable DAI on VLAN 1, and verify the configuration.

switchB# config t
switchB(config)# ip arp inspection vlan 1
switchB(config)# show ip arp inspection vlan 1

Source Mac Validation      : Disabled
Destination Mac Validation : Disabled
IP Address Validation      : Disabled

Vlan : 1
-----------
Configuration    : Enabled
Operation State  : Active
switchB(config)#

Step 3

Configure Ethernet interface 1/4 as trusted.

switchB(config)# interface ethernet 1/4
switchB(config-if)# ip arp inspection trust
switchB(config-if)# exit
switchB(config)# exit
switchB# show ip arp inspection interface ethernet 1/4

Interface       Trust State    Rate (pps)    Burst Interval
-------------   -----------    ----------    --------------
Ethernet1/4     Trusted        15            5
switchB#

Step 4

Verify the list of DHCP snooping bindings.

switchB# show ip dhcp snooping binding
MacAddress          IpAddress    LeaseSec    Type            VLAN    Interface
-----------------------------------------------------------------
00:01:00:01:00:01   10.0.0.2     4995        dhcp-snooping   1       Ethernet1/4
switchB#

Step 5

Check the statistics before and after DAI processes any packets.

switchB# show ip arp inspection statistics vlan 1

Vlan : 1
-----------
ARP Req Forwarded  = 0
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 0
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchB#

If Host 2 sends out an ARP request with the IP address 10.0.0.2 and the MAC address 0001.0001.0001, the packet is forwarded and the statistics are updated.

switchB# show ip arp inspection statistics vlan 1

Vlan : 1
-----------
ARP Req Forwarded  = 1
ARP Res Forwarded  = 0
ARP Req Dropped    = 0
ARP Res Dropped    = 0
DHCP Drops         = 0
DHCP Permits       = 1
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchB#

If Host 2 attempts to send an ARP request with the IP address 10.0.0.1, DAI drops the request and logs the following system message:

00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])

The statistics display as follows:

switchB# show ip arp inspection statistics vlan 1

Vlan : 1
-----------
ARP Req Forwarded  = 1
ARP Res Forwarded  = 0
ARP Req Dropped    = 1
ARP Res Dropped    = 0
DHCP Drops         = 1
DHCP Permits       = 1
SMAC Fails-ARP Req = 0
SMAC Fails-ARP Res = 0
DMAC Fails-ARP Res = 0
IP Fails-ARP Req   = 0
IP Fails-ARP Res   = 0
switchB#
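The denial messages logged on device A and device B above share one format. The following Python parser is added here as an illustration (it is not from this guide or from NX-OS) of how a monitoring pipeline can extract the fields of those messages and aggregate them per interface and VLAN; the third sample line is constructed. It assumes the bracketed fields are sender MAC, sender IP, target MAC, target IP and timestamp, in that order, and that a denied response would read (Res) where the examples read (Req).

```python
"""Parser for the %SW_DAI-4-DHCP_SNOOPING_DENY messages shown in this example.

Added illustration, not part of the guide or of NX-OS. Assumption: the
bracketed fields are sender MAC / sender IP / target MAC / target IP /
timestamp, and responses are reported as (Res).
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

_DENY_RE = re.compile(
    r"%SW_DAI-4-DHCP_SNOOPING_DENY: (?P<count>\d+) Invalid ARPs "
    r"\((?P<kind>Req|Res)\) on (?P<iface>[^,\s]+), vlan (?P<vlan>\d+)\."
    r"\(\[(?P<sender_mac>[0-9a-fA-F.]+)/(?P<sender_ip>[\d.]+)/"
    r"(?P<target_mac>[0-9a-fA-F.]+)/(?P<target_ip>[\d.]+)/(?P<when>[^\]]+)\]\)"
)


@dataclass(frozen=True)
class DaiDeny:
    count: int          # number of invalid ARPs summarised by this message
    kind: str           # "Req" or "Res"
    iface: str
    vlan: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    when: str


def parse_deny(line: str) -> Optional[DaiDeny]:
    """Return the parsed denial, or None for a line that is not a DAI denial.
    The guide wraps each message over two lines; join them before parsing."""
    m = _DENY_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return DaiDeny(int(g["count"]), g["kind"], g["iface"], int(g["vlan"]),
                   g["sender_mac"].lower(), g["sender_ip"],
                   g["target_mac"].lower(), g["target_ip"], g["when"])


def summarize(lines: Iterable[str]) -> Tuple[Dict[Tuple[str, int], int],
                                             Dict[Tuple[str, int, str], List[str]]]:
    """Total drops per (interface, VLAN) and, per sender MAC on that port and
    VLAN, the sender IPs it has claimed. A MAC claiming several IPs is the
    pattern an ARP-spoofing review looks for."""
    drops: Dict[Tuple[str, int], int] = defaultdict(int)
    claimed: Dict[Tuple[str, int, str], set] = defaultdict(set)
    for raw in lines:
        d = parse_deny(raw)
        if d is None:
            continue
        drops[(d.iface, d.vlan)] += d.count
        claimed[(d.iface, d.vlan, d.sender_mac)].add(d.sender_ip)
    return dict(drops), {k: sorted(v) for k, v in claimed.items()}


# Constructed sample: the two messages from this example, each re-joined onto
# one line, plus a made-up third denial and one unrelated syslog line.
SAMPLE_LOG = [
    "00:12:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 2 Invalid ARPs (Req) on Ethernet2/3, "
    "vlan 1.([0002.0002.0002/10.0.0.3/0000.0000.0000/0.0.0.0/02:42:35 UTC Fri Jul 13 2008])",
    "00:18:08: %SW_DAI-4-DHCP_SNOOPING_DENY: 1 Invalid ARPs (Req) on Ethernet1/4, "
    "vlan 1.([0001.0001.0001/10.0.0.1/0000.0000.0000/0.0.0.0/01:53:21 UTC Fri Jun 13 2008])",
    "00:19:30: %SW_DAI-4-DHCP_SNOOPING_DENY: 3 Invalid ARPs (Req) on Ethernet1/4, "
    "vlan 1.([0001.0001.0001/10.0.0.9/0000.0000.0000/0.0.0.0/01:54:02 UTC Fri Jun 13 2008])",
    "00:19:31: %ETHPORT-5-IF_UP: Interface Ethernet1/5 is up",
]

if __name__ == "__main__":
    drops, claimed = summarize(SAMPLE_LOG)
    for (iface, vlan), n in drops.items():
        print(f"{iface} vlan {vlan}: {n} invalid ARPs dropped")
    for (iface, vlan, mac), ips in claimed.items():
        if len(ips) > 1:
            print(f"{mac} on {iface} vlan {vlan} claimed several IPs: {ips}")
```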

Configuring ARP ACLs

Session Manager Support for ARP ACLs


Session Manager supports the configuration of ARP ACLs. This feature allows you to create a configuration session and verify your ARP ACL configuration changes prior to committing them to the running configuration.

Creating an ARP ACL

You can create an ARP ACL on the device and add rules to it.

Procedure

Step 1: configure terminal
Purpose: Enters global configuration mode.
Example:
switch# configure terminal
switch(config)#

Step 2: arp access-list name
Purpose: Creates the ARP ACL and enters ARP ACL configuration mode.
Example:
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)#

Step 3: [sequence-number] {permit | deny} ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask}
Purpose: Creates a rule that permits or denies any ARP message based upon the IP address and MAC address of the sender of the message. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# permit ip 192.168.2.0 255.255.255.0 mac 00C0.4F00.0000 ffff.ff00.0000

Step 4: [sequence-number] {permit | deny} request ip {any | host sender-IP | sender-IP sender-IP-mask} mac {any | host sender-MAC | sender-MAC sender-MAC-mask}
Purpose: Creates a rule that permits or denies ARP request messages based upon the IP address and MAC address of the sender of the message. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# permit request ip 192.168.102.0 0.0.0.255 mac any

Step 5: [sequence-number] {permit | deny} response ip {any | host sender-IP | sender-IP sender-IP-mask} [any | host target-IP | target-IP target-IP-mask] mac {any | host sender-MAC | sender-MAC sender-MAC-mask} [any | host target-MAC | target-MAC target-MAC-mask]
Purpose: Creates a rule that permits or denies ARP response messages based upon the IPv4 address and MAC address of the sender and the target of the message. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.
Example:
switch(config-arp-acl)# permit response ip host 192.168.202.32 any mac host 00C0.4FA9.BCF3 any

Step 6: show arp access-lists acl-name
Purpose: (Optional) Shows the ARP ACL configuration.
Example:
switch(config-arp-acl)# show arp access-lists arp-acl-01

Step 7: copy running-config startup-config
Purpose: (Optional) Copies the running configuration to the startup configuration.
Example:
switch(config-arp-acl)# copy running-config startup-config

Changing an ARP ACL

You can add and remove rules in an existing ARP ACL. You cannot change existing rules. Instead, to change a rule, you remove it and recreate it with the desired changes.

If you need to add more rules between existing rules than the current sequence numbering allows, you can use the resequence command to reassign sequence numbers.

Procedure

Step 1

Command or Action: configure terminal

Purpose: Enters global configuration mode.

Example:
switch# configure terminal
switch(config)#

Step 2

Command or Action: arp access-list name

Purpose: Enters ARP ACL configuration mode for the ACL that you specify by name.

Example:
switch(config)# arp access-list arp-acl-01
switch(config-arp-acl)#

Step 3

Command or Action: [sequence-number] {permit | deny} [request | response] ip IP-data mac MAC-data

Purpose: (Optional) Creates a rule. Using a sequence number allows you to specify a position for the rule in the ACL. Without a sequence number, the rule is added to the end of the rules.

Example:
switch(config-arp-acl)# 100 permit request ip 192.168.132.0 255.255.255.0 mac any

Step 4

Command or Action: no {sequence-number | {permit | deny} [request | response] ip IP-data mac MAC-data}

Purpose: (Optional) Removes the rule that you specified from the ARP ACL.

Example:
switch(config-arp-acl)# no 80

Step 5

Command or Action: show arp access-lists

Purpose: Displays the ARP ACL configuration.

Example:
switch(config-arp-acl)# show arp access-lists

Step 6

Command or Action: copy running-config startup-config

Purpose: (Optional) Copies the running configuration to the startup configuration.

Example:
switch(config-arp-acl)# copy running-config startup-config

Related Topics

Creating an ARP ACL, on page 275

Changing Sequence Numbers in an ARP ACL, on page 278

Removing an ARP ACL

You can remove an ARP ACL from the device.

Before You Begin

Ensure that you know whether the ACL is applied to a VLAN. The device allows you to remove ACLs that are currently applied. Removing an ACL does not affect the configuration of VLANs where you have applied the ACL. Instead, the device considers the removed ACL to be empty.


Procedure

Step 1

Command or Action: configure terminal

Purpose: Enters global configuration mode.

Example:
switch# configure terminal
switch(config)#

Step 2

Command or Action: no arp access-list name

Purpose: Removes the ARP ACL you specified by name from the running configuration.

Example:
switch(config)# no arp access-list arp-acl-01

Step 3

Command or Action: show arp access-lists

Purpose: Displays the ARP ACL configuration.

Example:
switch(config)# show arp access-lists

Step 4

Command or Action: copy running-config startup-config

Purpose: (Optional) Copies the running configuration to the startup configuration.

Example:
switch(config)# copy running-config startup-config

Changing Sequence Numbers in an ARP ACL

You can change all the sequence numbers assigned to rules in an ARP ACL.

Procedure

Step 1

Command or Action: configure terminal

Purpose: Enters global configuration mode.

Example:
switch# configure terminal
switch(config)#

Step 2

Command or Action: resequence arp access-list name starting-sequence-number increment

Purpose: Assigns sequence numbers to the rules contained in the ACL, where the first rule receives the starting sequence number that you specify. Each subsequent rule receives a number larger than the preceding rule. The difference in numbers is determined by the increment that you specify.

Example:
switch(config)# resequence arp access-list arp-acl-01 100 10
switch(config)#

Step 3

Command or Action: show arp access-lists name

Purpose: Displays the ARP ACL configuration for the ACL specified by the name argument.

Example:
switch(config)# show arp access-lists arp-acl-01

Step 4

Command or Action: copy running-config startup-config

Purpose: (Optional) Copies the running configuration to the startup configuration.

Example:
switch(config)# copy running-config startup-config

Verifying the ARP ACL Configuration

To display ARP ACL configuration information, use the commands in this table.

Command: show arp access-lists
Purpose: Displays the ARP ACL configuration.

Command: show running-config aclmgr
Purpose: Displays ACLs in the running configuration.
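The following Python is added here as an illustration and is not code from this guide or from NX-OS. It evaluates ARP messages against rules of the three forms described above (ip, request and response), appends rules without a sequence number to the end, removes rules by sequence number, and resequences, as the procedures in this section describe. Assumptions, marked in the code: a set bit in an IP or MAC mask means that address bit must match (the guide shows both 255.255.255.0 and 0.0.0.255 as sender-IP-mask values, so confirm the mask convention on the platform), a message that matches no rule falls to an implicit deny, and rules added without a sequence number are spaced 10 apart.

```python
"""ARP ACL rule evaluation for the permit/deny ip, request and response rule forms
in this chapter.  Added illustration, not NX-OS code; assumptions are in comments."""
from dataclasses import dataclass
from functools import partial
from typing import List, Optional, Tuple


def ip_to_int(ip: str) -> int:
    return int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")


def mac_to_int(mac: str) -> int:
    # Accepts 00C0.4F00.0000 as well as 00:c0:4f:00:00:00.
    return int(mac.replace(".", "").replace(":", ""), 16)


@dataclass(frozen=True)
class Term:
    """One address term: any, host ADDR, or ADDR MASK.  Assumption: a set mask bit
    means that address bit must match (as 255.255.255.0 and ffff.ff00.0000 above)."""
    value: int = 0
    mask: int = 0          # mask 0 is 'any'

    def matches(self, addr: int) -> bool:
        return (addr & self.mask) == (self.value & self.mask)


def term(spec: str, to_int, bits: int) -> Term:
    words = spec.split()
    if words == ["any"]:
        return Term()
    if words[0] == "host":
        return Term(to_int(words[1]), (1 << bits) - 1)
    return Term(to_int(words[0]), to_int(words[1]))


ip_term = partial(term, to_int=ip_to_int, bits=32)
mac_term = partial(term, to_int=mac_to_int, bits=48)


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    kind: str                   # "ip" (any ARP message), "request" or "response"
    sender_ip: Term
    sender_mac: Term
    target_ip: Term = Term()    # target terms are used by response rules only
    target_mac: Term = Term()
    seq: Optional[int] = None


@dataclass(frozen=True)
class ArpMessage:
    opcode: str                 # "request" or "response"
    sender_ip: str
    sender_mac: str
    target_ip: str = "0.0.0.0"
    target_mac: str = "0000.0000.0000"


class ArpAcl:
    """Ordered rule list with the sequencing behaviour the procedures describe."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        # No sequence number: the rule goes after the last one (spacing of 10 assumed).
        if rule.seq is None:
            rule.seq = self.rules[-1].seq + 10 if self.rules else 10
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.seq)

    def remove(self, seq: int) -> None:
        # 'no <sequence-number>': a rule cannot be edited, only removed and recreated.
        self.rules = [r for r in self.rules if r.seq != seq]

    def resequence(self, start: int, increment: int) -> None:
        # 'resequence arp access-list NAME START INCREMENT'
        for i, r in enumerate(self.rules):
            r.seq = start + i * increment

    def evaluate(self, msg: ArpMessage) -> Tuple[str, Optional[int]]:
        """First match wins; no match is an implicit deny (assumed, as for other ACLs)."""
        s_ip, s_mac = ip_to_int(msg.sender_ip), mac_to_int(msg.sender_mac)
        t_ip, t_mac = ip_to_int(msg.target_ip), mac_to_int(msg.target_mac)
        for r in self.rules:
            if r.kind != "ip" and r.kind != msg.opcode:
                continue
            if not (r.sender_ip.matches(s_ip) and r.sender_mac.matches(s_mac)):
                continue
            if r.kind == "response" and not (r.target_ip.matches(t_ip) and r.target_mac.matches(t_mac)):
                continue
            return r.action, r.seq
        return "deny", None


def example_acl() -> ArpAcl:
    """The three rules from this section's examples (constructed; subnet-style masks)."""
    acl = ArpAcl("arp-acl-01")
    acl.add(Rule("permit", "ip", ip_term("192.168.2.0 255.255.255.0"),
                 mac_term("00C0.4F00.0000 ffff.ff00.0000")))
    acl.add(Rule("permit", "request", ip_term("192.168.102.0 255.255.255.0"), mac_term("any")))
    acl.add(Rule("permit", "response", ip_term("host 192.168.202.32"),
                 mac_term("host 00C0.4FA9.BCF3"), ip_term("any"), mac_term("any")))
    return acl
```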


CHAPTER 13

Configuring IP Source Guard

This chapter includes the following sections:

Information About IP Source Guard, page 281

Licensing Requirements for IP Source Guard, page 282

Prerequisites for IP Source Guard, page 282

Guidelines and Limitations for IP Source Guard, page 282

Default Settings for IP Source Guard, page 282

Configuring IP Source Guard, page 283

Displaying IP Source Guard Bindings, page 285

Configuration Example for IP Source Guard, page 285

Additional References for IP Source Guard, page 285

Information About IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches one of two sources of IP and MAC address bindings:

• Entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.

• Static IP source entries that you configure.

Filtering on trusted IP and MAC address bindings helps prevent spoofing attacks, in which an attacker uses the IP address of a valid host to gain unauthorized network access. To circumvent IP Source Guard, an attacker would have to spoof both the IP address and the MAC address of a valid host.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:

• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.

• IP traffic from static IP source entries that you have configured in the Cisco NX-OS device.


The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:

MacAddress         IpAddress  LeaseSec  Type           VLAN  Interface
-----------------  ---------  --------  -------------  ----  -----------
00:02:B3:3F:3B:99  10.5.5.2   6943      dhcp-snooping  10    Ethernet2/3

If the device receives an IP packet with an IP address of 10.5.5.2, IP Source Guard forwards the packet only if the MAC address of the packet is 00:02:B3:3F:3B:99.
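The following Python is added here as an illustration and is not code from this guide or from NX-OS. It parses a binding table in the layout shown above (a constructed sample), adds a static entry the way ip source binding does, and decides for each inbound packet whether IP Source Guard forwards it, drops it, or leaves it to DHCP snooping. Assumptions, marked in the code: a packet must match the binding's VLAN and interface as well as its IP and MAC address, and the command names are used only as method names.

```python
"""IP Source Guard forwarding decision, as an added illustration of the binding
check this chapter describes (not NX-OS code).  Assumption: a packet must match a
binding's IP, MAC, VLAN and interface, the conservative reading of the text above."""
from dataclasses import dataclass
from typing import List, Set

# Constructed sample in the layout of the 'show ip dhcp snooping binding' output above.
SAMPLE_BINDING_OUTPUT = """\
MacAddress         IpAddress  LeaseSec  Type           VLAN  Interface
-----------------  ---------  --------  -------------  ----  -----------
00:02:B3:3F:3B:99  10.5.5.2   6943      dhcp-snooping  10    Ethernet2/3
"""


def norm_mac(mac: str) -> str:
    """Accept 00:02:B3:3F:3B:99, 001f.28bd.0013 or 00-1f-28-bd-00-13; return lowercase colon form."""
    digits = mac.replace(":", "").replace(".", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def norm_intf(name: str) -> str:
    """'ethernet 2/3', 'Ethernet2/3' and 'eth2/3' all name the same port."""
    n = name.lower().replace(" ", "")
    if n.startswith("eth") and not n.startswith("ethernet"):
        n = "ethernet" + n[3:]
    return n


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    interface: str
    kind: str        # "dhcp-snooping" (learned) or "static" (ip source binding)


def parse_snooping_bindings(output: str) -> List[Binding]:
    """Rows of the binding table; the header line and the dashed rule are skipped."""
    rows: List[Binding] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "MacAddress" or parts[0].startswith("-"):
            continue
        mac, ip, _lease, kind, vlan, intf = parts
        rows.append(Binding(ip, norm_mac(mac), int(vlan), norm_intf(intf), kind))
    return rows


class IpSourceGuard:
    """Per-interface filter over DHCP snooping bindings plus static IP source entries."""
    def __init__(self) -> None:
        self.enabled: Set[str] = set()   # interfaces with 'ip verify source dhcp-snooping-vlan'
        self.bindings: Set[Binding] = set()

    def load_snooping_table(self, output: str) -> None:
        self.bindings.update(parse_snooping_bindings(output))

    def ip_source_binding(self, ip: str, mac: str, vlan: int, interface: str, no: bool = False) -> None:
        """Models '[no] ip source binding IP MAC vlan V interface ethernet slot/port'."""
        entry = Binding(ip, norm_mac(mac), vlan, norm_intf(interface), "static")
        if no:
            self.bindings.discard(entry)
        else:
            self.bindings.add(entry)

    def ip_verify_source(self, interface: str, no: bool = False) -> None:
        """Models '[no] ip verify source dhcp-snooping-vlan' in interface configuration mode."""
        if no:
            self.enabled.discard(norm_intf(interface))
        else:
            self.enabled.add(norm_intf(interface))

    def decide(self, interface: str, vlan: int, src_ip: str, src_mac: str,
               is_dhcp: bool = False) -> str:
        """Return 'forward', 'drop' or 'dhcp-snooping' for one inbound IP packet."""
        intf = norm_intf(interface)
        if intf not in self.enabled:
            return "forward"            # the filter applies only where it is enabled
        if is_dhcp:
            return "dhcp-snooping"      # DHCP is inspected by snooping, not filtered here
        wanted = (src_ip, norm_mac(src_mac), vlan, intf)
        if any((b.ip, b.mac, b.vlan, b.interface) == wanted for b in self.bindings):
            return "forward"
        return "drop"                   # IP/MAC pair has no binding: spoofed or unknown source
```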

Licensing Requirements for IP Source Guard

This table shows the licensing requirements for IP Source Guard.

Product: Cisco NX-OS
License Requirement: IP Source Guard requires no license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For an explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.

Prerequisites for IP Source Guard

IP Source Guard has the following prerequisite:

• You must enable the DHCP feature.

Guidelines and Limitations for IP Source Guard

IP Source Guard has the following configuration guidelines and limitations:

• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.

• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries.

Default Settings for IP Source Guard

This table lists the default settings for IP Source Guard parameters.


Table 20: Default IP Source Guard Parameters

Parameters: IP Source Guard
Default: Disabled on each interface.

Parameters: IP source entries
Default: None. No static or default IP source entries exist by default.

Configuring IP Source Guard

Enabling or Disabling IP Source Guard on a Layer 2 Interface

You can enable or disable IP Source Guard on a Layer 2 interface. By default, IP Source Guard is disabled on all interfaces.

Before You Begin

Ensure that the DHCP feature is enabled.

Procedure

Step 1

Command or Action: configure terminal

Purpose: Enters global configuration mode.

Example:
switch# configure terminal
switch(config)#

Step 2

Command or Action: interface ethernet slot/port

Purpose: Enters interface configuration mode for the specified interface.

Example:
switch(config)# interface ethernet 2/3
switch(config-if)#

Step 3

Command or Action: [no] ip verify source dhcp-snooping-vlan

Purpose: Enables IP Source Guard on the interface. The no option disables IP Source Guard on the interface.

Example:
switch(config-if)# ip verify source dhcp-snooping-vlan

Step 4

Command or Action: show running-config dhcp

Purpose: (Optional) Displays the running configuration for DHCP snooping, including the IP Source Guard configuration.

Example:
switch(config-if)# show running-config dhcp

Step 5

Command or Action: copy running-config startup-config

Purpose: (Optional) Copies the running configuration to the startup configuration.

Example:
switch(config-if)# copy running-config startup-config

Related Topics

Adding or Removing a Static IP Source Entry, on page 284

Adding or Removing a Static IP Source Entry

You can add or remove a static IP source entry on a device. By default, there are no static IP source entries on a device.

Procedure

Step 1

Command or Action: configure terminal

Purpose: Enters global configuration mode.

Example:
switch# configure terminal
switch(config)#

Step 2

Command or Action: [no] ip source binding IP-address MAC-address vlan vlan-ID interface ethernet slot/port

Purpose: Creates a static IP source entry for the specified interface, or if you use the no option, removes a static IP source entry.

Example:
switch(config)# ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3

Step 3

Command or Action: show ip dhcp snooping binding [interface ethernet slot/port]

Purpose: (Optional) Displays IP-MAC address bindings for the interface specified, including static IP source entries. Static entries appear with the term static in the Type column.

Example:
switch(config)# show ip dhcp snooping binding interface ethernet 2/3

Step 4

Command or Action: copy running-config startup-config

Purpose: (Optional) Copies the running configuration to the startup configuration.

Example:
switch(config)# copy running-config startup-config

Related Topics

Enabling or Disabling IP Source Guard on a Layer 2 Interface, on page 283


Displaying IP Source Guard Bindings, on page 285

Displaying IP Source Guard Bindings

Use the show ip verify source command to display IP-MAC address bindings.

Configuration Example for IP Source Guard

This example shows how to create a static IP source entry and then how to enable IP Source Guard on an interface.

ip source binding 10.5.22.17 001f.28bd.0013 vlan 100 interface ethernet 2/3
interface ethernet 2/3
  no shutdown
  ip verify source dhcp-snooping-vlan

Additional References for IP Source Guard

Related Documents

Related Topic

IP Source Guard commands: complete command syntax, command modes, command history, defaults, usage guidelines, and examples

Document Title

Standards

Standards Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


CHAPTER 14

Configuring Control Plane Policing

This chapter contains the following sections:

Information About CoPP, page 287

Control Plane Protection, page 289

CoPP Policy Templates, page 293

CoPP and the Management Interface, page 297

Licensing Requirements for CoPP, page 297

Guidelines and Limitations for CoPP, page 298

Default Settings for CoPP, page 298

Configuring CoPP, page 299

Verifying the CoPP Configuration, page 301

Displaying the CoPP Configuration Status, page 302

Monitoring CoPP, page 302

Monitoring CoPP with SNMP, page 303

Clearing the CoPP Statistics, page 303

Additional References for CoPP, page 303

Information About CoPP

Control Plane Policing (CoPP) protects the control plane and separates it from the data plane, which ensures network stability, reachability, and packet delivery.

This feature allows a policy map to be applied to the control plane. This policy map looks like a normal QoS policy and is applied to all traffic entering the switch from a non-management port. A common attack vector for network devices is the denial-of-service (DoS) attack, where excessive traffic is directed at the device interfaces.


The Cisco NX-OS device provides CoPP to prevent DoS attacks from impacting performance. Such attacks, which can be perpetrated either inadvertently or maliciously, typically involve high rates of traffic destined to the supervisor module or CPU itself.

The supervisor module divides the traffic that it manages into three functional components or planes:

Data plane

Handles all the data traffic. The basic functionality of a Cisco NX-OS device is to forward packets from one interface to another. The packets that are not meant for the switch itself are called the transit packets. These packets are handled by the data plane.

Control plane

Handles all routing protocol control traffic. These protocols, such as the Border Gateway Protocol (BGP) and the Open Shortest Path First (OSPF) Protocol, send control packets between devices. These packets are destined to router addresses and are called control plane packets.

Management plane

Runs the components meant for Cisco NX-OS device management purposes such as the command-line interface (CLI) and Simple Network Management Protocol (SNMP).

The supervisor module has both the management plane and control plane and is critical to the operation of the network. Any disruption or attacks to the supervisor module will result in serious network outages. For example, excessive traffic to the supervisor module could overload and slow down the performance of the entire Cisco NX-OS device. Another example is a DoS attack on the supervisor module that could generate IP traffic streams to the control plane at a very high rate, forcing the control plane to spend a large amount of time in handling these packets and preventing the control plane from processing genuine traffic.

Examples of DoS attacks are as follows:

• Internet Control Message Protocol (ICMP) echo requests

• IP fragments

• TCP SYN flooding

These attacks can impact the device performance and have the following negative effects:

• Reduced service quality (such as poor voice, video, or critical applications traffic)

• High route processor or switch processor CPU utilization

• Route flaps due to loss of routing protocol updates or keepalives

• Unstable Layer 2 topology

• Slow or unresponsive interactive sessions with the CLI

• Processor resource exhaustion, such as the memory and buffers

• Indiscriminate drops of incoming packets

Caution

It is important to ensure that you protect the supervisor module from accidental or malicious attacks by configuring control plane protection.


Control Plane Protection

To protect the control plane, the Cisco NX-OS device segregates different packets destined for the control plane into different classes. Once these classes are identified, the Cisco NX-OS device polices the packets, which ensures that the supervisor module is not overwhelmed.

Control Plane Packet Types

Different types of packets can reach the control plane:

Receive packets

Packets that have the destination address of a router. The destination address can be a Layer 2 address (such as a router MAC address) or a Layer 3 address (such as the IP address of a router interface). These packets include router updates and keepalive messages. Multicast packets can also be in this category where packets are sent to multicast addresses that are used by a router.

Exception packets

Packets that need special handling by the supervisor module. For example, if a destination address is not present in the Forwarding Information Base (FIB) and results in a miss, the supervisor module sends an ICMP unreachable packet back to the sender. Another example is a packet with IP options set.

Redirected packets

Packets that are redirected to the supervisor module. Features such as Dynamic Host Configuration Protocol (DHCP) snooping or dynamic Address Resolution Protocol (ARP) inspection redirect some packets to the supervisor module.

Glean packets

If a Layer 2 MAC address for a destination IP address is not present in the FIB, the supervisor module receives the packet and sends an ARP request to the host.

All of these different packets could be maliciously used to attack the control plane and overwhelm the Cisco NX-OS device. CoPP classifies these packets to different classes and provides a mechanism to individually control the rate at which the supervisor module receives these packets.

Classification for CoPP

For effective protection, the Cisco NX-OS device classifies the packets that reach the supervisor modules to allow you to apply different rate controlling policies based on the type of the packet. For example, you might want to be less strict with a protocol packet such as Hello messages but more strict with a packet that is sent to the supervisor module because the IP option is set.

Rate Controlling Mechanisms

Once the packets are classified, the Cisco NX-OS device has two different mechanisms to control the rate at which packets arrive at the supervisor module: policing and rate limiting.


Using hardware policers, you can define separate actions for traffic that conforms to or violates certain conditions. These actions can transmit the packet, mark down the packet, or drop the packet.

You can configure the following parameters for policing:

Committed information rate (CIR)

Desired bandwidth, specified as a bit rate.

Committed burst (BC)

Size of a traffic burst that can exceed the CIR within a given unit of time and not impact scheduling.

CoPP Extended Rate

Beginning with Cisco NX-OS Release 7.1(1)N1(1), you can configure an extended CoPP committed information rate (CIR) limit of up to 61,440 Kbps for each customized CoPP profile.
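The following Python is added here as an illustration of how the CIR and BC parameters interact and is not code from this guide or from NX-OS. It models each police cir/bc line as a single-rate, two-colour token bucket (an assumption about the hardware policer, as is the 1 kbps = 1000 bit/s convention), parses three classes taken from the Default CoPP Policy listed later in this chapter, and runs a constant-rate stream of ICMP echo requests (a constructed workload) against copp-system-class-icmp-echo.

```python
"""CoPP policer model for the 'police cir N kbps bc M bytes' lines in this chapter.
Added illustration, not NX-OS code: a single-rate, two-colour token bucket is
assumed as the hardware policer's behaviour."""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, Optional, Tuple

# Three classes of copp-system-policy-default as listed later in this chapter.
DEFAULT_POLICY_EXCERPT = """\
policy-map type control-plane copp-system-policy-default
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes
"""


@dataclass
class Policer:
    """Tokens are bytes: the bucket holds at most bc_bytes and refills at the CIR
    (1 kbps = 1000 bit/s assumed).  Conforming packets are transmitted, the rest dropped."""
    cir_kbps: int
    bc_bytes: int
    tokens: Fraction = field(init=False)
    last_ms: int = field(init=False, default=0)
    transmitted: int = field(init=False, default=0)
    dropped: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.bc_bytes)      # the bucket starts full

    def offer(self, t_ms: int, size: int) -> str:
        """Offer one packet of `size` bytes arriving at t_ms (monotonic milliseconds)."""
        # kbps * ms = bits earned since the previous packet; / 8 gives bytes (exact).
        refill = Fraction((t_ms - self.last_ms) * self.cir_kbps, 8)
        self.tokens = min(Fraction(self.bc_bytes), self.tokens + refill)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            self.transmitted += 1
            return "transmit"
        self.dropped += 1
        return "drop"


def parse_policy_map(text: str) -> Dict[str, Policer]:
    """One Policer per class from the 'class X' / 'police cir N kbps bc M bytes' layout."""
    policers: Dict[str, Policer] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        w = line.split()
        if len(w) == 2 and w[0] == "class":
            current = w[1]
        elif len(w) == 7 and w[:2] == ["police", "cir"] and current:
            policers[current] = Policer(cir_kbps=int(w[2]), bc_bytes=int(w[5]))
    return policers


def flood(policer: Policer, interval_ms: int, size: int, count: int) -> Tuple[int, int, Optional[int]]:
    """Offer `count` packets of `size` bytes, one every `interval_ms`; return
    (transmitted, dropped, time in ms of the first drop or None)."""
    first_drop: Optional[int] = None
    for k in range(count):
        if policer.offer(k * interval_ms, size) == "drop" and first_drop is None:
            first_drop = k * interval_ms
    return policer.transmitted, policer.dropped, first_drop


def seconds_until_policing(cir_kbps: int, bc_bytes: int, offered_kbps: int) -> Optional[float]:
    """Closed form of the same effect: a full bucket drains at (offered - cir), so a
    stream above the CIR reaches the supervisor unpoliced for bc / drain seconds."""
    if offered_kbps <= cir_kbps:
        return None                                 # the bucket never empties: no drops
    return bc_bytes / ((offered_kbps - cir_kbps) * 125)   # 1 kbps = 125 bytes/s


if __name__ == "__main__":
    echo = parse_policy_map(DEFAULT_POLICY_EXCERPT)["copp-system-class-icmp-echo"]
    # 100-byte echo requests at 1000 per second: 800 kbps against a 64 kbps CIR.
    print(flood(echo, 1, 100, 60_000))                 # (40799, 19201, 39130)
    print(seconds_until_policing(64, 3_600_000, 800))  # about 39.13
```

With bc 3600000 bytes, a stream of 100-byte echo requests at 1000 packets per second (800 kbps) reaches the supervisor unpoliced for roughly 39 seconds before the first drop, after which the policer settles at the 64 kbps CIR; the burst size, not only the CIR, determines how much of a burst the control plane absorbs.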

CoPP Class Maps

The following table shows the available class maps and their configurations.

Table 21: Class Map Configurations and Descriptions

Class Map: class-map type control-plane match-any copp-system-class-arp
Configuration: match protocol arp; match protocol nd
Description: Class matches all ARP packets and, with match protocol nd, ND (NA, NS, RA, and RS) packets.

Class Map: class-map type control-plane match-any copp-system-class-bgp
Configuration: match protocol bgp
Description: Class matches all BGP packets.

Class Map: class-map type control-plane match-any copp-system-class-bridging
Configuration: match protocol bridging
Description: Class matches all STP and RSTP frames.

Class Map: class-map type control-plane match-any copp-system-class-cdp
Configuration: match protocol cdp
Description: Class matches all CDP frames.

Class Map: class-map type control-plane match-any copp-system-class-default
Configuration: match protocol default
Description: Class matches all frames. Used for the default policer.

Class Map: class-map type control-plane match-any copp-system-class-dhcp
Configuration: match protocol dhcp
Description: Class matches all IPv4 DHCP packets.

Class Map: class-map type control-plane match-any copp-system-class-eigrp
Configuration: match protocol eigrp; match protocol eigrp6
Description: Class matches all IPv4 EIGRP packets and, with match protocol eigrp6, IPv6 EIGRP packets.

Class Map: class-map type control-plane match-any copp-system-class-exception
Configuration: match protocol exception
Description: Class matches all IP packets that are treated as exception packets (except TTL exception, IP Fragment exception and Same Interface exception packets) for IP routing purposes, such as packets with a Martian destination address or with an MTU failure.

Class Map: class-map type control-plane match-any copp-system-class-excp-ip-frag
Configuration: match protocol ip_frag
Description: Class matches all IP packets that are fragments. (These packets are treated as exception packets from an IP routing perspective.)

Class Map: class-map type control-plane match-any copp-system-class-excp-same-if
Configuration: match protocol same-if
Description: Class matches all IP packets that are treated as exception packets for IP routing. The packets are matched because they are received from the interface where their destination is supposed to be.

Class Map: class-map type control-plane match-any copp-system-class-excp-ttl
Configuration: match protocol ttl
Description: Class matches all packets that are treated as TTL exception packets (when TTL is 0) from an IP routing perspective.

Class Map: class-map type control-plane match-any copp-system-class-fip
Configuration: match protocol fip
Description: Class matches all packets belonging to the FCoE Initialization Protocol.

Class Map: class-map type control-plane match-any copp-system-class-glean
Configuration: match protocol glean
Description: Class matches all IP packets that cannot be routed to the next hop because the destination MAC information is unavailable.

Class Map: class-map type control-plane match-any copp-system-class-hsrp-vrrp
Configuration: match protocol hsrp_vrrp; match protocol hsrp6
Description: Class matches IPv4 HSRP, VRRP and IPv6 HSRP packets.

Class Map: class-map type control-plane match-any copp-system-class-icmp-echo
Configuration: match protocol icmp_echo
Description: Class matches all ICMP Echo (Ping) packets.

Class Map: class-map type control-plane match-any copp-system-class-igmp
Configuration: match protocol igmp
Description: Class matches all IGMP packets.

Class Map: class-map type control-plane match-any copp-system-class-isis
Configuration: match protocol isis_dce
Description: Class matches FabricPath ISIS packets and ignores router ISIS packets.

Class Map: class-map type control-plane match-any copp-system-class-l3dest-miss
Configuration: match protocol unicast
Description: Class matches all unicast routed packets that did not find a destination in the FIB.

Class Map: class-map type control-plane match-any copp-system-class-lacp
Configuration: match protocol lacp
Description: Class matches all Link Aggregation Control Protocol (LACP) frames.

Class Map: class-map type control-plane match-any copp-system-class-lldp
Configuration: match protocol lldp_dcx
Description: Class matches all LLDP frames.

Class Map: class-map type control-plane match-any copp-system-class-mcast-last-hop
Configuration: match protocol mcast_last_hop
Description: Class matches all IP multicast last hop packets.

Class Map: class-map type control-plane match-any copp-system-class-mcast-miss
Configuration: match protocol multicast
Description: Class matches all IP multicast frames that could not be routed because they did not have an entry in the FIB.

Class Map: class-map type control-plane match-any copp-system-class-mgmt
Configuration: match protocol mgmt
Description: Class matches all management-related frames, such as SNMP, HTTP, NTP, Telnet, and SSH.

Class Map: class-map type control-plane match-any copp-system-class-msdp
Configuration: match protocol msdp
Description: Class matches MSDP packets.

Class Map: class-map type control-plane match-any copp-system-class-ospf
Configuration: match protocol ospf; match protocol ospfv3
Description: Class matches OSPF and OSPFv3 protocol packets.

Class Map: class-map type control-plane match-any copp-system-class-pim-hello
Configuration: match protocol pim
Description: Class matches all PIM Hello packets.

Class Map: class-map type control-plane match-any copp-system-class-pim-register
Configuration: match protocol reg
Description: Class matches all PIM Register packets.

Class Map: class-map type control-plane match-any copp-system-class-rip
Configuration: match protocol rip
Description: Class matches all RIP packets.

Class Map: class-map type control-plane match-any copp-system-class-rpf-fail
Configuration: match protocol rpf_fail
Description: Class matches all RPF failure packets.

Class Map: class-map type control-plane match-any copp-system-class-udld
Configuration: match protocol udld
Description: Class matches all UDLD frames.

CoPP Policy Templates

When you bring up your Cisco NX-OS device for the first time, the Cisco NX-OS software installs the default copp-system-policy to protect the supervisor module from DoS attacks. You can choose the CoPP policy template for your deployment scenario by specifying CoPP policy options from the initial setup utility:

• Default CoPP Policy (copp-system-policy-default)

• Scaled Layer 2 CoPP Policy (copp-system-policy-scaled-l2)

• Scaled Layer 3 CoPP Policy (copp-system-policy-scaled-l3)

• Customized CoPP Policy (copp-system-policy-customized)

If you do not select an option or choose not to execute the setup utility, the Cisco NX-OS software applies the Default policing. Cisco recommends starting with the default policy and later modifying the CoPP policies as required.

The default copp-system-policy-default policy has optimized values suitable for basic device operations.

You can change which CoPP policy is used by using the service-policy input policy-name command in the control plane configuration mode.

Default CoPP Policy

The copp-system-policy-default policy is applied to the switch by default. It has the classes with policer rates that should suit most network installations. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.

This policy has the following configuration:

policy-map type control-plane copp-system-policy-default
  class copp-system-class-igmp
    police cir 1024 kbps bc 65535 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 256000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 256000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

Scaled Layer 2 CoPP Policy

The copp-system-policy-scaled-l2 policy has most classes with policer rates that are the same as in the default policy. However, it has higher policer rates for IGMP and ISIS. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.

This policy has the following configuration:

policy-map type control-plane copp-system-policy-scaled-l2
  class copp-system-class-igmp
    police cir 4096 kbps bc 264000 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-exc-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

Scaled Layer 3 CoPP Policy

The copp-system-policy-scaled-l3 policy has most classes with policer rates that are the same as in the default policy.

However, it has higher policer rates for the IGMP, ICMP Echo, ISIS, Mcast-miss, and Glean related classes. You cannot modify this policy or the class maps associated with it. In addition, you cannot modify the class map configurations in this policy.

This policy has the following configuration:

policy-map type control-plane copp-system-policy-scaled-l3
  class copp-system-class-igmp
    police cir 4096 kbps bc 264000 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 4000 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 4000 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 4000 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 4000 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

Customizable CoPP Policy

The copp-system-policy-customized policy is configured identically to the default policy, but can be customized for different class map information rates and burst sizes.

You cannot add or delete any of the class maps configured in this policy.

Important

This policy is meant for advanced users. We recommend that you use extreme caution when configuring this policy and test it extensively before deploying it in your production network.

This policy has the following configuration:

policy-map type control-plane copp-system-policy-customized
  class copp-system-class-igmp
    police cir 1024 kbps bc 65535 bytes
  class copp-system-class-pim-hello
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bridging
    police cir 20000 kbps bc 4800000 bytes
  class copp-system-class-arp
    police cir 1024 kbps bc 3600000 bytes
  class copp-system-class-dhcp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-mgmt
    police cir 12000 kbps bc 4800000 bytes
  class copp-system-class-lacp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-lldp
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-udld
    police cir 2048 kbps bc 4800000 bytes
  class copp-system-class-isis
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-msdp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-cdp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-fip
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-bgp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-eigrp
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-exception
    police cir 64 kbps bc 4800000 bytes
  class copp-system-class-glean
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-hsrp-vrrp
    police cir 1024 kbps bc 4800000 bytes
  class copp-system-class-icmp-echo
    police cir 64 kbps bc 3600000 bytes
  class copp-system-class-ospf
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-pim-register
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-rip
    police cir 9600 kbps bc 4800000 bytes
  class copp-system-class-l3dest-miss
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-mcast-miss
    police cir 256 kbps bc 3200000 bytes
  class copp-system-class-excp-ip-frag
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-same-if
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-excp-ttl
    police cir 64 kbps bc 3200000 bytes
  class copp-system-class-default
    police cir 512 kbps bc 6400000 bytes

CoPP and the Management Interface

The Cisco NX-OS device supports only hardware-based CoPP, which does not cover the management interface (mgmt0). The out-of-band mgmt0 interface connects directly to the CPU and does not pass through the in-band traffic hardware where CoPP is implemented.

On the mgmt0 interface, ACLs can be configured to permit or deny a particular type of traffic.

Licensing Requirements for CoPP

This feature does not require a license. Any feature not included in a license package is bundled with the Cisco NX-OS system images and is provided at no extra charge to you. For a complete explanation of the Cisco NX-OS licensing scheme, see the Cisco NX-OS Licensing Guide.


Guidelines and Limitations for CoPP

CoPP is a feature that is enabled by default in the switch. You cannot enable or disable CoPP.

• Only one control-plane policy can be applied at a time.

• Removing a CoPP policy applies the default CoPP policy. In this way, a CoPP policy is always applied.

• You cannot add or delete any classes or policies.

• You cannot change the order of the classes or remove a class from any policy.

• You cannot modify the default, the Scaled Layer-2, or the Scaled Layer 3 policies. However, you can modify the information rate and burst size of the classes in the customized policy.

• The customized policy configuration is the same as the default policy configuration, unless the customized policy has been modified.

• When upgrading from a previous release, the default CoPP policy is enabled by default on the switch.

• After modifying the customized policy or changing the applied policy, the statistical counters are reset.

• After you perform an ISSU, the statistical counters are reset.

• Cisco recommends that you use the default CoPP policy initially and then later determine which of the CoPP policies to use based on the data center and application requirements.

• Customizing CoPP is an ongoing process. CoPP must be configured according to the protocols and features used in your specific environment as well as the supervisor features that are required by the server environment. As these protocols and features change, CoPP must be modified.

• Cisco recommends that you continuously monitor CoPP. If drops occur, determine if CoPP dropped traffic unintentionally or in response to a malfunction or attack. In either event, analyze the situation and evaluate the need to use a different CoPP policy or modify the customized CoPP policy.

• All the traffic that you do not specify in the other class maps is put into the last class, the default class.

• The Cisco NX-OS software does not support egress CoPP or silent mode. CoPP is supported only on ingress (you cannot use the service-policy output copp command on the control-plane interface).

Note

If you are familiar with the Cisco IOS CLI, be aware that the Cisco NX-OS commands for this feature might differ from the Cisco IOS commands that you would use.

Default Settings for CoPP

This table lists the default settings for CoPP parameters.

Table 22: Default CoPP Parameters Settings

Parameters           Default
Default policy       copp-system-policy-default
Default policy       9 policy entries
                     Note: The maximum number of supported policies with associated class maps is 128.
Scale factor value   1.00

Configuring CoPP

Applying a CoPP Policy to the Switch

You can apply one of the following CoPP policies to the switch:

• Default CoPP Policy (copp-system-policy-default).

• Scaled Layer 2 CoPP Policy (copp-system-policy-scaled-l2).

• Scaled Layer 3 CoPP Policy (copp-system-policy-scaled-l3).

• Customized CoPP Policy (copp-system-policy-customized).

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# control-plane
        Enters control-plane mode.

Step 3  switch(config-cp)# service-policy input policy-map-name
        Applies the specified CoPP policy map. The policy-map-name can be copp-system-policy-default, copp-system-policy-scaled-l2, copp-system-policy-scaled-l3, or copp-system-policy-customized.

Step 4  switch(config-cp)# copy running-config startup-config
        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to apply a CoPP policy to the device:

switch# configure terminal
switch(config)# control-plane
switch(config-cp)# service-policy input copp-system-policy-default
switch(config-cp)# copy running-config startup-config


Modifying the Customized CoPP Policy

You can only modify the information rates and burst sizes of the class maps configured in this policy.

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# policy-map type control-plane copp-system-policy-customized
        Enters configuration mode for the customized CoPP policy.

Step 3  switch(config-pmap)# class class-map-name
        Specifies one of the 28 predefined class maps listed in any CoPP predefined policy.

Step 4  switch(config-pmap-c)# police cir rate-value kbps bc buffer-size bytes
        Configures the committed information rate (CIR) and committed burst size (BC). The range for cir is from 1 to 20480. The range for bc is from 1500 to 6400000.

Step 5  switch(config-pmap-c)# copy running-config startup-config
        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to modify the customized CoPP policy:

switch(config)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class copp-system-class-bridging
switch(config-pmap-c)# police cir 10000 kbps bc 2400000 bytes

Configuring CoPP Extended Rate

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# control-plane
        Enters control-plane mode.

Step 3  switch(config-cp)# service-policy input copp-system-policy-customized
        (Optional) Applies the customized CoPP system policy map.
        Note: Use this command if the CoPP profile is not customized.

Step 4  switch(config-cp)# ingress-copp
        Allows CoPP extended CIR configuration.
        Note: Use the no form of the command to remove the extended CIR.

Step 5  switch(config-cp)# policy-map type control-plane copp-system-policy-customized
        Enters configuration mode for the customized CoPP policy.

Step 6  switch(config-pmap)# class class-map-name
        Specifies one of the 28 predefined class maps listed in any CoPP predefined policy.

Step 7  switch(config-pmap-c)# police cir rate-value kbps bc buffer-size bytes
        Configures the committed information rate (CIR) and committed burst size (BC). The range for extended CIR is from 1 to 61,440 Kbps. The range for BC is from 1500 to 6400000.

Step 8  switch(config-pmap-c)# copy running-config startup-config
        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to configure CoPP Extended Rate:

switch(config)# control-plane
switch(config-cp)# ingress-copp
switch(config-cp)# policy-map type control-plane copp-system-policy-customized
switch(config-pmap)# class copp-system-class-lacp
switch(config-pmap-c)# police cir 51200 kbps bc 4800000 bytes

Verifying the CoPP Configuration

Use one of the following commands to verify the configuration:

Command                                                              Purpose
show policy-map type control-plane [expand] [name policy-map-name]   Displays the control plane policy map with associated class maps.
show policy-map interface control-plane                              Displays the policy values with associated class maps and drops per policy or class map.
show class-map type control-plane [class-map-name]                   Displays the control plane class map configuration, including the ACLs that are bound to this class map.


Displaying the CoPP Configuration Status

Procedure

Step 1  switch# show copp status
        Displays the configuration status for the CoPP feature.

This example shows how to display the CoPP configuration status:

switch# show copp status

Monitoring CoPP

Procedure

Step 1  switch# show policy-map interface control-plane
        Displays packet-level statistics for all classes that are part of the applied CoPP policy, for example the Conformed and Violated packet counters.

Statistics are specified in terms of OutPackets (packets admitted to the control plane) and DropPackets (packets dropped because of rate limiting).

This example shows how to monitor CoPP:

switch# show policy-map interface control-plane
Control Plane

  service-policy input: copp-system-policy-default

    class-map copp-system-class-igmp (match-any)
      match protocol igmp
      police cir 1024 kbps , bc 65535 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-pim-hello (match-any)
      match protocol pim
      police cir 1024 kbps , bc 4800000 bytes
        conformed 0 bytes; action: transmit
        violated 0 bytes;
....
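The guidelines above say to monitor CoPP continuously and to investigate whenever a class shows drops. The following parser is an added example, not code from the Cisco guide: it reads the output of show policy-map interface control-plane in the layout shown above and flags the classes whose policer reported violated bytes. The sample output and its counter values are constructed.

```python
"""Parse 'show policy-map interface control-plane' output and flag CoPP
classes whose policer has dropped (violated) traffic.

Added example, not code from the Cisco guide.  The sample output below is
constructed to follow the layout the guide shows; the counter values are
made up so that the drop check has something to report."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three classes, two of them with violated bytes.
SAMPLE_OUTPUT = """\
Control Plane

  service-policy input: copp-system-policy-default

    class-map copp-system-class-igmp (match-any)
      match protocol igmp
      police cir 1024 kbps , bc 65535 bytes
        conformed 4096 bytes; action: transmit
        violated 0 bytes;
    class-map copp-system-class-arp (match-any)
      match protocol arp
      police cir 1024 kbps , bc 3600000 bytes
        conformed 1000000 bytes; action: transmit
        violated 1000 bytes;
    class-map copp-system-class-icmp-echo (match-any)
      match protocol icmp
      police cir 64 kbps , bc 3600000 bytes
        conformed 81920 bytes; action: transmit
        violated 655360 bytes;
"""


@dataclass
class CoppClassStats:
    name: str
    cir_kbps: int
    bc_bytes: int
    conformed_bytes: int
    violated_bytes: int

    @property
    def drop_ratio(self) -> float:
        """Share of policed bytes that were dropped (0.0 when nothing was seen)."""
        total = self.conformed_bytes + self.violated_bytes
        return self.violated_bytes / total if total else 0.0


_POLICY_RE = re.compile(r"service-policy input:\s+(\S+)")
_CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)\s+\(")
_POLICE_RE = re.compile(r"police cir (\d+) kbps\s*,\s*bc (\d+) bytes")
_CONF_RE = re.compile(r"conformed (\d+) bytes")
_VIOL_RE = re.compile(r"violated (\d+) bytes")


def parse_copp_stats(text: str) -> Tuple[str, List[CoppClassStats]]:
    """Return (applied policy name, per-class stats) from the show output."""
    policy = ""
    classes: List[CoppClassStats] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = _POLICY_RE.search(line)
        if m:
            policy = m.group(1)
            continue
        m = _CLASS_RE.match(line)
        if m:
            if current:
                classes.append(CoppClassStats(**current))
            current = {"name": m.group(1), "cir_kbps": 0, "bc_bytes": 0,
                       "conformed_bytes": 0, "violated_bytes": 0}
            continue
        if current is None:
            continue
        m = _POLICE_RE.search(line)
        if m:
            current["cir_kbps"], current["bc_bytes"] = int(m.group(1)), int(m.group(2))
            continue
        m = _CONF_RE.search(line)
        if m:
            current["conformed_bytes"] = int(m.group(1))
            continue
        m = _VIOL_RE.search(line)
        if m:
            current["violated_bytes"] = int(m.group(1))
    if current:
        classes.append(CoppClassStats(**current))
    return policy, classes


def classes_with_drops(text: str, min_ratio: float = 0.0) -> List[str]:
    """Names of classes that reported violated bytes above min_ratio of their
    traffic, worst drop ratio first.  A sustained high ratio on a class such
    as icmp-echo is the signal the guide says to investigate (malfunction,
    attack, or a policer rate that is too low for the environment)."""
    _, classes = parse_copp_stats(text)
    hit = [c for c in classes if c.violated_bytes > 0 and c.drop_ratio > min_ratio]
    hit.sort(key=lambda c: c.drop_ratio, reverse=True)
    return [c.name for c in hit]


if __name__ == "__main__":
    policy, stats = parse_copp_stats(SAMPLE_OUTPUT)
    print(f"applied policy: {policy}")
    for c in stats:
        state = f"DROPS {c.drop_ratio:.1%}" if c.violated_bytes else "ok"
        print(f"{c.name:32} cir={c.cir_kbps:>6} kbps violated={c.violated_bytes:>8} {state}")
```

Feeding the real command output in place of SAMPLE_OUTPUT, and raising min_ratio, filters out classes that only saw a momentary burst above bc.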


Monitoring CoPP with SNMP

Beginning with Cisco NX-OS Release 7.1(1)N1(1), CoPP supports the Cisco class-based QoS MIB (cbQoSMIB). All of the CoPP elements can now be monitored (but not modified) using SNMP. This feature applies only to policies and their subelements (such as classes, match rules, and set actions) that are attached to the control plane. Elements of policies that are not in service on the control plane are not visible through SNMP.

The following cbQoSMIB tables are supported:

• cbQosPolicyMapCfg

• cbQosClassMapCfg

• cbQosMatchStmtCfg

• cbQosPoliceCfg

• cbQosSetCfg

• cbQosPoliceStat

More detailed information on cbQoSMIB tables and elements is available at the following URLs:

• http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.166

• http://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus6000/sw/system_management/7x/b_6k_System_Mgmt_Config_7x/b_6k_System_Mgmt_Config_7x_chapter_010110.html

Clearing the CoPP Statistics

Procedure

Step 1  switch# show policy-map interface control-plane
        (Optional) Displays the currently applied CoPP policy and per-class statistics.

Step 2  switch# clear copp statistics
        Clears the CoPP statistics.

This example shows how to clear the CoPP statistics for your installation:

switch# show policy-map interface control-plane
switch# clear copp statistics

Additional References for CoPP

This section provides additional information related to implementing CoPP.


Related Documents

Related Topic       Document Title
Licensing           Cisco NX-OS Licensing Guide
Command reference


Chapter 15

Configuring TCAM Carving

This chapter contains the following sections:

Information About TCAM Carving, page 305

Information About User-Defined Templates, page 305

Creating a User-Defined Template, page 308

Modifying a User-Defined Template, page 308

Committing a User-Defined Template, page 308

Deleting a Template, page 309

Verifying the TCAM Carving Configuration, page 310

Information About TCAM Carving

The Ternary Content-Addressable Memory (TCAM) carving feature uses a template-based approach that enables you to modify the default region sizes of the TCAM. When the switch boots up, you see this default template, unless you have configured any other template. This table lists the types and sizes of various regions in a template.

Information About User-Defined Templates

In addition to the default template, you can create a maximum of 16 templates (which means that you can have 17 templates at one time). You can specify whatever sizes of ternary content addressable memory (TCAM) regions you want.

You can apply the following operations on each template:

• Create

• Modify

• Delete

• Commit


Each template can be in one of the following states:

• Saved

• Committed

Create

When you create a template, the sizes of the TCAM regions are initialized to the default values, and the template is in the saved state by default. Once you create a template, you can modify it to change the size of any TCAM region. You should configure the size of each region in multiples of 64 because the size of each TCAM block is 64 entries. If you enter a value that is not a multiple of 64, an error message asks you to enter the value again.

Modify

You can modify any saved template to change the size of any TCAM region, but you cannot set the size of any region in the TCAM to 0. During the modification, the software checks that the size that you entered is on a 64-entry boundary. While you modify a template, the combined size of all the TCAM regions may total fewer than 4096 entries; the software does not check the combined size during a modification (that check is performed when the template is committed).

You can modify a template only when it is in the saved state. After a template is committed, you cannot modify it.

A user-defined committed template can be changed to the created state by servicing another user-defined template or the default template.

To service another user-defined template, enter the following command:

hardware profile tcam resource service-template user-defined-template

To service the default template, enter the following command:

no hardware profile tcam resource service-template currently-committed-template

Delete

You can delete any saved template. After you delete a template, all information about the template is lost. A committed template cannot be deleted.


Commit

You can commit any of your user-defined templates or the default template that is provided by the software.

To commit a template, enter the commit command and perform a reboot of the switch. When you enter the commit command, the software validates the template. If the validation is successful, the software prompts you to reboot the switch. The template (user defined or default) is applied after the reboot. If you did not choose to reboot, no changes are made to the TCAM regions and no template is committed.


After you commit a template, the system does not automatically reboot, but a message is displayed in the commit command output asking you to reboot the switch for the committed template to take effect. After you agree to reboot, the following occurs:

• The committed template is saved in the startup configuration.

• The switch is rebooted.

• The committed template is used by the software.

• The template goes to the running state.

After the switch reboots, the committed template is applied to all ASICs on the Cisco Nexus device. You cannot commit different templates to different ASICs on the Cisco Nexus device. All saved templates and committed templates along with the size of each region of each template are displayed in the running configuration.

When a template is committed, the software checks the following:

1. The combined size of all regions in the TCAM is 4096 entries.

2. The size of each region fits within the TCAM. At any point in time, there is always a running size for each TCAM region. This running size (the current size in the hardware TCAM) is defined by either the default or a user-defined template that was committed and is currently being used as the running template. If you increase the size of a region in a template that is being committed, relative to the current running size, the software checks whether there are enough free entries outside the current region (entries that are not allocated to any other region) that can be used to increase the size of the region. If you decrease the size of a region in a template that is being committed, relative to the current running size, the software checks whether there are enough free entries within the region that can be freed up to reduce the size of the TCAM region. All changes that reduce the sizes of regions within the template are done before the changes that increase the sizes of regions within the template.

3. The hardware does not support more than 256 entries in the sup and span regions. This check is done during validation.

If all these checks pass, you can commit the template and you are prompted to apply the template by rebooting.

If these checks fail, the commit fails and the template goes back to the saved state. If the commit fails, the commit command output displays the reasons that it failed.
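The three commit checks above, as an added example that is not Cisco's code: a validator a practitioner can run against a proposed template before committing it. The region names are the ones shown in the guide's sample output; the running sizes and usage counts are constructed, and the check that shrinks are applied before grows follows the ordering the text describes.

```python
"""Validate a TCAM carving template against the commit checks the guide
describes: 64-entry blocks, 4096 entries in total, sup and span capped at
256 entries, and region shrinks applied before grows relative to the
running template.

Added example, not Cisco's code.  The region names are the ones shown in
the guide's sample output; the running sizes and usage counts are
constructed."""
from typing import Dict, List, Tuple

TCAM_ENTRIES = 4096   # combined size every committed template must reach
BLOCK = 64            # each TCAM block holds 64 entries
MAX_SUP_SPAN = 256    # hardware cap on the sup and span regions

# Constructed running template: region -> (size allocated, entries in use).
RUNNING: Dict[str, Tuple[int, int]] = {
    "vacl": (1024, 1024),
    "ifacl": (1024, 0),
    "qos": (1280, 32),
    "rbacl": (256, 0),
    "span": (256, 32),
    "sup": (256, 192),
}


def running_sizes(running: Dict[str, Tuple[int, int]] = RUNNING) -> Dict[str, int]:
    """Region sizes of the running template, as a starting point for edits."""
    return {region: size for region, (size, _) in running.items()}


def validate_template(candidate: Dict[str, int],
                      running: Dict[str, Tuple[int, int]] = RUNNING) -> List[str]:
    """Return the reasons the commit would fail; an empty list means it passes."""
    errors: List[str] = []
    # Modify-time check: every size is a positive whole number of 64-entry blocks.
    for region, size in candidate.items():
        if region not in running:
            errors.append(f"{region}: unknown region")
        elif size <= 0 or size % BLOCK:
            errors.append(f"{region}: size {size} is not a positive multiple of {BLOCK}")
    # Check 1: the regions must add up to exactly the TCAM size.
    total = sum(candidate.values())
    if total != TCAM_ENTRIES:
        errors.append(f"combined size {total} != {TCAM_ENTRIES}")
    # Check 3: hardware limit on the sup and span regions.
    for region in ("sup", "span"):
        if candidate.get(region, 0) > MAX_SUP_SPAN:
            errors.append(f"{region}: {candidate[region]} exceeds {MAX_SUP_SPAN}")
    if errors:
        return errors
    # Check 2: fit against the running sizes.  All shrinks happen first so
    # that the entries they release are available to the grows that follow.
    sizes = running_sizes(running)
    for region, new_size in candidate.items():
        old_size, in_use = running[region]
        if new_size < old_size:
            if in_use > new_size:
                errors.append(
                    f"{region}: {in_use} entries in use, cannot shrink to {new_size}")
            else:
                sizes[region] = new_size
    free = TCAM_ENTRIES - sum(sizes.values())
    for region, new_size in candidate.items():
        old_size = sizes[region]
        if new_size > old_size:
            need = new_size - old_size
            if need > free:
                errors.append(
                    f"{region}: needs {need} free entries, only {free} available")
            else:
                free -= need
                sizes[region] = new_size
    return errors


if __name__ == "__main__":
    # Mirror the guide's example: shrink qos to 64 entries ...
    proposal = {**running_sizes(), "qos": 64}
    print("qos=64 only       :", validate_template(proposal) or "ok")
    # ... and hand the freed entries to ifacl so the total is 4096 again.
    proposal["ifacl"] = 2240
    print("qos=64, ifacl=2240:", validate_template(proposal) or "ok")
```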

You cannot modify or delete the default template. You can only move this template from saved to committed or committed to saved. If the default template is committed, it is not displayed in the running configuration.

To apply the default template, enter the no commit command using the currently running template. Entering this command executes the same validation checks that were performed when you committed the template.

If all validations succeed, the software prompts you to reboot the switch. If you agree to reboot, the template is saved in the startup configuration and the system is rebooted. After the reboot, the default template is applied. The startup configuration has the committed template that you committed before rebooting. After rebooting, the template in the startup configuration is used. If there is no committed template in the startup configuration, the default template is used.

You create and manage the TCAM carving templates by entering the template manager commands. The template-based TCAM carving CLI is supported in config-sync. Only template creation is supported inside config-sync. Template commit should be performed separately on each switch outside the config-sync context.


Creating a User-Defined Template

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# hardware profile tcam resource template template-name
        Creates a new template with the default region sizes. A maximum of 16 templates (plus the default) can be created. The template-name argument can be a maximum of 64 characters.

This example shows how to create a user-defined template named qos-template:

switch# configure terminal
switch(config)# hardware profile tcam resource template qos-template

Modifying a User-Defined Template

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# hardware profile tcam resource template template-name
        Creates a new template with the default region sizes. A maximum of 16 templates (plus the default) can be created. Use this command to enter template mode.

This example shows how to modify the user-defined template named qos-template:

switch# configure terminal
switch(config)# hardware profile tcam resource template qos-template
switch(config-tmpl)# qos 64

Committing a User-Defined Template

You can commit a user-defined template.


Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# hardware profile tcam resource service-template template-name
        Commits a previously defined template in the running image.

Step 3  switch(config)# copy running-config startup-config
        Saves the change persistently through reboots and restarts by copying the running configuration to the startup configuration.

This example shows how to commit a user-defined template:

switch# configure terminal
switch(config)# hardware profile tcam resource service-template qos-template
Details of qos-template:
Region Features Size-allocated Current-usage Available/free
---------------------------------------------------------------------------
vacl vacl svi racl
1024 1024 0
1024 ifacl qos pacl l3 racl interface qos vlan qos system qos cts interface span
2048 256 1024 256 rbacl span 64 512 32 512 sup vlan span sup rdt 192 192 copp
0 32 0 0
switch(config)# copy running-config startup-config

What to Do Next

Reboot the system.

Deleting a Template

After creating a template, the template can be deleted. Deleting removes all the information about the template from the software.

Procedure

Step 1  switch# configure terminal
        Enters global configuration mode.

Step 2  switch(config)# no hardware profile tcam resource template template-name
        Deletes a user-defined template. Only saved templates can be deleted. Templates that are committed/running cannot be deleted. A template that is in the running configuration (same as the startup configuration) cannot be deleted. Any other user-defined template that is in a saved state can be deleted. The default template cannot be deleted.

This example shows how to delete a template:

switch# configure terminal
switch(config)# no hardware profile tcam resource template qos-template

Verifying the TCAM Carving Configuration

To display TCAM carving configuration information, enter one of the following commands:

Command                                                              Purpose
show hardware profile tcam resource template                         Displays all templates.
show hardware profile tcam resource template name template-name      Displays a user-defined template.
show hardware profile tcam resource template default                 Displays the default template.


I N D E X

802.1X

87, 90, 91, 93, 94, 95, 96, 97, 98, 99, 101, 104, 109, 110, 111, 112,

114, 116, 117

authenticator PAEs

90

configuration process

97

configuring

97

configuring AAA accounting methods

114

configuring AAA authentication methods

98

configuring on member ports

101

controlling on interfaces

99

default settings

96

description

87

disabling authentication

110

disabling feature

111

enabling feature

98

enabling MAC authentication bypass

109

enabling mulitple hosts mode

109

enabling periodic reauthentication on interfaces

104

enabling single host mode

109

example configuration

117

guidelines

95

licensing requirements

95

limitations

95

MAC authenication bypass

91

monitoring

117

multiple host support

93

prerequisites

95

setting interface maximum retransmission retry count

112

single host support

93

supported topologies

94

verifying configuration

116

802.1X authentication

89, 90, 106, 113

authorization states for ports

90

changing timers on interfaces

106

enabling RADIUS accounting

113

initiation

89

manually initializing

106

802.1X reauthentication

115

setting maximum retry count on interfaces

115

802.1X supplicants

105

manually reauthenticating

105

A

AAA

3, 7, 8, 10, 11, 12, 17, 18, 46, 98, 135, 137

accounting

7

authentication

7

benefits

8

configuring authentication methods for 802.1X

98

Configuring Console Authorization Commands

17

configuring console login

12

configuring for Cisco TrustSec

135

configuring for RADIUS servers

46

configuring nonseed device for Cisco TrustSec

137

configuring seed device for Cisco TrustSec

135

default settings

12

description

3

enabling MSCHAP authentication

18

guidelines

12

limitations

12

prerequisites

11

user login process

10

AAA accounting

19, 114

configuring default methods

19

configuring methods for 802.1X

114

AAA accounting logs

33

clearing

33

displaying

33

AAA authorization

63

configuring on TACACS+ servers

63

AAA logins

14

enabling authentication failure messages

14

AAA protocols

7

RADIUS

7

TACACS+

7

AAA server groups

8

description

8

AAA servers

19, 21

specifying SNMPv3 parameters

19, 21

specifying user roles

21

specifying user roles in VSAs

19

AAA services

8, 9

configuration options

9

remote

8

OL-30921-01

Cisco Nexus 5600 Series NX-OS Security Configuration Guide, Release 7.x

IN-1

Index

accounting, 7
    description, 7
ACL, 176, 178
    processing order, 176
    sequence numbers, 178
ACL implicit rules, 177
ACLs, 175, 177, 181, 186, 195
    applications, 175
    creating log entries for, 186
    guidelines, 181
    identifying traffic by protocols, 177
    licensing, 181
    limitations, 181
    prerequisites, 181
    types, 175
    VLAN, 195
ARP ACLs, 260, 275
    description, 275
    priority of ARP ACLs and DHCP snooping entries, 260
authentication, 7, 9, 10, 89, 123, 139
    802.1X, 89
    Cisco TrustSec, 123
    configuring for Cisco TrustSec, 139
    description, 7
    local, 7
    methods, 9
    remote, 7
    user login, 10
authenticator PAEs, 90, 103
    creating on an interface, 103
    description, 90
    removing from an interface, 103
authorization, 10, 66
    user login, 10
    verifying commands, 66

C

changed information, 1
    description, 1
Cisco, 20, 37
    vendor ID, 20, 37
Cisco TrustSec, 121, 126, 129, 130, 131, 132, 133, 134, 135, 137, 148, 150, 161, 168, 169
    architecture, 121
    authorization, 129
    configuring, 133
    configuring AAA on nonseed device, 137
    configuring AAA on seed device, 135
    configuring device credentials, 134
    configuring pause frame encryption and decryption on interfaces, 148
    default values, 132
    description, 121
    enabling, 133
    enabling (example), 169
    environment data download, 130
    example configurations, 169
    guidelines, 131
    licensing, 131
    limitations, 131
    manually configuring SXP, 161
    policy acquisition, 129
    prerequisites, 131
    RADIUS relay, 130
    SGACLs, 126, 150
    SGTs, 126
    verifying configuration, 168
Cisco TrustSec authentication, 123, 124, 125, 135, 138, 139, 146, 170
    802.1X role selection description, 125
    configuration process, 138
    configuring, 135, 139
    configuring in manual mode, 146
    description, 123
    EAP-FAST enhancements, 124
    manual mode configuration examples, 170
    summary, 125
Cisco TrustSec authorization, 129, 135, 138
    configuration process, 138
    configuring, 135
Cisco TrustSec device credentials, 126
    description, 126
Cisco TrustSec device identities, 126
    description, 126
Cisco TrustSec environment data, 130
    download, 130
Cisco TrustSec policies, 170, 171
    example enforcement configuration, 170, 171
Cisco TrustSec seed devices, 130, 135, 170
    description, 130, 135
    example configuration, 170
Cisco TrustSec user credentials, 126
    description, 126
cisco-av-pair, 19, 21
    specifying AAA user parameters, 19, 21
class maps, 290
    CoPP, 290
clearing statistics, 303
    CoPP, 303
commands, 66
    disabling authorization verification, 66
    enabling authorization verification, 66
committing, 308
    user defined template, 308


configuration status, 302
    CoPP, 302
control plane, 299
    policies, 299
        applying, 299
control plane class maps, 301
    verifying the configuration, 301
control plane policy maps, 301
    verifying the configuration, 301
control plane protection, 289
    CoPP, 289
    packet types, 289
control plane protection, classification, 289
control plane protection, CoPP, 289
    rate controlling mechanisms, 289
CoPP, 287, 289, 290, 293, 297, 298, 301, 302, 303
    class maps, 290
    clearing statistics, 303
    configuration status, 302
    control plane protection, 289
    control plane protection, classification, 289
    default settings, 298
    guidelines, 298
    information about, 287
    licensing, 297
    limitations, 298
    monitoring, 302
    monitoring with SNMP, 303
    policy templates, 293
    restrictions for management interfaces, 297
    verifying the configuration, 301
CoPP policies, 293, 294, 295, 296, 299
    applying, 299
    customized, 296
    default, 293
    scaled Layer 2, 294
    scaled Layer 3, 295
CoPP policy, 300
    customized, 300
    modifying, 300
creating, 308
    user defined template, 308
CTS, See Cisco TrustSec
customized CoPP policy, 296, 300
    modifying, 300

D

DAI, 262, 263
    default settings, 263
    guidelines, 262
    limitations, 262


default settings, 210
    port security, 210
default CoPP policy, 293
default settings, 12, 96, 263, 282, 298
    802.1X, 96
    AAA, 12
    CoPP, 298
    DAI, 263
    IP Source Guard, 282
device roles, 87
    description for 802.1X, 87
DHCP binding database, See DHCP snooping binding database
DHCP Option 82, 225
    description, 225
DHCP relay agent, 228, 229, 239, 240, 241, 242
    described, 228
    enabling or disabling, 239
    enabling or disabling Option 82, 240
    enabling or disabling subnet broadcast support on a Layer 3 interface, 242
    enabling or disabling VRF support, 241
    VRF support, 229
DHCP relay binding database, 229
    description, 229
DHCP relay statistics, 255
    clearing, 255
DHCP snooping, 223, 224, 225, 227, 231, 233
    binding database, 225
    default settings, 233
    description, 223
    guidelines, 231
    in a vPC environment, 227
    limitations, 231
    message exchange process, 225
    Option 82, 225
    overview, 224
DHCP snooping binding database, 225
    See also DHCP snooping binding database
    described, 225
    description, 225
    entries, 225
    See also DHCP snooping binding database
DHCPv6 relay, 246
    configuring the source interface, 246
DHCPv6 relay agent, 230, 244, 245
    described, 230
    enabling or disabling, 244
    enabling or disabling VRF support, 245
    VRF support, 230
DHCPv6 relay statistics, 255
    clearing, 255
dynamic ARP inspection, 257, 258, 259, 260, 261
    ARP cache poisoning, 258
    ARP requests, 257


dynamic ARP inspection (continued)
    ARP spoofing attack, 258
    DHCP snooping binding database, 258
    function of, 258
    interface trust states, 259
    logging of dropped packets, 261
    network security issues and interface trust states, 259
    priority of ARP ACLs and DHCP snooping entries, 260
Dynamic Host Configuration Protocol snooping, See DHCP snooping

E

examples, 33
    AAA configurations, 33

G

guidelines, 181, 209, 231, 262, 298
    ACLs, 181
    CoPP, 298
    DAI, 262
    DHCP snooping, 231
    port security, 209

I

IDs, 20, 37
    Cisco vendor ID, 20, 37
information about, 305
    default template, 305
    user-defined templates, 305
IP ACL implicit rules, 177
IP ACLs, 4, 175, 179, 184, 185, 186, 188, 189
    applications, 175
    applying as a Router ACL, 188
    applying as port ACLs, 189
    changing, 184
    changing sequence numbers in, 186
    description, 4
    logical operation units, 179
    logical operators, 179
    removing, 185
    types, 175
IP Source Guard, 282
    default settings, 282

L

LDRA, 230
    described, 230
licensing, 95, 131, 181, 297
    802.1X, 95
    ACLs, 181
    Cisco TrustSec, 131
    CoPP, 297
Lightweight DHCPv6 relay agent, 230, 231
    described, 230
    guidelines and limitations, 231
limitations, 181, 209, 231, 262, 298
    ACLs, 181
    CoPP, 298
    DAI, 262
    DHCP snooping, 231
    port security, 209
logging, 186
    creating ACL for, 186
logical operation units, 179
    IP ACLs, 179
logical operators, 179
    IP ACLs, 179
login, 44
    RADIUS servers, 44
LOU, See logical operation units

M

MAC ACL implicit rules, 177
MAC ACLs, 191
    ACLs, 191
        MAC, 191
            creating, 191
    creating, 191
MAC addresses, 204
    learning, 204
MAC authentication, 91, 109
    bypass for 802.1X, 91
    enabling bypass in 802.1X, 109
management interfaces, 297
    CoPP restrictions, 297
modifying, 308
    user defined template, 308
monitoring, 36, 47, 302
    CoPP, 302
    RADIUS, 36
    RADIUS servers, 47
MSCHAP, 18
    enabling authentication, 18


N

new information, 1
    description, 1

P

policy templates, 293
    description, 293
port ACL, 189
port security, 204, 206, 209, 210
    default settings, 210
    guidelines, 209
    limitations, 209
    MAC address learning, 204
    MAC move, 206
    violations, 206
ports, 90
    authorization states for 802.1X, 90
preshared keys, 55
    TACACS+, 55
privilege level support for TACACS+ authorization, 66
    configuring, 66
privilege roles, 68
    permitting or denying commands for, 68

R

RADIUS, 4, 35, 36, 38, 44, 50, 51, 130
    configuring servers, 38
    configuring timeout intervals, 44
    configuring transmission retry counts, 44
    default settings, 38
    description, 4
    example configurations, 51
    monitoring, 36
    network environments, 35
    operations, 36
    prerequisites, 38
    relay for Cisco TrustSec, 130
    statistics, displaying, 50
RADIUS accounting, 113
    enabling for 802.1X authentication, 113
RADIUS server groups, 43
    global source interfaces, 43
RADIUS server preshared keys, 41
RADIUS servers, 44, 45, 46, 48, 49, 51
    allowing users to specify at login, 44
    configuring AAA for, 46
    configuring timeout interval, 45
    configuring transmission retry count, 45
    deleting hosts, 48
    example configurations, 51
    manually monitoring, 49
RADIUS statistics, 50
    clearing, 50
RADIUS, global preshared keys, 40
RADIUS, periodic server monitoring, 47
RADIUS, server hosts, 39
    configuring, 39
rate controlling mechanisms, 289
    control plane protection, CoPP, 289
RBACL, 159
    clearing statistics, 159
    displaying statistics, 159
    enabling statistics, 159
RBACL logging, 156
    enabling, 156
remote devices, 80
    connecting to using SSH, 80
router ACLs, 188
rules, 177
    implicit, 177

S

SAP, 142
    configuring modes on interfaces, 142
SAP keys, 146
    regenerating on interfaces, 146
scaled Layer 2 CoPP policy, 294
scaled Layer 3 CoPP policy, 295
secure MAC addresses, 204
    learning, 204
security, 204, 299
    policies, 299
        applying, 299
    port, 204
        MAC address learning, 204
security group access lists, See SGACLs
security group tag, See SGT
server groups, 8
servers, 44
    RADIUS, 44
SGACL policies, 156, 158, 160
    clearing, 160
    displaying downloaded policies, 158
    manually configuring, 156
SGACL policy enforcement, 151, 152
    enabling on VLANs, 151
    enabling on VRF instances, 152


SGACLs, 126, 150, 171, 172
    configuring, 150
    description, 126
    example manual configuration, 172
    example SGT mapping configuration, 171
SGACLs policies, 129, 159
    acquisition, 129
    refreshing downloaded policies, 159
SGT Exchange Protocol, See SXP
SGTs, 126, 128, 153, 154, 155, 171
    description, 126
    example mapping configuration, 171
    manually configuring, 153
    manually configuring address-to-SGACL mapping, 154, 155
    propagation with SXP, 128
SNMP, 303
    monitoring CoPP, 303
SNMPv3, 19, 21
    specifying AAA parameters, 19
    specifying parameters for AAA servers, 21
source interfaces, 43, 61
    RADIUS server groups, 43
    TACACS+ server groups, 61
SSH, 4
    description, 4
SSH clients, 75
SSH server keys, 76
SSH servers, 75
SSH sessions, 80, 81
    clearing, 81
    connecting to remote devices, 80
statistics, 73, 159
    for RBACL, 159
    TACACS+, 73
SXP, 128, 161, 162, 163, 164, 165, 166, 167
    changing reconcile periods, 166
    changing retry periods, 167
    configuration process, 161
    configuring default passwords, 164
    configuring default source IP addresses, 165
    configuring manually, 161
    configuring peer connections, 163
    enabling, 162
    SGT propagation, 128
SXP connections, 172
    example manual configuration, 172

T

TACACS+, 4, 53, 54, 55, 56, 57, 66, 69, 73, 74
    advantages over RADIUS, 53
    configuring, 57
    configuring global timeout interval, 69
    description, 4, 53
    displaying statistics, 73
    example configurations, 74
    field descriptions, 56
    global preshared keys, 55
    limitations, 56
    prerequisites, 56
    preshared key, 55
    user login operation, 54
    verifying command authorization, 66
TACACS+ command authorization, 64, 65
    configuring, 64
    testing, 65
TACACS+ server groups, 61
    global source interfaces, 61
TACACS+ servers, 56, 57, 69, 70, 72
    configuring hosts, 57
    configuring TCP ports, 70
    configuring timeout interval, 69
    field descriptions, 56
    manually monitoring, 72
TCP ports, 70
    TACACS+ servers, 70
Telnet, 4
    description, 4
Telnet server, 83
    enabling, 83
    reenabling, 83
Telnet servers, 76
Telnet sessions, 83, 84
    clearing, 84
    connecting to remote devices, 83

U

user defined template, 308
    committing, 308
    creating, 308
    modifying, 308
user login, 10
    authentication process, 10
    authorization process, 10
user roles, 19, 21
    specifying on AAA servers, 19, 21
user-defined templates, 305
    information about, 305


V

vendor-specific attributes, 20
verifying, 33, 50, 74, 310
    AAA configuration, 33
    RADIUS configuration, 50
    TACACS+ configuration, 74
    TCAM carving configuration, 310
VLAN ACLs, 195
    information about, 195
vPCs, 227
    and DHCP snooping, 227
VSAs, 20
    format, 20
    protocol options, 20
    support description, 20
